The European Commission has unveiled the formal drafting of proposed reforms to its data protection laws.
The reforms seek to unify regulation and enforcement across member states and introduce new obligations for large organisations.
The proposed rules require organisations to disclose data breaches "as soon as possible, which for me means within 24 hours", vice president of the European Commission Viviane Reding said today. This would end the current "scandal" that when personal data is stolen, the subject of that data often does not find out for weeks.
They also mandate that organisations with more than 250 employees (small businesses are exempt) appoint data protection officers, and introduce a ‘right to be forgotten’, the obligation for companies to delete data they hold about an individual on request "unless there is a material reason to keep it".
The reforms propose that data rules should be harmonised across member states, and that there should be a "one stop shop" for data protection regulation and enforcement in every country. "We need strong, independent data protection authorities, by which I mean independent from politics and from industry."
Reding said that by harmonising data protection rules across member states and ‘streamlining’ the approval processes for multi-national companies moving data between European states, the reforms will save business €2.3 billion a year.
She said that the reforms aim to improve confidence among consumers that their personal data will be handled with care.
"72% of EU citizens are concerned that their data may be used inappropriately," Reding said at a press conference. "They are concerned that companies may pass on their data to other parties without them knowing. This discourages them from being free with their data."
"This reform will increase trust that data is well protected and ensure that people are well informed about what is done with their data," she said. This in turn will boost Europe’s digital economy, she added. "People will have confidence to use online services."
The draft proposals establish that non-EU companies that sell services into member states will be subject to the rules.
Reding was asked whether the new rules would address the confusion about the US Patriot Act, which allows US security forces to access data on European citizens held by US companies. She said that the proposal includes rules that restrict the ability of external bodies to access EU citizens’ data. "Transfers should only be allowed when requirements are met," she said. "The future will show if this will be operable or not."
The proposals will now pass through European Parliament. James Mullock, head of data privacy at law firm Osborne Clarke, told Information Age that major changes to the proposals would only take place if one or more of the member states took a strong position against them.
The UK’s Ministry of Justice reiterated remarks made by justice minister Ken Clarke earlier this year, cautioning against ‘one size fits all’ data protection rules.
"Failing to protect people’s data causes problems. But failure to share data can cause harm too. We need to protect safety, encourage innovation and safeguard people’s privacy," the Ministry said in a statement. "We need a common sense approach that respects different cultures and legal systems.
"We agree with the Commission that the processing of personal data should be founded on the principles of necessity and proportionality, but that does not mean that we should seek to introduce disproportionate and unrealistic data protection legislation that inhibits economic growth or the ability of our law enforcement agencies to protect the public."
The UK’s legal sector has warned that the draft proposals will impose new burdens on businesses.
Osborne Clarke’s Mullock described Reding’s claim that the reforms will save businesses money as ‘fatuous’. "I think it's slightly disingenuous to describe this as a cost reduction," he said. "It is beneficial to businesses but it will cost them more money. They should expect to have to spend more money on compliance."
Marc Dautlich, head of information law at Pinsent Masons, said executives with responsibility for data protection will welcome the harmonisation of laws across EU states. "But when this is approved, they will without a doubt need a bigger budget, because they’ve got a lot to do."
Consumer rights group Consumer Focus welcomed the draft reforms. "It is only right that if firms want to collect and benefit from using the data they collect they must also be willing to take the responsibility that comes with this," said Adam Scorer, director of policy and external affairs. "This is a big step forwards in putting control of personal information back into consumers’ hands."