European Data Protection Reform – 24 hour disclosure or undue delay?

If your company touches any Europeans’ data you’d better prepare for what’s coming.


The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.


24 hour disclosure or undue delay?

The new regulation establishes the consumer’s right to know when their data has been “hacked”. Companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible, if feasible within 24 hours, so that users can take appropriate measures. The initial 24-hour disclosure mandate was then extended by the Parliament to 72 hours. The latest draft of the regulation, however, no longer requires the controller to report personal data breaches within 24 hours but rather without undue delay (Art. 31 para. 1). Likewise, the processor no longer has the obligation to immediately inform the controller of a personal data breach but only to do so without undue delay (Art. 31 para. 2). This change was necessary: the prior obligation not only lacked the needed flexibility but was also disproportionate. The new wording seems to sufficiently protect the interests of the data subject concerned.

“It is extremely unlikely that a company is able to analyze the full extent of a data breach and disclose it in 72 hours,” adds Balboni. “We need to consider two situations: one is the notification to the data protection authority, and I think that should be done as soon as possible after you know about it. Then, the data controller should have more time to do all the necessary investigations before being obliged to notify the breach to their customers.”

Leupold is confident that the 24-hour disclosure is gone for good: “The people who drafted it finally realized that it’s unrealistic. I don’t think the 24-hour deadline will be reintroduced in the final version. The ‘without undue delay’ provision is here to stay, really.” Without undue delay is a legal concept that stems from the German term “unverzüglich.” “It means that you’re not hesitating to fulfill your duty to notify a breach, that’s all. Hesitating can mean anything, but two to three days at the longest seem fair to me.”

But how do you define a data breach? And how do you know you’ve been breached? According to Leupold, “Most European companies do not have any incident reporting system. They don’t know when a breach occurred. They just don’t get to know it. As long as they don’t know, they can’t be subject to a fine, of course, because they didn’t fulfill their reporting duties.” Also, what if you suspect that a data breach occurred but can’t be sure? Is that enough to trigger the mandatory disclosure, or are you only obliged to report once you know for sure? “This can’t be inferred from the light wording of the regulation’s Article 31. I’d say whenever you have a suspicion which is not entirely unfounded but is reasonable, you should report it,” explains Leupold. “In Europe most companies fall victim to Trojans, malware and similar attacks. And don’t even know. The number of companies not knowing is huge. This is an extremely difficult issue.”

According to Snead, “the term ‘breach’ needs to be defined in the contract, meaning that as long as the parties know what a breach means to them, then they can discuss timing and when they need to know. From an enterprise standpoint, negotiating about what a breach is, and then creating a strategy around it, is probably a healthier way to handle this issue than it is to say, ‘Every single breach has to be notified in X number of hours, or days, or whatever.’ That’s the way I tend to approach it in negotiations.”



Coming Next: The enforced Data Privacy Officer – revenue generation for lawyers?

Previous: The 100 million euro fine: outrageous sanctions set a disturbing precedent.

CREDITS


Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany


David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area


Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy


European Data Protection Reform – The 100 Million Euro Fine



The 100 million euro fine: outrageous sanctions set a disturbing precedent.

Under the current national European data protection laws enacted or amended in the wake of Directive 95/46/EC, administrative fines are rather limited (in Germany, for instance, the maximum fine is €300,000) and rarely imposed at all. The new regulation entails a paradigm change in that it introduces substantial sanctions for non-compliance with the new rules.

European Data Protection Reform – What you should know.



EU regulation vs. U.S. laws: a matter of cultural bias?

The consolidated version of the EU Commission’s proposal for a General Data Protection Regulation following the LIBE Committee vote of October 21, 2013 differs fundamentally from the U.S. approach to the protection of personal data. “Whether one approach is better than the other is a question of data protection culture. You might think that these are two extremes. On the one hand you have very restrictive regulation with higher fines, which are in my opinion over the top. On the other hand, there is so much leeway under the U.S. data protection laws that you can do almost anything as long as it’s not specifically prohibited,” observes Andreas Leupold, the German IT attorney and recipient of the “Lawyer of The Year 2013” award, who advises clients across Germany, England and the U.S.


Mobile Security: iOS Jailbreaks Pose Risks

Jailbreaking is happening in the millions: don’t turn a blind eye.



