Reding detailed the proposal, which is part of comprehensive reform of the EU Data Protection Directive, during a speech at a conference in Berlin on Sunday. She said the proposal would require companies to notify customers of a data breach “without undue delay”, which she interpreted as within 24 hours.
“Whether user data gets stolen from an online gaming service, or credit card details are hacked on a firms' website: these security breaches affect millions of users around the world. There were recently many serious data breach incidents which highlight why companies need to reinforce the security of the information they hold. Frequent data security breaches risk undermining consumers' trust in the digital economy”, Reding told the conference.
The proposed reform will also include simplification of Europe’s data protection laws. Reding noted that there is currently a patchwork of 27 different, often conflicting data protection laws in Europe. This patchwork costs businesses €2.3 billion per year, she estimated. Instead, the proposed reform would create one law that would apply to all EU member states and companies operating in Europe.
The EU commissioner first indicated her intention to propose comprehensive data notification rules last June in a speech to the British Bankers’ Association. At that time, she admitted that she expected resistance to a comprehensive data breach requirement. Her prediction is about to be put to the test.