Comparison of Data Breach Rules in Europe and the United States

Businesses have discovered, since the General Data Protection Regulation (GDPR) went live in the European Union last month, that this legislation applies to the personal data of people in the EU regardless of where the business processing that data is located, not just to businesses established in EU countries.

One area of major concern is personal data breaches. Personal data under the GDPR is any information relating to an identified or identifiable natural person. Some of this data falls into special categories that receive stricter protection: racial or ethnic origin, sexual orientation, political opinions, trade union membership, health information, religious or philosophical beliefs, and data relating to criminal convictions or proceedings.

GDPR Article 4(12) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

The GDPR differs from U.S. law in how data breaches are handled. Let’s take a look at how the GDPR differs from American privacy laws when it comes to personal data.

American and European Regulations Differ in what is Considered a Data Breach

U.S. breach-notification laws (chiefly state statutes, since there is no single comprehensive federal privacy law) define a personal data breach as the “unauthorized access or acquisition” of sensitive materials such as names, addresses, and Social Security numbers. The GDPR defines it more broadly as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Under the GDPR, ransomware that encrypts a database or an accidental deletion is a breach even though nobody outside the company ever saw the data.

The risk posed by a data breach is also weighed differently. Under the GDPR, not every data breach must be reported to a Supervisory Authority. Article 33 requires the Data Controller (typically through its Data Protection Officer) to notify the Supervisory Authority unless the breach is unlikely to result in a risk to the “rights and freedoms” of the affected individuals; where the risk is high, Article 34 additionally requires notifying the individuals themselves.

Under American data-breach laws, on the other hand, every breach that may pose a threat to individuals’ personal data must be reported.

Security measures are another area where the GDPR and American privacy laws differ. The GDPR tells companies that collect and process personal data that, where “appropriate technical and organisational protection measures” (such as encryption) were applied to the affected data, there is no need to notify the affected individuals of the breach; the notification to the Supervisory Authority is still required unless the breach is unlikely to result in a risk. Most U.S. state laws, by contrast, provide an encryption safe harbor: a breach involving data that was encrypted at rest generally does not trigger notification at all, provided the encryption key was not compromised along with the data.

U.S. state laws give companies a fixed window to report a personal data breach that varies by state, from a few days to thirty days or longer. The GDPR states that companies must notify the Supervisory Authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it”; the clock starts when the Data Controller becomes aware of the breach, and a Data Processor that discovers a breach must in turn notify the Controller without undue delay.

What is included in the report of a data breach also differs. U.S. state laws allow companies a choice in the manner of reporting and give them leeway about what to include in the report.

The GDPR, on the other hand, prescribes the minimum content of the notification. Businesses are required to describe the nature of the data breach, including the categories and approximate number of data subjects and records affected; give the contact details of the Data Protection Officer or another contact point; describe the likely consequences of the breach; and describe the measures taken or proposed to address the breach and mitigate its effects.

U.S. privacy laws expect a post-mortem process after a breach, but no specific law says how it should be carried out. The GDPR, on the other hand, requires every Data Controller to document all personal data breaches, recording the facts, their effects, and the remedial action taken, so that the Supervisory Authority can verify compliance. This documentation requirement applies to all personal data breaches, not just the ones that had to be reported, and the remedial action should include a plan to ensure the same breach does not occur again.

As the GDPR has only just become enforceable, the jury is still out on how U.S. laws concerning the privacy of personal data will be affected.