Information Society Services and Mandatory Data Breach Notifications: Introduction to Open Issues in the EU Framework

Author: Jelena Burnik
Position: MSc Communication Regulation and Policy, Information Commissioner of Slovenia
Pages: 126-137
2012
by Jelena Burnik, Slovenia
MSc Communication Regulation and Policy, Information Commissioner of Slovenia.*
© 2012 Jelena Burnik
Everybody may disseminate this article by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving.de/urn:nbn:de:0009-dppl-v3-en8 .
This article may also be used under the Creative Commons Attribution-ShareAlike 3.0 Unported License, available at http://creativecommons.org/licenses/by-sa/3.0/.
Recommended citation: Jelena Burnik, Information Society Services and Mandatory Data Breach Notifications: Introduction to Open Issues in the EU Framework, 3 (2012) JIPITEC 126, para. 1.
Keywords: Information society service providers, Data protection, Mandatory breach notification, EU data protection framework.
A. Introduction
1 In 2011 Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts from all over the world. This was one of the largest internet security break-ins resulting in a large scale personal data breach.1 Criticism over Sony’s response to the break-in accumula-

of their customers because it took a few days be-

that Sony did not allow them “to make an informed
decision as to whether to change credit card num-
Abstract: In 2011 Sony suffered an extensive breach in its online game network that led to the theft of account data of 77 million users from all over the world. This was one of the largest internet security break-ins that resulted in a large scale personal data breach. As an answer to numerous incidents of security breaches where personal data have been compromised, an instrument of mandatory data breach notification is currently being implemented in the European Union that follows the approach taken in the United States. The revised e-Privacy Directive and the fresh proposal for a General Data Protection Regulation both introduced a provision whereby the entity suffering a breach will have to notify the competent authorities of the breach. Many large online service providers operate globally, offering their services to users in different countries and processing users’ data in different locations, in the EU and wider. In case such a provider suffers a data breach, and on condition that European law applies to its operations, the provider will be obliged to report the data breach to the authorities and possibly to the injured individual users.

The paper presents the changes in the regulatory framework in the EU and tackles the question of how the new regulations on mandatory breach notifications will affect online service providers, especially the ones operating across borders. The paper presents the legal framework, assesses its implications and sheds light on the issues that will arise, in terms of applicable law, competencies of the national authorities and the rights of the injured individuals.
