Viviane Reding’s future Data Protection Law includes ‘serious’ breach notification
Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner, gave a very important speech at the BBA (British Bankers’ Association) Data Protection and Privacy Conference in London on 20 June 2011: Assuring data protection in the age of the internet. Interest has focused on her statement:
I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services.
This is something Europeans have been calling for (for example, see The Institute of Directors – talking net neutrality, compliance and breach notification with Richard Swann on this blog).
The thrust of the speech was that she would create a level playing field across Europe, so that precisely the same data protection rules would apply in every EU country.
This is what I will do for businesses.
But in return,
People must know how their data is being used. Service providers have to increase transparency on how a service operates, what data is collected and further processed, for what purposes, and where and how it is stored. In light of recent data theft scandals, let me add that I expect companies to do more to keep their customers’ personal data secure.
Mandatory breach notification is seen as a key lever for ensuring that increased security. But there are further hints for the future, including:
Take the cloud, the story goes that the data in cross-border and cross-continent flows is impossible to regulate. This is not my vision of the future… I am considering the inclusion of the “accountability principle” in my reform so that data of citizens exported to third countries is always exported with their rights attached.
Or take the “right to be forgotten”. “Impossible” some say, “get over it”. Well, I don’t agree… I cannot accept that individuals have no say over their data once it has been launched into cyberspace.
All of this is fine and noble – but we should remember that at the moment it is just an aspiration. The devil will be in the detail, and we can already see how this will work. The phrase ‘serious breach’ already occurs:
I do believe that an obligation to notify incidents of serious data security breach is entirely proportionate and would enhance consumers’ confidence in data security and oversight mechanisms.
‘Serious’ is underlined – not by me, but by Ms Reding. So who defines ‘serious’? Well, it can’t be the EC, because if there is no notification, they have nothing to judge. So this is in effect a pretty meaningless statement; if it is not serious, does it not have to be disclosed?
Garry Sidaway, Director of Security Strategy at Integralis, believes that industry will feel compelled to comply. “Legislation and audit pressures are huge on businesses at the moment due to the global crisis,” he told me. “The auditors do not want to be caught out again and are driving and enforcing compliance and demonstration to policy – businesses who ignore the pending disclosure law will face increased audit pressures and they can’t afford to ignore that.”
Matt Peachey, VP EMEA at Veracode, however, sees potential problems. “The challenge for both governments and businesses will be in implementation. As we’ve seen recently with EU regulation around cookies, each member state looks at these areas differently. Although some EU member states, notably Germany, already have data breach notification laws in place, we are likely to see something similar to the US State-driven model, where we have multiple standards in place for enforcement, regulation and financial penalties.” And he foresees additional problems. “These can prove unduly arduous on small businesses, but could also potentially result in the consumer ignoring notifications, as they become immune to the constant noise.”
And I’d like to throw a further thought into the mix. In the UK, the Data Protection Act is enforced – officially, if not practically – by the ICO. I have extreme doubts over whether it has either the balls or the teeth to take on, for example, a major bank in serious undisclosed breach. Time will tell. I hope I’m wrong – but my fear is that this will be just more PR legislation riddled with get-outs for all the companies that can afford them.