Data Breach Notification Laws in Europe Conference & Report

22 April 2009

Edinburgh, Scotland


Data Protection Commissioners' Views and Recommendations from 21 European countries

The data breach notification laws which started in California and have now spread over most of the USA have provided a stimulus to companies' top managements doing business there to take the protection and use of the personal data in their care with much greater seriousness and commitment realising that their companies' reputations are at stake.

In Europe, with national data protection laws already in place since as early as 1973 in Sweden, data security remains just one element of their comprehensive coverage. Notifying a national Data Protection Authority of when personal data has been lost or stolen has now come onto the agenda of national authorities as providing an instrument to assist national data protection authorities and financial regulators to enforce the national data protection laws.

In the last two or three years, the question of whether the European Union should legislate on notifying data breaches has become an issue of conflict at the heart of the E-Privacy Directive. To whom should it apply and what should companies do when a breach occurs?

Several questions arise which form the core of the Data Breach Survey conducted by Privacy Laws & Business among 21 national Data Protection Authorities (DPAs) since January 2008. They can be summarised as follows:

  1. What data breach notification law, if any, is currently in place in your country?
  2. Do you as a DPA consider there to be a demand in your country for more explicit data breach laws?
  3. What should be the purpose and scope of data breach legislation in your country?
  4. What powers would your Data Protection Authority be seeking in a national law?

The full list of questions are below.

Privacy Laws & Business is now taking the opportunity of the European DPAs' annual conference in Edinburgh to provide the results of the survey not only to the 20 Data Protection Authorities which participated in the survey but also to any interested party in the form of:

  • a half day conference and
  • a report.

National Data Protection Authorities participating in the survey

Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Guernsey, Hungary, Iceland, Ireland, Italy, Jersey, Luxembourg, Netherlands, Poland, Portugal, Slovak Republic, Spain, Sweden, United Kingdom

Questions in the survey

A. Current Data Breach Laws in your Country, if any

  1. What law, if any, is currently in place in your country?

B. Demand for Data Breach Laws, if any

  1. Do you as a DPA consider there to be a demand in your country for more explicit data breach laws?
  2. Do you think a specific national law dealing with data breaches is necessary or is there enough "related law" to achieve maximum protection against data breaches? Is the current problem of the loss or theft of personal data in your country at such a level to justify a national law?
  3. In light of the adoption of data breach law in US, to what extent do you think your country should be following this example?
  4. Do you consider existing data security provisions of your national Data Protection law sufficient?

C. Purpose and Scope of Data Breach Legislation

  1. Should data breach law be consistent across the EU but have scope for national implementation to reflect national needs?
  2. Do you think the scope of data breach law should include not only controllers but also processors? For example during the course of credit card transactions.
  3. What do you consider to be the positive and negative impact of a national data breach law on data subjects?
  4. Do you think that a national data breach law would help protect personal data more than current provisions?
  5. What would be the expected impact of a data breach law? For example, to what extent do you think that national legislation dealing with data breaches will:
    • (a) Help restore confidence and
    • (b) Force businesses to take data breaches more seriously?
  6. To what extent do you agree that the implementation of a national law will strengthen data security but restrict the free flow of data between both member states and third countries not in the European Economic Area 

D. Legal Provisions to be included in a Data Breach Law

  1. Would it be enough to incorporate data breach law into other related areas of law such as theft or will it be necessary to move further than this and create a distinct piece of legislation?
  2. What powers would your Data Protection Authority be seeking in a national law?
  3. Would you expect your new legal provisions to cover both public and private sectors?
  4. What would your DPA want from a national law?
  5. What would your DPA want a data breach law to do in practice?
    • (a) Compensation to individuals
    • (b) Notifying the authorities of any breaches (if not the DPA, which authority?)
    • (c) Notifying customers
    • (d) Notifying staff
    • (e) Media plan
    • (f) Other, please specify

Report in pdf format based on the survey for DPAs

  • Survey participants: Free
  • Other DPAs: £100 + 15% VAT

Report in pdf format based on the survey for companies: £200 + 15% VAT