The European Data Protection Supervisor (EDPS) issued, on 27 September 2012, an Opinion on the European Commission's proposal for an Electronic Trust Services Regulation. The proposed Regulation – adopted on 4 July 2012 by the European Commission – amends Directive 1999/93/EC on electronic signatures and aims to provide a coherent framework for the mutual recognition of e-identification and authentication. The EDPS welcomed the Regulation, but stated that, among other things, the mandatory data breach obligations imposed on electronic trust service providers should be clarified.
Under Article 15(2) of the proposed Regulation, trust service providers would, 'without undue delay and where feasible not later than 24 hours', have to notify the competent authorities and other relevant third parties of 'any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein.' The EDPS welcomed the inclusion of provisions on data breaches in the proposed Regulation, but raised concerns that there is no definition of 'breach of security' or 'loss of integrity' and no clarification of what 'a significant impact' would mean.
© 2013 Cecile Park Publishing Ltd. All rights reserved
The EDPS called for the notion of data breach to be defined more precisely in the proposed Regulation and recommended that the mandatory data breach obligations imposed on electronic trust service providers 'should be consistent with the requirements established in the revised e-privacy Directive and in the proposed data protection Regulation'.
The EDPS also recommended that the proposal establish appropriate mechanisms to set a framework for the interoperability of national identification schemes.
Hustinx said: "A high level of data protection is essential for the use of electronic identification schemes and trust services. The development and use of such electronic means must rely upon the adequate processing of personal data by trust service providers and electronic identity issuers. This is all the more important as such processing will be relied upon, amongst other things, for identifying and authenticating natural (or legal) persons in the most reliable manner."
Under the Regulation, 'trust service' means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals.