Infosec: New EU data protection laws still years away

New EU-wide data protection laws are still at least two to three years away, but are likely to mandate data breach notifications for all organisations, according to the deputy information commissioner David Smith.

Speaking at the Infosecurity Europe event in London today, Smith explained that the Data Protection Directive is currently under review by the European Commission, which will announce a set of initial proposals in the summer.

"However, this is a sensitive and difficult area so don't hold your breath," he added. "It could be two or three years before the final proposals come out, but we will see changes."

One of these changes is likely to be data breach notification laws "across the board", according to Smith.

From May this year notification will become mandatory for service providers under UK law, but the European proposals would stretch to all firms in a similar way to those enforced in the US.

"We're keen to ensure its proportionality ... so only the ones which are significant [are notified]," said Smith.

Other areas likely to be included in the forthcoming update include data minimisation rules, privacy by design and the ‘right to be forgotten', i.e. the deletion of personal data from social networking and other sites.

Smith also defended the £500,000 cap on fines that the ICO is allowed to levy on organsations found to be in serious breach of the Data Protection Act.

"I don't think that any company would see a £500,000 fine as a bit of a joke, although for multinational businesses it would not necessarily have a huge financial impact," he argued.

"But there's always the trust, confidence and reputation damage which is a key driver for businesses. What we've got is proportionate and if [the fines] fail to deliver improved data protection we will be knocking on the door of government."