Proposed new rules, including a "right to be forgotten" clause, could create compliance mess for multinational businesses.
The European Commission has unveiled a proposal to strengthen data privacy laws, putting forward what could be another layer of compliance concerns for multinational businesses.
The new rules include a "right to be forgotten" for the public, where they can demand their data be deleted if there is no "legitimate grounds" for it to be kept. Businesses would also be required to notify the public of data breaches within 24 hours "if feasible." The rules have a long way to go before they become law, and may be modified during what is expected to be at least a two-year legislative process.
Still, the debate about the new rules--which also mandate companies with 250 or more employees would have to appoint a data protection officer--underscores the challenges corporations face when juggling both their interests and the various laws that apply around the globe.
"The commission's proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information," argued Thomas Boue, director of European affairs for the Business Software Alliance. "The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal's current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth."
Reducing complexity is one of the main drivers behind the proposed changes. According to the commission, a single set of rules would encourage a more consistent application of the law across the European Union (EU) and give businesses clear rules on how to treat private information. Tracking the various data privacy laws from country to country can be difficult, said Matthew Norris, e-risk and privacy expert at small business insurance specialist Hiscox.
Heightened concern that users could inadvertently expose or leak--or purposely steal--an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. An Insider Threat Reality Check, a special retrospective of recent news coverage, takes a look at how organizations are handling the threat--and what users are really up to. (Free registration required.)
Published: 2014-04-22 Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.
Published: 2014-04-22 Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.
Published: 2014-04-22 lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
Published: 2014-04-22 The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.