Does A Data Breach In The U.S. Require Notification In Europe?

Author: Mr Paul Van Den Bulck
Profession: McGuireWoods LLP

The European legal framework on the protection of personal data (Directive 95/46/EC) is acknowledged as one of the strictest in the world. This tendency seems to be confirmed by the new draft regulation on the protection of personal data revealed by the European Commission in January 2012, which, once adopted, will certainly not enter into force before 2015. By contrast, and unlike American regulations, the current European Directive seems quite lenient when it comes to data breaches.

This said, in reality, should data breaches be treated differently in Europe than in the United States? The answer is "no."

Although the current Directive does not provide an explicit obligation of notification to the competent national authorities and the individuals concerned, this obligation still exists. In the absence of case law on this point from the European Court of Justice, the Directive needs to be interpreted and applicable general principles of law need to be taken into account.

First, in accordance with the Directive itself, any communication of personal data (even an involuntary one) constitutes a processing of personal data. Therefore, this processing must be notified to the competent national authorities, particularly when the data controller has not made a prior notification, whether in breach of the regulation or because it benefited from an exemption. This point is confirmed by the obligation of security that the Directive imposes on the data controller, by virtue of which all controllers must take organizational measures, notably in the case of a data breach. Because these measures must be proportionate to the risks and the nature of the personal data concerned, notification appears to be an adequate organizational measure when a data breach occurs.

Second, several sectoral regulations impose an explicit obligation of notification to the competent authorities and to individuals, particularly when the latter are likely to suffer damage. This is the case with the "e-Privacy Directive" (Directive 2002/58), applicable to the telecommunication...
