The European Parliament approved a draft law on data protection on Wednesday, but the mooted changes are still to win universal approval from all in the infosec community.
All 28 European Union member states gave the plenary vote the green light, with the draft law being approved by 621 MEPs but rejected by 10 (22 MEPs were absent). The law could yet face further tribulations, however, given that the EU Parliament is due to disband before the next elections in May - one month before MEPs are due to argue on how to move forward with the law.
The laws, the first significant changes to European data privacy legislation since 1995, have been under discussion since 2012 with a view to being fully ratified in 2015 and implemented in 2016, and will introduce a number of changes that will have a dramatic effect on how consumer data is stored, and how companies respond in the event of a data breach.
In particular, the changes will stipulate that companies must pay up to €100 million (approximately £82.2 million) - or 5 percent of their global turnover - in the event of a data breach - a sanction opposed by a number of large American and European companies - as well as the right for individuals to have the "right to be forgotten" when they change to another online service.
Furthermore, explicit consent will be required for businesses looking to process data, while companies will need to inform users, paying or not, of data breaches "without undue delay". There's some speculation about what this constitutes, although Justice Commissioner Viviane Reding believes that 24 hours should be achievable for any organisation.
The changes haven't come without concerns however. At the International Cybersecurity Forum in Lille, France in January, Bird & Bird lawyer Gabriel Voisin said that the "question remains if it becomes positive law," while DigitalEurope said on Wednesday that the regulation is "ill-suited to the digital economy".
"The text adopted at today's plenary session of the European Parliament is over-prescriptive. It will hamper Europe's ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies," it said in a statement released on Wednesday.
Others, too, have expressed concerns that while the changes will likely be welcomed by consumers, they will cause problems for most European businesses.
"While consumers will welcome the fact that the European Parliament has voted through the EU's first major overhaul of data protection legislation since 1995, many European businesses will be feeling nervous," Christian Toon, head of information risk at Iron Mountain, told SCMagazineUK.com.
"The reality is that many remain underprepared, as demonstrated by a recent study revealing that only 45 percent of mid-sized businesses across Europe have an information risk policy in place.
"Businesses that fail to address the issue now not only run the risk of significant financial penalties in the near future, but may also risk serious reputational damage that will make customer retention more complicated… Companies must see this announcement as a wake-up call and use the time they now have to review and tighten their information management policies to make sure they are in a position to comply fully with the proposed changes to legislation if, or more likely now when, they come to pass."
Lior Arbel, CTO of data specialist Performanta added in an email exchange with SCMagazineUK.com that the emphasis will now fall on how companies gather and safeguard data.
"Whilst the news is a vital first step in improving data protection, more needs to be done to make companies liable for the data they gather and force them to deploy necessary safeguards," he said.
"Many companies do not currently have the technical support to match any new data protection rules. Businesses therefore need to take proactive steps to ensure their information is properly monitored and secured, from external and internal threats, with effective information security controls."