Out-Law.com reports:
Businesses should only have to report that they have experienced a personal data breach in cases where it is likely that individuals’ rights and freedoms have been “severely affected” by such a breach, EU Ministers have proposed.
The Working Party on Information Exchange and Data Protection (DAPIX), set up within the structure’s of the EU’s Council of Ministers, said, though, that there are circumstances in which data breaches likely to ‘severely affect’ individuals should not have to be reported.
Read more on Out-Law.com.
While I generally do not like risk of significant harm triggers, it’s interesting to note that in the EU, the harm would include significant humiliation or harm to reputation. Most U.S. data breach laws do not incorporate those as cognizable harms triggering reporting.