Hacker News
by _9MOTHER9HORSE 3666 days ago
There are already similar laws in the UK and other countries.

See this recent example, where a sexual health centre accidentally leaked a list of 800 people who had attended HIV clinics.

They ended up with a £180,000 fine: http://www.bbc.co.uk/news/technology-36247186

3 comments

Most people would consider their possibly/definitely having HIV to be a more personal piece of information than their email address.

If I'd been affected by this Let's Encrypt email thing I frankly wouldn't care, other than to question why it happened. (Just speaking for myself, I'm sure some people would care.) But if I was data in a leak revealing a personal serious medical issue, I absolutely would care.

Data protection is already regulated by the EU (only by means of a Directive rather than a Regulation) so the same principles apply across the EU/EEA, if not the exact rules.

Good point and very similar case (though in an entirely different category of "damage caused", plus there seemed to be a prior offense).