Details of the new EU data protection law have been announced. The bill seeks to reform EU data regulations and save an estimated €2.3 billion in costs, implement pan-European regulation, and deliver a competitive edge to European companies.
Among the requirements of the new regulations is a mandate that companies seek user consent prior to using private data. In addition, a separate rule requires that businesses reveal details of any data breach to affected individuals and data protection authorities, and they “must do so without undue delay.” While “undue delay” has not yet been explicitly defined, EU justice commissioner Viviane Reding suggested in a Munich news conference that a delay of over 24 hours would violate the law.
Companies that fail to comply with the new rules will face harsh financial penalties. This would apply to U.S. concerns conducting business in the EU as well as to European companies. The U.S. Department of Commerce issued a statement opposing the rule, claiming that the time period to comply is “simply too short” and that companies seeking to follow the rule may issue false alarms to avoid the risks of violation.
Ratification of the laws by member states is expected in 2014 or 2015, and must be approved by the European. Businesses are expected to press heavily for amendments to the draft laws during the ratification period.