Breach of security vs personal data breach: effect on EU data subject notification requirements
International Data Privacy Law (IF 2.6), Pub Date: 2020-10-13, DOI: 10.1093/idpl/ipaa021
Rogers Alunge

Key Points
  • EU data protection laws require notification of personal data breaches to data subjects if they present a high risk of harm, and define personal data breaches as breaches of security leading to a compromise of personal data.
  • However, these laws offer no comprehensive definition of a breach of security, and the current definition of a personal data breach leaves out a ‘breach of security’ which could be risky to data subjects but cannot be ascertained to have caused a data compromise.
  • This article seeks to determine what would constitute a ‘breach of security’ in EU data protection law, and to propose an alternative approach to EU personal data breach legislation to address the above limitation in protecting data subjects.
  • To determine what could constitute a ‘breach of security’ in EU data protection law, the article analyses relevant information security literature and the NIS Directive against EU data protection rules of secure processing. It finds that a ‘breach of security’ could mean either a violation of data protection rules of secure processing, or an actual defeat of a processing security system.
  • To address the limitation of risky breaches of security which may not be followed by an ascertained data compromise, the article proposes either modifying the EU definition of a personal data breach to include a risk of a data compromise, or modifying the EU personal data breach reporting requirements to include notification (to data subjects) of high-risk breaches of security.


Updated: 2020-10-13