European Commission Tightens The Deadline: Data Breach Notification Within 24 Hrs

A new EU Regulation forces providers of public communications services to notify data breaches to their regulators within 24 hours. This Regulation will be directly applicable in the Member States as of 25 August 2013. At first glance, Austrian telecommunications law would seem to be in line with this new Regulation, but the difference lies in the details.

  1. New EU Regulation on data breach notification

    The European regulatory framework on electronic communications obliges providers of public electronic communications services to report personal data breaches to their national authorities.[1] The European Commission, however, detected a corresponding lack of harmonization among the Member States and exercised its power to issue technical implementing measures on the notification obligations by publishing Regulation (EU) No 611/2013.[2] This directly applicable and fully binding Regulation will enter into force on 25 August 2013.

    The new Regulation applies to providers of public electronic communication services. If a provider detects a personal data breach, it must notify the competent national authority of this breach within 24 hours.[3] This stipulation puts considerable pressure on the provider, as it will be hard to meet this deadline when considering the attending circumstances, such as the company's effective business hours and its internal structures and reporting lines. However, the Regulation provides a loophole by stating that the notification must be submitted within 24 hours "where feasible." In case a provider is not able to provide all information about the incident within this timeframe, the Regulation allows it to file only an initial (but still comprehensive) notification within 24 hours. That notification must include the provider's identity, the date, time and circumstances of the incident (e.g. data loss, theft, copying), the nature and content of the breached data, and the technical and organisational measures initiated by the provider. Within three days after this initial notification, the provider must deliver a second set of information containing further details about the data breach, such as a summary of the incident, the number of individuals concerned, potential consequences, potential adverse effects, etc.

    Additionally, the provider must notify the affected individuals without "undue delay" if the data breach is likely to adversely affect their personal data or privacy.[4] This stipulation requires each provider to self...
