In a further official Opinion on the e-Privacy Directive, dated 10 February and now available online, the Article 29 Working Party has emphasised some of its concerns about the impending Directive. While much of the Opinion retreads old ground, the tone of its comments on the data breach notification aspects of the Directive is arresting.
The Working Party believes that:
‘an extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services. Online transactions including access to e-banking services, private sector medical records and online shopping are few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens. Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm.’
On the topic of failure to report, or incorrectly reporting, a breach, the Working Party states ‘to prevent the concealing of breaches it is essential that the Directive provides the competent national regulatory authority with the power to impose punitive financial sanctions’.
The full Opinion is available at: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_en.htm