I was in the Netherlands last week at the Heliview Privacy conference and found that, starting from January 1st, 2016, data breaches in the Netherlands must be notified to the authority and to the data subject.
The non-compliance fines are set at 810,000 euro or an impressive 10% of the company's turnover.
You can find more information here if you read Dutch or use Google Translate: https://cbpweb.nl/nl/melden/meldplicht-datalekken
It is good to see that discussions are starting about how to apply the new law and how to interpret the meaning of some key words, such as "severe" data breach.
This law follows a common trend in Europe, started by the national DP authorities, of anticipating the most important concepts of the EU DP Act that will be approved sometime in the future. For example, I have seen the same data breach notification obligations in Italy for the Telco, Internet Provider, Health Care and Banking (moral suasion) sectors.
It is not only the national Privacy Commissioners who are introducing data breach notification: the Bank of Italy has issued a regulation that requires banks to notify severe data breaches to the banking supervisory authority.
So the discussion about the meaning of "severe" is open. I hope that "severe" won't end up meaning only events on the scale of an earthquake or a terrorist attack and upwards.
Fines can be high, but the costs related to data breaches are higher: see what happened to Sony http://go.techtarget.com/r/48922390/6483012/2 .