Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on May 12, 2011



A week has gone by since Aruba users were inconvenienced by the damage to Aruba servers which caused the most serious blackout ever monitored on the Italian web. We would like to present a few thoughts here, also considering the upcoming adoption of Directive 2009/136/EC, which amends the 2002 e-privacy Directive.

The Aruba blackout was caused by a blaze at the Aruba server farm which happened on the night of the 28th of April and which lasted for approximately 11 hours. During that time more than 1 million registered domains and more than 5 million email accounts were unreachable.

For the entire morning of the 29th of April, no one who owned an Aruba email account or a website hosted on Aruba’s servers received any communication regarding the state of their data. The first company press communications were released around noon. Aruba users learned about the blaze through social networks and online magazines. At about 3.30 p.m. the damage, which had actually affected only a few generators, had been repaired and the network resumed normal service.

Fortunately, the Aruba incident provoked no destruction or damage to users’ data.

However, the scale of the event led many commentators to ponder the actual state of data protection guaranteed to individuals and companies by hosting providers.

From a normative standpoint this issue is of current interest. Directive 2009/136/EC, which must be adopted by Member States by the 25th of May 2011, deals with this question from the point of view of communication with subscribers in case of security or integrity incidents, threats or vulnerabilities.

Art. 2, amending Directive 2002/58/EC (Directive on privacy and electronic communications), adds paragraph 1-bis to Art. 4, which provides that “the appropriate technical and organizational measures to safeguard security of electronic communications services” shall at least “protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure and ensure the implementation of a security policy with respect to the processing of personal data.”

To this end, paragraph no. 3 has been inserted, which states that providers of publicly available electronic communication services are obliged to notify the competent national authority as well as their subscribers and other persons involved, in case a “personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual”.

New paragraph no. 4 also states that “the competent national authorities may adopt guidelines and where necessary issue instructions concerning the circumstances in which providers are required to notify personal data breaches, the format of such notification and the manner in which the notification is to be made. They shall also be able to audit whether providers have complied with their notification obligations under this paragraph, and shall impose appropriate sanctions in the event of a failure to do so.”

While waiting for the Directive to be adopted, clearly there are questions to be asked regarding the procedures and time scales companies will have to adhere to in order to fulfill their obligations of notification in case of events similar to the Aruba incident.


The deadline for adopting and publishing Directive 2009/136/EC is 25 May 2011. This Directive, inter alia, amends Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, the so-called e-privacy Directive.

The three major changes are the following:

1) Security Breach Notification

According to this principle, the provider of publicly available electronic communication services shall immediately notify violations to the competent national authority as well as directly to subscribers and other persons concerned. The notification must also indicate the measures recommended to mitigate the damage.

2) Cookies

In brief, consent will be needed in order to install cookies on users’ computers.

3) Unsolicited commercial communications

Prior subscriber consent is required in case of unsolicited commercial communication. In any event, if national legislation, as is now the case in Italy, in some cases permits the sending of commercial communications according to the opt-out system, which allows subscribers to express rejection, the Directive provides that Member States shall in any case use appropriate measures to ensure adequate protection.

