Under what circumstances would the telco rather than a service provider like an online bank be responsible for loss of personal data? What telco would be daft enough to place itself in a position under which the transfer of unencrypted data was attributable to the actions of the telco, itself, rather than the incompetence of its customers.
If my online bank facilitates the transfer of my personal data insecurely, how is that attributable to the telco? What is the telco supposed to do about it?
It feels very much as if the EU has at great expense solved a non-existent problem.