Companies operating in the European Union would be subject to more stringent data breach notification rules and data privacy requirements if the proposed rules are adopted.
Companies operating in the European
Union may be required to disclose data breaches within 24 hours if proposed new
rules are approved.
The European Commission will propose
several changes to the data protection and privacy rules to protect individual
rights and ensure a high level of data protection on Jan. 25. The proposed
changes will simultaneously simplify and toughen the current mishmash of rules
and policies currently used by the European Union's 27 member countries.
Along with the data breach notification
rule, the commission's proposal includes stricter sanctions and would provide
national data-protection officials with authority to levy administrative
sanctions and fines, such as fining companies a percentage of their global
revenue for violating the rules. The proposed changes would overhaul the EU's
17-year-old data protection policies addressing online advertising and social
"Companies that suffer a data leak
must inform the data protection authorities and the individuals concerned, and
they must do so without undue delay," EU Justice Commissioner Viviane
Reding said at a conference in Munich on Jan. 22, according to Bloomberg.
There are currently some overlaps and
gaps across country rules, which these changes are designed to correct. The
proposal would also define national points of contact that can make decisions
that would apply across borders. Having a universal set of rules for the EU
would save businesses over $3 billion (2.3 billion euros) a year by reducing
bureaucracy, according to Reding.
"In Europe, we have too many
rules, conflicting rules," Reding said.
Details about the sanctions companies would
face for not complying with the 24-hour rule and other penalties are expected
to be worked out as the rules are debated in a process expected to take at
least two years. Companies will not be required to comply before 2014 or 2015,
according to Reuters.
Companies with global operations would
be subject to the EU rules even if they are based out of the United States.
Industry groups have warned that strict data privacy rules may stifle
innovation. Facebook expressed its concerns in a letter submitted to the
commission last year urging caution on proposals for stiffer sanctions.
"There is a risk that an
excessively litigious environment would impede the development of innovative
services that can bring real benefit to European citizens," the company
The proposed rules would also require
companies to obtain "specific and explicit" consent from Internet
users to store information and to delete data unless there is a
"legitimate and legally justified interest" to retain the data,
Reding said. "We need individuals to be in control of their
information," she said. Reding also outlined a "right to data
portability," which would allow people to easily transfer personal data
However, the "right to be
forgotten" is not an "absolute right," and the new rules would
include explicit provisions to ensure those types of data are protected, Reding
said. The archives of a newspaper, for example, cannot be deleted as that would
"amount to a right of the total erasure of history," she said.
Similar data breach notification
legislation is circulating through both houses of Congress. A Senate committee
approved a bill for a federal data breach notification law that would
standardize how companies would have to disclose incidents. Currently,
organizations have to navigate the "patchwork" of varying state rules
in the event of a breach.
Sony was roundly criticized last April for
waiting six days to disclose the cyber-attack on PlayStation Network and other
cloud services that exposed more than 100 million customer accounts.