New EU data laws to include 24hr breach notification
The EU's new data protection laws, due for publication later this week, will include an obligation for organisations to reveal data breaches within 24 hours
The European Union's new data protection laws will include rules obliging organisations to reveal data breaches "without undue delay", justice commissioner Viviane Reding revealed yesterday. Speaking at a conference in Munich on Sunday evening, Reding said that 'undue delay' would mean anything more than 24 hours.
The full revised laws are due for publication on Wednesday this week. The proposed laws are due for ratification by member states in 2014 or 2015.
Reding told the conference that the new laws would give European tech companies the edge when handling personal data. "Personal data is the currency of today’s digital market," the Wall Street Journal reported Reding as saying. "Like any currency, it needs stability and trust. Only if consumers can ‘trust’ that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, and accept new services."
As well as due disclosure, the new legislation will include "the right to be forgotten" and a "right to data portability", meaning that customers must be able to transfer their personal information easily between internet services, even between rival companies.
Reding said that the new laws would cover all EU states, and that national data protection authorities, such as the Information Commissioner's Office in the UK, would all have the same tools and powers to enforce EU law. She estimated that the new laws would save €2.3 billion in costs through the elimination of red tape and the unification of the current, patchy regulations across Europe.
Commenting on the proposed changes, Liz Fitzsimons from international law firm Eversheds acknowledged that data protection laws need to be updated for the 21st century.
"Regulators must carefully balance the need to maintain suitable protection for individual privacy and rights, against ensuring that compliance is realistic and achievable," she warned. "The new data protection regulation will impose material changes in approach. At a time when trading is vulnerable and enterprise needs to be encouraged, it is hoped that the right balance has been achieved."