January 25th, 2012 saw the announcement of new data security regulations for the European Union (E.U.), the idea being to ‘upgrade’ the law to meet the challenges of a new world. The previous Data Privacy Directive had been implemented in 1995 and did not reflect the changing data ownership and distribution model that exists today: cloud storage concerns, jurisdictional issues, and the sheer volume of information that now exists on each business and individual.
Viviane Reding, the EU Justice Commissioner, had the unenviable task of updating this historic law and making it ‘fit for purpose’ for modern business concerns; the first results can be seen here:
One of the main areas that businesses need to be aware of is the updated regulations around data breach. The EU has seen a challenge regarding data breach regulation similar to what we have seen in the US. In the EU, legislation has been driven at a State rather than Federal level, as each of the 27 member countries has enacted different data breach notification regulations, resulting in a huge range of confusing interpretations throughout Europe.
A key focus for this new law is to fix this problem; therefore it is a proposed ‘Regulation’, rather than a ‘Directive’. This is important because it means that each member state is required to implement it consistently, as opposed to the previous directive, which allowed the individual countries a large degree of latitude over how they implemented the guidelines in their own national law.
The main impacts of the new Data Breach law are:
These new rules are likely to concern businesses, particularly the aggressive timeframe around reporting incidents, and the consultation period will undoubtedly see much discussion on the proposed regulations.
The updated law contains a number of other areas that businesses need to consider when looking at their EU data protection strategy:
The Commission’s proposals will now enter a consultation period, during which the member states and the European Parliament will review the documents and consult with external sources; this represents an opportunity for industry to provide feedback. The intended timeline for implementation would see this come into force in 2015, close enough for businesses to consider how they collect data in the EU, and what changes they may have to make.