EU Poised to Propose 24-Hour Breach Notification, Data Privacy Rules

Companies operating in the European Union would be subject to more stringent data breach notification rules and data privacy requirements if the proposed rules are adopted.

Companies operating in the European Union may be required to disclose data breaches within 24 hours if proposed new rules are approved.

The European Commission will propose several changes to the data protection and privacy rules to protect individual rights and ensure a high level of data protection on Jan. 25. The proposed changes will simultaneously simplify and toughen the current mishmash of rules and policies currently used by the European Union's 27 member countries.

Along with the data breach notification rule, the commission's proposal includes stricter sanctions and would provide national data-protection officials with authority to levy administrative sanctions and fines, such as fining companies a percentage of their global revenue for violating the rules. The proposed changes would overhaul the EU's 17-year-old data protection policies addressing online advertising and social networking sites.

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," EU Justice Commissioner Viviane Reding said at a conference in Munich on Jan. 22, according to Bloomberg.

There are currently some overlaps and gaps across country rules, which these changes are designed to correct. The proposal would also define national points of contact that can make decisions that would apply across borders. Having a universal set of rules for the EU would save businesses over $3 billion (2.3 billion euros) a year by reducing bureaucracy, according to Reding.

"In Europe, we have too many rules, conflicting rules," Reding said.

Details about the sanctions companies would face for not complying with the 24-hour rule and other penalties are expected to be worked out as the rules are debated in a process expected to take at least two years. Companies will not be required to comply before 2014 or 2015, according to Reuters.

Companies with global operations would be subject to the EU rules even if they are based out of the United States. Industry groups have warned that strict data privacy rules may stifle innovation. Facebook expressed its concerns in a letter submitted to the commission last year urging caution on proposals for stiffer sanctions.

"There is a risk that an excessively litigious environment would impede the development of innovative services that can bring real benefit to European citizens," the company wrote.

The proposed rules would also require companies to obtain "specific and explicit" consent from Internet users to store information and to delete data unless there is a "legitimate and legally justified interest" to retain the data, Reding said. "We need individuals to be in control of their information," she said. Reding also outlined a "right to data portability," which would allow people to easily transfer personal data between companies.

However, the "right to be forgotten" is not an "absolute right," and the new rules would include explicit provisions to ensure those types of data are protected, Reding said. The archives of a newspaper, for example, cannot be deleted as that would "amount to a right of the total erasure of history," she said.

Similar data breach notification legislation is circulating through both houses of Congress. A Senate committee approved a bill for a federal data breach notification law that would standardize how companies would have to disclose incidents. Currently, organizations have to navigate the "patchwork" of varying state rules in the event of a breach.

Sony was roundly criticized last April for waiting six days to disclose the cyber-attack on PlayStation Network and other cloud services that exposed more than 100 million customer accounts.