EU Considers Strict Data Breach Notification Rules

Soulskill posted more than 2 years ago | from the wrist-slap-doctrine dept.

Security 33

JohnBert writes "The European Commission is examining whether additional rules are needed on personal data breach notification in the European Union. Telecoms operators and Internet service providers hold a huge amount of data about their customers, including names, addresses and bank account details. The current ePrivacy Directive requires them to keep this data secure and notify individuals if such sensitive information is lost or stolen. Data breaches must also be reported to the relevant national authority. 'The duty to notify data breaches is an important part of the new E.U. telecoms rules,' said Commissioner Neelie Kroes. 'But we need consistency across the E.U. so businesses don't have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.'"

33 comments

Shaft hardens when stroked... then explodes (-1)

Anonymous Coward | more than 2 years ago | (#36791696)

I could cut steel with this fucker.

Goddamn those interfering Commies (0)

cyber-vandal (148830) | more than 2 years ago | (#36791702)

Imagine expecting businesses to give a shit about their customers' personal information.

Re:Goddamn those interfering Commies (2)

Luckyo (1726890) | more than 2 years ago | (#36795196)

Get out of the states and you'll find that they either give a shit, or get shut down by fines exceeding their revenues.

breach (4, Insightful)

Hazel Bergeron (2015538) | more than 2 years ago | (#36791704)

OK, could this please include:

(1) Notification of all data retention and breaches by government as a result of government legislation, since the EU demands all sorts of data retention for "law enforcement";

(2) Equivalent rules for everyone doing business in the EU even if they store data outside the EU;

(3) The requirement for governments to terminate contracts with any businesses involved in breaches more than n number of times (actually, I'd prefer no public-private partnerships on IT work whatever, but simply requiring competent contractors would go a great way toward this).

Re:breach (1)

Schmorgluck (1293264) | more than 2 years ago | (#36791732)

(3) The requirement for governments to terminate contracts with any businesses involved in breaches more than n number of times (actually, I'd prefer no public-private partnerships on IT work whatever, but simply requiring competent contractors would go a great way toward this).

Just make it n=0 and I agree with you.

Re:breach (2)

ludwigf (1208730) | more than 2 years ago | (#36791774)

(3) The requirement for governments to terminate contracts with any businesses involved in breaches more than n number of times (actually, I'd prefer no public-private partnerships on IT work whatever, but simply requiring competent contractors would go a great way toward this).

Just make it n=0 and I agree with you.

n=0 might just mean they are unable to notice breaches.

After all that happened lately to Sony they might learn from it and soon be the ones with the most secure network... Maybe not.

Re:breach (0)

Anonymous Coward | more than 2 years ago | (#36792262)

After all that happened lately to Sony they might learn from it and soon be the ones with the most secure network... Maybe not.

This is Sony we're talking about here. They probably changed a few passwords and called it good...

Re:breach (2)

Teun (17872) | more than 2 years ago | (#36791800)

About 1), yes there is a requirement for data retention on connections, in other words the content or body of the message is not exposed.

When an EU authority, including national authorities, wants access this is generally recorded and can later be questioned for legality.
Illegally obtained evidence is in most EU nations not admissible.
Where 'generally' and 'most' are written there is room for more EU rulings to level the playing field.

2), read TFA.
3), no, dissolve the business involved but first fine them into bankruptcy.

Re:breach (1)

AmiMoJo (196126) | more than 2 years ago | (#36793248)

no, dissolve the business involved but first fine them into bankruptcy.

Bankruptcy should not be an excuse to avoid paying fines either. Andrew Crossley of ACS:Law escaped a £200,000+ fine for loss of extremely private data by simply claiming to be insolvent. If you are a criminal ordered to pay reparations you don't get off simply by having no money; we wait until you do have money or just start selling off your stuff at auction.

Re:breach (1)

drinkypoo (153816) | more than 2 years ago | (#36791866)

A good idea except (3), which is awful; they can just invent breaches that don't even exist as an excuse to terminate a contract. Take that one back to the drawing board, and smoke it.

