Europe Readies New Data Security Rules

The European Commission is considering regulations requiring companies to reveal security leaks -- but not all companies and not right away

The European Commission is considering tightening some regulations around when companies have to reveal security leaks - but rules will only cover a small number of companies and won't come into force for years.

As part of its review of the EU regulatory framework for electronic communication networks and services, the EC is proposing specific requirements for providers of electronic communications to warn on certain breaches of security and to inform users.

The EC said this will help to reinforce business and individual users' trust and confidence in electronic communications.

The proposed rules would cover providers of electronic communications, namely public network operators and ISPs. Private sector organisations such as banks and retailers would not be included.

Last month launched its Full Disclosure campaign which calls on the UK government to rethink its existing legislation and require all companies and organisations that lose their customers' sensitive data to warn those individuals a leak has taken place. For more details see the grey box.

And even the limited proposals from the EC have a long journey ahead of them before they end up in national law: in the autumn the Commission will formally propose to the Council of Ministers and European parliament a revision of the current regulatory framework for electronic communications and services, which will involve amending the five existing directives, including the ePrivacy directive.

The Council and parliament could then take a year or two to complete their 'co-decision' process, so revised directives would only be adopted by them in 2009. After this, the directives must still be incorporated into national law by the national parliaments, before they will become effective.

The trade association for UK ISPs, Ispa, said it would not welcome a security breach notification law. "However, if any breach notification regime was implemented in Europe, it should be done in a harmonised manner, be technologically neutral and limited to circumstances in which there was a significant risk of harm from financial fraud," it said in a statement.

It added that ISPs currently work in tandem to share information and notify others when a significant security breach has occurred. "The current notification system works on an international basis and it is because of its flexible nature that we can get information in a timely and accurate manner," it said.

If you want to find out more about's campaign read the original Full Disclosure story or read what a leading lawyer thinks about the current state of data disclosure legislation.'s Full Disclosure campaign is about giving the public confidence that when they entrust their personal information to an organisation, it will act as a responsible guardian of that data. Reinforcing that trust will encourage more people to interact online, providing an important boost to the online economy. Sign the e-petition and make your voice heard by government.

Before it's here, it's on the Bloomberg Terminal.