EU-wide data breach notification requirements are “coming your way,” according to Field Fisher Waterhouse’s Olivier Proust. Proust describes frenzied lobbying in Brussels over the notification requirement in the European Commission’s proposed replacement of the Data Protection Directive, particularly over the severity of breaches necessitating notification and the timeframe within which data controllers must notify. Ultimately, Proust recommends that companies begin implementing notification procedures now: despite the absence of a requirement--an absence that won’t last--companies seen as handling breaches responsibly have a competitive advantage over those seen as less forthright.

Pinsent Masons’ Out-Law.com explains the labyrinthine contours of EU data protection enforcement. Despite sharing the Data Protection Directive, each country, and sometimes each region within a country, enforces the directive to a different degree and with its own nuances. Sketching three leading countries’ regulatory bodies—those of France, Germany and the UK—the report states, “Knowing the different attitudes that each of the watchdogs takes to enforcement is a useful tool for companies operating in the EU.”

THE NETHERLANDS

The Dutch Data Protection Authority (DPA) has found that four mobile phone operators--KPN, Tele2, T-Mobile and Vodafone--violated Dutch laws regarding user data retention and anonymization. According to the regulator’s study, which began in 2011, the companies failed to delete or anonymize data such as websites visited and apps used as quickly as possible, as regulations require. Of the four, KPN is reportedly the only operator to have resolved each of the issues identified by the investigation. The others claim to be actively addressing the issues in cooperation with Dutch regulators.

Meanwhile, Bird & Bird’s Berend van der Eijk has said a bill proposing fines of up to €450,000 for public and private organizations that fail to meet notification requirements “is very likely” to pass, noting the earliest it would enter “into force would likely be 1 July 2014, or more realistically, 1 January 2015.”

SWITZERLAND

Switzerland’s DPA has issued its 20th Report of Activities, covering the timeframe of April 2012 to March 2013. Hunton & Williams’ Privacy and Information Security Law Blog details the report’s focus on several data protection issues including employer monitoring of employee behavior at work, businesses’ social media and loyalty program analytics and whistleblowing provisions.