Viviane Reding, Vice-President of the European Commission, spoke on Monday at the Data Protection and Privacy Conference of the British Bankers’ Association in London.
Ms. Reding acknowledged that the current EU legal framework protecting personal data may no longer be appropriate to a world that has changed much since 1995 (when Directive 95/46/EC, the data protection Directive, was first published), as individuals “leave digital traces with every move [they] make.” The European Union now “needs a more comprehensive and more coherent approach in its policy for the fundamental right to personal data protection.”
Businesses must also play their part. The way they collect, process, store, and use personal data must be more transparent than it is right now. Ms. Reding alluded to the recent Sony PlayStation Network data breach, which affected some 70 million users worldwide, whose personal information (name, address, email, and birth date) was compromised. According to Ms. Reding, “this incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers’ trust in the online economy.”
Companies must better protect personal data against security breaches and identity theft. Ms. Reding stated that “they should immediately notify breaches of data security and confidentiality” and that she intends to introduce a mandatory requirement for business organizations to notify data security breaches.
As of today, Directive 2009/136/EC, which introduced mandatory data breach notification into the EU legal framework, requires only providers of publicly available electronic communications services to report data breaches. Other business organizations, however, do not have to report them.
This is likely to change soon, as Ms. Reding wants to introduce this requirement for all sectors, including banking and financial services. She expressed hope that “[i]t would … create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data.”
Changes are ahead, as new EU data protection legislation proposals should be finalized in the upcoming months.