dataprotectionlaw&policy FEATURED ARTICLE 09 /0 9 cecile park publishing Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com www.e-comlaw.com
EU Local solutions to data breach notification issues An increasing number of data organisations do not comply with notification requirements in light the basic data security of the increasing public concern breaches have been notified to requirement. A brief review of the over data security. individual Member States recently, reported UK breaches reveals many which has led to extensive debate UK breach laws rudimentary mistakes, including as to whether the EU should adopt data being downloaded onto Since the HM Revenue & Customs unencrypted portable devices that data breach in 2007 3 , the UK a breach notification law. With a are lost, data processed by third Information Commissioner has particular focus on the UK, France parties without adequate promoted a best practice and Germany, Bridget Treacy, a safeguards in place, numerous lost requirement to notify his office of Partner at Hunton & Williams, laptops and data that are carelessly serious data breaches and, in some examines how individual Member disposed of. In this context, there cases, to notify affected individuals. have been calls for a US-style The notification requirement is States are devising local solutions to breach notification law in Europe. based on a harm threshold. the data breach issue and how the Notification is required where recent debate surrounding the e- US data breach laws ● the breach is likely to result in Privacy Directive contributed to the US data breach laws had their significant harm to individuals; genesis in the California Computer ● the breach involves a large data breach debate. Security Breach Notification Act volume of compromised data; or A recent study claims that two out (S.B. 1386), which came into effect ● the compromised data are of every three Australian on 1 July 2003. Over time, the sensitive. companies leak data 1 . We may not Californian requirement to notify In the UK, the potential for harm have equivalent statistics for the individuals of data breach to individuals is the most EU but, in the last 18 months some incidents has come to include all significant factor to consider when 600 serious data breaches have affected persons, whether a deciding whether to notify a been reported to the Information resident in California or not. More breach. The assessment requires an Commissioner in the UK. Data than 45 individual states in the US organisation to consider the nature breaches have also been reported in have now enacted data breach laws. of the compromised data and the many other EU Member States. There has been much analysis of circumstances in which the data Increasingly, Europe is considering the effectiveness of US data breach were compromised. If data are US-style data breach laws as a laws, focusing on whether the sensitive, such as health data, it means of forcing organisations to notification requirement itself may not matter that only a small safeguard the data they handle. To contributes significantly to number of records were affected. date, the primary EU debate reducing identity theft and other The risk of harm to the small surrounding a data breach law has losses that may flow from a data number of affected individuals taken place in the context of the breach incident. It is difficult to may be high. Where there is a real review of the e-Privacy Directive, draw a clear conclusion that data likelihood of harm, there is a but increasingly we see individual breach laws reduce identity theft 2 . presumption to report. Where the jurisdictions exploring the merits What is clear is that the existence risk of harm is low, for example of passing local breach laws. This of the laws and the consequences because the storage device was article will explore some of those of breach act as incentives to encrypted, there is no need to themes, with a particular focus on organisations to ensure that data notify. Notification is made to the the UK, France and Germany. are adequately safeguarded. Information Commissioner, but organisations frequently take the What is data breach? EU data breach laws initiative and notify individuals as ‘Data breach’ is a generic term There is currently no general well. The Information applied to many situations in provision in the EU Data Commissioner expects to be which the security or integrity of Protection Directive requiring the informed of whether individuals data is compromised, whether notification of data breaches, have been informed and may deliberately or not. Despite the whether to regulators or to the require that individuals are data security requirements of our individuals whose data have been notified. At a practical level, the EU data protection law, there have compromised. Notwithstanding decision to notify can be a finely been many recent examples of data this, many Member States have balanced decision. breaches, suggesting that begun to develop their own In the UK, the Information 04 data protection law & policy september 2009
Recommend
More recommend
