Directive 2002/58/EC concerns the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive). As amended by Directive 2009/136/EC, it obliges providers of publicly available electronic communications services to notify personal data breaches to the competent national authority and, where the breach is likely to adversely affect them, to the subscribers or individuals concerned. Some European countries already impose a much broader breach notification obligation, or cover more categories of data controllers. At EU level, such a general obligation is introduced by the General Data Protection Regulation (Articles 33 and 34), which applies from 25 May 2018.
This section looks at how the obligation was implemented in national law, what sanctions the Data Protection Authorities may apply, and how such breaches are covered by the DPAs and the media.
Each country entry below records: the scope of the notification obligation (all data controllers or only some categories); whether the obligation is included in the national ePrivacy law; the competent authority that receives breach notifications; the sanctions for data breaches; and major data breaches published by the DPA or the media.
Austria
Scope: Any provider of public services.
In national ePrivacy law: Yes (Telekommunikationsgesetz - TKG).
Competent authority: RTR – Rundfunk und Telekom Regulierungs GmbH.
Sanctions: None.
Major breaches: Some data breaches are listed on an external website.
Bulgaria
Scope: Providers of electronic communications networks or services only.
In national ePrivacy law: Yes. Electronic Communications Act (Article 243b) and Commission Regulation (EU) 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
Competent authority: Communications Regulation Commission (under the Electronic Communications Act); Commission for Personal Data Protection (under Commission Regulation (EU) 611/2013).
Notification of individuals: "Where the provider having a direct contractual relationship with the end user, despite having made reasonable efforts, is unable to identify within a reasonable timeframe all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media, in the relevant Member States, within that timeframe." (Article 3, para 7 of Commission Regulation (EU) 611/2013)
Sanctions: Publication only if the DPA decides so; fines only for failure to implement the required security standards. Fines of 1,000 – 10,000 EUR (Article 327, para 3 of the Electronic Communications Act).
Major breaches: The personal data of more than 10,000 students, their parents and teachers were leaked on the Internet in December 2017. The data contained their names, addresses, personal identification numbers and mobile telephone numbers. The school's information system was most probably hacked.
Czech Republic
Competent authority: The Office for Personal Data Protection (OPDP).
Notification of individuals: Immediate direct notice to the aggrieved parties. The OPDP can steer and set conditions for publishing such a notice. Voluntary publication in national media where the data operator cannot determine who may be endangered by the breach.
Sanctions: 100,000 – 10,000,000 CZK. No provision regarding publication of reported breaches in the media. Government CERT can issue a
Fines only for failure to implement the security standards or conditions defined by the law; fine of 100,000 CZK.
Major breaches: Over 1.2 million customer records at T-Mobile Czech Republic were stolen by one of its employees in 2016. The Czech DPA imposed a fine of 3.6 million CZK (130,000 EUR).
A security bug in the Internet banking of the pension savings section gave access to the personal data of all clients.
France
Scope: Only concerns public ISPs as defined in Article L 33-1 of the Code on Postal and Electronic Communications.
In national law: Article 34bis of Law 78-17 of 6 January 1978.
Competent authority: CNIL (French Data Protection Authority).
Procedure: The CNIL investigates breach notifications and assesses the gravity of the violation, whether the persons concerned were adequately informed, and whether appropriate technical measures were in place prior to the violation. The CNIL may order the provider to inform the persons concerned if this has not been done properly.
Sanctions: Penal sanctions under Articles 226-16 to 226-34 of the Penal Code.
The French Digital Republic Bill significantly increases the maximum fines for violations of the French Data Protection Act. The CNIL can immediately impose a fine of up to €3 million (previously fines could not exceed €150,000) until the GDPR becomes applicable. Once the GDPR applies, the Bill states that the CNIL will be entitled to exercise the full scope of sanctions prescribed by the GDPR (fines of up to, as the case may be, (1) €10 million or 2 percent of annual worldwide turnover, or (2) €20 million or 4 percent of annual worldwide turnover).
Germany
In national law: § 42a BDSG; § 15a TMG; § 109a TKG.
Competent authority: Federal Commissioner for Data Protection; the 16 Commissioners for Data Protection of the federal states; Federal Network Agency (for telecommunication services, together with the Federal Commissioner).
Sanctions: Notification to the DPA and to customers is required; if the notification is missing, fines of up to 300,000 € can be imposed.
Major breaches:
The IT systems of the German Bundestag were targeted by hackers. However, there is no information on whether any computers containing sensitive information were penetrated.
A tester was able to access health data held by Barmer GEK (Germany's second biggest health insurer) about a third person by faking his identity, using the person's name, date of birth and insurance identification number in a phone call to the Barmer GEK hotline. As a consequence, data protection authorities announced that they want to review the authentication procedure for phone calls with insurance companies.
Aerticket AG, a Berlin-based company selling approximately 3.5 million flight tickets per year, disclosed a data breach: information on tickets, names and addresses of customers, and payment information was accessible on the Internet without much effort. According to Aerticket, about 1.5 million bookings per year were affected. However, there is no indication so far that the flaw was exploited by criminals.