Re:breach (2)

LittleBobbyTables (2296754) | more than 2 years ago | (#36792084)

Your paranoia is a little far-reaching here... sure, a company is welcome to try that tactic, but not without tarnishing their image. Try and repeat it enough times on a small scale, or even once on a large enough scale, and there will be backlash, as it will not be a smart choice to go with a company who is constantly under-secured, resulting in breaches and customer data loss. Just look at the whole Sony fiasco, er, 17+ Sony fiascos rather... They were lucky to have a customer base on PS3 that are so ADD they can't remember why they shouldn't trust the company, or they're too young/ignorant to care about that kind of thing. Sony's biggest mistake though was in not disclosing the data breach to their customer base for a week after it had occurred... enough time for card traders and criminals to make use of that stolen data, and what could have alternatively been time PSN users could have used to cancel their credit cards and start monitoring their identities. Sony blatantly disregarded their loyal customers and should feel lucky the data was not extensively used (yet) for identity theft, etc...

Re:breach (1)

drinkypoo (153816) | more than 2 years ago | (#36792462)

Your paranoia is a little far-reaching here...sure a company is welcome to try that tactic but not without tarnishing their image.

Your paranoia is a little short-reaching here... I'm talking about actions by government, not the corporations, although it's true that the two do regularly work together to fuck the populace out of their rights and money.

Security is NOT an issue with The Cloud. (2, Funny)

Anonymous Coward | more than 2 years ago | (#36791928)

Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

Re:Security is NOT an issue with The Cloud. (1)

Harodotus (680139) | more than 2 years ago | (#36791966)

At the risk of admitting to being "whoooshed", I have to wonder if this is sarcasm?

It's wrong in so many ways, I can't even begin to start.

Re:Security is NOT an issue with The Cloud. (1)

cyber-vandal (148830) | more than 2 years ago | (#36792198)

It is sarcasm but still believable. The gullibility of IT-illiterate decision makers when schmoozed by weasels in Armani suits is the stuff of legends. The scariest words you'll ever hear in IT are "that will take too long, we'll buy a package". Run away screaming the second the words are uttered.

Re:Security is NOT an issue with The Cloud. (0)

Anonymous Coward | more than 2 years ago | (#36792404)

Don't worry, there is no risk at all.

Re:Security is NOT an issue with The Cloud. (0)

Anonymous Coward | more than 2 years ago | (#36792282)

Great, who told the boss about /.???

Re:Security is NOT an issue with The Cloud. (1)

NSN A392-99-964-5927 (1559367) | more than 2 years ago | (#36792330)

I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

Do you work for a Cloud company? Those will be your famous last words. You seriously need to look at the bigger picture here. How funny will it be when your medical records end up as a bit-torrent? News of the World have been hammered and Murdoch to which I welcome.

Police corruption is rife and Cloud computing is spy-ware. Yes it will be hacked.

My name is Famous Anus

Re:Security is NOT an issue with The Cloud. (0)

Anonymous Coward | more than 2 years ago | (#36796516)

I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

Do you work for a Cloud company? Those will be your famous last words. You seriously need to look at the bigger picture here. How funny will it be when your medical records end up as a bit-torrent? News of the World have been hammered and Murdoch to which I welcome.

Police corruption is rife and Cloud computing is spy-ware. Yes it will be hacked.

My name is Famous Anus

whoosh!

Re:breach (3, Informative)

jonbryce (703250) | more than 2 years ago | (#36792064)

Certainly in the UK, the government has had to notify data breaches in the past. The Department of Work and Pensions is one recent example.

People doing business in the EU have to either store data in the EU, or store it under "safe harbour" provisions which guarantee the same standards as in the EU.

So boxes 1 and 2 are already ticked.

Re:breach (1)

Teun (17872) | more than 2 years ago | (#36792676)

Just a pity the Safe Harbour provisions are according to those in the know a completely unenforceable dead letter, google it!

Re:breach (1)

KDR_11k (778916) | more than 2 years ago | (#36793882)

(2) is already covered more harshly, you can't even export that information if you cannot guarantee that it will be protected up to EU standard wherever you bring it.

