EU Data Security Rules
Print Issue: July 2012
IN JANUARY, the European Commission introduced a proposal for a comprehensive reform of the European Union’s (EU) 1995 rules governing the protection of consumer data and digital privacy. The proposal is broadly aimed at creating a unified set of data protection rules across the continent and at updating regulations to take into account the advent of the Internet and many other new technologies.
The proposal needs to be officially agreed upon by the EU parliament; it then needs to be ratified by individual member states. The rules would go into effect two years later. Major changes include the introduction of a strict new rule requiring organizations to report data breaches.
The new proposal would require that organizations report breaches to authorities within 24 hours. This is significant as European countries currently do not require such notification. Creating a process for notifying customers and proper authorities about a data breach can be complex and challenging, says Pascale Gelly, founding partner of Cabinet Gelly, a Paris-based law firm. For larger organizations in particular, it would be worth starting to look now at how they will meet those new mandates.
Other changes to the EU rules strengthen privacy and security, and organizations will likely need to consider more robust security solutions in response, says Lukas Feiler, associate at the Vienna-based law firm Wolf Theiss and a fellow at the Stanford-Vienna Transatlantic Technology Law Forum. One example could be the use of encryption solutions to protect data, he says. As is usually the case in the United States, if a laptop is lost and it’s encrypted, organizations won’t be required to notify authorities, he says.
Organizations may also want to consider taking the stricter privacy rules into account when either purchasing or developing new kinds of software, says Hazel Grant, a partner at the law firm Bristows. Examples could include when an organization is developing a new in-house program for human resources, she says, or when an organization is developing a new Web site. There will be a need to emphasize the concept of “privacy by design” with such software and applications, she says. It will also be important to more carefully document how such programs will protect sensitive data, she says. The new rules will have a greater requirement overall for organizations to document their data collection practices and their strategy and governance surrounding data protection, says Grant.
The proposed changes also aim to provide consumers with greater control over what data is stored about them. Organizations will need to provide consumers with the ability to “opt in” whenever any data collection is involved. In addition, consumers will have a greater ability to have their data transferred from one entity to another. People will also have the “right to be forgotten,” or to have their data deleted, under the rules.
The “right to be forgotten” will likely be one of the most challenging parts of the proposal in many cases, says Frank Maher, a partner at the law firm Legal Risk, based in Liverpool. In just one example, “you may send your [curriculum vitae to a company], and it then may be in a few people’s inboxes as well as in backup storage,” which could make the information challenging to track and delete.
The reforms also increase the penalties for data breaches. Under the new rules, organizations could be fined up to one million euros or 2 percent of the organization’s annual revenue. This increase is significant, Gelly notes, as the largest fine levied so far on a European company has been about 100,000 euros (about $132,000). Organizations with more than 250 employees will have to appoint a data protection officer.
Organizations may want to consider complying with parts of the rules even though they are not yet required to, says Feiler. “It’s still a proposal, but generally speaking, I think it could be wise to get ahead of the development and really make a point of being as good a corporate citizen as possible.” One strategy could be to focus on the parts of the regulation “that make [the best] business sense.”
One of the first steps organizations should take in preparing for the changes is to conduct a risk assessment, says Maher. This includes identifying what the risks are of “losing or keeping data and then addressing [those risks].”
Experts note that the proposed changes could be a boon to international commerce because the new regime will provide more consistency by introducing one set of rules for the continent. That would simplify the process of getting the authorization needed to transfer data across international borders, says Gelly. Gaining such authorization under the current rules can “take weeks or months,” she says.
Due to reduced administrative, compliance, and other costs, it is estimated that the new rules will save European businesses a considerable amount, about 2.3 billion euros (or about $3 billion) annually, according to the European Commission. At the same time, it is hoped that the initiative “will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs, and innovation in Europe,” according to a Commission statement.
The European Commission has said that it is aiming to pass the changes in 2012, but many are skeptical that it will be able to meet that deadline. One reason it will be hard to pass is that European nations tend to differ on how they view privacy and data protection, Grant says. She also cites other EU priorities, including significant financial issues. That said, if the proposal is accepted by the EU, Grant says it is likely the rules will quickly be ratified, as many nations are eager to come to a common agreement on new rules.