RD358 - ETNO Reflection Document - Response to the public consultation on the ePrivacy Directive: circumstances, procedures and formats for personal data breach notifications

Data breach notification systems must remain valuable for end-users and excessive notifications, without due cause, must be avoided. “Undue delay” in notification to individuals should be the shortest period possible but it may not be appropriate to define a specific timeframe in legislation. Standardized notification forms may be useful when notifying authorities. However, flexibility around communicating with subscribers/individuals should be allowed.Executive Summary:

Data breach notification systems must remain valuable for end-users and excessive notifications, without due cause, must be avoided. “Undue delay” in notification to individuals should be the shortest period possible but it may not be appropriate to define a specific timeframe in legislation. Standardized notification forms may be useful when notifying authorities. However, flexibility around communicating with subscribers/individuals should be allowed.



Executive Summary:

  • Data breach notification systems must remain valuable for end-users and excessive notifications, without due cause, must be avoided. It is important that end-users do not lose confidence in telecommunication services.
  • “Undue delay” in notification to individuals should be the shortest period possible but it may not be appropriate to define a specific timeframe in legislation. Notification of an incident to national authorities can, however, occur at the early stage of the process.
  • Standardized notification forms may be useful when notifying authorities. However, flexibility around communicating with subscribers/individuals should be allowed as there are differences according to the type of emergency, technical complexity and the number of persons to be contacted.