
EU's More Stringent Data Privacy Proposal Poses Challenges For Businesses

Proposed changes to data privacy laws in Europe have garnered mixed praise

Jan 25, 2012 | 10:28 AM | 

By Brian Prince, Contributing Writer
Dark Reading


The European Commission has unveiled a proposal to strengthen data privacy laws, putting forward what could be another layer of compliance concerns for multinational businesses.

The new rules include a “right to be forgotten” for the public, where they can demand their data be deleted if there is no “legitimate grounds” for it to be kept. Businesses would also be required to notify the public of data breaches within 24 hours “if feasible.” The rules have a long way to go before they become law, and might be modified during what is expected to be at least a two-year legislative process.

Still, the debate about the new rules -- which would also require companies with 250 or more employees to appoint a data protection officer -- underscores the challenges corporations face when juggling their own interests and the various laws that apply around the globe.

“The commission’s proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information,” argued Thomas Boue, director of European Affairs for the Business Software Alliance. “The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal’s current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth.”

Reducing complexity is one of the main drivers behind the proposed changes. According to the commission, a single set of rules would encourage a more consistent application of the law across the European Union (EU) and give businesses clear rules on how to treat private information.

Tracking the various data privacy laws from country to country can be difficult, said Matthew Norris, e-risk and privacy expert at small-business insurance specialist Hiscox.

“You can read law firm reports providing high-level guides for different countries, but at times, given the complexity of the laws, you may need to speak to the expert lawyers themselves to get much more specific detail and interpretation,” he said. “This could be information-specific to where you perform your business activities, but can need to extend far wider to where your suppliers conduct business on your behalf or even to the nationality of a customer.

“The legal advice not only needs to relate to assessing the compliance of your privacy practices -- and your obligations to notify -- but also to what forensic investigation you can carry out after a breach,” Norris continued. “For example, if you have a data breach in France, there is much more limited ability to forensically search employee emails, as it may infringe the employee's right to privacy.”

Cutting the red tape with a single set of rules could save businesses an estimated 2.3 billion euros a year, the commission has speculated. But Jonathan P. Armstrong, an attorney specializing in technology and compliance at the law firm Duane Morris, viewed that claim skeptically.

“The commission, I think, is making a play of the fact that all of these regulations will save money for corporations, but to be completely blunt, if that is the case, it will be the first regulation that I’ve ever heard of that saves money,” he said.

In addition, he called the idea of requiring businesses to act within 24 hours of a breach “quite crazy,” and added that telling people about trivial breaches has led to “notification fatigue” in the U.S.

“If you’ve ever been involved in a security breach, you know that the first concentration for any corporation should be limiting the disaster,” Armstrong said.

While migrating to the new rules, if they are passed, may be a complex process for some multinationals, the introduction of a single set of privacy standards for all EU territories is long overdue, said David Gibson, director of strategy for the data governance specialist Varonis.

“The key issue in the new rules that made me sit up and take notice is the requirement that any company maintaining personal information -- be that customer records, internal human resources directories, or any other list -- will have to comply with the new rules and be able to show how and why they are using personal data,” he explained in a statement.

“The application of the rules to non-EU entities -- especially those in the U.S. -- that want to offer their goods and services into the EU -- is also to be welcomed, as it helps to balance parallel requirements under the U.S. Sarbanes-Oxley governance rules, for example,” Gibson added.

The cost of failure could be high: Rule breakers could face hefty fines for violating the EU mandates. John M. Simpson, privacy project director for Consumer Watchdog, said the final European rules will have a “substantial impact in the United States.”

“That's because the global Internet giants -- Google, Facebook, and Microsoft -- will have to follow Europe's rules,” he said in a statement. “It will be cost-effective for them to use the same procedures and protections around the world. Americans are likely to receive the same level of protection in many areas as Europeans.”

“I think we’re going to see the ‘right to be forgotten,’ if it gets into the legislation, come into the U.S. by default really because the cost of having one operation for Europe versus one for the U.S. will be too great,” Armstrong said. “Most global players will say [that] one size has got to fit all.”
