New EU Data Breach Notification Requirements
Client Alert | 1 min read | 01.04.10
Public communications providers (ISPs and telcos) in Europe will soon be required to inform their customers and national regulatory authorities about security breaches affecting their personal data.
The European Commission hopes that the new rules will increase the incentives for better protection of personal data by providers of communications networks and services.
The new e-Privacy Directive, 2009/136/EC, enacted on December 18, 2009, amends earlier Directive 2002/58/EC. In addition to mandatory breach notification, communications providers are also required to implement a security policy, adopt measures to restrict access to personal data, and to protect against data breaches. National data protection authorities are given authority to audit compliance with these measures.
Where there is a personal data breach, notice must be given to the national regulator "without undue delay" -- a phrase that is not defined in the Directive. A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service." This definition tracks directly the language of state security breach notification bills that exist in nearly every state in the United States.
In addition to the national regulator, customers must also be informed without undue delay of any breach that is likely to adversely affect their personal data or privacy, unless the communications provider can demonstrate to the national regulator that the information was protected by a technological measure that would render it unintelligible to those with unauthorized access, e.g. encryption.
The new e Privacy Directive must be implemented into national law in the EU member states by May 2011.
Contacts
Insights
Client Alert | 5 min read | 12.12.25
Eleventh Circuit Hears Argument on False Claims Act Qui Tam Constitutionality
On the morning of December 12, 2025, the Eleventh Circuit heard argument in United States ex rel. Zafirov v. Florida Medical Associates, LLC, et al., No. 24-13581 (11th Cir. 2025). This case concerns the constitutionality of the False Claims Act (FCA) qui tam provisions and a groundbreaking September 2024 opinion in which the United States District Court for the Middle District of Florida held that the FCA’s qui tam provisions were unconstitutional under Article II. See United States ex rel. Zafirov v. Fla. Med. Assocs., LLC, 751 F. Supp. 3d 1293 (M.D. Fla. 2024). That decision, penned by District Judge Kathryn Kimball Mizelle, was the first success story for a legal theory that has been gaining steam ever since Justices Thomas, Barrett, and Kavanaugh indicated they would be willing to consider arguments about the constitutionality of the qui tam provisions in U.S. ex rel. Polansky v. Exec. Health Res., 599 U.S. 419 (2023). In her opinion, Judge Mizelle held (1) qui tam relators are officers of the U.S. who must be appointed under the Appointments Clause; and (2) historical practice treating qui tam and similar relators as less than “officers” for constitutional purposes was not enough to save the qui tam provisions from the fundamental Article II infirmity the court identified. That ruling was appealed and, after full briefing, including by the government and a bevy of amici, the litigants stepped up to the plate this morning for oral argument.
Client Alert | 8 min read | 12.11.25
Director Squires Revamps the Workings of the U.S. Patent Office
Client Alert | 8 min read | 12.10.25
Creativity You Can Use: CJEU Clarifies Copyright for Applied Art
Client Alert | 4 min read | 12.10.25
Federal Court Strikes Down Interior Order Suspending Wind Energy Development
