Europe could have the strictest data protection laws in the world if the current draft of the rules are implemented, according to security IT provider Sophos.
The European Commission proposed a reform of the EU’s 1995 data protection rules in 2012 to bring the laws up-to-date with technology, and the new law is expected to be approved next year. Once this has happened, EU member states will have two years to implement the laws, which, if breached, could lead to fines of up to €100 million or up to five percent of a business’ global annual turnover - whichever is higher. The new law would apply to all companies operating in the EU, no matter where they are based.
“If implemented in its current form, [the EU data protection laws] could be the most strict data protection in the world,” Anthony Merry, director of data protection at Sophos said at a roundtable in London today.
“But, they may be watered down,” he warned. “In the two years since they announced the law, there’s been 4,000 amendments to it. I wouldn’t be surprised if there are another 4,000 over the next two years.”
Despite this, Merry believes that the updated regulations - overdue since they have not been changed significantly since 1995 - are a “step in the right direction”.
The updated regulations aim to give citizens the same rights online as they have offline, give them confidence that they have protection when they’re online, and ensure that organisations better protect customer data.
Businesses will also be required to notify the supervisory authority in a country - CERT-UK [the UK National Computer Emergency Response Team] is viewed as the UK's supervisory authority at present - of a data breach, which is not currently mandatory for the private sector in the UK. At present, only public sector organisations are obligated to notify the Information Commissioner’s Office (ICO) of a serious data breach.