The latest jailbreak for iOS 6.1, released on 4 February, was downloaded by a whopping 5 million users in the first 48 hours alone, according to the website stats posted by Cyril (a.k.a. pod2g), the developer of the latest hack published on evasi0n.com. During these first two days, the website served 40 million page views, a good 50 per cent of them to 2.5 million unique visitors from the U.S.


Icebergs, The Nordics, and Other BYOD Considerations

The BYOD iceberg headed towards your business

New data shows that companies are increasingly exposed to security risks due to a variety of consumer-grade technology brought in by the employees.


I just returned from a tour in the Nordic countries where I presented to the local press the results of the latest BYOD survey* conducted by YouGov on behalf of Trend Micro. The data collected from 3,012 interviews across Norway, Sweden, and Denmark highlights many details of this controversial IT trend. Most importantly, the research confirms an undeniable truth: companies around the world are exposed to increasing security risks due to a variety of consumer-grade technology brought into the enterprise by the employees and inevitably used for work-related activities.


The Financial Impact of Consumerization – The Hidden Costs

BYOD Financial Costs

Executives and IT leaders are struggling to understand the true costs and benefits of IT consumerization and it’s not difficult to see why. Even a cursory Google search on the subject throws up as many questions as it does conflicting answers. The reason is that no comprehensive research has been conducted into the financial impact of such programs before.

That’s why Trend Micro recently decided to take the bull by the horns and commission Forrester Consulting to conduct a rigorous, scientific study, interviewing over 200 IT leaders in the US, UK, France, and Germany. With the results we have begun to build, for the first time, an accurate picture of what organizations are measuring in their BYOD programs and the cost impacts, so that IT leaders can go away and begin to formulate for themselves an effective cost-benefit analysis.


The Financial Impact of Consumerization – BYOD boosts productivity.

BYOD Financial Benefits

IT strategists and commentators alike have been talking about the cost impacts and benefits of the Consumerization of IT for years. However, no-one seems to agree on what’s actually going on out there from a financial perspective. Why? Because no one has managed to formulate an effective framework for measuring the financial impact of consumer-grade technology on the enterprise. IT managers are effectively flying blind with only a vague notion of what to measure and how to measure it.


BYOD, Enterprise Mobility and Beyond – What to expect in 2013

Trend Micro’s CTO Raimund Genes recently published his traditional new year predictions for 2013. It is quite an insightful and mind-opening paper, which I invite you to download and add to your reading list for the Holidays.

Interestingly enough for Trend Micro, the company that has made the “Journey to the Cloud” its corporate mantra, Raimund’s top two predictions are not related to the cloud but rather to the inevitable impact of consumer mobile platforms on corporate IT, a topic particularly relevant to the Consumerization blog and to the Enterprise Mobility professionals among us:

#1 The volume of malicious and high-risk Android apps will hit 1 million in 2013.

#2 Windows 8 offers improved security—but only to consumers.


The Financial Impact of Consumerization – You can’t manage what you don’t measure

Most Scrutinized BYOD Expense Items

The Consumerization of IT is a trend even the most parochial IT manager has surely heard of by now. It’s sweeping through enterprises across the planet with no regard for legacy, tradition or order and can be seen as either the most exciting or terrifying thing to happen to IT in the past decade, depending on where you stand.

For many IT managers, unfortunately, the prevailing attitude is still “why should I allow it?”. They are clinging to the old paradigm whereby IT controlled and dictated the purchasing and ongoing management of technology used by employees. This attitude just will not stand any longer: consumerization is happening, and it needs to be managed in as financially efficient a manner as possible.


Legal and technical BYOD pitfalls highlighted at RSA Conference

Companies that don’t protect themselves through policies place themselves at risk.

Post based on my interview* with Mikael Ricknas of Computerworld.

Allowing employees to bring their own devices to work is causing new challenges, including what happens when a device needs to be wiped or employees want to sell their smartphone or tablet.

Mobile security and BYOD (bring your own device) are main themes at the European edition of RSA’s security conference, which takes place this week in London.

Letting employees use their own smartphones or tablets for work represents a loss of control for IT departments. Also, if personal data isn’t handled correctly, the company may end up being sued, said Cesare Garlati, vice president of mobile security at Trend Micro and the moderator of a conference session called “The Dark Side of BYOD”.
