An analysis of the effectiveness of the EU data breach notification obligation

Bernold Nieuwesteeg*, Michael Faure

*Corresponding author for this work

Research output: Contribution to journalArticleAcademicpeer-review

205 Downloads (Pure)


In this paper we study the law and economics of the EU data breach notification obligation (EU DBNO), which is part of the general data protection regulation. We start our discussion with the origins and aims of the EU DBNO. Following this, we study the social benefits of the DBNO and the conditions for these social benefits to emerge. Next, we analyse whether there would be spontaneous notification without the existence of a DBNO. We discuss how the national DPAs, that are responsible for the execution of the EU DBNO, can sufficiently induce data controllers to comply with the regulation. We also discuss the scope of the regulation from a social welfare perspective, in particular the conditions, which trigger a notification from data controllers. (C) 2018 Bemold Nieuwesteeg and Michael Faure. Published by Elsevier Ltd. All rights reserved.

Original languageEnglish
Pages (from-to)1232-1246
Number of pages15
JournalComputer Law and Security Review
Issue number6
Early online date18 Aug 2018
Publication statusPublished - Dec 2018


  • Data breach notification obligation
  • GDPR
  • Social welfare analysis
  • Data protection authority
  • Deterrence
  • Disclosure threshold
  • Digital first aid kit
  • LAWS

Cite this