In January, the European Commission introduced a proposal for a comprehensive reform of the European Union’s (EU) 1995 rules governing the protection of consumer data and digital privacy. The proposal is broadly aimed at creating a unified set of data protection rules across the continent and at updating regulations to take into account the advent of the Internet and many other new technologies.
The proposal needs to be officially agreed upon by the EU parliament; it then needs to be ratified by individual member states. The rules would go into effect two years later. Major changes include the introduction of a strict new rule requiring organizations to report data breaches.
The new proposal would require that organizations report breaches to authorities within 24 hours. This is significant as European countries currently do not require such notification. Creating a process for notifying customers and proper authorities about a data breach can be complex and challenging, says Pascale Gelly, founding partner of Cabinet Gelly, a Paris-based law firm. For larger organizations in particular, it would be worth starting to look now at how they will meet those new mandates.
Other changes to the EU rules strengthen privacy and security, and organizations will likely need to consider more robust security solutions in response, says Lukas Feiler, associate at the Vienna-based law firm Wolf Theiss and a fellow at the Stanford-Vienna Transatlantic Technology Law Forum. One example could be the use of encryption solutions to protect data, he says. As is usually the case in the United States, if a laptop is lost and it’s encrypted, organizations won’t be required to notify authorities, he says.
Organizations may also want to consider taking the stricter privacy rules into account when either purchasing or developing new kinds of software, says Hazel Grant, a partner at the law firm Bristows. Examples could include when an organization is developing a new in-house program for human resources, she says, or when an organization is developing a new Web site. There will be a need to emphasize the concept of “privacy by design” with such software and applications, she says. It will also be important to more carefully document how such programs will protect sensitive data, she says. The new rules will have a greater requirement overall for organizations to document their data collection practices and their strategy and governance surrounding data protection, says Grant.
The proposed changes also aim to provide consumers with greater control over what data is stored about them. Organizations will need to provide consumers with the ability to “opt in” whenever any data collection is involved. In addition, consumers will have a greater ability to have their data transferred from one entity to another. People will also have the “right to be forgotten,” or to have their data deleted, under the rules.