The European Union (EU) legal landscape on data privacy and information security is undergoing significant changes. A prominent legislative development in recent years is the introduction of breach notification requirements within a number of regulatory instruments. In only the past two years, the Community legislator has adopted, and proposed, four different regulatory instruments containing breach notification requirements. There are also existing requirements for the telecom sector. This creates a complex mesh of regulatory frameworks for breach notification where different aspects of the same breach within the same company might have to be dealt with under different regulatory instruments, making compliance with such requirements challenging. In this article, the existing and en route breach notification requirements under the EU legal framework are examined – elaborating their potential areas of convergence or conflict and the resulting complexity in compliance with such requirements. To this end, the article examines the scope of the notification regimes, the types of breaches, when a breach is considered to occur under the relevant rules, and the relevant requirements to notify stakeholders. Furthermore, the article examines why a proactive approach to compliance with breach notification requirements is essential and suggests the need to address breach notification requirements in conjunction with security risk analysis, which is being mandated in most of the regulatory instruments.
Samson Esayas, Breach Notification Requirements Under the European Union Legal Framework: Convergence, Conflicts, and Complexity in Compliance, 31 J. Marshall J. Info. Tech. & Privacy L. 317 (2014)