European Union Directives Will Require Mandatory Data Breach Notification
Proposed revisions to the European Union’s Data Protection Directive have been a hot topic in recent months. A “Directive”, for those unfamiliar, is a legislative act of the European Union which requires all EU member states to implement laws to achieve a particular result. As enacted, the Data Protection Directive lacks mandatory data breach notification provisions, and only a handful of European countries (Germany, for instance) have their own breach notification laws. However, the EU Commission is currently developing initial proposals for notification provisions that should eventually be integrated into the existing Data Protection Directive.
At the annual Infosecurity Europe event held on April 20, 2011, David Smith, EU Deputy Commissioner & Director Of Data Protection, delivered a keynote speech which addressed the European Commission’s review of proposals to implement mandatory data breach notification requirements. According to an article by Phil Muncaster on V3.co.uk, Mr. Smith indicated that such notification requirements were an inevitability, but it could be “two or three years” before final proposals would be available. Advocates for consumer privacy will be hoping for an EU-wide breach notification Directive sooner rather than later, as more and more large-scale breaches are affecting European citizens, including the recent high-profile breach of the Sony PlayStation Network.
As the EU Commission is mulling over broad, standardized notification requirements, another EU Directive containing notification requirements specific to the telecommunications industry will go into effect in May 2011. EU Directive 2009/136/EC amends the existing E-Privacy Directive and requires that a provider of publicly available electronic communications services notify relevant national authorities and, in some instances, affected individuals of a personal data breach. This Directive’s notification provisions are very similar to many of the existing state notification laws in the United States. For example, the Directive:
- conditions individual notification requirements on a risk-of-harm standard;
- requires that notification be made “without undue delay”; and
- defines “breach” in language that tracks the wording commonly used in U.S. notification laws.
Considering these similarities, telecom companies operating in Europe will no doubt be looking to the notification compliance efforts of U.S. companies that have successfully handled past breaches. While Directive 2009/136/EC does not explicitly provide for specific enforcement penalties comparable to the enforcement provisions of U.S. notification laws, many EU member states have instituted fines and penalties for violations of laws enacted under the existing E-Privacy Directive. We expect to see similar fine and penalty provisions in the forthcoming breach notification laws enacted under Directive 2009/136/EC.