Businesses will have to report major data breaches within 24 hours under new EC law

The proposed changes to the European Data Protection Directive need to include streamlining on cooperation and the process needs to be slowed down.

Speaking at the annual cloud computing conference in Brussels, Viviane Reding, vice president of the European Commission, acknowledged that the current 1995 directive is too widespread in terms of national law and that there is a "need to ensure that the same rules apply to all businesses providing services to EU residents".

She acknowledged that the world has changed since 1995, and the ‘great debate’ about the proposed changes, which were announced a year ago, had been "intense, vibrant, fascinating".

“Since the beginning of the negotiations, the story has remained the same. Those who want to maintain a high level of protection in Europe have recognised the need to move fast. Those who want to lower the level of protection in Europe have tried to slow the file down. I will not let this happen,” she said.

However, she said that the challenge to the changes "relates to the speed with which we will reach a deal", as "some will say this is all going too fast" and that the ramifications are huge.

Reding said that individual decisions will still be taken by national data protection authorities, and that cooperation needs to be streamlined on issues with implications for all of Europe.

Also in her speech, Reding said that there are three reasons why the data protection reform is so important: data protection is a fundamental right in the EU; data protection is a market opener; and there is a need to ensure that the same rules apply to all businesses providing services to EU residents.

She said: “This is not a revolution but an evolution. We do not change the fundamentals. The same goes for other core elements of the proposal – the definition of personal data, the provision on profiling. The commission didn't invent data protection in 2012. The principles of the 1995 directive remain valid. They simply need to be refreshed. If your business model is in line with the current rules, you have nothing to fear. Things are fine if you comply.”

Christian Toon, head of information risk Europe and global security services at Iron Mountain, said: “The news that Brussels is under pressure to relax strict data protection rules may come as a relief to many organisations, but this does not mean that they can afford to be complacent with the information they hold.

“Businesses need to understand what information they hold and embrace good practice as part of doing good business to prevent potential data losses, regardless of whether or not the EU legislation is ultimately watered down.”

Gary Clark, vice president EMEA at SafeNet, said: “Regulations are key so long as they are enforceable and don't have unintended consequences like inhibiting the economic development that European citizens desperately need to see.

“So the reports of the European Commission reviewing its initial proposals on harmonising data protection laws are welcome especially if it promotes a consistently strong data protection culture and economy across all member states.”