Simply Security - News, Views, and Opinions from Trend Micro

EU proposes data protection overhaul; criticism ensues

Posted on February 3rd, 2012 in Current News, Privacy & Policy by Simply Security

The European Union has proposed new data privacy rules that could have drastic effects in Europe and abroad.

The European Commission this week revealed a proposed overhaul to decades-old data protection rules in an effort to improve online privacy and Internet security across the European Union (EU) and beyond. However, even before the effects of the proposed rules could settle, backlash was felt from companies and governments around the world.

This would be the first major update of the data protection rules since 1995, when, as EU Justice Commissioner Viviane Reding points out, only 1 percent of Europeans used the Internet. The revision aims to bring the regulations into the modern era in which the Internet plays a central role in communication, entertainment, business, shopping and more.

The proposal would establish a single set of data protection rules across the EU, simplifying the way companies respond to data breaches and other data privacy violations.

One of the key elements of the EU's proposal is the commission's ability to fine companies that violate the data protection rules up to $1.3 million, or 2 percent of global turnover, for serious data security failures.

For less serious breaches, companies could be penalized approximately $327,000, or 0.5 percent of turnover. Individuals would have the "right to be forgotten," meaning they could demand that organizations delete their data if there are no legitimate grounds for keeping it.

Businesses would also be required to notify the proper authorities of any serious data breaches within 24 hours "if feasible," according to a statement from Reding.

"The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data," Reding said. "My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses."

According to Reding, the new rules will save European businesses approximately $3 billion a year by eliminating "unnecessary administrative requirements."

Despite Reding's promise of cost savings, the new data protection rules were met with mixed reactions. According to U.K. news provider the Register, Google's Marisa Jimenez agreed that the "right to be forgotten" policy was a step in the right direction. However, she added that the situation becomes tricky when third parties are involved.

"The question comes when deleting data placed on a third party that has very little control of what's been done with that data. … Some of the scenarios enter well, others are rather unworkable. The way it is drafted is very unclear. It's a right, but written in a very technical way and not everyone will understand it in the same way when they read it," Jimenez said, according to the Register.

Another rule that received pointed criticism is the requirement that the data protection and privacy regulations apply to any company that is active in the EU market, whether or not it is a European company.

This means that companies like Google, Facebook and Microsoft – all of which are based in the United States – would be subject to the EU's regulations.

"American companies have their subsidiaries here in Europe, they are going to be regulated in a one-stop shop, in the state where their subsidiary is. They will have to apply European law like everybody who is doing business in Europe," Reding said, according to the Wall Street Journal.

This demand for compliance is not likely to sit well with many international organizations. James Lovegrove of the not-for-profit TechAmerica Europe told the Journal that the rules could make it difficult for global businesses to operate in Europe.

"The real concern is that many of the proposed rules will inhibit the free flow of information globally and make it difficult for global businesses to operate and invest in Europe due to greater legal uncertainty, increased administrative burdens and the risk of fines," Lovegrove said.

The U.S. government was also quick to respond to the commission’s proposal. According to news provider the AFP, U.S. Coordinator for International Communications and Information Philip Verveer told reporters that the United States would examine the legislation closely in order to determine whether the proposal would be too costly for American businesses.

"What is very important I think is to try to avoid a situation where there are requirements that may unnecessarily add to compliance costs or administrative costs that will diminish the efficiency with which services can be rendered," Verveer said, according to the AFP.

The EU and the United States have butted heads over data security and privacy in the past. In December, for example, Reding and other EU legislators criticized U.S. data privacy practices – as they relate to the USA Patriot Act in particular – as being too invasive.

EU officials called for changes to U.S. data privacy regulations, with Reding noting that there must be a "free flow of data between our continents."

With this latest proposal, the EU may be trying to force the United States' hand, demanding that data protection and privacy practices align with its own in certain scenarios.

Though it is not certain that the EU's data protection rules will pass as currently written, the proposal does highlight a mindset shared by many around the world: an organization's data security practices can no longer be governed by a single set of rules.

This is especially evident with the growth of cloud computing and other web-based services, as data is no longer stored in the same country from which it is being accessed. Certain companies must be able to operate internationally. Therefore, going forward it is likely that organizations will have to adopt data protection practices that transcend borders or risk running into fines or other sanctions.

Comments

  1. [...] Commission, the executive body of the European Union (EU), raised eyebrows last month when it proposed sweeping changes to decades-old data protection rules – a move that sparked some praise and a lot of criticism [...]

    Pingback by EU’s ‘right to be forgotten’ policy to affect search engines, social networks | Simply Security on March 5, 2012 at 1:34 pm