Information Society Services and Mandatory Data Breach Notifications: Introduction to Open Issues in the EU Framework
In 2011 Sony suffered an extensive breach of its online game network that led to the theft of account data of 77 million users from all over the world. This was one of the largest internet security break-ins that resulted in a large-scale personal data breach. In response to numerous security incidents in which personal data have been compromised, an instrument of mandatory data breach notification is currently being implemented in the European Union, following the approach taken in the United States. The revised e-Privacy Directive and the fresh proposal for a General Data Protection Regulation both introduce a provision whereby the entity suffering a breach will have to notify the competent authorities of the breach. Many large online service providers operate globally, offering their services to users in different countries and processing users' data in different locations, within the EU and beyond. In case such a provider suffers a data breach, and on condition that European law applies to its operations, the provider will be obliged to report the data breach to the authorities and possibly to the injured individual users.
The paper presents the changes in the regulatory framework in the EU and tackles the question of how the new regulations on mandatory breach notifications will affect online service providers, especially those operating across borders. The paper presents the legal framework, assesses its implications and sheds light on the issues that will arise in terms of applicable law, the competencies of the national authorities and the rights of the injured individuals.