The European Commission has proposed a “digital to-do list” which sets out seven new priorities for the digital economy and society. Included in the proposal is a strategy and proposed Directive to prevent and counter cybercrime. Proposed by Neelie Kroes, the European Union’s Commissioner for the digital agenda, the draft Directive is expected to impose data breach notification and disclosure requirements on any company that runs large databases, including Internet search providers, social networks, e-commerce sites or cloud services. The Directive would harmonise national laws across Europe, where there is currently no overarching data breach law. Currently, only a few Member States have implemented data breach notification requirements, each with a different approach as to who should be notified and what threshold triggers such a notification.
This new digital Directive, however, has, at best, the potential to overlap with or, at worst, to conflict with the draft EU General Data Protection Regulation, which requires organisations to report data breaches within 24 hours to the “lead” data protection authority in the Member State where they have their main European operations, as well as to each individual whose data has been compromised. Right now the only EU-wide data breach notification requirement stems from the ePrivacy Directive, and applies only to ISPs and telecoms providers.
The proposed new data breach obligation has the potential to cover a wide array of industries, possibly leading to notification fatigue. Liam Benham, a vice president in charge of governmental programs at IBM Europe, suggested that the reporting requirements should be limited to operators of critical infrastructure, like power grids, financial networks and transport systems.
There is clearly a need to ensure that companies are not overburdened by notification requirements, and that any notification obligation neither overlaps nor conflicts with other obligations, nor thwarts the overall objective of reducing cybercrime.