New EU data protection rules due this week

Companies would be required to immediately disclose breaches, and individuals would get the "right to be forgotten" under a European Union proposal.

Steven Musil Night Editor / News

Companies will be required to disclose security breaches within 24 hours of their occurrence under European Union proposals being made this week to strengthen data protection rules.

New rules are needed to protect consumers and reduce bureaucracy, EU Justice Commissioner Viviane Reding said in a speech at a conference today in Munich.

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," Bloomberg quoted Reding as saying at the DLD conference. "European data protection rules will become a trademark people recognize and trust worldwide."

Individuals would be granted new rights under the proposal, including a "right to be forgotten" that would allow them to request their information be erased, according to a draft obtained by Reuters. In addition, a "right to data portability" would allow individuals to easily transfer their personal information between companies. Member states would be allowed to fine companies up to 1 percent of their global revenues for violating EU rules, Reuters reported.

The new data-protection rules, which are expected to be announced Wednesday, are still subject to the legislative process and may still be revised during the next two years.

The rules are designed to address the concerns of consumers snared in security breaches suffered last year by Sony and Citigroup. One of the chief complaints from PlayStation Network customers was how long Sony took to inform them of the breach. Sony waited more than a week to inform its 77 million customers that their personal information had been illegally accessed in April 2011.

About 3,400 Citigroup credit card customers suffered a loss of $2.7 million during a May 10 hacking, but the company waited nearly a month to disclose the security breach on June 8.