On January 25, the European Commission will propose an overhaul to privacy rules that have existed as they are for more than 15-years, with a focus on reinforcing individuals’ rights, strengthening the EU market, and ensuring a high level of data protection.
The proposal will implement a single set of privacy and protection standards, which would override variations within existing rules between the 27 countries that are part of the EU.
“Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries,” the commission’s website explains.
The concern is that while many businesses within the EU have pushed for streamlined rules and protection standards, the proposal may go too far. One of the most talked about proposals includes a 24-hour limit on breach notifications. Any organization that houses personal information, collected from customers or employees, would be required to disclose a breach of this data to those impacted and authorities within 24-hours. Failure to do so could result in the organization being fines up to 2% of their global turnover, which is 3% less than what was originally called for.
“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. European data protection rules will become a trademark people recognize and trust worldwide,” commented EU Justice Commissioner Viviane Reding, during a conference on Sunday in Munich.
The proposed changes to the EU’s data protection policies came after the commission itself said that the EU needs a more comprehensive and coherent approach to its policy on the fundamental right to personal data protection.
“Data does not stop at national borders. As a result, citizens and businesses need common, harmonised rules to protect their personal data and ensure that it flows freely throughout the EU. A unified approach at EU level will make Europe stronger in promoting high data protection standards globally.”
On top of the disclosure changes, the EU change areas of the data protection policy that apply to criminal justice matters and law enforcement cooperation. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework, a statement on the proposal explains.
Moreover, the new policy will require “specific and explicit” from Internet users when it comes to storage and removal of data. The only exception would be if keeping the stored data has a legally justified interest, such as meeting law enforcement retention standards.
The consent requirements and the “right to be forgotten” provision are troubling to some organizations. They fear that such requirements will stifle innovation. The “right to be forgotten” forces social networks such as Facebook to completely remove everything a person as posted once requested to do so, even if the user consented to it being a public profile.
In a pitch on the provision, the commission said that the “right to be forgotten” is a necessity.
“Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries,” the commission explains.
“70% of EU citizens are worried about the misuse of their personal data. That's why the EU is developing rules to strengthen your right to access, change, or delete your data. And it's adding a 'Right to be Forgotten' online, letting you remove all your data from a website as soon as you want it gone. Because your personal data, it's you.”
Another issue with the proposal is that the new EU mandates will apply to non-EU organizations, something that US regulators have vehemently opposed.