UK data protection laws currently going through the European Parliament have been significantly strengthened to protect people's personal data against the kind of US mass surveillance recently revealed by whistleblower Edward Snowden.
The new laws will also impose fines up to 100 times higher than first proposed on companies who fail to guard European citizens' personal data or fail to report cyber attacks and data breaches.
But the UK privacy watchdog, the Information Commissioner's Office (ICO), has given a lukewarm reception to the changes. An ICO spokesperson said: “We don't necessarily embrace all the Parliament's changes with open arms and there's still some way to go, but the progress is pleasing, and we'd echo the words of Jan Albrecht MEP that Monday's agreement at least has the potential to be ‘a breakthrough for data protection rules in Europe’.”
The regulations were last week (25 October) backed by the key EU Civil Liberties Committee of MEPs, who took the opportunity to tighten up the draft rules.
Their changes are still to be ratified by the full European Parliament and the UK and other EU Member States, but as they stand companies who break the law will be fined up to €100 million or five per cent of their turnover – compared to €1 million or two per cent of turnover in the earlier draft.
EU Justice Commissioner Viviane Reding, who is masterminding the pan-European update to the law, triumphantly tweeted: “With a large majority vote, @Europarl_EN committee has sent a strong signal tonight: as of today data protection is made in Europe.”
The new law stops companies transferring personal data to non-EU government bodies – unless they “seek authorisation from the national data protection authority” and “inform the person of such a request”.
This would effectively prevent the likes of Google, Microsoft, Facebook and Apple sharing data about their European customers with the US authorities, as they did under the Prism programme revealed by Snowden.
Individuals in Europe will also be given the ‘right to erasure’ – previously called the ‘right to be forgotten’ – meaning they can insist on internet and other companies wiping out their personal data if they ask them. The ‘data controller’ will also have to forward the request to any others where the data is replicated.
The reforms have been welcomed by the UK-based Information Security Forum (ISF), whose members are mainly security professionals in the Fortune 500 and Forbes 2000. ISF global vice president Steve Durbin told SC: “I'm a big fan of what they've done.”
Durbin acknowledged that some US multinationals are now questioning whether they should still operate in Europe, “because the financial penalties associated with things potentially going wrong are so large”.
But his view is: “If you've got a fine of up to that level, it does cause you to think very long and hard. I think this is a deliberate move on the part of the EU to say – ‘look, we may not necessarily be imposing fines of that level, but we do have the teeth if we need to use them’. The hope, I think, is that it will cause companies to take the issue exceptionally seriously, rather than perhaps try to get away with some things.”
Dwayne Melancon, chief technology officer at Tripwire, adds: “The size of the fines connected with the Directive is so big they will definitely get the attention of CEOs and boards. It is incumbent upon senior business executives to seek clear answers about security risks from information security leadership to ensure appropriate steps are taken to enable compliance with this Directive before it takes effect.”
On the ‘right to erase’, Durbin said US firms are again questioning the difficulty of deleting personal information “in an internet-connected world”.
But he said: “The counter to that is, if you are dealing with sensitive information you do need to know where it is, how it's being collected, how it's being stored, how it's being used, and you do have to protect it and to make sure it is destroyed effectively, either on demand or when you cease using it.”
Durbin added that standardising data privacy and protection law across Europe is “a big tick in the box” because: “We didn't have consistent guidelines, now we do. We can argue the merits and demerits of them, but at least there's a guideline.”
James Castro-Edwards, a senior solicitor in the cyber security team at law firm PwC Legal, called the regulation “a mixed bag”.
He told SC: “I think there needs to be a clear message that personal data is a valuable asset. It's a right to privacy and I think that needs to be protected.”
But he said: “As a document the regulation is rather prescriptive and that has been a criticism. Perhaps a lighter touch and saying if you comply with the principles rather than you must do A, B and C – that might be a more workable approach.”
Melancon advises less reflection and more action, commenting: “The new EU Directive has the potential to have a huge global impact because it applies to any organisation which operates in the EU, even if they are headquartered elsewhere in the world. Countries have been given two years to put the EU Directive into place and organisations should be using this time to tighten their security programmes; ensure that incident detection and response processes are in place and effective; and harden their systems, applications, and networks to reduce the risk of breaches.”