Does a Data Breach in the U.S. Require Notification in Europe?

June 8, 2012

The European legal framework on the protection of personal data (Directive 95/46/Ec) is acknowledged as one of the strictest in the world. This tendency seems to be confirmed by the new draft regulation on the protection of personal data revealed by the European Commission in January 2012, which, once adopted, will certainly not enter into force before 2015. On the contrary, as opposed to American regulations, the current European Directive seems quite lenient when it comes to data breaches.

This said, in reality, should data breaches be treated differently in Europe than in the United States? The answer is “no.”

Although the current Directive does not provide an explicit obligation of notification to the competent national authorities and the individuals concerned, this obligation still exists. In the absence of case law on this point from the European Court of Justice, the Directive needs to be interpreted and applicable general principles of law need to be taken into account.

First, in accordance with the Directive itself, any communication (even involuntary) constitutes a processing of personal data. Therefore, this processing must be notified to the competent national authorities, particularly when the data controller has not made a prior notification, either contrary to the regulation or because he benefitted from an exemption. This point is confirmed by the obligation of security that the Directive imposes on the data controller, by virtue of which all controllers must take organizational measures, notably in the case of a data breach. Because these measures must be proportionate to the risks and the nature of the personal data concerned, notification appears to be an adequate organizational measure when a data breach occurs.

Second, several sectorial regulations require an explicit obligation of notification to the competent authorities and to individuals, particularly when the latter are likely to suffer damage. This is the case with the “e-privacy Directive” (Directive 2002/58), applicable to the telecommunication sector and for certain professions, such as attorneys.

And last but not least, the general principle of liability obliges all controllers to minimize the damage caused to the individuals concerned. One of the ways to do this is to notify the data breach to the concerned individuals, who can then take appropriate measures to avoid certain risks (identity theft, unauthorized use of access codes, etc.).

In summary, a prudent and diligent controller will notify, particularly when the data breach is likely to cause damage to the concerned individuals. Confirming this analysis, several member states of the European Union and of the European Economic Area — such as Norway, Germany and Austria — have adopted regulations that explicitly oblige data controllers to notify any data breaches to the national authorities and to concerned individuals. Other European countries provide in an explicit manner, but without making it mandatory, procedures for notification of data breaches.

Undoubtedly for these reasons the Commission has introduced in the new draft regulation an explicit and general obligation of notification in case of data breaches.

In conclusion, a controller who suffers a data breach in the United States — for example by the loss of a laptop containing personal data of individuals residing in the European Union, the European Economic Area or the United States — must notify the breach to the competent authorities and to the individuals, in both the United States and Europe. A controller that does not, could have liability issues.

McGuireWoods Global Data Privacy and Security Team

Members of our data privacy and security team include more than 30 interdisciplinary lawyers on the front lines of this rapidly evolving area of the law. We provide proactive counseling designed to protect the integrity of our clients’ systems, investigative and remediation services that may be required after a breach, and guidance to assist our clients as they develop new relationships and sources of revenue. Whatever the context, the team possesses the experience and professional networks necessary to address all our clients’ global needs spanning the industry spectrum in the area of data privacy and security.