The European legal framework on the protection of personal data
(Directive 95/46/EC) is acknowledged as one of the strictest in the
world. This tendency seems to be confirmed by the new draft
regulation on the protection of personal data published by the
European Commission in January 2012, which, once adopted, will
certainly not enter into force before 2015. By contrast with American
regulations, however, the current European Directive seems quite
lenient when it comes to data breaches.
That said, should data breaches really be treated
differently in Europe than in the United States? The answer is
Although the current Directive does not provide an explicit
obligation of notification to the competent national authorities
and the individuals concerned, this obligation still exists. In the
absence of case law on this point from the European Court of
Justice, the Directive needs to be interpreted and applicable
general principles of law need to be taken into account.
First, in accordance with the Directive itself, any
communication (even an involuntary one) constitutes a processing of
personal data. Therefore, this processing must be notified to the
competent national authorities, particularly when the data
controller has made no prior notification, whether in breach of
the rules or because it benefited from an exemption. This
point is confirmed by the obligation of security that the Directive
imposes on the data controller, by virtue of which all controllers
must take organizational measures, notably in the case of a data
breach. Because these measures must be proportionate to the risks
and the nature of the personal data concerned, notification appears
to be an adequate organizational measure when a data breach
Second, several sectoral regulations impose an explicit
obligation of notification to the competent authorities and to
individuals, particularly when the latter are likely to suffer
damage. This is the case with the "e-privacy Directive"
(Directive 2002/58), applicable to the telecommunications sector,
and with the rules governing certain professions, such as attorneys.
And last but not least, the general principle of liability
obliges all controllers to minimize the damage caused to the
individuals concerned. One of the ways to do this is to notify the
data breach to the concerned individuals, who can then take
appropriate measures to avoid certain risks (identity theft,
unauthorized use of access codes, etc.).
In summary, a prudent and diligent controller will notify,
particularly when the data breach is likely to cause damage to the
concerned individuals. Confirming this analysis, several member
states of the European Union and of the European Economic Area
— such as Norway, Germany and Austria — have
adopted regulations that explicitly oblige data controllers to
notify any data breaches to the national authorities and to
concerned individuals. Other European countries explicitly provide
procedures for the notification of data breaches without making
notification mandatory.
Undoubtedly for these reasons the Commission has introduced in
the new draft regulation an explicit and general obligation of
notification in case of data breaches.
In conclusion, a controller who suffers a data breach in the
United States, for example through the loss of a laptop
containing personal data of individuals residing in the European
Union, the European Economic Area or the United States,
must notify the breach to the competent authorities and to the
individuals concerned, in both the United States and Europe. A
controller that does not may face liability.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.