TITLE OF THE INITIATIVE:
TYPE OF INITIATIVE: CWP / Non-CWP / Implementing act/Delegated
LEAD DG – RESPONSIBLE UNIT: INFSO B1
EXPECTED DATE OF ADOPTION: Q4 2011
VERSION OF ROADMAP: No. 2; last modification: 15.12.2010
This indicative roadmap is provided for information purposes only and is subject to change.
It does not prejudge the final decision of the Commission on whether this initiative will be pursued
or on its final content and structure.
A. Context, problem definition
(i) What is the political context of the initiative?
(ii) How does it relate to past and possible future initiatives, and to other EU policies?
(iii) What ex-post analysis of the existing policy has been carried out and what results are relevant for this
Article 4 of the ePrivacy Directive 2002/58/EC sets provisions regarding the security of processing of personal data by
providers of publicly available electronic communications services in the EU. It obliges providers to take appropriate
technical and organisational measures to safeguard the security of their services and to provide information to authorities,
subscribers and individuals on risks for users that cannot be addressed by the provider and on actual breaches of security
that put personal data at risk.
Article 4(5) of the ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC empowers the Commission to
adopt implementing measures concerning the circumstances, format and procedures applicable to the information and
notification requirements referred to in paragraphs 2 (providers to inform subscribers about particular risks of a breach of
security outside their control and possible remedies), 3 (notification of personal data breaches to competent authorities and
to subscribers and individuals whose personal data or privacy are likely to be adversely affected by the breach) and 4
(guidelines by national authorities, inventory of personal data breaches to be held by providers), according to the regulatory
procedure with parliamentary scrutiny (PRAC), in order to ensure consistency in the implementation of the respective
measures. The relevant committee is the Communications Committee established by Article 22 of the Framework Directive
2002/21/EC. Before adopting such measures, the Commission shall consult ENISA, the Article 29 Working Party on Data
Protection and the EDPS.
The technical implementing measures will build on the transposition of the revised framework by Member States, and they
will provide guidance to national regulatory authorities, who may in turn issue national guidelines and instructions. This
action is related to two activities under the Digital Agenda for Europe: on the one hand, it builds on the implementation of
the privacy-related provisions of the amended telecom framework; on the other hand, the technical implementing measures
will be developed in parallel to the legislative process on the review of the data protection directive, which may include
proposals for generally applicable breach notifications. This relationship reflects the fact that the technical implementing measures
are relevant for two objectives of the DAE, i.e. the Digital Single Market and Trust and Security.
What are the main problems which this initiative will address?
Practical procedures for personal data breach notifications across the MS shall be harmonised as far as possible in order to
create a level playing field for service providers and enable them to benefit from economies of scale in the single market.
The basic act provides a certain degree of harmonisation, but more detailed guidance must be provided and maintained. The
Commission is empowered by the amended Directive to perform this task.
Who will be affected by it?
Providers of electronic communications services, national authorities, subscribers and individuals concerned by breaches
(i) Is EU action justified on grounds of subsidiarity?
(ii) Why can Member States not achieve the objectives of the proposed action sufficiently by themselves?
(iii) Can the EU achieve the objectives better? (Test of EU Value Added)
(i) The subsidiarity principle was taken into account by the legislator. By empowering the Commission to adopt
implementing measures, the EU legislator recognized the need for harmonisation at EU level.
(ii) The provisions of the Directive set out the general principles for information and notification, but do not specify the
circumstances, format and procedures to be applied in detail. This takes account of the relatively rapid development of
technology and services in the sector and the need to be able to adapt the procedures more quickly than through the
legislative process. At the same time, it creates the need for more detailed guidance on these matters to ensure
harmonisation between MS. It is unlikely that without EU level guidance MS procedures would be harmonised. Already
existing provisions in some MS (e.g. FI and DE) differ in some relevant aspects. (In the US, where breach notifications are
regulated at state level, currently 46 different regimes exist.)
(iii) The Commission can obtain the necessary information about the technical and business conditions of operators in the
sector and the legal, administrative and economic conditions in the MS, which should provide the basis for its implementing
B. Objectives of the initiative
What are the main policy objectives?
