Companies suffering data breaches will have 24 hours to tell the relevant authorities or risk legal action and large fines, EU Justice Commissioner Viviane Reding has confirmed.
Reding’s comments at a Munich conference come in the week her department plans to publish the full details of the draft data protection regime that will sweep away a confusion of different laws across the EU’s 27 states.
The 24-hour rule has been on the cards since Reding’s department published a consultation document on the topic which suggested fines could reach 5% of turnover.
“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay,” Reding was reported as saying, which in the UK would mean informing the Information Commissioner’s Office (ICO).
“All data protection authorities in whatever EU country will have the same adequate tools and powers to enforce EU law.”
Reding presented the reforms as offering businesses a single set of regulations across the region which would, she said, save 2.3 billion euro in paperwork.
As tough as the 24-hour rule sounds, Reding’s other comments on giving consumers more control over the data businesses collect on them could prove even more significant.
Companies will need to seek consent from consumers when they collect data, offer access to it on request and delete it if asked to, she said. This alone could impose huge demands on businesses that in some cases simply lack the tools to manage data to this degree.
The removal of confusion and red tape across 27 countries will save on some costs but many businesses will be handed an expensive data management headache in return.
Reding’s view seems to be that strong data protection offers competitive advantages to offset this.
“Personal data is the currency of today’s digital market. And like any currency, it needs stability and trust. Only if consumers can trust that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, and accept new services,” The Wall Street Journal reported her as saying.
The move for disclosure and tougher sanctions comes nine months after Sony suffered its infamous PlayStation network breach that ended up serving as a case study for the confusion and uncertainty that can be caused by such events.
For days it was unclear what had happened although the disappearance of the network underlined that whatever had occurred had been serious. Eventually Sony admitted that its 77 million customer database had been breached on a large scale.