Back to Blog

GDPR and Data Breach Notification Laws: A Global Overview

LeakedSource Team
|

Why Breach Notification Laws Exist

For decades, companies that suffered data breaches had no legal obligation to tell anyone. Millions of people had their personal information stolen without ever being notified. The result was that criminals could exploit stolen data for months or years before victims had any idea they were at risk.

Breach notification laws changed this by requiring organizations to disclose breaches within specific timeframes and to inform affected individuals so they can take protective action.

The European Union: GDPR

The General Data Protection Regulation, enacted in 2018, established the most comprehensive data protection framework in the world. Its breach notification requirements are among the strictest:

  • 72-hour notification rule: Organizations must report breaches to their supervisory authority within 72 hours of becoming aware of the incident
  • Individual notification: If the breach poses a high risk to individuals, the organization must notify affected persons "without undue delay"
  • Content requirements: Notifications must describe the nature of the breach, likely consequences, measures taken, and contact information for the data protection officer
  • Penalties: Violations can result in fines up to 20 million euros or 4 percent of global annual turnover, whichever is higher
  • Extraterritorial scope: GDPR applies to any organization processing the data of EU residents, regardless of where the organization is based

GDPR fundamentally shifted the balance of power by treating personal data as belonging to the individual, not the organization that collects it.

The United States: A Patchwork Approach

The United States has no single federal breach notification law. Instead, all 50 states have enacted their own statutes, creating a complex web of varying requirements:

  • California (CCPA/CPRA): Among the strongest state laws. Grants consumers the right to know what data is collected, demand deletion, and opt out of data sales. Breach notification within a reasonable timeframe
  • New York SHIELD Act: Requires reasonable security safeguards and broadens the definition of private information that triggers notification requirements
  • Texas: Notification required within 60 days. Breaches affecting more than 250 residents require notification to the state attorney general
  • Florida: Notification within 30 days, one of the shorter deadlines among US states

Common elements across US state laws:

  • Notification to affected individuals is universally required
  • Definitions of "personal information" vary significantly between states
  • Timeframes range from 30 to 90 days, with some states using vague language like "most expedient time possible"
  • Many states require notification to the state attorney general for large breaches

Canada: PIPEDA

Canada's Personal Information Protection and Electronic Documents Act requires organizations to:

  • Report breaches creating a "real risk of significant harm" to the Privacy Commissioner
  • Notify affected individuals as soon as feasible
  • Maintain records of all breaches for two years, regardless of severity
  • Penalties of up to $100,000 CAD per violation

Australia: Notifiable Data Breaches Scheme

Since 2018, Australian organizations covered by the Privacy Act must:

  • Assess suspected breaches within 30 days
  • Notify the Office of the Australian Information Commissioner and affected individuals if the breach is likely to result in serious harm
  • Provide specific details about the breach and recommended protective steps

Brazil: LGPD

Brazil's Lei Geral de Protecao de Dados, modeled after GDPR, requires:

  • Notification to the national data protection authority within a "reasonable timeframe"
  • Communication to affected data subjects when the breach may cause significant risk or damage
  • Penalties up to 2 percent of revenue, capped at 50 million reais per violation

What These Laws Mean for You

You have the right to be informed. In most jurisdictions, organizations must tell you when your data has been compromised. If you receive a breach notification, take it seriously and act immediately.

Notification does not mean protection. Being told about a breach after the fact does not undo the damage. By the time you receive a notification letter, your data may have been circulating for weeks or months.

Companies often delay. Despite legal requirements, many organizations take months to disclose breaches. Some discover breaches only after stolen data appears for sale online.

Cross-border breaches create jurisdictional complexity. When a multinational company is breached, different notification rules may apply to different affected individuals based on where they live.

Proactive Monitoring Is Essential

Relying solely on breach notifications leaves you reactive. Companies may not know they have been breached, may delay notification, or may not be subject to strong notification requirements in their jurisdiction.

Check LeakedSource to proactively monitor whether your data appears in breaches, rather than waiting for a notification that may arrive too late.

Check Your Breach Exposure

Find out if your email address has been compromised in any known data breaches.

Scan Your Email Now

LeakedSource Support

AI assistant — a human reviews escalated chats

This chat has been escalated to our support team — a human will reply here or by email. If you haven't shared your email yet, just type it here so we can reach you.
Hi! I'm the LeakedSource assistant. Ask me about scans, breaches, billing, or your account.