Data breach notification rules should only apply where individuals are ‘severely affected’, say EU Ministers reports:

Businesses should only have to report that they have experienced a personal data breach in cases where it is likely that individuals’ rights and freedoms have been “severely affected” by such a breach, EU Ministers have proposed.

The Working Party on Information Exchange and Data Protection (DAPIX), set up within the structure of the EU’s Council of Ministers, said, though, that there are circumstances in which data breaches likely to ‘severely affect’ individuals should not have to be reported.


While I generally do not like risk of significant harm triggers, it’s interesting to note that in the EU, the harm would include significant humiliation or harm to reputation. Most U.S. data breach laws do not incorporate those as cognizable harms triggering reporting.

