FROM RAISING BARRIERS TO RAISING ALARMS: A review of Data Breach notifications in the context of Information Security Provisions

Abstract

Directive 2009/136/EC required the implementation of a personal data breach notification regime. This notification complements the already existing information security provisions. The traditional function of information security is to prevent unauthorized access to or disclosure of personal data. As modern technology was adopted into the processing of personal data, the risks inherent to such technology came to threaten the personal data being processed. Responsibility was placed on controllers and processors, but as data breaches became more commonly related to identity theft cases, other measures were necessary to prevent a controller from remaining silent when affected by a breach. California was the first jurisdiction to implement a mandatory regime of personal data breach notifications. In Europe, Spain and Germany implemented such notifications before the reforms to the E-Privacy Directive were adopted. As of this date, personal data breach notification provisions are mandatory throughout the territory of the EU. The main function of these notifications is to give notice to data subjects of a data breach that has affected, or is believed to have affected, their personal data. Providers of publicly available electronic communication services in the telecommunications sector are the only controllers obligated to notify both the National Data Protection Authorities and the data subjects. The present thesis reviews these provisions and analyses them in the context of the information security measures provisions. It discusses the threshold for appropriateness and elaborates on the traditional function of information security: to prevent unlawful access to or disclosure of personal information. Since the model of the notification provision resembles the one applied in California, reference will be made to this framework. The national provisions in Germany, Ireland, the United Kingdom and Spain will also be taken as references to compare the different approaches that member states have taken to implement the reforms that introduced the notification regime. Finally, notes to consider for future reforms will be presented.

NORA - Norwegian Open Research Archives

Last time updated on 19/04/2016

This paper was published in NORA - Norwegian Open Research Archives.
