A new agreement is under negotiation, but both sides are struggling to find an acceptable middle ground. Meanwhile, the European Commission has announced that if a satisfactory agreement is not in place by the end of January, each Member State's Data Privacy Commissioner will consider initiating "coordinated enforcement actions" to mandate compliance.
In the meantime, the European Commission, in conjunction with the European Parliament and Council, has finally drafted the long-awaited General Data Protection Regulation. It would supersede the current Data Protection Directive of 1995. The Directive is only an advisory set of rules, which has caused each of the 28 EU Member States to draft its own version of privacy laws.
Under the newly proposed regulations, however, there would be only one set of rules applicable to all 28 states. There will also be a newly created "right to be forgotten" and "right to portability," giving every EU citizen the right to move and remove her or his data. A breach notification requirement will require that victims be contacted as "soon as possible" but no later than 72 hours after discovery of the breach.
Depending on how these cases evolve, the results could have significant repercussions for how organizations are required to store and move data, at both the domestic and international levels.