Legal help for data breach compensation claims

A comparison between the EU and U.S. data breach notification laws

Posted by Editor on January 12, 2018 in the following categories: Data

us and eu data breach laws

Data Protection should always be a huge concern for companies and organisations. As with most laws, there are differences that can give some people in some countries more rights than others, such as the differences and similarities with data breach notification laws within both the EU and U.S.

In a world where data breaches can be cross-jurisdictional – i.e. a hacker from the U.K. hacks an American business – these differences could become quite important. It’s a challenge we face when representing victims for claims.

So, what are some of the characteristics of EU and U.S. data laws?

EU stance

The EU doesn’t really have a general data breach notification obligation written into legislation right this second, but this will all change in May 2018 when the EU General Data Protection Regulation (GDPR) will be enforced.

Historically, the uniform data breach rules were established in the telecommunication industry. As with some American states, some EU member states enacted breach notification legislation, but the legislation has been far less uniform in the EU when compared to that in the U.S.

In the event of a breach, the new GDPR has said to model U.S. breach notification requirements. The regulation will apply to companies based in the EU and also U.S. companies that seek to process information through the services they offer to citizens in the EU, or monitoring of citizens in the EU. Under the new regulations, a “personal data breach” can be defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

The regulation is thought to be broad enough to encompass many things and it may afford greater protection for data breach victims and perhaps act as a deterrent for companies who fail to protect data.

And so far, the U.K. has agreed to adopt the GDPR despite Brexit as far as we’re aware. This is very good news indeed!

U.S. stance

To date, the U.S. has reportedly failed to agree on a federal data breach notification legislation. This has led to a lack of federal statute to govern companies.

The failure to impose a single federal statute has led some states to take matters into their own hands. 47 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands have imposed state-breach notification legislation. The only states without such laws are Alabama, New Mexico and South Dakota, although in some circumstances the data breach notification State laws may apply to some citizens.

In the event of the breach, state legislation requires private, governmental or educational organisations to notify individuals of data breaches involving personally identifiable information. The security breach legislation encompasses provisions for: who must comply with the law; definitions of personal information; what constitutes as a breach; requirements for notice; and who must be notified.

The legislation also provides what exemptions may apply: for example, for encrypted information.

Similarities of both systems

The U.S. breach notification statutes require that data licensees notify data owners of a data breach and then the data owners have to notify consumers and regulators of the security breach. The new E.U. regulation imposes a similar requirement. The data processors must notify data controllers of the breach, and in turn, data controllers must notify affected individuals and government regulators.


Start Your Claim

If you have any queries about a potential data breach compensation claim of any kind, then get in touch! We can talk through your claim and, if accepted, make sure that you receive maximum compensation to help give you peace of mind.


You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to get more options on contacting the Data Leak Lawyers.

Start Your Claim


Introducing the vicious cycle of data breach fatigue
New ICO powers to fine organisations up to £17 million
Request a call back from our team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.
All fields marked * are required.

%d bloggers like this: