On 23 October 2009 the European Data Protection Supervisor (EDPS) and the European Network and Information Security Agency (ENISA) organised a seminar on security breaches. The three sessions focussed on the prevention, the management and the reporting of data breaches.
The background to this seminar was the upcoming reform of the ePrivacy Directive (2002/58), which requires telecommunication providers to give notice of security breaches involving personal data. EDRi was invited to present its positions on this topic.
From a data subject's point of view, data breach notifications are not only an important instrument to mitigate the risk of identity theft or other criminal uses of leaked data. Since active identity management is becoming more and more important in the information society (everybody does some kind of "identity management", e.g. by keeping private and professional information separate), it is also increasingly important to know who has access to which personal information and which information has become public - either on purpose or through accidental security breaches.
Data breaches therefore cause not only financial risks but also a risk to one's identity management and - as the German Constitutional Court defined it about 25 years ago - one's right to informational self-determination.
Therefore several safeguards are necessary to reduce the risk of data breaches occurring. Data controllers should conduct risk assessments to identify potential threats to the data they process and the negative effects such a breach would cause, not only for the controllers but also for the data subjects. Based on this assessment they should improve data security through technical and organisational measures, and especially by focusing on data minimisation and the use of privacy enhancing technologies.
Based on the risk assessment, guidelines should be developed on how to respond to data breaches, both as a data controller and as a data subject. This helps to ensure that data controllers and affected individuals can respond effectively to a given data breach event and have at hand all the information needed to minimise its negative effects.
Mandatory data breach notifications for telecommunication providers are an important first step to address an important problem. Similar obligations need to be implemented soon for all other sectors - public and private - and businesses.
Stakeholders discuss how to respond to data breaches at EDPS-ENISA seminar
(26.10.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...
Data breach notification: Requirements from a Civil society perspective
(23.10.2009)
http://www.edri.org/docs/Krisch_data_breach_notification_20091023.pdf
EDRi-gram: EDPS endorses data breach notification provision in ePrivacy Directive (28.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification
(Contribution from Andreas Krisch - EDRi)