A comparison between the EU and U.S. data breach notification laws

Data protection should always be a major concern for companies and organisations. As with most areas of law, the rules differ from country to country, and those differences can give people in one jurisdiction more rights than people in another. Data breach notification law in the EU and the U.S. is a good example of both the differences and the similarities.

In a world where data breaches can be cross-jurisdictional (e.g. a hacker in the U.K. compromises an American business that holds data on EU residents), these differences can become quite important. It is a challenge we face when representing victims in claims.

So, what are some of the characteristics of EU and U.S. data laws?

EU stance

The EU does not currently have a general data breach notification obligation written into legislation, but this will change on 25 May 2018, when the EU General Data Protection Regulation (GDPR) becomes enforceable.

Historically, the only uniform EU breach notification rules applied to the telecommunications sector, under the ePrivacy Directive, which requires providers of electronic communications services to notify breaches to the regulator. As with some American states, some EU member states enacted their own breach notification legislation, but the result has been far less uniform across the EU than across the U.S.

The GDPR's breach notification requirements are said to be modelled on those in the U.S. The regulation will apply to companies established in the EU and also to companies outside the EU, including U.S. companies, that process personal data in connection with offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU. Under the regulation, a "personal data breach" is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Where a breach is likely to result in a risk to individuals, the data controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected individuals must be notified without undue delay as well.

The definition is broad enough to cover a wide range of incidents, not just hacking, and it may afford greater protection to data breach victims and act as a deterrent for companies that fail to protect data.

So far, as far as we are aware, the U.K. has committed to adopting the GDPR despite Brexit. This is very good news indeed!

U.S. stance

To date, the U.S. has not enacted a general federal data breach notification law. There are sector-specific federal rules, for example for health information and for financial institutions, but no single federal statute governs companies across the board.

In the absence of a single federal statute, the states have taken matters into their own hands. 47 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have enacted breach notification legislation. The only states without such laws are Alabama, New Mexico and South Dakota, although residents of those states may still be covered in some circumstances, because most state statutes are triggered by the residence of the affected individual rather than by the location of the organisation that suffered the breach.

In the event of a breach, state legislation requires private, governmental or educational organisations to notify individuals of data breaches involving personally identifiable information. The statutes typically set out: who must comply with the law; what counts as personal information; what constitutes a breach; the form, content and timing of the notice; and who must be notified (for example, the affected individuals, the state attorney general, or consumer reporting agencies).

The legislation also sets out what exemptions may apply, for example for encrypted information. That exemption is generally lost if the encryption key was compromised along with the data, so an organisation cannot rely on encryption alone to avoid notification if the attacker can read the data.

Similarities of both systems

The U.S. breach notification statutes require data licensees (those that hold or process data on another's behalf) to notify the data owners of a breach, and the data owners must in turn notify consumers and, in many states, regulators. The new EU regulation imposes a similar two-stage requirement: data processors must notify data controllers of a breach without undue delay, and data controllers must in turn notify the supervisory authority and, where the risk to individuals is high, the affected individuals.

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.

www.dataleaklawyers.co.uk is © Your Lawyers Limited, authorised and regulated by the Solicitors Regulation Authority (SRA number 508768).