The European Union has announced a comprehensive review of its data protection laws, alongside some hefty punishments for infringers.
The EU’s Justice Commissioner Viviane Reding today announced the new proposals, which will work to ensure users maintain control over their personal data.
These proposals will introduce ‘the right to be forgotten’, forcing companies to delete the user data of those who request it, alongside an obligation for companies to report data breaches as soon as possible (if feasible, within 24 hours).
Any breaches will lead to penalties of up to €1 million, or up to 2% of the global annual turnover of a company. For a company the size of Facebook, with estimated revenue of $4.27bn, that would equate to an $85m fine.
The EU’s Data Privacy Directive has not been updated since 1995, and these changes are designed to tackle practices such as the indefinite collation of user data for monetisation purposes by companies like Facebook and Google, and situations such as Sony’s belated response when its PlayStation Network was hacked and credit card details were stolen.
"The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation."
While ostensibly aimed at new media technologies’ use of data, these law changes will also affect almost every technology company at work in the EU, from data storage through to the financial services industry.
Critics maintain that many of these measures are an unnecessary burden, especially for smaller businesses, while others maintain that industry best practice is already at work.
"A big question is whether the business community will be willing or able to police itself. If it can’t, businesses could find themselves exposed to regular reviews by official regulatory bodies. The definition of a ‘breach’ will also have to be made clear. Will it depend on the number of records or documents exposed, or on the type of information leaked?" says Christian Toon of Iron Mountain.
Paul Davis of FireEye believes the focus should be on intrusion detection, rather than punitive measures after a breach.
"An organisation has to be aware of an attack and they can’t report a data breach they have no knowledge of: that’s the real issue facing businesses today… Reporting within 24 hours of discovery is admirable but if the company wasn’t aware of the breach for 24 days then where do all involved stand?"
As part of the legislation, the EU also wants to streamline the whole process, noting that the 1995 laws were interpreted differently depending on each country’s legal system. The proposal would see a single set of rules, and the reduction of red tape, which Reding believes will cut business costs by €2.3bn. Each country will also get a national data protection authority which consumers can complain to.
Overall, the proposal aims to provide ‘increased responsibility and accountability for those processing personal data.’ These rules will apply to any company handling personal data that is active in the EU market and offers its services to EU citizens – regardless of which country it is based in. Companies of more than 250 staff will also be required to appoint a data protection officer.
It also requires organisations to explicitly ask users to give their consent to process their personal data, rather than assuming it.
It will also introduce ‘the right to data portability’ – users will be able to access what data is held on them, and be able to transfer this personal data from one service provider to another, such as from Facebook to Google+. This is designed to improve competition among services, but no outline of how this will be achieved was given.
The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.
Charles Race, Senior Vice President Global Sales Strategy
"The 21st century data explosion is in full swing, so it’s no wonder that breaches and abuse of personal information is top of the agenda for the EU. As consumers, patients, customers and social networkers, our personal information is stowed in countless places, outside of our control. Overhauling EU privacy rules puts the right level of pressure on organisations to ensure that they are in total control over valuable information, for the good of themselves and their customers.
"Businesses will need to re-evaluate what steps they have taken to prevent data breaches in the first place and I expect we’ll see the likes of data masking technology come into its own this year as a result. This enables organisations to implement more sophisticated tools and parameters that protect against data breaches.
"Already the subject of stringent regulation and the risk of hefty fines from the Financial Services Authority, following these new standards, the financial services industry in particular will be feeling the heat to make doubly sure that its data security measures are up to scratch."
Matt Gordon-Smith, Director of Security
"Concerns about the more prescriptive nature of the revised directive are understandable given potential cost implications and suitability for some organisations. However, presented with this mandate, IT service providers can use it as an opportunity to better develop the data-processor/data-controller relationship with their customers. This means defining specific controls and deliverables based on the new requirements and keeping data protection high up on the agenda. Tighter controls will undoubtedly precipitate an increase in demand for companies providing services such as detective measures for data loss, data destruction and forensic analysis."
