- An obligation to notify national authorities and the individuals involved of serious data breaches as soon as possible, within 24 hours if feasible.

- A requirement to get explicit rather than assumed consent for personal data to be processed.

- An obligation to allow people easier access to their personal data and the ability to transfer their personal data more easily from one service provider to another.

Businesses with fewer than 250 employees would be exempted from some of the requirements, such as the need to appoint a data protection officer.

Breaches of the rules could be punished by fines of up to €1 million ($1.3 million) or up to 2 percent of the annual revenues of the company.

Gary Clark, an expert with the internet security company SafeNet, said the proposed regulation is needed. “The proposed regulation will give consumers more control over their privacy and will force organizations to reconsider how private data is being handled and stored,” he said.

The directive would take effect two years after its adoption.


Raphael Satter in London contributed to this report. Don Melvin can be reached at


Full text of the proposal: