Data Breach Notification Under E-Privacy Directive And General Data Protection Regulation

Published date: 14 December 2020
Subject matter: Privacy, Data Protection, Privacy Protection
Law firm: Maravela, Popescu & Asociatii
Authors: Ms Cristina Crețu and Laura M. Dinu

Abstract: Data breach notifications were first introduced in 2009 by means of amendments to the E-Privacy Directive, covering data breaches that occurred in connection with the provision of publicly available electronic communications services. Subsequently, the GDPR extended the data breach notification obligation to all industries. The initial intention was to have a single notification regime, as the E-Privacy Directive was meant to be replaced by the E-Privacy Regulation by the time the GDPR became applicable. Since the E-Privacy Regulation is still a long way from entering into force, an electronic communications provider has difficulty navigating two regulatory regimes when it comes to data breach notifications.

1. General remarks

The obligation to notify personal data breaches to the relevant national authority and, in some cases, to the individuals affected, has become mandatory for the first time under the amended Directive 2002/58/EC1221 (hereinafter referred to as the "E-Privacy Directive"). This followed the broader review of the regulatory framework for electronic communications in 2009, which had affected five different EU directives.

As the E-Privacy Directive applies only to providers of publicly available electronic communications services (the "Telecom Providers") and since the risks associated with breaches of personal data held by other entities may be at least comparable, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the "GDPR") included the obligation to notify personal data breaches regardless of the sector.

The GDPR extended the breach notification requirement to all entities that process personal data, irrespective of the sectors in which such entities operate. The initiative was more than welcome, as it is in accordance with the "right to know" of the individuals affected and is a key element of transparency and accountability.

For the purpose of this article, it is particularly important to mention that in the proposed E-Privacy Regulation the obligation to notify data breaches was placed only under the GDPR[2], so that the Telecom Providers would cease to be subject to the obligation to notify privacy incidents under two different legal frameworks.

Although the EU legislator intended to offer more legal certainty, the fact that the entry into force of the E-Privacy Regulation continues to be delayed creates a dire need for clarification regarding the overlap between the obligation arising from the E-Privacy Directive and the one arising from the GDPR.

2. Interplay between GDPR and E-Privacy Directive

Privacy and data protection are core values of the European Union[3]; the EU legislator therefore needs to make continuous efforts to lay down specific and efficient rules to protect personal data and to ensure the confidentiality and security of electronic communications, backed by strong enforcement.

The data protection legal framework is two-fold: the GDPR aims to protect data subjects' rights in connection with the processing of personal data, while the E-Privacy Directive concerns the protection and confidentiality of personal data in electronic communications.

However, this is not what the EU legislator envisioned when it took the decision to reform the data protection package, as the prediction was to also repeal E-Privacy...
