Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

1/26/2012, 08:28 AM

EU's More Stringent Data Privacy Proposal Poses Challenges For Businesses

Proposed changes to data privacy laws in Europe have garnered mixed praise

The European Commission has unveiled a proposal to strengthen data privacy laws, putting forward what could be another layer of compliance concerns for multinational businesses.

The new rules include a “right to be forgotten” for the public, under which individuals can demand that their data be deleted if there are no “legitimate grounds” for keeping it. Businesses would also be required to notify the public of data breaches within 24 hours “if feasible.” The rules have a long way to go before they become law and may well be modified during what is expected to be a legislative process of at least two years.

Still, the debate about the new rules -- which would also require companies with 250 or more employees to appoint a data protection officer -- underscores the challenges corporations face when juggling their own interests with the various laws that apply around the globe.

“The commission’s proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information,” argued Thomas Boue, director of European Affairs for the Business Software Alliance. “The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal’s current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth.”

Reducing complexity is one of the main drivers behind the proposed changes. According to the commission, a single set of rules would encourage a more consistent application of the law across the European Union (EU) and give businesses clear rules on how to treat private information.

Tracking the various data privacy laws from country to country can be difficult, said Matthew Norris, e-risk and privacy expert at small-business insurance specialist Hiscox.

“You can read law firm reports providing high-level guides for different countries, but at times, given the complexity of the laws, you may need to speak to the expert lawyers themselves to get much more specific detail and interpretation,” he said. “This could be information specific to where you perform your business activities, but it may need to extend far wider to where your suppliers conduct business on your behalf or even to the nationality of a customer.

“The legal advice not only needs to relate to assessing the compliance of your privacy practices -- and your obligations to notify -- but also to what forensic investigation you can carry out after a breach,” Norris continued. “For example, if you have a data breach in France, there is much more limited ability to forensically search employee emails, as it may infringe the employee's right to privacy.”

Cutting the red tape with a single set of rules could save businesses an estimated 2.3 billion euros a year, the commission estimates. But Jonathan P. Armstrong, an attorney specializing in technology and compliance at the law firm Duane Morris, viewed that claim skeptically.

“The commission, I think, is making a play of the fact that all of these regulations will save money for corporations, but to be completely blunt, if that is the case, it will be the first regulation that I’ve ever heard of that saves money,” he said.

In addition, he called the idea of requiring businesses to notify within 24 hours of a breach “quite crazy,” and added that telling people about trivial breaches has led to “notification fatigue” in the U.S.

“If you’ve ever been involved in a security breach, you know that the first concentration for any corporation should be limiting the disaster,” Armstrong said.

While migrating to the new rules, if they are passed, may be a complex process for some multinationals, the introduction of a single set of privacy standards for all EU territories is long overdue, said David Gibson, director of strategy for the data governance specialist Varonis.

“The key issue in the new rules that made me sit up and take notice is the requirement that any company maintaining personal information -- be that customer records, internal human resources directories, or any other list -- will have to comply with the new rules and be able to show how and why they are using personal data,” he explained in a statement.

“The application of the rules to non-EU entities -- especially those in the U.S. -- that want to offer their goods and services into the EU -- is also to be welcomed, as it helps to balance parallel requirements under the U.S. Sarbanes-Oxley governance rules, for example,” Gibson added.

The cost of failure could be high: Rule breakers could face hefty fines for violating the EU mandates. John M. Simpson, privacy project director for Consumer Watchdog, said the final European rules will have a “substantial impact in the United States.”

“That's because the global Internet giants -- Google, Facebook, and Microsoft -- will have to follow Europe's rules,” he said in a statement. “It will be cost-effective for them to use the same procedures and protections around the world. Americans are likely to receive the same level of protection in many areas as Europeans.”

“I think we’re going to see the ‘right to be forgotten,’ if it gets in to the legislation, come into the U.S. by default really because the cost of having one operation for Europe versus one for the U.S. will be too great,” Armstrong said. “Most global players will say [that] one size has got to fit all.”
