Under proposed laws companies might be forced to inform their customers of data breaches
The European Commission (EC) is considering legislation that will force companies to inform their customers of data breaches.
The data-protection proposals, published recently in the EC’s Digital Agenda, are seen as a means of building consumer trust.
In a statement the EC said: “Europeans will not embrace technology they do not trust – they need to feel confident and safe online.
“A better coordinated European response to cyber-attacks and reinforced rules on personal data protection are part of the solution. Actions could also potentially oblige website operators to inform their users about security breaches affecting their personal data.”
Currently, there are no data-breach notification laws within the EU. However, under new telecommunications legislation passed last year, telecommunications companies will soon be required to inform customers if their personal data has been compromised.
The EC said in the Digital Agenda that it would explore the possibility of extending this notification requirement to other companies.
In the UK there has been resistance to introducing any such notification legislation. Although the majority of states within the US have enacted disclosure laws, the Information Commissioner’s Office (ICO) has in the past rejected the idea.
In November 2008, the UK Government also rejected calls for data-breach notification. A report published by the Ministry of Justice into the Information Commissioner’s inspection powers backed up the ICO’s position on notification laws.
"As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report.