
Proposed EU data protection rules include right to be forgotten

The European Commission wants companies that fail to comply with the proposed rules to pay significant fines

A proposed new data-protection law for the European Union includes fines of up to two percent of global turnover for companies that breach the rules, E.U. Justice Commissioner Viviane Reding announced Wednesday.

Despite rumors that the figure would be five percent, Reding insisted the legislative proposals had not been watered down. "Five percent was not something in my pipeline," she said at a news conference to unveil the proposals.

Fines will be on a sliding scale: 0.5 percent of a company's global turnover for charging a user for a data request, one percent if a firm refuses to hand over data or fails to correct bad information, and two percent for more serious violations.

Under the proposals, companies with more than 250 employees will have to appoint a data-protection officer to be responsible for compliance with the new rules, which include the controversial "right to be forgotten", allowing people to have data held about them deleted if there are no legitimate grounds for retaining it.

Reding insisted that "personal data belongs to the person" and that individuals have the right to take any information about them held by a company and move it to another company. They also have the right to insist that personal data be deleted, and companies must comply unless they can show legitimate grounds for retaining the data.

Reding also said that companies would have to report data security breaches "as soon as possible" -- which she said means 24 hours.

The news was welcomed by Green member of the European Parliament Jan Philipp Albrecht.

"We particularly welcome the proposals to impose conditions and time limits on the use of data from individuals who volunteer their private information. In the current online era it is easy for internet users to lose sight of private data that they volunteer online or simply forget, making it all the more important to ensure safeguards are in place. To this end, the proposals for sanctions against major online businesses that abuse private data are also welcome," Albrecht said.

However, some industry representatives were less pleased.

"The Commission's proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information. The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal's current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth," said Thomas Boué, European director of government affairs for the Business Software Alliance.

The reform of the E.U.'s old 1995 Data Protection Directive is one of the key pieces of legislation the European Commission is pushing in 2012, but it has been dogged by more criticism than is usual for a directive reform proposal.

Wednesday's announcement, however, is just the first step in a long process, as the proposals must still be approved by E.U. member states and the European Parliament.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to jennifer_baker@idg.com.
