log in
All Articles | Back

Member Articles

European Commission Introduces New Rules on Breach Notification by Telcos and ISPs 

by A&L Goodbody

Published: July, 2013

Submission: August, 2013


On 26 June 2013, a new Commission Regulation on what telecommunications operators (Telcos) and Internet Service Providers (ISPs) should do if their customers' personal data is lost, stolen or otherwise compromised, was published in the Official Journal of the European Union. The purpose of the new rules is to ensure businesses, operating in more than one EU country, can take a pan-EU approach in the event of a data breach.

Since 2011, Telecos and ISPs have had a mandatory obligation under the e-Privacy Regulations 2011 (S.I. 336/2011) to notify national data protection authorities, and any individuals adversely affected, about breaches of personal data. However the 2011 Regulations do not prescribe specific timeframes for breach notification.


The new Regulation provides businesses with clarity on how to meet their existing breach notification obligations. Companies will be required to:

Notify the personal data breach to the competent national authority no later than 24 hours after detection of the breach, in order to maximise its confinement. If it is not feasible to make full disclosure within that period, an initial notification should be made within 24 hours, with the rest to follow within three days.

Annex 1 of the Regulation sets out the information to be contained in the notification to the competent national authority.

In assessing whether to notify individuals of the data breach incident companies should consider:

(a) the nature and content of the data compromised, in particular where the data concerns financial information, location data, internet log files, web browsing histories, email data, and itemised call lists; 

(b) the likely consequences of the breach for the individual concerned; and 

(c) whether the data has been stolen or is in the possession of an unauthorised third party.

Annex 2 of the Regulation sets out the information to be contained in the notification to the individuals adversely affected by the breach.

The Regulation has direct effect and will come into force on 25 August 2013.


For further information please contact Davinia Brennan at [email protected]


Link to article





WSG Member: Please login to add your comment.


WSG's members are independent firms and are not affiliated in the joint practice of professional services. Each member exercises its own individual judgments on all client matters.

HOME | SITE MAP | GLANCE | PRIVACY POLICY | DISCLAIMER |  © World Services Group, 2021