A database of mitfahrgelegenheit.de – a ridesharing community – was copied by an unknown person. The dataset consisted of 638,000 IBANs and bank account numbers, 101,000 email addresses and 15,000 mobile phone numbers. In some cases, name and address data of former users were included as well.
Due to a data breach in a Deutsche Telekom cloud service, address book data of customers (i.e. contact details) was displayed in the address books of other users. The service is used by 2,300 customers, of whom approximately 1,200 were affected.
A non-official list of data breaches, including small incidents can be found here.
Italy
Scope: Notification to the Data Protection Authority is required for all data breaches involving electronic communication services (and not, for example, content providers). The Authority issued guidelines for the implementation of the ePrivacy Directive and a model for breach notifications. On 26 April 2013 the Authority established that all telecommunication companies and Internet providers are obliged to inform their users without delay in case of a breach of their personal data.
In national law: The amended ePrivacy Directive was transposed in Italy by Legislative Decree 69 of 28 May 2012, which made several changes to the Italian Data Protection Code to adapt it to the Internet environment. One of the most important changes is the introduction of the definition of "personal data breach" as a "security breach leading, accidentally or not, to the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in the context of the provision of a publicly available communications service" (art. 3, g-bis). The regulation adopted on 4 April 2013 imposes duties on electronic communication services to provide adequate technical and organisational measures to guarantee data security. In June 2013 Italy adopted the provisions of Commission Regulation (EU) 611/2013.
Competent authority: Autorità Garante per la protezione dei dati personali (National Data Protection Authority). For the enforcement of the Code, the Authority cooperates with a special unit of the Police and of the Guardia di Finanza.
Sanctions: Failure or delay in notifying a personal data breach to the Italian DPA is sanctioned with a fine of between €25,000 and €150,000. Failure or delay in notifying a personal data breach to the contractor or other individuals is sanctioned with a fine of between €150 and €1,000 for each contractor or individual.
A provider's failure to keep an inventory of personal data breaches can be sanctioned with a fine of between €20,000 and €120,000. Provision of untrue information, or submission of untrue records or documents, in connection with a breach notification to the Italian DPA is punished with imprisonment from six months to three years.
Major breaches: During 2013 the Authority received around 20 data breach communications from the main electronic communication providers. One of these breaches involved around 250,000 users of a social network that was compromised in a hacker attack.
Malta
In national ePrivacy law: Yes. S.L. 440.01 Processing of Personal Data (Electronic Communications Sector) Regulations.
Competent authority: Information and Data Protection Commissioner.
Sanctions: Failure to comply with any of the regulations in S.L. 440.01 carries a maximum penalty of EUR 23,293.73 for each violation.
Netherlands
Scope: Effective 1 January 2016, Dutch data protection law requires organisations to notify the Dutch Data Protection Authority within 72 hours of "a breach of security [...] which results in a significant chance of severe detrimental effects or has severe detrimental effects for the protection of the private life". The data subject must also be informed if "the breach probably will result in adverse effects on their private life". These obligations only apply if the Dutch Data Protection Act applies, for instance where a Dutch entity is the data controller.
In national law: Yes. Article 34a, introduced into the Wet Bescherming Persoonsgegevens by the Data Breach Notification Act, lays down the notification obligation.
The Dutch Data Protection Authority also published a consultation version of guidelines on breach notification. The document is non-binding.
Competent authority: The Dutch Data Protection Authority.
Sanctions: For relatively minor infringements, fines of up to 20,250 euro. For deliberate and repeated violations, fines of up to 810,000 euro. In certain circumstances, fines on legal entities of up to 10% of annual turnover for several privacy violations, including in relation to data breaches; for telecommunication companies, the maximum fine for violating the breach notification requirement is 450,000 euro.
Major breaches: Cheaptickets.nl suffered a data breach in 2011 in which the personal data of over 715,000 clients was leaked.
Romania
Scope: Only for some data processors.
In national ePrivacy law: Yes. Law no. 506/2004 on ePrivacy.
Competent authority: Romanian Data Protection Authority (ANSPDCP).
Major breaches: Approximately 10,000 records lost on 31.03.2014.
Spain
Scope: No (research in progress).
Competent authority: Spanish Data Protection Agency (AGPD).
Sanctions: Fines of 60,000 € – 600,000 €.
Major breaches: None specific to data breaches.
Switzerland
Not applicable.
United Kingdom
The UK is also responding to the EU Network and Information Security (NIS) Directive, which requires operators of essential services and digital service providers to notify significant security incidents to the competent authority.
In national law: Yes. Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations (PECR).
Competent authority: Information Commissioner's Office (ICO).
Sanctions: Fines of up to £500,000.
Major breaches: On 5 October 2016, the ICO issued a Monetary Penalty Notice imposing a £400,000 fine on TalkTalk Telecom Group PLC ("TalkTalk") in respect of a data breach affecting over 156,000 customers whose personal data was stolen, including over 15,000 customers whose bank account details were also taken.
The ICO lists ten significant cases.
Last updated 28 February 2018.
Suggestions? Corrections? Additions? Please send us an email at observatory (at) mappingtheinternet (dot) eu. Or suggest via this webform.