On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.

Significant changes include:

• A “right to be forgotten,” which would give individuals a right to demand that user data be permanently deleted from websites;

• A requirement that websites obtain explicit consent from users to permit the storage and use of their personal data (and allow for revocation of consent);

• A requirement to provide notifications about data breaches to data protection authorities and individuals within 24 hours of discovery; and

• A right for individuals to request that their personal data (such as posts, contacts, and pictures on a social network) be moved from one online service to another.

Fines for violation of the new regulation can be as high as two percent of a company’s worldwide gross income.

The proposals on breach notification are intended to catch Europe up with requirements in the U.S. Mandatory breach notification requirements are not common in Europe and fines for security breaches have been modest at best. Regulatory penalties are the primary enforcement mechanisms in the EU as there is no class action litigation.