BreachExchange mailing list archives

Firms face tough new EU fines for data breaches


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 26 Jan 2012 02:20:47 -0500

NEWS
Businesses may be fined two percent of turnover for serious data
breaches under tough new data-protection rules proposed by the
European Commission.

EU commissioner Viviane Reding has said firms could be fined up to two
percent of turnover for serious data breaches, under new proposals.

Firms should inform national data-protection authorities within a day
of serious exposure of personal data, justice commissioner Viviane
Reding told a press conference in Brussels on Wednesday.

"Companies and organisations must notify [authorities] of serious data
breaches as soon as possible — and to me, that means within 24 hours,"
said Reding.

The two-percent figure is a slight climbdown for the Commission, which
had considered a five-percent fine level.

Under the Commission's proposed changes to the 1995 Data Protection
Directive, companies can be fined up to €1m (£830,000), or two percent
of global turnover, for serious violations of the regulations. For
example, processing sensitive data without an individual's consent
will be considered a serious violation, according to a Commission FAQ.

For less serious breaches of the rules, such as a company charging
people a fee for requests for their personal data, firms can be fined
€250,000 or up to 0.5 percent of turnover. Companies can be fined on a
sliding scale depending on the severity of the breach: for example,
penalties of up to €500,000 or up to one percent of turnover may apply
for not supplying information to a user or for not rectifying
incorrect data.

National data protection watchdogs will have their powers extended so
they can enforce the new rules, the Commission said in a statement on
Wednesday.

Single point of contact

One of the aims of the new rules is to provide businesses with much
simpler data protection administration throughout Europe, according to
Reding. National data authorities will become the primary point of
contact for companies dealing with Europe-wide data questions, and the
legislation aims to provide a single set of rules for data protection
across Europe.

Rationalisation of data-protection administration, such as
notification requirements across Europe, should save companies €2.3bn
per year, according to the Commission.

The data-protection rules aim to strengthen consumer protections. When
consent is required for data processing, that consent has to be
explicit. People will have a right to data portability — they should
be able to transfer personal data from one service provider to
another.

Facebook and Google

European data-protection authorities will have jurisdiction over
companies active in the European market which handle Europeans'
personal data abroad. Companies such as Facebook and Google must
comply with European data rules, said Reding.

"American companies... have to apply European law, like everybody who
is doing business in Europe. Full stop," said Reding.

The rules will enforce a "right to be forgotten", which will allow
people to request that their data is deleted. Companies faced with a
request for deletion of data will have responsibility to pass that
request on to companies that have copies of that data, according to
Marc Dautlich, head of information law at Pinsent Masons.

"The right to be forgotten will undoubtedly have an effect on internet
platforms," Dautlich told ZDNet UK on Wednesday. "Even if I take down
data from Facebook, I haven't got rid of it, because it's going to
appear in Google's and all search engines' cache."

Compliance would have other implications — organisations with over 250
employees will have to employ a data-protection officer under the
proposed rules, he said.

The Commission's new rules will go to the European Parliament and to
the European Council for debate. Once adopted by these bodies, the
legislation will take two years to come into effect.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
