This module is a resource for lecturers

Data breach notification laws

Even though many countries have laws that mandate data breach notification (e.g., Philippines, Data Privacy Act of 2012; Qatar, Law No. (13) of 2016 Concerning Personal Data Protection; and Indonesia, Regulation No. 82 of 2012 regarding Provisions of Electronic Systems and Transactions and its implementing regulation, Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System), data breach notifications are not mandatory in most countries (e.g., Argentina, Belarus, Costa Rica, Egypt, Japan, Macau, Malaysia, Madagascar, Mauritius, Panama, Russia, and Saudi Arabia) and/or are mandatory for the private sector and not the public sector in other countries, or only for certain sectors in society (e.g., Angola and Serbia). In Argentina, while data breach notification is not required, agencies are required to keep records of data breaches in the event they occur in case they are requested during an investigation or audit.

Did you know?

DLA Piper has made an interactive world map of data protection laws, as well as a searchable database of national data protection and data breach notification laws.

Data breach notification laws include provisions relating to the application of these laws, such as the people, agencies and/or authorities the laws apply to and what is considered a breach pursuant to these laws. These laws require entities that have been subjected to a breach (and are covered by the law) to contact the individuals whose data was breached and other relevant parties and inform them about the incident.

These laws particularly include the manner in which a notification occurs, the time limit for this notification, and the people, agencies and/or authorities that need to be contacted about the breach. The GDPR, for example, has an obligatory 72-hour data breach notice for unauthorized access to systems and data, use and distribution of data (Article 33). Data processors are required to notify data controllers within 72 hours of a breach and data controllers are required to notify the supervisory data protection authority in the EU Member State affected within the same time period.

Data breach notification laws also include exceptions to the notification requirement. For instance, under the GDPR, notification of the data subject depends on the severity of the data breach (Article 34). Some data breach notification laws do not require notification if it is determined that the breach will likely not harm the affected parties. In other laws, notification occurs when a breach reaches a particular threshold. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires the notification of affected parties within 60 days of the breach. However, in cases where more than 500 individuals' health data was accessed, the Department of Health and Human Services' Office for Civil Rights and the media must be contacted within 60 days of the breach, whereas if the personal health information of fewer than 500 people was breached, the media does not need to be notified and the Department of Health and Human Services' Office for Civil Rights should be contacted no later than 60 days after the start of the next calendar year (HIPPA Journal, 2015).

Other countries' data breach notification laws also require entities that process data to implement security measures to protect data and/or actions on the part of the breached entity to rectify the situation and/or remediate the harm (e.g., Canada, Indonesia, and the United States).

Next: Enforcement of privacy and data protection laws
Back to top