ePrivacy loopholes.
Earlier today, ten days since my return from Brussels, I received an email from Mr. Lambrinidis regarding a number of amendments on the upcoming e-Privacy directive that he contributed to. An interesting topic that I think merits a short post was that of breach notification. Breach notification refers to the situation in which personal data that citizens entrusted to a third party A (e.g. a corporation) are ‘stolen’ or ‘compromised’ by another party B without their consent. The amendments stipulate whether A has any obligation to notify the citizens whose data were compromised and, if so, in which cases and how.
In the email Mr. Lambrinidis states that obligatory notification of affected citizens, by the service providers and/or the national regulatory authority, in cases where their personal data is compromised by a third party is guaranteed, in contrast to previous amendments (see for example the Harbour Report from July 2008, whereby it was up to the national regulatory authorities to determine whether a breach was serious enough for notification to take place or not). Indeed, the bulk of Lambrinidis’s amendments are certainly an improvement over the previous text and a very welcome addition to the directive. I was particularly impressed by his ability to balance the arguments and come up with a relatively decent text. Nevertheless, I still have reservations with regard to the formulation of the directive. Take for example Amendment (183):
The competent authority should determine the seriousness of the breach and should require the relevant service providers to give an appropriate notification without undue delay to the persons affected by the breach, as appropriate. [emphasis mine].
The uncertainty introduced by ‘as appropriate’ could mean that the national regulatory authority has the last say on how, when and perhaps whether it should notify those involved. Someone might not be notified on time (or at all) before his or her personal data are used illegally by third parties, if the national authority does not consider the breach serious enough to notify him or her soon enough. It is my opinion that ambiguous terms such as these should be avoided and that the law should be clear regarding the authorities’ and service providers’ obligations.