The European Commission has outlined a proposal for reforming data protection laws in the European Union, touting the move as a way to both protect consumers’ and individuals’ privacy as well as save businesses billions every year by reducing the overhead needed to comply with current regulations. As outlined by EU Justice Commissioner Viviane Reding, the proposed laws would make data protection requirements uniform across the EU’s 27 member states, increase penalties for rule breaches, and would enshrine both a right for people to access and transfer their personal data as well as a “right to be forgotten” — that is, have data about them deleted it there are no legitimate reasons to keep it.
If enacted, the proposed regulations would be the first comprehensive reform of European data protection standards since 1995.
“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data,” said EU Justice Commissioner Viviane Reding in a prepared statement. “My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses.”
The EU’s 1995 Data Protection Directive guaranteed EU citizens a right to data protection, but the specifics have been difficult to manage, with different member states implementing the law in different ways. Similarly, the complexity of inter-jurisdictional cases (where, say, a user is in one country and a company with data about them is in another — or outside Europe) created even more headaches. The result is that businesses looking to manage data responsibly have to deal with scores of different sets of regulations and enforcement agencies, and citizens often have little idea where to turn if they’re concerned about how their data is being used. And they are concerned: A recent Eurobarometer survey (PDF) found seven out of 10 Europeans are worried their personal data may be misused.
To keep businesses happy, the new regulations would impose a single set of data protection rules that would apply across the entire EU. And while businesses and individuals would still have to deal with individual data protection authorities in their respective countries, they can work with that single agency even then data is being processed by companies outside the EU. The idea here is to reduce paperwork, bureaucracy, and administrative costs: The European Commission estimates the changes will save businesses about €2.3 billion a year. In exchange for lower regulatory burdens, companies also have some stiffer requirements: They have to report data breaches as soon as possible (like, within 24 hours) and can be penalized up to €1 million or two percent of their global revenue for breaching data protection regulations.
The proposed regulations also include many tools to help everyday people manage their personal data and understand how it is being used. First of all, it defines personal data as essentially any information about an individual, whether it be their name, a photo, an email address, details of their private or professional life, medical information, posts on social networking sites, and even their IP address.
Companies would have to acquire explicit consent to collect and use personal data, rather using “assumed consent” mechanisms such as continuing to use an account beyond a certain date. (Take note, Google!) Companies must also explicitly inform users if their personal data will be handled abroad.
The regulations also require users be able to transfer their data from one service provider to another. This is a bid to increase competition amongst services by preventing them from keeping users from leaving because their data is held hostage. For instance, if someone wants to switch from Facebook to Google+ right now, they’ll essentially be saying goodbye to most of the data (photos, videos, posts, comments, files, etc.) they’ve put on Facebook. The portability requirement would make such moves simpler, but it’s not clear what sort of technical solutions would satisfy the regulatory mandate.
The right to be forgotten
Perhaps the highest-profile item in the proposal is the “right to be forgotten,” that would require Internet companies to delete data about a user unless there are legitimate reasons to keep it around. In other words, if a Facebook user chose to delete his or her account, Facebook would actually have to delete it, not just put it in a kind of inaccessible limbo, where it’s information is still used to target advertising, tailor services, and (potentially) fall into the wrong hands. Consumer rights advocates note that a “right to be forgotten” helps Internet users have confidence in their ability to manage their personal data; however, many industry watchers expect companies like Facebook to argue about what a “legitimate” reason for retaining data might be. From Facebook’s point of view, keeping an account in limbo is a wonderful service, so they can restore the account if (no, when!) the user decides to come back.
The proposal also includes a new directive that will apply data protection principles to police and law enforcement matters, both domestically and internationally. The European Commission argues that having the same legal framework in all EU member states will enable police forced to more effectively battle online crime and fraud, and also ensures that personal data used by law enforcement is uniformly protected throughout the EU.
If the European Commission’s proposal is enacted and resonates with EU citizens, it could have significant repercussions in the rest of the world, since so many major Internet players — from Amazon to Netflix to Google to Facebook to Twitter to Apple — all operate in Europe. Most of those companies would not want to be in a position where they’re perceived to treat personal data with care…but only in Europe.