EU Proposal Would Raise Standards, and Penalties, For Handling Data Protection Breaches

Patrick Burke

On January 25th, European Union Justice Commissioner Viviane Reding, speaking in Brussels, proposed changes to the EU's data protection law, sparking significant controversy over the likely consequences of her proposal. Two provisions are of particular note. First, companies with more than 250 employees would be required to appoint data protection officers, who in turn would be required to alert authorities within 24 hours of a serious data breach. Second, a so-called "right to be forgotten" would allow Internet users to have their personal data deleted so long as there is no legal justification for retaining it. Violations would carry penalties of up to €1 million (about $1.3 million), or as much as 2% of a company's yearly global sales. Less serious offenses would still be punishable, but with smaller penalties.

“The EU has long desired to encourage consistent regulations for data protection with respect to the treatment of Internet users’ data and reporting of hacking incidents,” said George I. Rudoy, CEO of the international consultancy Integrated Legal Technology, “and the aim is to reach beyond the 27 EU Member States to the eastern European countries currently not in the EU, including former Soviet Republics, reaching as far as Russia.” Rudoy spoke at the 5th International Conference, entitled “European Data Protection: Coming of Age,” which took place during the week Reding unveiled her long-anticipated proposal. Rudoy emphasized Reding’s comment that the reform will take at least 18 months before it is likely to come to a vote. “It should be expected,” said Rudoy, “that the language of the reform will change substantially during such discussions, given the significant historical differences on the question of data protection among European countries.”

Advocates of the proposal, the Commission among them, estimate that a single set of rules would save companies as much as €2.3 billion per year by eliminating what they deem to be excessive and unnecessary data-protection administrative and reporting costs.

The proposal is drawing criticism from the U.S. and elsewhere, with critics expressing concern that the proposed regulations will obstruct the development of new Web-based business platforms. Furthermore, because the proposal defines "personal data" more broadly than U.S. regulations do, a larger share of the data held by global corporations doing business in the EU market falls within its scope. That makes it more likely that a hacking incident will be deemed a breach of personal data, triggering both the 24-hour notification duty and the proposal's significant monetary penalties.

This is a debate worth following. If Viviane Reding achieves her vision of unified, comprehensive data protection standards, they may become the de facto global standard.
