Simon Says – Musings of a Technology CTO

The Register recently reported that the European Commission is considering passing EU-wide laws on data breach notification, along the lines of those in place in the USA already. Viviane Reding, the Information Security Commissioner said

The Telecoms Reform has put the issue of mandatory notification of personal data breaches firmly on the European Policy agenda.

The committee formed from Europe’s national data protection watchdogs (The Article 29 Working Party) has apparently also backed the idea.

Predicted to launch in 2010, a major initiative to review and strengthen the EU information security policy is in plan according to Reading, along with initiatives to consider emerging challenges for privacy and trust in the information society.

If this comes to place, it will bring the same kind of rigid requirement to report loss (or possible loss) of PHI and PII within Europe that is present in 48 US States today, and will further help companies both understand the risk of loss of PII, and will help consumers by giving them the choice to not do business with organizations known for having a lapse or defective stance on data security.

Remembering that PII information belongs to us, and not to corporates is a lesson slowly (and hard) learned in the USA – it’s encouraging that Europe is rapidly catching up.

Commissioner Reding made some firm comments re data protection:

A key principle of EU data protection law is that those who process personal data have to take the necessary security measures to counter the risks to this data… when a security breach happens, the operator will have to inform the authorities and those citizens who may face harm..

…

It is absolutely essential that we find the right European responses to the concerns

of European citizens about their fundamental rights to privacy and data protection.

You can read the full text of Commissioner Reding’s speech on this matter from the EC.Europa.EU site.