The Register has an article from Out-Law.com that begins:
New rules setting out the circumstances in which telecoms companies need to report personal data breaches, as well as the kind of information they need to share in those reports, have come into force.
The EU’s Regulation on the notification of personal data breaches (7-page/756KB PDF) applies to all providers of publicly available electronic communications services, such as internet service providers (ISPs) and other telecoms companies, and sets new rules on notifying both regulators and customers about personal data breaches.
Read more on The Register.
The notification to individuals provisions are similar to our old HIPAA standards, meaning that under the new rules, individuals have to be notified “without undue delay” if the entity’s risk assessment suggests that the breach is likely to have an adverse effect on the individuals’ privacy:
When assessing whether a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, account should be taken, in particular, of the nature and content of the personal data concerned, in particular where the data concerns financial information, such as credit card data and bank account details; special categories of data referred to in Article 8(1) of Directive 95/46/EC; and certain data specifically related to the provision of telephony or internet services, i.e. e-mail data, location data, internet log files, web browsing histories and itemised call lists.
As in U.S. laws, there are exemptions that permit delays in notification to individuals:
In exceptional circumstances, the provider should be permitted to delay the notification to the subscriber or individual, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach. In this context, exceptional circumstances may include criminal investigations, as well as other personal data breaches that are not tantamount to a serious crime but for which it may be appropriate to postpone notification. In any event, it should be for the competent national authority to assess, in each case and in the light of the circumstances, whether to agree to the postponement or require the notification.