Friday, March 11, 2011

German Government Adopts Security Breach Notification Requirement in Telecommunications Act

On March 2, 2011, the German Federal government adopted a draft law
revising certain sector-specific data protection provisions in the
German Telecommunications Act. The draft law addresses the
implementation of data breach notification requirements in the
European e-Privacy Directive by introducing a breach notification
obligation for telecommunications companies.

According to the proposal, telecommunications companies must report
data breaches to the Federal Network Agency (the Bundesnetzagentur or
“BNetzA”) and the Federal Commissioner for Data Protection and
Freedom of Information. In the event the rights or protected
interests of subscribers or other persons are affected by the data
breach, such individuals also must be notified without undue delay.
Notification is not necessary, however, if the telecommunications
provider can demonstrate that it had in place a security plan to
protect the potentially affected personal data by appropriate
technical means, such as encryption. Notwithstanding this exception,
the BNetzA will have the authority to require any telecommunications
company to provide notification to individuals regardless of
information security protections in place at the time of the breach.

The law also contains detailed content requirements for the
notifications that must be sent to data subjects and the two
authorities. In addition, telecommunications companies will be
required to maintain records of data breaches in accordance with
specific provisions set forth in the law.

The revised data protection provisions also require providers of
location-based telecommunications services to send text messages
informing users whenever their mobile devices are being tracked based
on location.
