Günther Leissler and Veronika Wolfbauer explain:
The European regulatory framework on electronic communications obliges providers of public electronic communications services to notify personal data breaches to their national authorities.(1) However, the European Commission recently found a lack of harmonisation among member states in this respect, and exercised its power to issue technical implementing measures on the notification obligations by publishing EU Regulation 611/2013.(2) This directly applicable and fully binding regulation will enter into force on August 25 2013.
New regulation
The new regulation applies to all providers of public electronic communication services. If a provider detects a personal data breach it must notify the competent national authority of this breach within 24 hours.(3) This can put the provider under undue pressure, as it can be hard to meet this deadline when the attending circumstances are taken into account. However, the regulation provides a loophole by stating that the notification must occur within 24 hours “where feasible”. Therefore, in cases in which a provider cannot provide all information about the incident within this timeframe, the regulation permits it to file only an initial (but still comprehensive) notification within 24 hours. Within three days of this initial notification, the provider must provide a second set of information which gives further details about the data breach.
Read more on International Law Office (free sub. required)