The European Commission is putting into place new rules on what exactly telecoms operators and internet service providers (ISPs) should do if their customers’ personal data is lost, stolen or otherwise compromised.

The Commission said the purpose of these “technical implementing measures” is to ensure all customers receive equivalent treatment across the EU in case of a data breach, and to ensure businesses can take a pan-EU approach to these problems if they operate in more than one country.

Telecoms operators and ISPs hold a range of data about their customers, such as name, address and bank account details, in addition to information about phone calls and websites visited. These companies have been operating since 2011 under a general obligation to inform national authorities and subscribers about breaches of personal data.

Thanks to a Commission Regulation, companies will have extra clarity about how to meet those obligations, and customers will have extra assurance about how their problem will be dealt with.

For example, companies must inform the competent national authority of the incident within 24 hours of detecting the breach, so that its impact can be contained as quickly as possible. In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data and itemised call lists.

The Commission also wants to incentivise companies to encrypt personal data. As such, and in conjunction with ENISA, the Commission will also publish an indicative list of technological protection measures, such as encryption techniques, which would render the customer data unintelligible to any person not authorised to see it.

If a company applies such techniques but still suffers a data breach, it would be exempt from the burden of having to notify the subscriber, because such a breach would not actually reveal the subscriber’s personal data.

The Commission said it is implementing these rules following its 2011 public consultation, which showed widespread stakeholder support for a harmonised approach in this area.
