The Italian DPA (Garante) has issued, following a public consultation, a decision that defines in detail the obligations for telephone companies and Internet service providers regarding possible cases of data breach, according to the relevant provisions contained in the Italian privacy law and in the European Directive 2002/58/EC.
Directive 2002/58/EC, otherwise known as the e-Privacy Directive, specifically applies to publicly available electronic communication services and complements the more general provisions of Directive 95/46/EC, the so-called Data Protection Directive. In brief, according to Article 4 of the e-Privacy Directive, as amended in 2009, the provider of publicly available electronic communications services shall notify the competent national DPA in the case of personal data breach without undue delay. In the most serious cases, the provider shall also notify the subscribers or other individuals likely to be adversely affected by the data breach. Providers shall also maintain an inventory of occurred personal data breaches to allow the DPA to assess the compliance with their obligations. Finally, the competent national DPA may adopt guidelines and issue instructions to the providers. These provisions were transposed in the Italian Data Protection Code (legislative decree No. 196/2003) with amendments introduced last year.
In this context, the Garante’s decision aims at providing indications and instructions on how to comply with the new obligations.
According to the Italian Data Protection Code, a personal data breach is “a security breach leading, accidentally or not, to the destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed in the context of the provision of a publicly available communications service.” This definition is wide, but it contains a few elements that permit to limit the scope of the new provisions. In particular, it clarifies that they apply to providers of publicly available electronic communication services and only in relation to the provision of such services, e.g. a telephone line or Internet access. This means that if the breach concerns data processed by the provider for other reasons, such as personnel management or accounting, the obligations do not apply. Besides, the scope of application of this provision does not include, for instance, entities directly offering electronic communication services to limited groups of individuals, e.g. public or private bodies that make use of telephone switching systems within a private enterprise (PABX), managers of Internet websites publishing contents on the ‘Net, so-called "content providers," search engines and all other entities that do not provide electronic communication services to the public. Conversely, mobile payment services, carried out through smartphones, etc., are explicitly included in the scope of the provision.
Providers must notify the Garante of every data breach incurred within 24 hours of its detection. If all the information required is not immediately available, providers must send a second, more detailed communication to the authority within three days from the first one. In order to comply with this obligation, the provider must fill in a questionnaire available on the Garante’s website. The information required includes a brief description of the data breach, date and place of the event, nature of the compromised data, estimated number of individuals involved, security measures that were applied to the compromised data, mitigating measures adopted by the provider, content and modalities of the communication to the customers where needed, etc.
Furthermore, providers must notify the customers or other persons involved within three days from the detection of the data breach, only when the accident is likely to adversely affect their personal data or privacy. Such communication is not required as far as the provider demonstrates to the Garante that it has implemented appropriate technological measures that render the data concerned by the breach unintelligible to any unauthorized person. To this end, the Garante suggests that providers shall carry out a structured risk assessment in order to identify and adopt the security measures needed to mitigate the possible effects of a data breach. Among these measures, the Garante points out that providers should delete or anonymize personal data when they are no more necessary for the purposes for which they were collected and processed; protect the data with the help of encryption or anonymization technologies, and pay particular attention to mobile devices, in view of the fact that, very often, security breaches involve mobile devices used by employees or suppliers outside the premises of the providers.
Whenever part of the electronic communication services have been outsourced to a different supplier/subcontractor, in case of personal data breach, the latter shall inform—within 24 hours—the service provider that has the direct contractual relationship with the subscribers in order to allow it to carry out its obligations.
The Garante acknowledges the difficulties concerning the assessment of the possible adverse effects of the data breach that shall be carried out by the provider in order to determine whether the communication to customers or other involved persons is required or not. In order to facilitate this task, the Garante suggested that the providers should consider the following parameters:
- security controls and measures that protect the affected data, e.g. encryption,
- nature of the compromised data, e.g. password or other identification credentials, telephone traffic data, etc.,
- circumstances of the event, e.g. unauthorized access, data loss or destruction, etc.,
- possibility of identifying the data subjects, e.g. in the case of a breach of multiple data sets concerning the same individual, and
- relevance and up-to-dateness of the compromised data.
Providers shall keep an updated inventory of personal data breaches including the circumstances of the breach, its consequences and the measures adopted to remedy the breach in such a way as to enable the Garante to assess the compliance with the above mentioned provisions.
A fine of up to 100,000 euros is provided for failing to notify the Garante in case of data breach, and a fine up to 1,000 euros, per individual involved, for failing to communicate, where needed, the event to the customer or other persons. These administrative sanctions may be increased up to four times if they may prove ineffective on account of the provider’s economic status.