A week has gone by since Aruba users were inconvenienced by the damage to Aruba servers which caused the most serious blackout ever monitored on the Italian web. We would like to present a few thoughts here, also in view of the upcoming adoption of Directive 2009/136/EC, which amends the 2002 e-privacy Directive.
The Aruba blackout was caused by a blaze at the Aruba server farm which broke out on the night of 28 April and lasted for approximately 11 hours. During that time more than 1 million registered domains and more than 5 million email accounts were unreachable.
For the entire morning of 29 April, no one who owned an Aruba email account or a website hosted on Aruba’s servers received any communication regarding the state of their data. The first company press communications were released around noon; until then, Aruba users learned about the blaze through social networks and online magazines. At about 3.30 p.m. the damage, which had in fact affected only a few generators, had been repaired and the network resumed normal service.
Fortunately, the Aruba incident provoked no destruction or damage to users’ data.
However, the scale of the event led many commentators to reflect on the actual level of data protection that hosting providers guarantee to individuals and companies.
From a normative standpoint this issue is of current interest. Directive 2009/136/EC, which Member States must adopt by 25 May 2011, deals with this question from the point of view of communication with subscribers in the event of security or integrity incidents, threats or vulnerabilities.
Article 2 of the amending Directive inserts into Article 4 of Directive 2002/58/EC (the Directive on privacy and electronic communications) a new paragraph 1-bis, which provides that “the appropriate technical and organizational measures to safeguard security of electronic communications services” shall at least “protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure and ensure the implementation of a security policy with respect to the processing of personal data.”
To this end, a new paragraph 3 has been inserted, which obliges providers of publicly available electronic communications services to notify the competent national authority, as well as their subscribers and the other persons involved, where a “personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual”.
The new paragraph 4 also states that “the competent national authorities may adopt guidelines and where necessary issue instructions concerning the circumstances in which providers are required to notify personal data breaches, the format of such notification and the manner in which the notification is to be made. They shall also be able to audit whether providers have complied with their notification obligations under this paragraph, and shall impose appropriate sanctions in the event of a failure to do so.”
While the Directive’s adoption is awaited, there are clearly questions to be asked about the procedures and time scales that companies will have to adhere to in order to fulfil their notification obligations in the event of incidents similar to the Aruba blackout.