4.5.2 ePrivacy Directive
The ePrivacy Directive (2002/58/EC, hereafter ePD) was reviewed in 2009, as part of the reform of the regulatory framework on electronic communications, by the Citizens' Rights Directive (2009/136/EC).
Its Article 3, titled "Services concerned", states that it "shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices". The Directive therefore applies to communications providers and Internet service providers (ISPs) that process individuals' personal data, and not to information society services (e.g. SaaS providers) as such.
The Directive deals with the security of communications in Article 4 [26], whose first paragraph requires the provider of a publicly available electronic communications service to take "appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented". Its second paragraph adds that "(i)n case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved". In 2009, as mentioned, the ePD was amended by Directive 2009/136/EC, which modified Article 4: besides changing its heading (now "Security of processing"), it added paragraphs that clarify, on the one hand, the concepts of technical and organisational measures and of personal data breach and, on the other, the obligations that derive from them.
Paragraphs 3 and 4 of the amended Directive deal with data breach notification, obliging the provider of publicly available electronic communications services to notify a personal data breach to the competent national authority without undue delay; moreover, "(w)hen the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach" [27] [28]. The paragraph continues, however, with an exception: the provider is not required to notify individuals of a personal data breach if it "has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it" [29]. In practice this condition points to encryption of the affected data (or equivalent measures) whose keys were not themselves compromised; the burden of demonstrating this lies with the provider. The paragraph ends with a rather vague description of the content of the notification, both for individuals ("(t)he notification to the subscriber or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach") and for the competent authority ("(t)he notification to the competent national authority shall, in addition, describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach").
[26] Originally headed "Security"; since 2009, "Security of processing".
[27] Art. 4, par. 3 ePD as amended by Dir. 2009/136/EC.
[28] The same article empowers the national authority to require the provider to notify the subscribers and individuals concerned where it has not already done so: Art. 4, par. 3 ePD as amended by Dir. 2009/136/EC.
[29] Art. 4, par. 3 ePD as amended by Dir. 2009/136/EC.