The European Commission has proposed a data breach notification law that would force telecoms companies to tell customers when personal information has been lost. The requirement was one of several proposed changes to the Privacy and Electronic Communications Directive published last autumn.
The European Data Protection Supervisor (EDPS) has said that, if the proposal is designed to help prevent identity theft, it must be extended to include banks, businesses and others.
"While the EDPS is pleased with the security breach notification system … he would have favoured their application at a wider scale to include providers of information society services," said the EDPS's response. "This would mean that online banks, online businesses, online providers of health services etc would also be covered by the law."
"The reasons that justify imposing the security breach notification upon providers of public electronic communication services also exist regarding other organisations which also process massive amounts of personal data, the disclosure of which may be particularly harmful to data subjects," said his response.
"The compromise of information held by online banks and online business which may include not only bank account numbers but also credit card details may trigger identity theft, in which case it is essential for individuals to be made aware in order to take the necessary measures," said the EDPS.
