In this two-part series, we’re exploring the byzantine breach notification laws governing two of the world’s largest economies: the United States and the European Union. If you missed Part 1, it covered U.S. laws.
PART 2: EUROPEAN UNION
As in the United States, organizations doing business in the European Union have to muddle through a mix of pan-European and member state-specific breach notification laws.
Member state laws
Member state laws vary by the type of personal data covered, what constitutes a breach, which organizations must notify, who must be notified, how quickly notification must happen, and the amount of fines.
For a CliffsNotes® interpretation, check out these two documents intended to help companies get through the maze. Keep in mind neither should be considered legal advice or binding, but they’re still extremely helpful.
- The Article 29 Data Protection Working Party’s Opinion, issued in 2014. It provides examples of cases in which affected individuals should be notified, and cases in which notification isn’t required.
- The 2015 International Compendium of Data Privacy Laws, a primer published by Baker & Hostetler, a law firm specializing in privacy and data protection. It provides a country-by-country look at privacy and breach notification requirements—not just for the EU, but also for most major countries.
Currently, the only pan-European breach notification law—EU Data Protection Directive 2002/58/EC—applies to communication providers.
- It requires providers to notify their national data protection authority (DPA) within 24 hours of breach discovery.
- Notification of affected individuals is less prescriptive. Providers are advised to “take into account the type of data compromised when assessing whether to notify subscribers and individuals,” and to notify “without undue delay.”
- There is a notification exemption to affected individuals if the data have been rendered unintelligible, often called the “encryption exemption.”
But a broader, single EU notification law is in the works—intended to replace the Data Protection Directive and the patchwork of member state laws. The EU Commission introduced the General Data Protection Regulation in 2012, and it’s now entering the last stages of ratification. A final version is expected at the end of this year, with implementation by 2017.
The new regulation, as it’s worded now, includes:
- A requirement that all entities—not just communication providers—notify of data breaches.
- A “one-stop-shop” provision, so organizations only have to work with a single DPA, determined by where the company is established or where there are affected individuals.
- Fines of up to €1 million or 2% of the company’s annual turnover.