News - Fresh Data Archive Article

Return to Fresh Data Blog
Return to Fresh Data Archive

EU Data Privacy Series #3: New Proposed Rules on Data Breaches

Date: August, 2013 --


We here continue our series on the European Data Protection Regulation currently under debate in the European Parliament and expected to be adopted in 2014. Today, we focus on two very critical subjects treated by the Regulation. These subjects are unfortunately familiar to our U.S. readers as they relate to security breaches, the scope of data covered, and your obligations when they occur. 

But first, let’s recall that even American businesses with no physical presence in Europe, but who handle Europeans’ personal information, are required to comply with this proposed law. It reads in part:

“The processing of personal data of data subjects residing in the Union by a controller [such as your company] not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.”

In short, if your company in the course of its business acquires personal information of Europeans which relates to making commercial offers to them, or where your activities involve monitoring their behavior, such as by tracking online activities or other data acquisition for profiling, you are subject to the regulation. For example, if you are a U.S. hotel chain or car rental company with no physical businesses in Europe, but you collect data on Europeans through their doing business with you in the U.S., or their browsing behavior online, or through data trades with other companies, and your data capture “relates to offering goods and services”,  you are subject to the law.

The complexities and complications of this requirement will be difficult to work out. For example, would a domestic-only U.S. airline which does no marketing or business in Europe be subject to this statute simply because it carries Europeans from New York to Albany and Boston? Or would it be subject only if the data was used to make offers to these passengers? What if it only made offers to them when they were in the U.S.?  It would seem unlikely that Parliament would intend this result in the latter case, especially given the possibility of having a U.S. law being interpreted against a European company doing the same thing in Europe to an American.   

Like U.S. law, the Regulation requires you to take certain steps when you detect that your security has been breached and personal data may have been compromised or stolen; however, the Regulation imposes much more demanding burdens on you than does U.S. law.  

As with U.S. law, there is a notification requirement in the case of a data breach, but what constitutes a “personal data breach” is defined much more broadly in the Regulation, making the likelihood of a notification event occurring much higher.

The Regulation defines personal data breach as “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data”. This definition is very broad. The grandfather of the U.S. laws on this subject, drafted in California, defines a breach as only the unauthorized disclosure of personal information, not its loss, destruction, or alternation.    

In addition, the definition of “personal data” in the Regulation is much broader than in most U.S. legislation, being “any information relating to a data subject.” Most U.S. legislation focuses on disclosure of specified information, such as name, social security number and financial or health information.  The Regulation does indeed intend to cover “any data of or pertaining to an identifiable person”, not just credit card information or banking and medical records. Personal purchase history with a company, or what football games a season pass holder attended, and even the names of a football club’s fans  would all be data whose loss would trigger a notification obligation, as would the disclosure of an email address or phone number. 

In addition, the rules regarding your responsibilities of disclosure and notice are much more rigorous than in the U.S. For example, the controller (your company) must notify the occurrence of the breach to the appropriate supervisory authority in the country you have selected to “be domiciled in” within 24 hours, if feasible.

This is an extremely short time period for an organization to notify management and the appropriate executives, to seek legal and technical advice, and to draw up and present the response plan called for by the law. One wonders what purpose is served by such a short deadline, given that the supervisory authorities themselves have no time-sensitive statutory functions in these circumstances.

 In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject,” the company must notify the data subjects themselves “without undue delay” after having notified the Supervisory Authority. The form of that notice may apparently also be dictated by the Supervisory Authority.  

Finally, if your data is maintained by Data Services, Inc., then as Controller under the Regulation, you will have certain responsibilities regarding agreements with Data Services with respect to security and processing. Fortunately, Data Services, Inc. is registered under the Direct Marketing Association Safe Harbor Program and thus fully qualified to act under the Regulation as currently formulated.