Rule 1: (0)

Anonymous Coward | more than 2 years ago | (#36791706)

Let me guess:
Rule 1: Giving governments access to the data does not count as leaking.
Rule 2: If a government leaks the data, it's nobody's fault.

Does that include 3-letter agencies? (2)

Teun (17872) | more than 2 years ago | (#36791716)

Now that The Cloud and US-based have been excluded as excuses to not report breaches of EU citizens' data, I wonder about the requirements and feasibility of reporting access by the notorious 3-letter agencies that seem to roam wild in the USofA...

I don't hold my breath.

About who does what (3, Interesting)

Psicopatico (1005433) | more than 2 years ago | (#36791798)

I think it's worth remembering two things:
1) the European Commission (EUC) is not a decisional power. Its statements are considered as mere advice by the Parliament, if considered at all.
2) the same Parliament is not a Sovereign Government (think of the Federal Government). But still members' legislators have ten years (IIRC) to comply or face fines.

Re:About who does what (1)

Anonymous Coward | more than 2 years ago | (#36791872)

While you are right on point 2 (the EU is not sovereign), I disagree on point 1.

The EU parliament has to vote on some, but not all, laws and is generally there to be seen as democratic rather than actually doing anything terribly important. The EU commission is somewhere between a 'civil service' where the highest ranking officials from each department discuss and decide what should be done (note that each country sends about 1 commissioner depending on their size, and commissioners also represent their home country, to some extent). The real executive body in the EU is the council, made up of the heads of state of each member state; and they are the ones that make the main decisions. Generally, they listen to the commission's proposals, haggle over them, and then adopt them.

So basically, the parliament is a talking shop, the commission is the smaller half of the executive and is 'political', the Council is the larger half of the executive and is 'diplomatic'.

Central Channel for Notifications (2)

Fractal Dice (696349) | more than 2 years ago | (#36792338)

Please remember when designing these rules that as soon as people have been trained to react to notifications of a privacy breach, scammers will begin sending fake notifications as a phishing hook.

Horizontal v. vertical (3, Informative)

Neil_Brown (1568845) | more than 2 years ago | (#36792932)

The approach outlined here seems very reasonable to me. Personal data breach legislation was rushed into the reform package for telecommunications services in Europe, because it was better than waiting for the review of the data protection directive, where it properly sits. However, it means that regulation is vertical - affecting only telecoms service provision - rather than horizontal, which would affect all providers. Since directive 95/46/EC [europa.eu] - on data protection - is horizontal, it would make sense to insert the provisions into that directive, and remove them from directive 2002/58/EC [europa.eu] - the directive of privacy and electronic communications.

For those who care, the measures are contained within directive 2009/136/EC [europa.eu] (the relevant measures here are in Art. 2), but are amendments to Art. 4 of ePrivacy directive (above). However, as befits a directive forming part of the telecommunications package, the subject of the regulation are "provider[s] of a publicly available electronic communications service".

"Electronic communications service" is defined in Art. 2 of directive 2002/18/EC [europa.eu], as:

"a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks"

I highlighted the reference to information society services, since this represents a substantial carve-out - this means that websites or online services which gather personal data, and which might suffer from data breaches, are not within the scope of the breach notification. When play.com suffered a breach, for example, it was not obliged under the breach notification to make any statement. It strikes me as odd - although understandable, given the context - that website operators, which are likely to generate huge swathes of personal data, should not be within scope. Something which a change from vertical regulation to horizontal regulation would hopefully remedy.

Re:Horizontal v. vertical (1)

countertrolling (1585477) | more than 2 years ago | (#36793610)

Vertical? Horizontal? Understandable, reasonable?? Ya right..

It's a bunch of circular gibberish designed as welfare for lawyers and bureaucrats who don't understand any of it either, but will make millions arguing about it in front of a guy who dresses funny, and might even wear one of those white wigs. I cannot for the life of me understand how we give these people any kind of credibility, much less actual authority. Ultimately we will devolve into the age of bureaucracy when nothing else is left.

Or maybe the joke just went over my head, again.. as your write-up there was pretty impressive :-)
