European Commission data protection proposals draw hostile reaction

Reaction to the European Commission data protection proposals has been largely negative, as many believe the new rules are costly and misdirected.

A new set of European Commission data protection proposals aimed at simplifying data protection rules across the 27 countries of the EU has received a hostile reaction from industry.

In a January 25 written announcement, the Commission proposed a comprehensive reform of the EU's 1995 data protection rules, which it claimed would both strengthen online privacy rights and boost Europe's digital economy.

“A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year,” the announcement said. “The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.”

The main savings, according to a statement from EU Justice Commissioner Viviane Reding, would come from the harmonisation of data privacy rules across Europe and the ability for companies to deal with a single national supervisory authority, usually in the country where they do most of their business.

Along with the benefits will come new sanctions for companies that suffer data breaches. They would be required to notify the national supervisory authority of any serious data breach as soon as possible, within 24 hours if feasible. They could also face fines of up to 2% of their worldwide revenues. According to the Financial Times, Reding had asked for the fine to be 5%, but the percentage figure was scaled down at the last minute.

According to the proposals, consumers would have easier access to their own data and would be able to transfer personal data from one service provider to another more easily. They would also have the “right to be forgotten,” having their data deleted from systems such as social networking sites.

Despite the promise of reduced costs, the Confederation of British Industry, a lobbying organisation representing more than 250,000 companies, reacted angrily to the proposals.

“At a time when we should be boosting business confidence and encouraging innovation in digital services, these proposals will interfere with the relationship between businesses and their customers, and only add to costs,” said Matthew Fell, CBI director for competitive markets, in a written statement. “We see no reason for such a radical overhaul when existing data protection legislation remains fit for purpose.”

While some security industry professionals welcomed the idea of giving more power to consumers, they doubted the effectiveness of the proposed rules. Rob Rachwald, director of security strategy for database security vendor Imperva, said the rules are too vague and need to be more prescriptive.

“Since [the European Commission proposals] mainly propose fines, they will not help keep EU citizen data safe from hackers or insiders,” he said in a statement. “Such approaches have not met with great success in the past. Rather, the EU should put in place fines coupled with a more prescriptive approach, identifying specific actions firms should take to protect data. The payment card industry, PCI, adopted this approach and has managed to lock down data better than any regulation in existence today.”

Paul Davis, director of European operations for network security vendor FireEye, also questioned how the new disclosure rules would be applied. “Notification of data breaches is important, but detection and blocking of exploits should take precedence,” he said. “Most companies are unable to detect external targeted attacks leading to data loss. Reporting within 24 hours of discovery is admirable, but if the company wasn't aware of the breach for 24 days, then where do all who are involved stand?”

However, Jeff Finch, security services product manager at London-based cloud services provider Interoute, said the harmonisation of rules will deliver real benefits. “With the current environment, piecing together differing national data protection laws can be a massive patchwork task for organisations, especially as the introduction of cloud computing placed question marks over the exact location of data,” he said. “The next step is to look for harmonisation with laws in other countries like the US, where the Patriot Act enables authorities to search telephone, email and financial records without a court order.”

The new proposals will now be passed on to the European Parliament and EU Member States for discussion in the Council of Ministers. If adopted, they will take effect in two years.