We use cookies to give you the best online experience. By using our website you agree to our use of cookies in accordance with our cookie policy. Learn more here.Close Me
The European legal framework on the protection of personal data
(Directive 95/46/Ec) is acknowledged as one of the strictest in the
world. This tendency seems to be confirmed by the new draft
regulation on the protection of personal data revealed by the
European Commission in January 2012, which, once adopted, will
certainly not enter into force before 2015. On the contrary, as
opposed to American regulations, the current European Directive
seems quite lenient when it comes to data breaches.
This said, in reality, should data breaches be treated
differently in Europe than in the United States? The answer is
"no."
Although the current Directive does not provide an explicit
obligation of notification to the competent national authorities
and the individuals concerned, this obligation still exists. In the
absence of case law on this point from the European Court of
Justice, the Directive needs to be interpreted and applicable
general principles of law need to be taken into account.
First, in accordance with the Directive itself, any
communication (even involuntary) constitutes a processing of
personal data. Therefore, this processing must be notified to the
competent national authorities, particularly when the data
controller has not made a prior notification, either contrary to
the regulation or because he benefitted from an exemption. This
point is confirmed by the obligation of security that the Directive
imposes on the data controller, by virtue of which all controllers
must take organizational measures, notably in the case of a data
breach. Because these measures must be proportionate to the risks
and the nature of the personal data concerned, notification appears
to be an adequate organizational measure when a data breach
occurs.
Second, several sectorial regulations require an explicit
obligation of notification to the competent authorities and to
individuals, particularly when the latter are likely to suffer
damage. This is the case with the "e-privacy Directive"
(Directive 2002/58), applicable to the telecommunication sector and
for certain professions, such as attorneys.
And last but not least, the general principle of liability
obliges all controllers to minimize the damage caused to the
individuals concerned. One of the ways to do this is to notify the
data breach to the concerned individuals, who can then take
appropriate measures to avoid certain risks (identity theft,
unauthorized use of access codes, etc.).
In summary, a prudent and diligent controller will notify,
particularly when the data breach is likely to cause damage to the
concerned individuals. Confirming this analysis, several member
states of the European Union and of the European Economic Area
— such as Norway, Germany and Austria — have
adopted regulations that explicitly oblige data controllers to
notify any data breaches to the national authorities and to
concerned individuals. Other European countries provide in an
explicit manner, but without making it mandatory, procedures for
notification of data breaches.
Undoubtedly for these reasons the Commission has introduced in
the new draft regulation an explicit and general obligation of
notification in case of data breaches.
In conclusion, a controller who suffers a data breach in the
United States — for example by the loss of a laptop
containing personal data of individuals residing in the European
Union, the European Economic Area or the United States —
must notify the breach to the competent authorities and to the
individuals, in both the United States and Europe. A controller
that does not, could have liability issues.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The 2010 theft of an unencrypted laptop containing confidential health care information made front-page news in 2013, not because a huge number of patients were affected, but for the exact opposite reason.
Identity theft is a serious threat. In 2012, more than 12.6 million adults became victims of identity theft in the U.S.1 And the costs have been astronomical.
On April 22 Verizon released its 2013 Data Breach Investigations Report (DBIR), which has since 2008 become a leading annual survey of data breaches, with participants across the globe.
Increasingly, privacy is a big concern in app development. California and other jurisdictions are ramping up enforcement efforts around existing privacy laws.
Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers.
Any company that collects personal data from consumers should take proactive steps to have appropriate legal counsel review its data security practices, as well as its terms of service or privacy practices, to identify any potential problem areas.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.
FTC On The Prowl, And Businesses Looking For Guidance On New COPPA Changes
