The Information Commissioner's Office (ICO) has this week broadly welcomed the European Commission's proposed changes to the Data Protection Directive, but called some areas "unnecessarily and unhelpfully over-prescriptive".
In a statement, the ICO said there was "no doubt that the EU's legal framework for data protection needs modernising", with information systems becoming more sophisticated and global information networks, mass information sharing and "the ever-growing online collection of personal data" increasingly making individuals feel that they have lost control of their personal information.
It also welcomed the recognition by Viviane Reding, vice-president of the European Commission in charge of justice, fundamental rights and citizenship, of "privacy by design" and privacy impact assessments that require organisations to be able to demonstrate that they have measures in place to ensure personal information is properly protected.
The changes will introduce "a single set of rules on data protection that would be valid across the EU's 27 member states" and would create "one data protection authority for one company" and "one authorisation for the whole of the EU". This will include mandatory reporting of 'major' data breaches within 24 hours and the employment of a data protection officer, although businesses with fewer than 250 staff will be exempt from the latter rule.
However, the ICO said: “While recognising that there is inevitably some tension between the drive for harmonisation of data protection standards across the European Union and his desire for flexibility in focusing obligations on processing that poses genuine risks, the commissioner believes that in a number of areas the proposal is unnecessarily and unhelpfully over-prescriptive.
“This poses challenges for its practical application and risks developing a 'tick-box' approach to data protection compliance. The proposal also fails to properly recognise the reality of international transfers of personal data in today's globalised world and misses the opportunity to adjust the European regulatory approach accordingly.”
It said it particularly felt that the following needed to be re-examined:
- Retaining the concept of special or sensitive categories of personal data and the inflexible nature of the grounds on which such data can be processed;
- Requiring organisations to obtain the prior approval of the data protection authority for some types of processing, particularly in relation to international transfers;
- Extending the scope of data protection obligations to any processing that is directed at individuals residing within the EU without any clear indication of how the regulation's requirements can be readily enforced outside the EU;
- Restricting the ability of public authorities to process personal data even where the processing can only be of benefit to individual citizens.
It also said it was concerned about the European Commission's separate proposal for a new directive that will apply to the processing of personal data by law enforcement authorities. It said that a high level of data protection, equally applicable across all sectors, is required, and that it hopes these provisions will be strengthened as negotiations progress.
Lisa Banyard, data protection leader at PwC, said implementing the proposals will present an increased administrative burden for businesses and that, under these changes, organisations would be operating under a tougher regime where they would face increased accountability and heavier fines, of up to two per cent of worldwide turnover for the most serious breaches.
She said: “The introduction of compulsory breach notification means companies have to report losses to the Data Protection Authority within 24 hours, and that's going to be tough for some companies to adhere to. Those that don't already have a well-oiled reporting mechanism in place will need to implement measures to be able to flag breaches in time.”
Jonathan Armstrong, lawyer at Duane Morris LLP, said: “There are many uncertainties with the new proposals. It is apparent that changes will be made and there is likely to be widespread confusion between now and then. Companies should think now about how best to plan for those changes.
“The commission's proposals will now be passed on to the European Parliament and EU member states for discussion and, realistically, this process may take a year or more, with a two-year implementation process making the earliest realistic date for this to become law sometime in 2015.”
Jim Killock, executive director of the Open Rights Group, said: “We broadly welcome the commission's desire to strengthen people's privacy. But the Commission must make sure that progress for citizens' privacy is not trumped by worries about burdens on business. Facebook and Google are not the best people to take privacy advice from. We must be in control of our data, and must be able to trust that companies will respect our wishes.”
Rob Rachwald, director of security strategy at Imperva, said: “The new EU privacy law takes a good step forward for privacy. The ability to control and even delete individual data profiles is a needed move; however, the proposal doesn't do enough to protect data.
“Since it mainly proposes fines, it will not help keep EU citizen data safe from hackers or insiders. Such approaches have not met with great success in the past. Rather, the EU should put in place fines coupled with a more prescriptive approach, identifying specific actions firms should take to protect data.”
Gerhard Eschelbeck, CTO of Sophos, said: “While broadly supportive of the proposals and in particular the recommendation to reduce the time taken to notify users of a data breach, there is a concern that the requirement to notify users and the authorities within 24 hours is very aggressive and may impact the quality of such disclosures.
“We also need to look at how these more reactive measures should be tied into more proactive data protection requirements, such as how and which customer data needs to be encrypted, protected and stored in the first place.”
Mark Fullbrook, director of UK and Ireland at Cyber-Ark, said: “If the goal of this law is to provide consumers with upfront information about the security of their information, then a 24-hour notification period is hardly going to enable that. After all, if you look at any of the serious breaches that have occurred over the past year, not one of the affected organisations was able to articulate the true extent of the breach within a day.
“It's quite clear that Europe is looking to follow in the footsteps of the US with its own version of Senate Bill 1386, but truthfully, from our experience as a company that has seen things from both sides of the Atlantic, I remain unconvinced that legislating around the disclosure of breaches actually provides any real incentive for organisations to employ best practices when it comes to data security.
“Let's face it, imposing a fine or a time limit is just like putting a plaster over a gaping wound – it only goes so far. If we are to truly address this increasing problem, then organisations that hold sensitive information must be audited to ensure that their systems can adequately prevent this type of incident from happening in the first place. At the end of the day, legislating for 'after the horse has bolted' is simply too late.”
Bruce Green, chief operating officer at M86 Security, said: “While we applaud the move to strengthen safeguards around individuals' private information, we recognise that this harmonisation of data privacy rules across Europe will increase the data management overhead for companies of all sizes.
“With the increasingly stealthy tactics employed by cyber criminals and hacktivists, companies are going to be increasingly wary of untoward activity on servers, email and web channels. We predict that the European directive will drive a new wave of awareness and innovation in information protection and cyber security.”
Paul Davis, director of European operations at FireEye, said: “It's all well and good to legislate that companies must notify the public and the authorities within 24 hours or face a fine of two per cent of their global revenue, but the elephant in the room is that most companies are unable to detect external targeted attacks leading to data loss.
“The protection of information is critical to business, and the establishment of trust with customers and the notification of data breaches is important, but detection and blocking of exploits should take precedence.
“An organisation has to be aware of an attack – they can't report a data breach they have no knowledge of: that's the real issue facing businesses today. Just because they can't see an attack or are unaware of the subsequent loss of data doesn't mean it isn't happening. Reporting within 24 hours of discovery is admirable, but if the company wasn't aware of the breach for 24 days then where do all involved stand?”
Nick Banks, director of sales EMEA and APAC for Imation Mobile Security, said: “The ultimate aim of this legislation should not be to levy large fines, but to drive new behaviour for organisations across the EU to think about implementing systems or processes to reduce the rate of serious data breaches.
“The responsibility must also rest with individual companies to implement clear internal policies and systems, including encryption and strategies for identifying and dealing with data breaches. Identification will be particularly important in light of the EU directive, which will force firms to give notice of a breach within the first 24 hours.”
Stephen Midgley, VP of global marketing at Absolute Software, said: “In our experience, very few companies are able to say where their data is at any one time and, as such, new and more aggressive legislation could leave thousands of businesses open to financial penalty.
“Businesses face an impossible task of securing data that can be emailed, copied, shared or saved to devices they have no way of knowing remain secure.”