Despite suggestions that the European Commission proposal for a comprehensive reform of EU data protection rules would be delayed until the Spring, an announcement is scheduled for this Wednesday, January 25 at 12:30 PM CET (6:30 AM EST). The press conference with Viviane Reding, Vice-President of the European Commission in charge of Justice will be live streamed here.
It appears that the requirement for notice within 24 hours of a data security breach will be part of the proposal, despite objections, based on experience with the 49 jurisdictional data security laws in the United States, that it is often impossible to assess a breach, much less give notice of it, within such a short time period. Also, the potential financial penalty of up to 5% of an entity's global turnover for violations of the privacy regulation was a subject of enormous controversy when leaked; it now appears that the upper limit of the financial penalty will be 2%, which is still a very significant amount.
Some excerpts, as reported by the Wall Street Journal Tech Europe blog. Here, Ms. Reding speaks of the change from a directive to a regulation:
A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the member state in which the company has its main establishment. It will not matter anymore which data protection authority deals with a case. All data protection authorities in whatever EU country will have the same adequate tools and powers to enforce EU law.
On international data transfers:
It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America.
In the Internet age, data protection laws need to take account of this global dimension. If they only focus on the activities of a company within a given country, they will not reflect reality.
I therefore want to improve the current system of binding corporate rules to make these exchanges less burdensome and more secure.
On individual control of data:
First, people need to be informed about the processing of their data in simple and clear language. Internet users must be told which data is collected, for what purposes and how long it will be stored. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated.
Second, whenever users give their agreement to the processing of their data, it has to be meaningful. In short, people’s consent needs to be specific and given explicitly.
Thirdly, the reform will give individuals better control over their own data. I will include easier access to one’s own data in the new rules. People must be able to easily take their data to another provider or have it deleted if they no longer want it to be used.
And on the right to be forgotten:
The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.
The announcement from the European Commission comes as the world marks Data Privacy Day. For its part, the Commission produced this video, which focuses on an individual's responsibility to keep certain details of their life private, given the harm to one's career that can result from sharing too much information.