Paul Davis, Director of European Operations
"It’s all well and good to legislate that companies must notify the public and the authorities within 24 hours or face a fine of 2% of their global revenue, but the elephant in the room is that most companies are unable to detect external targeted attacks leading to data loss.
The protection of information is critical to business and the establishment of trust with customers and the notification of data breaches is important, but detection and blocking of exploits should take precedence. An organisation has to be aware of an attack and they can’t report a data breach they have no knowledge of: that’s the real issue facing businesses today. Just because they can’t see an attack or are unaware of the subsequent loss of data doesn’t mean it isn’t happening. Reporting within 24 hours of discovery is admirable but if the company wasn’t aware of the breach for 24 days then where do all involved stand? A greater emphasis on detection and blocking is required: it’s better for businesses and ultimately the customer."
Jeff Finch, Security Services Product Manager
"The new EU privacy rules are a clear signal that the real implications of data theft have been felt. The impact on a citizen once their personal data falls into malicious hands is more than distressing. Yet, incidents of organisations holding vast quantities of personal data without the recourse of systems and policies to enable the protection of that information, have been an all too prominent part of our daily lives. The onus is now on organisations to find a solution that can protect them from potential direct attacks and information leakages.
"There is some good news for businesses in Europe. The collation of harmonised data protection rules across 27 countries will without a doubt save organisations from a headache. Piecing together differing national data protection laws will have felt like one massive patchwork task for organisations, especially as the introduction of cloud computing placed question marks over the exact location of data. The next step is to look for harmonisation with laws in other countries like the US, where the Patriot Act enables authorities to search telephone, e-mail, and financial records without a court order. Thus, understanding where data resides and in whose data centre will continue to be a crucial part of corporate governance for organisations."
Corero Network Security
Andre Stewart, President International
"Personal data is not just about who you are, it’s where you go and what you do. Our cyber lives are now so intimately linked to our actual existence that the value of this information is immense. Facebook identities in the criminal cyber bazaar are now more valuable than credit card particulars. There is no recourse for the individual whose personal data is stolen and therefore the obligation to safeguard confidentiality must be made explicit, and accountability spelled out.
The new data breach laws try to do just that – prescribe and homogenise the rules across the EU with the stated aim of encouraging business growth as well. The question remains whether the law will tread the fine line between achievable data protection and compliance requirements. The new rules say personal data is valuable. Safeguard it. Make someone in your organisation responsible for protecting it. And if you don’t comply you’ll pay because not only can you get hacked — you will get fined."
Christian Toon, Head of Information Security for Europe
"Many businesses of all sizes are falling short of what is required to manage information responsibly. In today’s increasingly scrutinised business environment, the lack of a solid and legally compliant information management policy is inexcusable. Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation."
"A big question is whether the business community will be willing or able to police itself. If it can’t, businesses could find themselves exposed to regular reviews by official regulatory bodies. The definition of a ‘breach’ will also have to be made clear. Will it depend on the number of records or documents exposed, for example, or on the type of information leaked? Organisations should prepare for both of these options."
"[the requirement for named data protection officers] could incur costs that have not been accounted for, so it would be beneficial for a business to consider this before the legislation comes into effect. Having a named data protection officer is already mandatory in Germany. For many businesses, it may be possible to add a new responsibility to the remit of an appropriately skilled employee. Having a specific person to deal with data protection is good practice anyway, and businesses should not wait for official legislation to bring this into effect."
"[Increased fines equating to] two per cent of worldwide turnover is a huge and potentially devastating sum for most businesses. That the EU is prepared to authorise this level of punishment highlights just how serious data protection is taken. Companies needn’t be scared, just prepared. Having plans for storing and accessing records; training employees on those plans are great first steps towards doing the right thing and, maybe soon, the legal thing."
Hitachi Data Systems
Francois Zimmermann, UK Chief Technology Officer
"The announcement by the European Commission that it will overhaul the rules regulating how companies store personal data is a step in the right direction. These measures will help to address the explosion of data we have seen in recent years and put basic measures in place to better protect our personal information.
