Abstract

Mandatory breach notification is one of the most promising new ideas to enter the privacy regulatory and enforcement debate. There has been widespread and rapid take-up of the idea in the USA since the first breach notification law was enacted in California in 2002. Breach notification has been the subject of intense study around the world and has been recommended in many jurisdictions. Mandatory breach notification is poised to become the norm in data protection and privacy laws in the next five or 10 years. While notification obligations are typically imposed at domestic level, a number of breaches that warrant notification involve companies that hold the personal information of individuals from many jurisdictions. The individuals are situated well beyond the domestic base of a particular company or where a breach might be said to have occurred. The chapter explores aspects of cross-border breach notification. As notification laws become more widespread, companies may be faced with a patchwork of obligations to notify consumers in various jurisdictions in accordance with differing regimes. Obligations may be conflicting, unclear, incomplete or contradictory. The author recommends that notification laws and standards be designed to ensure that coherent and complementary approaches to cross-border notification are taken that will promote better outcomes for all stakeholders, particularly consumers, but also the businesses that must comply with the new laws.
