Data leaks - Europe readies new rules

Full Disclosure: But not for everyone and not any time soon...

Tags: isp, europe, full disclosure

By Steve Ranger

Published: 2 August 2007 10:51 GMT

The European Commission is considering tightening some regulations around when companies have to reveal security leaks - but rules will only cover a small number of companies and won't come into force for years.

As part of its review of the EU regulatory framework for electronic communication networks and services, the EC is proposing specific requirements for providers of electronic communications to give warning of certain breaches of security and to inform users.

The EC said this will help to reinforce business and individual users' trust and confidence in electronic communications.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.

The proposed rules would cover providers of electronic communications, namely public network operators and ISPs. Private sector organisations such as banks and retailers would not be included.

Last month silicon.com launched its Full Disclosure campaign, which calls on the UK government to rethink its existing legislation and require all companies and organisations that lose their customers' sensitive data to warn those individuals a leak has taken place. For more details see the grey box.

And even the limited proposals from the EC have a long journey ahead of them before they end up in national law: in the autumn the Commission will formally propose to the Council of Ministers and European parliament a revision of the current regulatory framework for electronic communications and services, which will involve amending the five existing directives, including the ePrivacy directive.

The Council and parliament could then take a year or two to complete their 'co-decision' process, so revised directives would only be adopted by them in 2009. After this, the directives must still be incorporated into national law by the national parliaments, before they will become effective.

The trade association for UK ISPs, Ispa, said it would not welcome a security breach notification law. "However, if any breach notification regime was implemented in Europe, it should be done in a harmonised manner, be technologically neutral and limited to circumstances in which there was a significant risk of harm from financial fraud," it said in a statement.

It added that ISPs currently work in tandem to share information and notify others when a significant security breach has occurred. "The current notification system works on an international basis and it is because of its flexible nature that we can get information in a timely and accurate manner," it said.

If you want to find out more about silicon.com's campaign read the original Full Disclosure story or read what a leading lawyer thinks about the current state of data disclosure legislation.

silicon.com's Full Disclosure campaign is about giving the public confidence that when they entrust their personal information to an organisation, it will act as a responsible guardian of that data. Reinforcing that trust will encourage more people to interact online, providing an important boost to the online economy. Sign the e-petition and make your voice heard by government.