The main objective of the provisions of Article 4 ePrivacy Directive is to ensure that providers of electronic communications
services take appropriate technical and organisational measures to safeguard the security of their services. The obligations to
inform subscribers about remaining particular risks and to notify authorities and those concerned by actual personal data
breaches serve as additional incentives for the providers to ensure that measures taken are indeed appropriate to the risks
presented, and further provide authorities and subscribers with a means to assess the quality of services provided with
respect to certain security aspects. Several recent cases of personal data breaches provide evidence that measures were not
adequate and that disclosure of breaches to entities concerned was considerably delayed, or that breaches were only
discovered as the result of investigations by third parties. Observing growing interest and pressure in MS to introduce data
breach notification obligations in the electronic communications sector, the review of the electronic communications
framework provided the opportunity to ensure that such an obligation can be harmonised at EU level. The Directive
provides a certain degree of harmonisation, but more detailed guidance will be needed to ensure that operating conditions are
not distorted. For that reason, the Commission is empowered to adopt technical implementing measures on format,
procedures and circumstances of the notifications.
Do the objectives imply developing EU policy in new areas?
The measures concern the implementation of existing EU policy.
C. Options
(i) What are the policy options being considered?
(ii) What legislative or 'soft law' instruments could be considered?
(iii) How do the options respect the proportionality principle?
The choice of policy instrument, i.e. Commission implementing measures, was taken by the legislator following the
Commission proposal for the amendment of the Directive and the accompanying impact assessment. Given that comitology
was introduced in this Directive for the first time, the provision was subject to considerable scrutiny in EP and Council.
The Commission implementing measures will provide guidance on the circumstances giving rise to the information and
notification requirements as well as on procedures to be followed and formats to be used in the event of a personal data
D. Initial assessment of impacts
What are the benefits and costs of each of the policy options?
As explained above, providers will benefit from harmonised conditions for breach notifications through simplification,
increased legal certainty and reduced operational costs, compared to a system of differing MS provisions. A harmonised set
of conditions will also simplify the work of national authorities when defining guidance on national level and its
enforcement and will simplify cooperation between authorities in cases with cross-border relevance. There is no indication
that harmonisation of application causes any additional costs compared to diverging national regimes.
The chosen option of Commission implementing measures provides the best impact in terms of harmonisation and
Could any or all of the options have significant impacts on (i) simplification, (ii) administrative burden and (iii) on
relations with other countries, (iv) implementation arrangements? And (v) could any be difficult to transpose for
certain Member States?
(i) (ii) Harmonisation of measures aims to simplify business operation of providers and reduce administrative burden by
avoiding the need to comply with different sets of rules.
(iii) No specific impact on relations with third countries is expected.
(iv) The objective of the measures is to simplify implementation arrangements through harmonisation.
(v) There is no indication that any MS would have difficulties in transposing the measures.
(i) Will an IA be carried out for this initiative and/or possible follow-up initiatives? (ii) When will the IA work
start? (iii) When will you set up the IA Steering Group and how often will it meet? (iv) What DGs will be invited?
(ii) Q1 2011; (iii) Q1 2011, possibly three times; (iv) JUST, LS, SG
(i) Is any of options likely to have impacts on the EU budget above €5m?
(ii) If so, will this IA serve also as an ex-ante evaluation, as required by the Financial regulation? If not, provide
information about the timing of the ex-ante evaluation.
E. Evidence base, planning of further work and consultation
(i) What information and data are already available? Will existing impact assessment and evaluation work be
(ii) What further information needs to be gathered, how will this be done (e.g. internally or by an external
contractor), and by when?
(iii) What is the timing for the procurement process & the contract for any external contracts that you are
planning (e.g. for analytical studies, information gathering, etc.)?
(iv) Is any particular communication or information activity foreseen? If so, what, and by when?
ENISA has performed research in the domain of breach notifications and will make results available in early 2011. Studies
on the functioning and effects of different forms of breach notifications schemes are available for the US, where such
notifications have already been in place for a while. Annually updated studies are available for the economic effects of
breaches in the US and the UK. Existing Eurobarometer and other surveys provide information about the attitude of citizens
towards breach notifications. Some aspects of notification schemes have been explored in studies for the IA of the original
legislative proposal to introduce breach notifications.
Further information will be collected by Commission services through consultation of MS authorities and stakeholders and
the entities explicitly referred to in the Directive. No specific procurement or communication activities are foreseen.
Which stakeholders & experts have been or will be consulted, how, and at what stage?
Initially, MS authorities will be consulted on existing or intended measures in MS. Stakeholders and the entities referred to
in the Directive will be consulted on the findings of this initial phase. The consultative EU entities will also be consulted on
draft measures, as well as MS and EP in the context of the comitology procedure.