The EU’s Viviane Reding has announced a ‘right to be forgotten’ and large fines but missed the security issues, say critics
The European Commission has laid out a series of key reforms to 1995’s data protection rules in an effort to increase online privacy rights and make companies more accountable for users’ information.
Key proposals include a “right to be forgotten”, a demand that organisations report any data breaches within 24 hours, and an increase in the fines that companies may pay for breaching data protection rules.
Although industry welcomed the proposals, they have been criticised for an over-reliance on fines and punishment, as opposed to encouraging security improvements.
Reforms and criticisms
“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data,” said EU Justice Commissioner Viviane Reding, a Commission vice-president.
The proposed ‘right to be forgotten’, would give individuals greater freedom over personal information, allowing them to request any data about them to be deleted if there are no “legitimate grounds” to keep it.
Organisations will be required to report data breaches to the authorities as soon as possible, “if feasible within 24 hours”, and data protection authorities will be able to impose fines of up to two per cent of a company’s global annual turnover for any breaches of data laws.
The new rules are intended to come into effect in late 2013 and would not only target organisations within the EU, but any that offer services to EU citizens and handle their data.
Though the Commission’s proposals are presented as a way to make organisations more accountable and consumers more trustworthy of those that handle their information, critics of the new measures are concerned that the law will not properly target the main concerns of data security.
“Since it mainly proposes fines, it [the proposals] will not help keep EU citizen data safe from hackers or insiders,” says Rob Rachwald, Director of Security Strategy at Imperva.
“Rather, the EU should put in place fines coupled with a more prescriptive approach, identifying specific actions firms should take to protect data. The payment card industry, PCI, adopted this approach and has managed to lock down data better than any regulation in existence today.”
Others welcomed the tough stance that the EU will be taking, and warned that the consequences for companies could be serious. Steve Shelton, Head of Data at BAE Systems Detica, hoped that tougher penalties might get companies into line.
“Too many businesses lack a coordinated approach to managing their data,” he said. “They don’t know which customer data they’re storing, where it is being stored or who else in the business may be using it. In the future, this could mean they risk substantial fines for non-compliance with customers’ ‘right to be forgotten’”.
Missing the core problem
Though many commentators commended the European Commission for taking a step forward for consumer privacy, some said the proposed reforms are not tackling the core concerns of data privacy. More worryingly, the proposals seem to be catching up with technology rather than preparing for the future challenges of data security.
“The bigger concern is how the adoption of new technologies such as cloud and virtualisation will impact the longevity of the latest data protection directive proposals,” says Francois Zimmermann, Chief Technology Officer at Hitachi Data Systems UK.
“If it is a further two years before internet companies are legally obliged to comply with the latest changes, will they still be relevant? To implement effective data management policies, the rules and policies should be updated as part of an evolutionary process, with changes being introduced as and when they are needed, rather than in a raft every few years or so.”