Abstract

This chapter illustrates how EU law on data breaches has come to put private companies that are not PMSCs in the driver’s seat of cybersecurity, due to their pivotal role in network and information security and the prevention of cybercrime, which are two of the three pillars of the Union cybersecurity strategy. The applicable law divides into a double regime, depending on whether the breach of security concerns personal or impersonal data. However, the differences between the two regimes are trumped by a number of important commonalities. The analysis of the bridging role played by ENISA reveals that the commonalities between the two regimes are not casual, but rather relate to the applicable law’s common pursuit of network and information security. The instruments are informed by the logics of risk management and assessment, as well as the prevention of security incidents. These logics frame the norms on data breach notification and mitigation, which appear to be part of a wider infrastructure of security aimed at the prevention of cybercrime. This is the case irrespective of whether the breach concerns personal or impersonal data, as demonstrated by means of an analysis of the notion of information security, and of the ‘risks’ entailed by personal data breaches. It is in this light that private companies managing data breaches implicitly become cybersecurity agents, or drivers of cybersecurity. To continue along the lines of the car metaphor, it is as if EU law tries to supply private companies with a specific route—the implementation of risk-based network and information security measures—and fit the car with emergency brakes—the notification of data breaches. Whether private companies are ready—or sufficiently incentivized—to ‘start the engine’ of cybersecurity, drive along the designated route, and brake when needed is, however, a different question. In fact, data breach obligations may appear as the (only?) ‘stick’ available to the state to ensure that private companies do not take all the gains of the information society at the risk of critical (information) infrastructure, begging the question of the effectiveness of the stick.
