IAPP-GDPR Web Banners-300x250-FINAL

With the severity of data breaches on the rise, will Europe adopt U.S.-style mandatory disclosure of data privacy regulation violations?
By Mathew Schwartz
At the RSA Conference, IAPP London correspondent Mat Schwartz put an ear to the European debate on mandatory breach notifications. Here's what he heard.

To notify, or not to notify?

Mandatory data breach notifications—public alerts whenever consumers' personal information has been lost or stolen—are de rigueur in the United States. As a result, many companies have improved their data security safeguards and been forced to publicly apologize and compensate data-loss and identity theft victims.
Now, European Union officials are debating whether to make U.S.-style data breach notifications mandatory throughout the EU's 27 member states, or even to go one better and impose civil penalties, including jail time, for violating data privacy statutes.

The ball got rolling in November 2007, when the European Commission (EC) suggested revising its "Directive on Privacy and Electronic Communications" (#2002-58) to include new security and data privacy requirements, including mandatory data breach notifications for "accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data."

The only wrinkle: the directive applies solely to telecommunications companies and ISPs. Therefore the goal of the revision, says Anna Buchta, a policy officer for the EC, is to "harmonize" existing telecommunications and ISP laws and thus ensure an EU-wide "level playing field."

The best consumer protection

But in this era of rampant data breaches, is such a narrow update what's really needed? "Having it just for ISPs and telecoms providers? I'd say forget about it, it's got comparatively little use to the consumer," says Martha Bennett, research director for financial services at Datamonitor in London.
In fact, some EU agencies also want stronger medicine. The Council of Ministers, which fashions directives together with the EC and the European Parliament, has argued for applying the revised directive to all entities handling private data. Likewise, the European Network and Information Security Agency (ENISA), which advises the EU on information security matters, recommends notifications for raising consumer, business and government awareness of today's security shortcomings.

Buchta counters that the purpose of an EU directive is "to reflect only what is already in place in most member states" and thus "should be a quite high-level and general obligation which we hope would not lead to any conflicts with other security obligations."

Five-legged sheep or harmony?

Will Europe find harmony through a proactive approach to data breach disclosure? Or will it settle for the lowest common denominator, producing legislation that Bennett says all too often resembles "the five-legged sheep with three tails?"
The progressive side of the fence includes the strict data protection laws of Germany and Scandinavia, where "opt-in" has been the dominant social principle for decades . And in Italy, which only recently passed a data privacy law, violators now face jail time.

Other countries, meanwhile, still have weak data privacy penalties. In the UK, for example, while public sector organizations must disclose data security incidents to the Information Commissioner's Office (ICO), it can impose a maximum fine of only £5,000 ($7,400). "The Information Commissioner is about as efficient as a paper tiger," notes Bennett.

And it shows: "I've regularly gone onto corporates and advised on security breaches which should never have happened: putting private data on test servers and making that live, leaking information onto Web sites in unsecured form, user data on memory sticks…" says Simon Briskman, a partner at London-based law firm Field Fisher Waterhouse LLP. "My message is that that hasn't changed in the last 10 years or so. I was doing the exact same job in '97 as in '08."

Giving UK enforcers some bite

Finally, after more than a year of embarrassing data breaches involving such agencies as the Ministry of Defense and HM Revenue & Customs, the government is increasing the ICO's power to audit organizations and levy fines. Richard Thomas, the UK Information Commissioner, is pushing for fines of up to 10 percent of a company's revenue. As he noted in a recent speech at the RSA Europe conference in London, "the threat and reality of substantial penalties will concentrate minds and act as a real deterrent."
Interestingly, however, he's against mandatory data breach notifications. "Put simply, where the risks posed by security breaches are serious, a notification requirement would be too timid. If they are not, it would be excessive." Furthermore he worries that an overly broad notification rule would result in "breach fatigue" and lead to public apathy.

Flogging, or the scarlett "B"

Some experts, however, argue that Thomas is overlooking the most effective data breach deterrent of them all. "Being forced to tell customers 'we have screwed you' with all the attendant press coverage has had a major impact of boards of directors paying attention to security—orders of magnitude more than reporting regimes like [Gramm-Leach-Bliley] and Sarbanes-Oxley," notes Gartner Inc. analyst John Pescatore.
Of course if the EU mandates public data breach notifications, the UK will have to get on board. But it wouldn't happen overnight: after the EU publishes the revised directive—anticipated to occur in mid-2009—member states typically pass national laws which instantiate it about 18—24 months later.

Even if mandatory notifications don't make it into the directive, however, the legislative writing is on the wall, especially in the UK. Over the next five years, predicts Briskman, organizations that continue to treat information security as a "Cinderella subject" and fund it accordingly will get burned. "It's time that people at board level wake up to these issues.

Mathew Schwartz, a freelance journalist based in England, has covered information security issues for more than a decade.  


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»