ePrivacy: Security of Processing
Security of Processing [Art 4]
Rule: Providers of publicly available electronic communications services must implement appropriate technical and organizational security measures to safeguard their services.
Core Requirement
Article 4(1) requires service providers to take security measures:
- Appropriate to the risk presented
- Having regard to the state of the art
- Considering the cost of implementation
Security Obligations
| Obligation | Details | Citation |
|---|---|---|
| Access control | Personal data accessible only by authorized personnel for legally authorized purposes | Art 4(1)(a) |
| Data protection | Protect against accidental or unlawful destruction, accidental loss, alteration | Art 4(1)(b) |
| Prevent disclosure | Guard against unauthorized or unlawful storage, processing, access or disclosure | Art 4(1)(b) |
| Security policy | Implement security policy with respect to processing of personal data | Art 4(1)(c) |
Who Must Comply?
| Entity | Obligation |
|---|---|
| Service providers | Must take primary responsibility for security measures |
| Network providers | Must cooperate with service providers for network security |
Network Security Cooperation
Article 4(1) states that service providers must take security measures:
“if necessary in conjunction with the provider of the public communications network with respect to network security”
This means:
- Service providers and network providers must work together
- Security is a shared responsibility across the communications chain
- Both parties must ensure end-to-end protection
Risk-Based Approach
Security measures must be proportionate to:
- The nature of the risk
  - Higher risks require stronger measures
  - Consider likelihood and severity of security incidents
- State of the art
  - Use current best practices
  - Implement industry-standard security controls
  - Update measures as technology evolves
- Cost of implementation
  - Balance security with reasonable costs
  - Not an excuse to avoid necessary measures
  - Consider cost in context of risk
Notification of Security Breaches
Article 4(3) requires notification when a breach occurs:
Who notifies: Service provider
Who is notified:
- The subscriber or individual concerned
- National regulatory authority (where required)
What to notify:
- Nature of the breach
- Measures being taken to address it
- Any recommended actions for users
Practical Security Measures
Technical measures:
- Encryption of communications and data
- Secure authentication mechanisms
- Network segmentation and access controls
- Regular security testing and monitoring
- Intrusion detection systems
Organizational measures:
- Staff security training and vetting
- Documented security policies
- Incident response procedures
- Regular security audits
- Supplier security assessments
Relationship with GDPR
Article 4 applies specifically to electronic communications services. For matters not specifically covered:
- GDPR Article 32 (Security of processing) also applies
- Both instruments require appropriate technical and organizational measures
- ePrivacy provides sector-specific security obligations
Penalties
Member States must provide for enforcement:
- National penalties for non-compliance
- Regulatory powers to investigate breaches
- Orders to remedy security deficiencies
- Potential fines under national transposition