Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

David A. Zetoony, Joshua A. James, Jena M. Valdetero, and Christopher M. Achatz of Bryan Cave provide an overview of significant differences between U.S. breach notification laws and the EU’s General Data Protection Regulation (“GDPR”). Here’s a snippet from their analysis:

That said, there are several significant differences including:

  1. Type of Information Governed. Data breach notification laws in the United States apply only to enumerated types of data that are considered particularly sensitive such as Social Security Numbers, financial account numbers, or driver’s license numbers. The GDPR’s breach notification provision applies to all types of “personal data” – a term that is defined as “any information relating to identified or identifiable natural person (data subject).”5
  2. Materiality Threshold For Government Notification. Some breach notification laws in the United States only require notification if the breach is “material” (e.g., it compromises confidentiality, security, or privacy of an individual). The GDPR’s breach notification provision requires notifying a government agency (i.e., relevant Data Protection Authority) unless the breach is not likely to result in a risk of the “rights” of individuals.6

Read more on Bryan Cave.

About the author: Dissent