1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Data leaks

July 18, 2011

With news about data leaks surfacing on a regular basis, the European Union is considering a set of 'practical rules' governing how they should be handled. Experts say transparency is necessary when leaks happen.

Neelie Kroes
Neelie Kroes wants an EU-wide data breach notification standardImage: AP

The European Commission is considering a set of "practical rules" to govern companies' behavior in the case of a data breach.

The announcement comes in the wake of a series of high-profile data breaches, including Sony's announcement in April that the personal information of 78 million PlayStation users was stolen.

The rules, which were outlined in Brussels last Thursday, would specify the procedures and format for notifications. Until the early September deadline, the European Commission is seeking input from the public and from sources including national data protection authorities and consumer organizations.

According to Neelie Kroes, the EU's digital agenda commissioner, a section of the EU's new telecoms rules came into force in May requiring companies to notify consumers and national data protection authorities of data breaches. But additional rules could ensure consistency throughout EU member nations, she added.

"The duty to notify data breaches is an important part of the new EU telecoms rules," she said in a statement last week. "But we need consistency across the EU so businesses don't have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses."

Viktor Mayer-Schönberger
Viktor Mayer-Schönberger agrees with this move by the European UnionImage: picture-alliance/Frank May

Breaches likely a fixture

Experts say data breaches will likely be an increasing problem as private companies gather store ever-more personal data.

Joe McNamee, the head of European Digital Rights, said in an e-mail sent to Deutsche Welle that "clear and predictable" rules and "legal certainty" transcending European borders is vital. Companies need to have contingency plans in case of data breaches, he added.

"It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security," he noted.

McNamee added that companies need "compelling reasons to minimize the data they collect and maximize their internal security."

Similarly, Viktor Mayer-Schönberger, a professor at the Oxford Internet Institute, notification requirements have acted "as incentives for the private sector to implement more stringent data security and data privacy structures and processes in their organizations" in other locations, including the United States.

"Private companies must see data breach as clear risk exposure – and as with all risks need to adopt a two-prong approach: to take measures to reduce the likelihood of data breach occurring, and to put in place measures to mitigate the damage should a data breach happen," he also wrote to Deutsche Welle by e-mail. "The recent Sony PlayStation 3 disaster shows that private sector companies often lack both."

Sony's PlayStation 3
Sony's PlayStation 3 data breach was the most dramatic of many recent breachesImage: AP

While laws regarding data privacy differ in various EU countries, Mayer-Schönberger added it is important for protocol regulating data breaches to be harmonized throughout Europe. That would make it easier "for consumers to understand and comprehend what is happening," he said.

Opinions diverge

But not all experts agree that this type of notification will actually be effective.

Thomas Hoeren, head of the University of Münster's Institute for Information, Telecommunication and Media Law, said that requiring companies to notify consumers of data breaches could cause a flood of notifications which citizens ignore.

"I see the danger that companies will publish any minor breach and the newspapers will be full of breach notifications which nobody is reading that any more," he wrote in an e-mail. "It is more important to have a notification duty in relation to the (national) data protection authorities."

Author: Gerhard Schneibel
Editor: Cyrus Farivar