Today it is very common to see consumers being asked to accept broad terms and conditions that include data management waivers. However, this may mean accepting waivers that sign away valuable personal information and allow confidential personal details to be easily transferred across borders and departments. What the EU is proposing is interesting – the ‘right to be forgotten’ and the ‘right to be deleted’ effectively put customers in charge of their own data. While organisations are still legally obliged to take ownership of where data sits, a rethink is required by consumers so that they think before ticking the box, understand what T&Cs are there for, and how their information is being used.
However, a bigger concern is how the adoption of new technologies such as cloud and virtualisation will impact the longevity of the latest data protection directive proposals. If it is a further two years before internet companies are legally obliged to comply with the latest changes, will they still be relevant? Since the last raft of changes was made to the legislation in 1995, we have seen ever increasing amounts of personal data routinely transferred in a manner beyond our control. In our hyper-connected world we need to address this challenge with responsibility being shared by the individual and by corporations. To implement effective data management policies the rules and policies should be updated as part of an evolutionary process, with changes being introduced as and when they are needed, rather than in a raft every few years or so. This will challenge organisations to have an infrastructure in place that can cope with this constant change; one that enables businesses to understand what data they have, where it is stored and how much it is worth. What is certain is that these changes will force organisations to rethink the way they plan their data management processes."
Gerhard Eschelbeck, CTO
"Any strengthening of the current data protection directives has to be a positive and it is important we continue to update our legal directives in line with developments in technology and both corporate and user practices. Broadly, regulatory changes have had a positive impact on information security, driving better security architectures, and therefore improving protection of customer data. Today the European Commission put forward a number of positive proposals, such as looking to cover all EU member states for the first time and raising the stakes in terms of the financial penalties – up to 2 percent of annual global turnover – for falling foul of the directive. These are moves that many IT security and data protection experts have been calling for, for some time."
"While broadly supportive of the proposals and in particular the recommendation to reduce the time taken to notify users of a data breach, there is a concern that the requirement to notify users and the authorities within 24 hours is very aggressive, and may impact the quality of such disclosures. We also need to look at how these more reactive measures should be tied into more proactive data protection requirements, such as how and which customer data needs to be encrypted, protected and stored in the first place."
Hunton & Williams
Bridget Treacy, Partner
"The draft General Data Protection Directive is to be welcomed. There has been much criticism of EU data protection law, and the draft Regulation addresses many of these concerns. The reduction in red tape will be a real benefit for businesses. A single set of data protection laws across Europe, a single Data Protection Authority (as a "one stop shop") and the need for a single authorisation are helpful, especially for smaller businesses. But not everything in the draft will be welcomed.
For UK organisations, the draft Regulation offers a mixed bag. Harmonisation of data protection laws will be at a higher level than we are used to in the UK. This will hit UK businesses particularly hard. The mandatory appointment of data protection officers with numerous prescribed obligations (such as mandatory Privacy Impact Assessments) will be expensive, particularly for smaller organisations. Also of particular note for the UK is the fact that data processors will have direct obligations under the legislation, and be subject to enforcement action, including fines.
"In a radical change, companies that are based outside the EU, but which target their services at EU consumers, or monitor their behaviour, will find that they are subject to EU data protection law. This will be a significant issue for non EU companies to watch.
"Mandatory reporting of data breaches within 24 hours will be difficult, if not impossible, to comply with. Increased enforcement powers, including fines of up to 2% of worldwide turnover, will ensure that data protection is taken seriously. Organisations will need to think strategically about data protection compliance. In the UK, companies are likely to lament the inevitable loss of a more pragmatic approach to enforcement.
The "right to be forgotten" has been widely hailed as a key legislative reform that will give individuals greater control over their data. In the formal draft of the Regulation, this right is not an absolute right. Importantly, the obligations on a controller to remove or take down data are now linked to the actions of that controller in publishing or authorising the publication. In the original leaked draft, there was a much more onerous and general obligation on the controller to erase such data."