On Wednesday, EU Justice Commissioner Viviane Reding proposed changes to the 17-year-old EU Data Protection Directive along the lines she outlined in a speech on Monday.
Two of the proposed changes are particularly galling to businesses: a requirement that firms notify authorities within 24 hours (if feasible) about a serious data breach and fines for violation of the directive as high as €1 million or 2% of the global annual turnover of a company.
Commenting on the proposed changes, Lisa Banyard, data protection leader at London-based consultancy PricewaterhouseCoopers, observed that “fines imposed in the UK for data breaches were fairly small but going forward this could change dramatically. Organizations will have to demonstrate how they are complying with the law by having proper policies and procedures in place. Sticking a privacy policy on the website will no longer be sufficient.”
Banyard added, “the introduction of compulsory breach notification means companies have to report losses to the Data Protection Authority within 24 hours and that’s going to be tough for some companies to adhere to. Those that don’t already have a well-oiled reporting mechanism in place will need to implement measures to be able to flag breaches in time.”
Adam Malik, founder and content director with Maven-Cast, a UK-based digital conference and events organizer, told Infosecurity that the proposed EU changes display a “lack of understanding of where we are going from a tech perspective...It is going to impact every single business that is running a website.”
Malik said that the EU proposals, if enacted, would make small businesses “jump through a hoop every few minutes. It just adds another tax onto a small business, not just a financial tax, but also a resource and capabilities tax.”
UK cloud provider Star warned that the EU’s “knee jerk reaction” would stifle innovation. “UK businesses don’t need more complex legislation, more distraction from their operations, nor the additional costs this will undoubtedly impose upon them”, the company warned.
Star questioned whether the proposed reforms, which Reding is selling as saving European businesses €2.3 billion through regulatory streamlining, will actually save companies money. “There is no way the proposed bill can save UK businesses money, and although there is some common sense in unifying the rules across the EU they seem heavy handed and will place UK businesses in further discomfort.”
Belinda Doshi, partner at London-based commercial law firm Nabarro, noted that the proposed fines of up to 2% of global turnover were “eye-watering” and the data breach notification requirement would have “major repercussions for business in terms of compliance costs.” At the same time Doshi praised the proposal as an “immense achievement” that would put the “EU at the forefront of privacy and data protection law.”