EU Data Breach Notification in 24 Hours?

On January 25, 2012, the European Union will announce a comprehensive reform of its data protection rules.  This proposed shift will likely toughen existing data-protection requirements and, according to one published report, will include a new rule requiring companies to disclose data breaches within 24 hours of the breach – in effect leapfrogging the toughest existing breach notification laws of the United States.   The EU’s initial Data Protection Directive does not even have a breach notification requirement.

The proposed retooling of the 1995 Directive will also likely prod national data-protection authorities within the 27-member EU to assess administrative sanctions and fines.  Interestingly, an EU conference will be held in Washington, D.C. on March 19, 2012 to obtain feedback from US stakeholders.  One issue that will likely be aired at this D.C. conference is a potential new EU privacy right “to be forgotten” — a hot topic at the most recent International Conference of Data Protection and Privacy Commissioners.   Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has recently publicly called for such a right:  “I also want to create a right to be forgotten, which will build on existing rules to better cope with privacy risks online. If an individual no longer wants their personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.”

Although the proposed new directive framework to be announced on January 25, 2012 will take some time to be implemented by EU member countries and then enforced by the respective member Data Protection and Privacy Commissioners, it is clear that the EU privacy world will soon be changing in a dramatic way.  Those firms processing personal data within the EU are well advised to take notice and prepare for potential new obligations and privacy requirements.

Update:  January 25, 2012
The new proposed set of rules will indeed morph into “big news” if ultimately passed.  First of all, the 1995 Directive will be repealed in favor of a consistent approach for all member states.  In fact, these new rules might also impact US businesses to the extent they process EU protected data and have an EU presence.  In a nod to harmonization hawks, only one member state would have authority to regulate a particular business even if the data was processed among several member states — jurisdiction will ultimately be determined by domicile or where the bulk of processing takes place.

As reported, the proposed new rules do, indeed, have a proposed notification provision that requires notification “without undue delay and, where feasible, not later than 24 hours of becoming aware of [the breach]”.  And there is also a new “right to be forgotten” that is created via these new rules.  Top fines that can be levied for non-compliance with these rules can reach up to 2% of a firm’s gross worldwide turnover (“revenue”).

There are other noteworthy changes, so it is definitely worth taking the time to fully review this proposed comprehensive reform of EU data protection rules, found at the European Commission website.