Details are beginning to emerge for the European Union’s data protection laws. Like many before it, the use of encryption software is being encouraged in order to safeguard the private information of people who fall under the EU’s jurisdiction. In addition, a number of other details are being considered as well, such as the use of anonymized data for satisfying data security requirements.
Personal Data Breach Notification
According to out-law.com, the EU committee has agreed that breach notifications must be made to regulators within 72 hours of discovery, provided the breach “may result in physical, material or moral damage” to individuals. Whether this language will constitute a loophole that undermines the breach notification laws remains to be seen. (For example, a person who’s overseeing the breach may conclude that the risks are negligible – not because that happens to be the case, but because going public with the breach would be bad business.)
A second similar problem that I see is the use of the term “undue delay”:
organisations would also face a new obligation to inform consumers “whose rights and freedoms could be severely affected” by a personal data breach of such an incident “without undue delay”.
What exactly is an undue delay? Is it a day? A week? A month? A year? Such linguistic loopholes tend to create havoc for those the law intends to protect. It’s the reason why in the US, the set of federal rules governing patient information (aka HIPAA) requires that a notification be sent as soon as possible, but no later than 60 calendar days after discovery. Pass this mark and you’re in breach of the law.
Likewise, the final version of HIPAA struck out the “harm threshold” requirement, which read much like the “may result in physical, material or moral damage to individuals” language. The reason? It became quite obvious that such a clause invited abuse.
Encryption Software Use Encouraged
The committee also agreed that using data encryption would be grounds for safe harbor from the reporting requirements, if the organisation has applied
“appropriate technological protection measures” to protect the data that has been lost or stolen from being accessed by people not authorised to see it.
“Such technological protection measures should include those that render the data unintelligible to any person who is not authorised to access it, in particular by encrypting the personal data,”
This is a good move, seeing how experts agree that the use of encryption provides more than adequate data security. However, there is some room for improvement here, as not all encryption is created equal. Perhaps the law should specify the use of strong encryption, or perhaps do what the HIPAA regulators have done and defer the definition of encryption to a body that oversees such matters (NIST, in HIPAA’s case).
Likewise, the use of pseudonymization as a data security measure is quite puzzling, as experts are increasingly finding that this form of data protection doesn’t really work, especially when combined with Big Data initiatives. Although laws tend to lag behind technology, there’s no reason they have to when the evidence is well within reach.
There is, of course, still plenty of time left for arriving at a final set of rules. One hopes the EU will play it smart and not repeat the mistakes others have made before it.