While data breach notification laws (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1412063) are often hailed as important pieces of legislation that will promote data security, some argue (https://www.repository.law.indiana.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1235&context=facpub ) they have a limited effect, are not worthy of their high costs, and can even lead to negative outcomes. What position has the EU taken in this debate? Do you agree with it? Your response should refer to the specific data breach notification provisions in the GDPR.

1. GDPR, Recitals 83, 85-87; Articles 32-34 2. NIS Directive, Recital 48; Articles 1-6, 16, 20 3. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), Recitals 1-9, 16-17, 19-22, 24, 74; Articles 1, 3-12, 38, 46, 49, 58. 4. Voigt and Von dem Bussche, pp. 38-43 5. Cybersecurity Strategy of the European Union