The unveiled rules for the EU's data privacy law revamp include 24-hour breach notification, a mandatory data protection officer and required user consent for online data access.
The European Commission on Jan. 25 unveiled its proposed changes to existing data privacy laws that would force Internet companies to better protect user information or face fines.
The rules, introduced on Jan. 25, would update the 17-year-old data privacy laws to better protect Internet users. They are intended to improve online defenses that protect children from online predators, simplify data protection laws across all European Union countries and reduce bureaucracy.
If approved by all 27 member states and the European Parliament, the rules would become law by the end of 2013. Companies found to have violated the rules could face fines of up to 2 percent of a company's annual revenue, which could amount to hundreds of millions of dollars for many Internet and technology companies.
"The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data," Viviane Reding, the European commissioner in charge of data privacy, told Reuters.
Technology companies argued the legislation, if approved, would be almost impossible to implement and could adversely affect their businesses. The rules would also apply to non-EU companies, such as Google, Apple, Microsoft and Facebook, that provide services to EU citizens.
The upcoming changes will affect how companies based abroad but with branch offices and subsidiaries within the EU manage and secure the data belonging to customers and employees, Brian Honan, an independent security consultant, wrote in the SANS Institute's NewsBites.
The proposal imposes "prescriptive mandates" on how enterprises must collect, store and manage information, said Thomas Boue, director of European affairs at the Business Software Alliance. The rules should focus on "substantive" mandates and be flexible enough to adapt to a fast-changing digital environment, he said.
"The risk in the proposal's current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth," Boue said.
While the concerns about the technical problems associated with managing, protecting and auditing access to data are understandable, "the reality is that with the correct technology in place, these issues can easily be solved," said David Gibson, director of strategy at Varonis Systems. The introduction of a single set of privacy standards for all EU territories is long overdue, he said.
Under the new rules, any company with more than 250 employees would be required to appoint a data protection officer. This was "excellent news," because it will focus the attention of companies on this major issue, according to Gibson.
The new rules would require companies to notify consumers as soon as possible of a security breach that puts user data at risk. In theory, the notification should be within 24 hours, according to Reding. In practice, the timeframe would not be feasible. Most breaches are detected weeks and months after the fact, and organizations need additional days and weeks to understand what really happened, according to William Hugh Murray, an associate professor at the Naval Postgraduate School. "All the regulation in the world cannot change that," Murray wrote in the SANS Institute's NewsBites.
Gibson saw the penalty maximum as "a very positive deterrent for any company thinking they can simply hope for the best with their actual data protection systems."
Web services must now get consent from parents when collecting data from anyone age 13 or under, "which is going to cause problems," said Mark Owen, a partner at London-based media and entertainment law firm Harbottle & Lewis. Exactly how the consent requirements will work still needs to be clarified, but "no one has yet worked out a foolproof way of doing this," he said.
There are strict rules for informing users how the data is being used, making it "portable" to use on other services and deleting data upon request.
The new rules may make it more difficult for companies to use behavioral advertising techniques and targeted ads, according to Owen. They will also place an "administrative burden" on insurance companies and financial institutions that rely on statistical profiling to understand their customers. BSA's Boue worried that the rules did not balance protecting privacy rights with ensuring people have access to the "full complement of services the Internet has to offer."
There will be "a lot of moaning and groaning" about the new rules; after a while, they will become "accepted business practice" and part of the data protection and management landscape, according to Gibson.