In January, draft language for the new European Data Protection Directive, is expected to be released publicly.
The directive's goals include setting in place guidelines for the protection of data that originates within Europe and laying out if, how and when that data can leave Europe. The directive will replace the EU's existing Data Protection Directive.
But we don't have to wait until January for the new language. ZDNet's Zach Whittaker has the scoop:
The General Data Protection Regulation will allow the free-flow of data and the protection of individuals. The Police and Criminal Justice Data Protection Directive gives rights to those who work in law enforcement, for the purposes of prevention, investigation, detection or prosecution of criminal offenses.
Some of the most important and interesting items Whittaker found:
- Data processors like Google will have to adhere to many of the requirements applied to data controllers like universities.
- Citizens of EU countries will have a "right to be forgotten," meaning they will have a right to force private companies to remove their data if requested.
- Companies suffering a security breach or data loss incident will be required to report this to both the authorities and affected individuals within 24 hours of learning of the incident.
- Certain companies will be required to have an officer dedicated to data protection.
- A company will not be able to transfer data to a United States government agency under existing Safe Harbor laws. Instead, it must first get the approval of the corresponding agency in the European state in which it's headquartered.
The penalties for non-compliance with the new laws will be fierce: under the proposed language, each violation could result in a penalty of up to 5% of the violator's annual worldwide revenue. As Whittaker notes, this could equate to $1.1bn for each hypothetical Microsoft violation, and $430m for each hypothetical Google violation.
Obviously, there could be changes to this draft language between now and January, but one thing is clear: the new Data Protection Directive will be significant and have a big impact on many companies operating in Europe.