On August 25, 2013, a new European Regulation came into effect that changed and expanded upon the breach notification procedures set forth in the E-Privacy Directive (2002/58/EC). The Regulation outlines two independent notification obligations: (1) notification to the relevant national authority within 24 hours after detection of a personal breach where feasible; and (2) notification to affected individuals when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual without undue delay. Notification to subscribers or individuals is not required if the provider has encrypted the data or otherwise rendered it unintelligible. While the E-Privacy Directive and the Regulation applies only to “providers of publicly available telecommunication services,” such as telecommunication companies, ISPs, and email providers, these new requirements have generated and will continue to generate broader interest because of similar language incorporated into the draft General Data Protection Regulation 2012, which applies to all businesses that handle personal data.