In seemingly never-ending “Beat My Data Protection Law” match, the EU is debating a proposal for comprehensive reform of the existing EU data protection framework which will apply across all 27 EU Member States. This is a Regulation not just a Directive. So they are serious this time. But does the proposed reform to the European data privacy law that has been causing much controversy since it was unveiled in January 2012 really measure up against the California and Massachusetts legislatures?
What are those fun-loving European bureaucrats coming up with to make life easier? Here are 10 things to watch out for.
1. An Even Broader Scope
“Personal data” could now be ANY information relating to an individual, including posts on social networking websites and your computer’s IP address. Merely targeting EU consumers from offshore will be enough to trigger the regulation. Time to shut down your websites? And watch out for those limited “personal info” definitions in your cyber policy.
2. Express Consent to Process Personal Data Required
Consumers must opt in…? What? You mean we have to ask everyone if we can use their data after all the surreptitious work we did to obtain it?
3. Breach Notification Requirement
Companies must notify the authorities within 24 hours of awareness of the breach. Kapow!!!! The best that CA could come up with was five days.
4. Requirement to Implement Measures to Demonstrate Compliance
Keeping records of day to day events to include records of customers’ requests for rights of access, correction or deletion of data. No way! Let’s just go surfing off the Santa Monica pier in a hurricane.
5. Appropriate Organizational Processes
Creating documented procedures and organizational structures to protect personal information and other data. Gnarly!! Think of U.S. Red Flag requirements for all companies. If you are not familiar with the Red Flag rules think of a large manual with a lot of charts to be implemented.
6. Data Security
As before, safeguards such as passwords, virus protection and intrusion detection must be implemented. But the devil will be in the details, the EU Commission wants the power to randomly decide what particular standards everyone in Europe has to adopt. Just because the U.S. can’t come up with definitive technical standards that are appropriate to different size companies don’t think that the Europeans can’t do it in 23 official languages including Maltese.
7. Data Protection Impact Assessments
Before you do anything new with data, you will need to conduct privacy impact assessment. As if struggling large accounting/consultancy firms need more audit work.
8. Requirement to Appoint Data Protection Officer
Yes. If you have more than 250 employees you have to appoint one. A mini in-house privacy watchdog you pay for because governments can no longer be asked to pay for such things when they have a banking crises.
9. Significant Penalties
Up to 1,000,000 euros or 2% of the annual worldwide turnover of a company. Phew. And we thought they would get tough on this one.
10. One Stop Regulatory Shopping
Is it possible there could be good news in this? It seems so. Even though the restrictions on the transfer of personal data to places that do not offer an adequate level of protection (likely to be everyone including CA and MA) remain in place, multinationals will likely only need a single EU country to approve standards in order to be approved by all.
It is still possible that the proposed Regulation could be modified before adoption as the member states are still in the process of suggesting amendments. We will provide further update you further as the situation develops.