Data breach notification rules should only apply where individuals are ‘severely affected’, say EU Ministers

Out-Law.com reports:

Businesses should only have to report that they have experienced a personal data breach in cases where it is likely that individuals’ rights and freedoms have been “severely affected” by such a breach, EU Ministers have proposed.

The Working Party on Information Exchange and Data Protection (DAPIX), set up within the structure’s of the EU’s Council of Ministers, said, though, that there are circumstances in which data breaches likely to ‘severely affect’ individuals should not have to be reported.

Read more on Out-Law.com.

While I generally do not like risk of significant harm triggers, it’s interesting to note that in the EU, the harm would include significant humiliation or harm to reputation. Most U.S. data breach laws do not incorporate those as cognizable harms triggering reporting.

Revealed: Afghan data breach after MoD official left laptop open on train
Canada says hacktivists breached water and energy facilities
UK: FCA fines former employee of Virgin Media O2 for data protection breach
China Amends Cybersecurity Law and Incident Reporting Regime to Address AI and Infrastructure Risks
Alan Turing institute launches new mission to protect UK from cyber-attacks
Safaricom-Backed M-TIBA Victim of a Possible Data Breach Affecting Millions of Kenyans

Related: