With the severity of data breaches on the rise, will Europe adopt U.S.-style mandatory disclosure of data privacy regulation violations?
By Mathew Schwartz
At the RSA Conference, IAPP London correspondent Mat Schwartz put an ear to the European debate on mandatory breach notifications. Here's what he heard.

To notify, or not to notify?

Mandatory data breach notifications—public alerts whenever consumers' personal information has been lost or stolen—are de rigueur in the United States. As a result, many companies have improved their data security safeguards and been forced to publicly apologize and compensate data-loss and identity theft victims.
Now, European Union officials are debating whether to make U.S.-style data breach notifications mandatory throughout the EU's 27 member states, or even to go one better and impose civil penalties, including jail time, for violating data privacy statutes.

The ball got rolling in November 2007, when the European Commission (EC) suggested revising its "Directive on Privacy and Electronic Communications" (#2002-58) to include new security and data privacy requirements, including mandatory data breach notifications for "accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data."

The only wrinkle: the directive applies solely to telecommunications companies and ISPs. Therefore the goal of the revision, says Anna Buchta, a policy officer for the EC, is to "harmonize" existing telecommunications and ISP laws and thus ensure an EU-wide "level playing field."

The best consumer protection

But in this era of rampant data breaches, is such a narrow update what's really needed? "Having it just for ISPs and telecoms providers? I'd say forget about it, it's got comparatively little use to the consumer," says Martha Bennett, research director for financial services at Datamonitor in London.
In fact, some EU agencies also want stronger medicine. The Council of Ministers, which fashions directives together with the EC and the European Parliament, has argued for applying the revised directive to all entities handling private data. Likewise, the European Network and Information Security Agency (ENISA), which advises the EU on information security matters, recommends notifications for raising consumer, business and government awareness of today's security shortcomings.

Buchta counters that the purpose of an EU directive is "to reflect only what is already in place in most member states" and thus "should be a quite high-level and general obligation which we hope would not lead to any conflicts with other security obligations."

Five-legged sheep or harmony?

Will Europe find harmony through a proactive approach to data breach disclosure? Or will it settle for the lowest common denominator, producing legislation that Bennett says all too often resembles "the five-legged sheep with three tails?"
The progressive side of the fence includes the strict data protection laws of Germany and Scandinavia, where "opt-in" has been the dominant social principle for decades . And in Italy, which only recently passed a data privacy law, violators now face jail time.

Other countries, meanwhile, still have weak data privacy penalties. In the UK, for example, while public sector organizations must disclose data security incidents to the Information Commissioner's Office (ICO), it can impose a maximum fine of only £5,000 ($7,400). "The Information Commissioner is about as efficient as a paper tiger," notes Bennett.

And it shows: "I've regularly gone onto corporates and advised on security breaches which should never have happened: putting private data on test servers and making that live, leaking information onto Web sites in unsecured form, user data on memory sticks…" says Simon Briskman, a partner at London-based law firm Field Fisher Waterhouse LLP. "My message is that that hasn't changed in the last 10 years or so. I was doing the exact same job in '97 as in '08."

Giving UK enforcers some bite

Finally, after more than a year of embarrassing data breaches involving such agencies as the Ministry of Defense and HM Revenue & Customs, the government is increasing the ICO's power to audit organizations and levy fines. Richard Thomas, the UK Information Commissioner, is pushing for fines of up to 10 percent of a company's revenue. As he noted in a recent speech at the RSA Europe conference in London, "the threat and reality of substantial penalties will concentrate minds and act as a real deterrent."
Interestingly, however, he's against mandatory data breach notifications. "Put simply, where the risks posed by security breaches are serious, a notification requirement would be too timid. If they are not, it would be excessive." Furthermore he worries that an overly broad notification rule would result in "breach fatigue" and lead to public apathy.

Flogging, or the scarlett "B"

Some experts, however, argue that Thomas is overlooking the most effective data breach deterrent of them all. "Being forced to tell customers 'we have screwed you' with all the attendant press coverage has had a major impact of boards of directors paying attention to security—orders of magnitude more than reporting regimes like [Gramm-Leach-Bliley] and Sarbanes-Oxley," notes Gartner Inc. analyst John Pescatore.
Of course if the EU mandates public data breach notifications, the UK will have to get on board. But it wouldn't happen overnight: after the EU publishes the revised directive—anticipated to occur in mid-2009—member states typically pass national laws which instantiate it about 18—24 months later.

Even if mandatory notifications don't make it into the directive, however, the legislative writing is on the wall, especially in the UK. Over the next five years, predicts Briskman, organizations that continue to treat information security as a "Cinderella subject" and fund it accordingly will get burned. "It's time that people at board level wake up to these issues.

Mathew Schwartz, a freelance journalist based in England, has covered information security issues for more than a decade.  


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»