EU Data-Privacy Rules to Make Breach Disclosures Mandatory Within 24 Hours
By Cornelius Rahn – Jan 23, 2012 3:45 AM ET
A European Union proposal to simplify and toughen the region’s data-protection rules will require companies to disclose data breaches within 24 hours of their occurrences, Justice Commissioner Viviane Reding said.
The EU will this week outline an overhaul of its 17-year- old data-protection policies addressing online advertising and social-networking sites. The bill, which includes stricter sanctions and will equip national data-protection authorities with powers to levy administrative sanctions and fines, will “become a trademark people recognize and trust worldwide,” Reding said at a conference in Munich yesterday.
Sony Corp. (6758) was criticized last year by U.S. lawmakers for taking six days to warn customers about a cyber attack that exposed more than 100 million customer accounts, the second- largest online data breach in U.S. history. Industry groups with members including Microsoft Corp. (MSFT) and Google Inc. (GOOG) have warned the EU against setting overly strict data-privacy rules, saying that may stifle innovation.
“What exactly do companies need to do within those 24 hours, and what happens for example with cookies?” said Kay Oberbeck, Mountain View, California-based Google’s head of communication for Germany, Austria and Switzerland, in an interview. Oberbeck was referring to Internet files that are saved on a user’s computer to enable website operators to display personalized content.
The legislations will require companies to obtain “specific and explicit” consent from Internet users to store information, and delete data unless there is a “legitimate and legally justified interest” to keep them on their servers, Reding said at the annual Digital Life Design conference.
Google, Facebook Inc., Yahoo! Inc. (YHOO) are among Web companies that collect user information and get paid by clients who can use the data to better target advertisements for their products or services. Having to get approval for individual data retention and an obligation to purge files may reduce those companies’ revenue.
“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay,” Reding. She cited a survey showing 72 percent of Europeans are concerned about how companies use their data.
The draft rules aim to establish common legislation for the 27-member European Union, as well as national points of contact that can make decisions that will be valid for the region. Uniform legislation will save businesses 2.3 billion euros ($3 billion) a year by, for example, reducing paperwork, Reding said.
The European Commission, the EU’s executive agency, is backed in its reform efforts by countries including Germany and France, which are aiming at giving local companies a boost against U.S.-based Web pioneers.
Companies such as Deutsche Lufthansa AG (LHA) say the sharing of data is important to customize services.
“Data protection is important, but as soon as the customer really benefits from opening up some of his information to the airline, he’ll be ready to do so,” Lufthansa CEO Christoph Franz said today. “With information the customer has shared in advance, we can go and say, hey, we’ve already opened a bottle of your preferred wine.”
Stefan Gross-Selbeck, chief executive officer of Xing AG (01BC), a German professional-network operator that competes with Mountain View, California-based LinkedIn Corp., said a common market would make it easier for it to attract a Europe-wide customer base.
“In the longer-term there’s actually no fundamental conflict between companies and regulators,” Gross-Selbeck said at the conference. “You need the trust of your customers to build a successful and stable business, and so all companies have an interest to build that trust.”
Data breaches at Tokyo-based Sony and Citigroup Inc. have also sharpened scrutiny by the U.S. government on how businesses protect consumer information and notify the public about cyber attacks. A U.S. senate panel in September approved a measure that would set a national standard for notifying consumers about data breaches, replacing varied reporting requirements in 47 states. It also would make concealing a data breach a crime.
Reding didn’t specify what sanctions European regulators may impose on companies failing to comply with the requirements.
In the U.S., Internet companies are also fighting anti- piracy bills supported by the movie and music industries. Senate and House leaders last week shelved the proposed legislation after a global online protest by Google and Wikipedia eroded congressional support.
“Politicians are so slow, they are miles behind,” Andrew Keene, author of “The Cult of the Amateur: How Today’s Internet Is Killing Our Culture,” said at the conference, adding that companies such as Facebook will find ways to get ahead of the rules.
To contact the reporter on this story: Cornelius Rahn in Munich via email@example.com