Differences in interpretation of the EU’s 1995 data protection rules may soon be resolved, according to a proposal by Viviane Reding, Vice-President of the EC in charge of Justice, Fundamental Rights and Citizenship
A single set of European rules on data protection valid everywhere across the European Union, so one rule for the 27 Member States and for the 500 million people. One data protection authority for one company: a one-stop shop and one authorisation for the whole European Union. This will reduce the administrative burden and will save businesses around 2.3 billion euros a year.
The new rules carry some interesting concepts, such as a new burden of proof on companies that want to retain personal information. Reding advocates for the ability of a person to request that their data be deleted (the “right to be forgotten”) unless a company can prove a “legitimate reason” for retention. She has also said companies will have to report a breach “as soon as possible,” which has been suggested to mean within 24 hours. Compliance is expected to be managed by a data-protection officer, who will be required at all companies with more than 250 employees.
Possibly one of the more interesting points about this is the proposed fines structure: up to 2% of _global_ revenue in fines for data breaches in the EU.