EU set to announce new data breach disclosure rules

Reports indicate that companies will be required to disclose data breaches within 24 hours

The European Union (EU) is planning to release new proposals under which firms would be given 24 hours to formally disclose data breaches, according to widespread reports.

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," said vice president of the European Commission Viviane Reding at last week's DLD conference, according to Bloomberg.

Corporate giant Sony was criticised for the length of time it took to notify its customers that more than 100 million accounts had been compromised when its servers were hacked in early 2011.

The new rules, if adopted, would give firms clear guidance on what is expected of them if they are hacked.

The proposals will also aim to homogenise data protection rules across the EU, making it easier for international businesses to understand their obligations.

Reding said this will save businesses £1.9bn per year by reducing administrative costs.

In her speech, Reding also stated that the EU will amend its policies around online advertising and social networking.

Stricter rules around cookies will be imposed, and powers will be conferred on national data protection authorities to impose fines on organisations that fail to comply.

Reding said the legislation will require organisations to obtain "specific and explicit" consent from internet users to store information, and to delete data unless there is a "legitimate and legally justified interest" in keeping it.

The EU is expected to formally announce its proposals on Wednesday, 26 January 2012.