E.U. emphasizes data ownership, portability


A proposed directive aims to give European citizens greater access to their personal data and stresses the right to data portability, which could make transferring personal data from one entity--particularly Internet-based businesses--to another easier, according to an E.U. statement. The directive's "right to be forgotten" would allow citizens to mitigate risks online in that they could "delete their data if there are no legitimate grounds for retaining it."

The proposed data protection rules, introduced Jan. 25 by the European Commission, would also apply to any information transferred domestically or across borders for police and judicial data-sharing efforts.

The Commission is moving to reform its 1995 rules in part because enforcement varied so much from member state to member state. If approved, the legislation would create a comprehensive E.U. framework for data protection and a directive to guide prevention, detection, and judicial investigation or prosecution.

Under the proposal, European companies that experience a serious data breach would be required to notify a supervisory government entity as soon as possible--ideally within 24 hours. Contacting a single national data protection authority in each E.U. country aims to eliminate the need for each company to issue its own data breach notifications.

U.S. companies and federal agencies sometimes try to verify a breach and investigate its extent before alerting individuals whose information may have been compromised.

"A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market," said E.U. Justice Commissioner Viviane Reding in a Jan. 25 statement. The Digital Single Market aims to increase business in digital entertainment and online services, establish a single online payment platform and protect E.U. consumers in cyberspace; it's one of eight pillars in Europe's Digital Agenda.

E.U. data protection rules will apply to European citizens' personal data handled abroad by companies active in the E.U. The plan would also allow independent national authorities to fine companies that violate E.U. data protection rules. "This can lead to penalties of up to €1 million or up to 2 percent of the global annual turnover of a company," according to an E.U. statement.
