January 25th, 2012 saw the announcement of new data security regulations for the European Union (E.U.), the idea being to ‘upgrade’ the law to meet the challenges of a new world. The previous Data Privacy Directive had been implemented in 1995 and didn’t reflect the changing data ownership and distribution model that exists today: cloud storage concerns, jurisdictional issues, and the sheer volume of information that now exists on each business and individual. Viviane Reding, the EU Justice Commissioner, had the unenviable task of updating this historic law and making it ‘fit for purpose’ for modern business concerns. The first results can be seen here:
One of the main areas that businesses need to be aware of is the updated regulations around data breach. The EU has seen a similar challenge regarding data breach regulation to what we have seen in the US. In the EU, legislation has been driven at a state rather than a federal level, as each of the 27 member countries has enacted different data breach notification regulations, resulting in a huge range of confusing interpretations throughout Europe. A key focus for this new law is to fix this problem, which is why it is a proposed ‘Regulation’ rather than a ‘Directive’. This is important because it means that each member state is required to implement it consistently, as opposed to the previous directive, which allowed the individual countries a large degree of latitude over how they implemented the guidelines in their own national law. The main impacts of the new data breach law are:
- The requirement to notify affected customers/employees and the national Data Protection Authority within 24 hours of the incident.
- New fines to be set at a maximum of €1 million or 2% of the global annual turnover of the company, a huge increase over most current regimes.
These new rules are likely to concern businesses, particularly the aggressive timeframe around reporting incidents, and the consultation period will undoubtedly see much discussion of the proposed regulations. The updated law contains a number of other areas that businesses need to consider when looking at their EU data protection strategy:
- The introduction of a ‘Right to be Forgotten’. Aimed primarily at social networking sites and search engines, this will also extend to any company’s database: how do we ensure that we remove all traces of an individual based on their request?
- ‘Explicit’ rather than ‘Implied’ consent for data collection. Wherever we are collecting information, whether on a website or at an event, we will have to be very clear about what we intend to do with it, how it will be stored, and how the impacted individual can gain access to that information.
- EU Data Protection Authorities to apply these rules even if the information is processed outside of Europe. It’s not clear today whether these new rules will have any impact on the existing US/EU Safe Harbor regulations; this is something to watch out for in the consultation period.
So what’s next?
The Commission’s proposals will now enter a consultation period in which the member states and the European Parliament will review the documents and consult with external sources; this represents an opportunity for industry to provide feedback. The intended timeline for implementation would see this come into force in 2015, close enough for businesses to consider how they collect data in the EU and what changes they may have to make.
- European Commission proposals
- Feedback from the European Data Protection Supervisor
- Duane Morris law firm update on new proposals
- UK Information Commissioner’s response to the proposals
- ZD.Net blog on European draft data law
- US feedback on EU data rules