A comparison between the EU and U.S. data breach notification laws
Posted by Editor on January 12, 2018 in the following categories: Data
Data Protection should always be a huge concern for companies and organisations. As with most laws, there are differences that can give some people in some countries more rights than others, such as the differences and similarities with data breach notification laws within both the EU and U.S.
In a world where data breaches can be cross-jurisdictional – i.e. a hacker from the U.K. hacks an American business – these differences could become quite important. It’s a challenge we face when representing victims for claims.
So, what are some of the characteristics of EU and U.S. data laws?
The EU doesn’t really have a general data breach notification obligation written into legislation right this second, but this will all change in May 2018 when the EU General Data Protection Regulation (GDPR) will be enforced.
Historically, the uniform data breach rules were established in the telecommunication industry. As with some American states, some EU member states enacted breach notification legislation, but the legislation has been far less uniform in the EU when compared to that in the U.S.
In the event of a breach, the new GDPR has said to model U.S. breach notification requirements. The regulation will apply to companies based in the EU and also U.S. companies that seek to process information through the services they offer to citizens in the EU, or monitoring of citizens in the EU. Under the new regulations, a “personal data breach” can be defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The regulation is thought to be broad enough to encompass many things and it may afford greater protection for data breach victims and perhaps act as a deterrent for companies who fail to protect data.
And so far, the U.K. has agreed to adopt the GDPR despite Brexit as far as we’re aware. This is very good news indeed!
To date, the U.S. has reportedly failed to agree on a federal data breach notification legislation. This has led to a lack of federal statute to govern companies.
The failure to impose a single federal statute has led some states to take matters into their own hands. 47 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands have imposed state-breach notification legislation. The only states without such laws are Alabama, New Mexico and South Dakota, although in some circumstances the data breach notification State laws may apply to some citizens.
In the event of the breach, state legislation requires private, governmental or educational organisations to notify individuals of data breaches involving personally identifiable information. The security breach legislation encompasses provisions for: who must comply with the law; definitions of personal information; what constitutes as a breach; requirements for notice; and who must be notified.
The legislation also provides what exemptions may apply: for example, for encrypted information.
Similarities of both systems
The U.S. breach notification statutes require that data licensees notify data owners of a data breach and then the data owners have to notify consumers and regulators of the security breach. The new E.U. regulation imposes a similar requirement. The data processors must notify data controllers of the breach, and in turn, data controllers must notify affected individuals and government regulators.
Start Your Claim
If you have any queries about a potential data breach compensation claim of any kind, then get in touch! We can talk through your claim and, if accepted, make sure that you receive maximum compensation to help give you peace of mind.
You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to get more options on contacting the Data Leak Lawyers.