A comparison between the EU and U.S. data breach notification laws

Data Protection should always be a huge concern for companies and organisations. As with most laws, there are differences that can give some people in some countries more rights than others, such as the differences and similarities with data breach notification laws within both the EU and U.S.

In a world where data breaches can be cross-jurisdictional – i.e. a hacker from the U.K. hacks an American business – these differences could become quite important. It’s a challenge we face when representing victims for claims.

So, what are some of the characteristics of EU and U.S. data laws?

EU stance

The EU doesn’t really have a general data breach notification obligation written into legislation right this second, but this will all change in May 2018 when the EU General Data Protection Regulation (GDPR) will be enforced.

Historically, the uniform data breach rules were established in the telecommunication industry. As with some American states, some EU member states enacted breach notification legislation, but the legislation has been far less uniform in the EU when compared to that in the U.S.

In the event of a breach, the new GDPR has said to model U.S. breach notification requirements. The regulation will apply to companies based in the EU and also U.S. companies that seek to process information through the services they offer to citizens in the EU, or monitoring of citizens in the EU. Under the new regulations, a “personal data breach” can be defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

The regulation is thought to be broad enough to encompass many things and it may afford greater protection for data breach victims and perhaps act as a deterrent for companies who fail to protect data.

And so far, the U.K. has agreed to adopt the GDPR despite Brexit as far as we’re aware. This is very good news indeed!

U.S. stance

To date, the U.S. has reportedly failed to agree on a federal data breach notification legislation. This has led to a lack of federal statute to govern companies.

The failure to impose a single federal statute has led some states to take matters into their own hands. 47 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands have imposed state-breach notification legislation. The only states without such laws are Alabama, New Mexico and South Dakota, although in some circumstances the data breach notification State laws may apply to some citizens.

In the event of the breach, state legislation requires private, governmental or educational organisations to notify individuals of data breaches involving personally identifiable information. The security breach legislation encompasses provisions for: who must comply with the law; definitions of personal information; what constitutes as a breach; requirements for notice; and who must be notified.

The legislation also provides what exemptions may apply: for example, for encrypted information.

Similarities of both systems

The U.S. breach notification statutes require that data licensees notify data owners of a data breach and then the data owners have to notify consumers and regulators of the security breach. The new E.U. regulation imposes a similar requirement. The data processors must notify data controllers of the breach, and in turn, data controllers must notify affected individuals and government regulators.

New ICO powers to fine organisations up to £17 million

Introducing the vicious cycle of data breach fatigue