EU's Data Protection Proposals Likely to Include 24-Hour Breach Notification
The proposed new law is to be revealed on Wednesday, despite delays and criticism
Mon, January 23, 2012
IDG News Service — After weeks of controversy, lobbying and concessions, the European Commission looks set to unveil its new data-protection proposals on Wednesday.
The reform of the 1995 Data Protection Directive is one of 2012's key pieces of legislation and has been dogged by more criticism than usual for a directive reform proposal. But over the weekend the commissioner responsible, Viviane Reding, gave more hints about its content during a speech in Munich.
Companies will be required to disclose data security breaches within 24 hours under normal circumstances, Reding said. This new rule is widely seen as a reaction to the Sony PlayStation breach last April when Sony took more than a week to inform its 77 million customers that their data may have been at risk.
However the U.S. Department of Commerce has weighed into the debate, saying that 24 hours is "simply too short," that it could lead to "massive fines" for companies and to confusing "false alarms" for consumers. Such strong criticism from a third country before the proposals have even been issued is seen as a breach of etiquette by many in Brussels.
But the draft proposals have also faced criticism from within the Commission. As a result some of the early plans have been watered down. According to leaked reports, not all identification numbers, location data, or online identifiers need to be considered as personal data. But Reding says that Internet outfits that collect and retain data about their customers will be required to explain why it is necessary to hold such information on their databases and that explicit consent must be given by the user.
The "right to be forgotten," allowing customers to request that their information be erased, and a "right to data portability," allowing customers to transfer their personal data among companies are also expected to be included in the legislative proposals.
The maximum fine for Internet companies breaching the new rules is likely to be revised, with media reports suggesting changes to the current 5 percent of global turnover, to between 1 percent and 4 percent.
The unusually high number of negative internal opinions to the draft legislation is partly a result of a significant lobbying campaign, including high-level phone calls to top level staff in the European Commission according to digital rights group EDRi. And the next couple of days are not likely to see any let-up in lobbying.
However, Wednesday's announcement will be just the first step in a long process that could last up to two years. Once the Commission puts forward its compromise proposal, it must still be approved by European Union member states and the European Parliament.