Regulatory Roundup, Part 2: Anticipated Reform of EU Data Protection Directive

1/19/2012

In December, the much anticipated draft of recommended reforms to the EU Data Protection Directive was released into inter-service consultation. The draft came in the form of two documents outlining recommendations for proposed regulations, one covering government entities and the other covering private businesses.

The proposed regulations for private business would repeal the EU Data Protection Directive and lay out requirements for the protection of personal information via the regulation. By using a regulation to mandate data protection standards, the EU avoids each nation having to enact its own law to put the standards into effect. This eliminates the variation that can occur from nation to nation and has caused headaches for multi-national companies under the existing directive.

The draft also included a general breach notification requirement, widening the scope that had previously applied to just internet service providers and telecommunications companies. Notice would be required when a breach adversely affects the personal data of an individual, particularly if it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. Notice to the Data Protection Authorities (DPAs) and to individuals would be required without undue delay, and as a rule, not later than 24 hours after the breach has been established. The notice to DPAs and individuals must include:

  • The nature of the breach, including the categories and number of individuals and data concerned;
  • Contact information where more information can be obtained; and
  • Recommended measures individuals can take to mitigate adverse effects of the breach.

Notice to the DPAs must also describe the consequences of the breach and the measures proposed or taken by the data controller to address it. Specifics regarding the criteria for determining when personal information is “adversely affected,” acceptable methods of providing notice, and when a breach is considered “established” so as to trigger the 24-hour notice window are yet to be determined.

The draft contained several controversial provisions, including the “right to be forgotten” and stronger opt-in requirements. Items like these drew criticism from several Directorates-General, and it’s likely that significant changes will be made to the drafts before official release.

Let us hear from you – how would a breach notification requirement, such as the one included in this reform, affect your global operations?

By Francesca Wolf
Legal Counsel & Compliance Officer
