A New Data Protection Law for Europe: Giving Data 'Back' to Citizens?
BY Antonella Napolitano | Thursday, January 26 2012
Personal data is the currency of today's digital market. And like any currency it needs stability and trust.
Last Sunday at the DLD conference, European Commissioner for Justice Viviane Reding used these words to introduce the creation of a much-awaited new data protection law. (the official announcement was given yesterday).
The aim of this bill, explained the Commissioner, is to give citizens full control of their personal data available online and to provide a single set of rules for European and international companies that use this data in their business. A game-changing move that will have significant impact on how these Internet companies work: they will now have to obtain explicit consent and to comply with any consumer’s request to delete such data.
After a week of controversy around the SOPA/PIPA bills, the tech giants are focusing their attention on governments’ actions and citizens have backed them in their protests. But a law that gives people more power over their own personal data may break this improptu alliance.
The New York Times, which obtained an early copy of the draft, wrote :
The regulation would compel Web sites to tell consumers why their data is being collected and retain it for only as long as necessary. If data is stolen, sites would have to notify regulators within 24 hours. It also offers consumers the right to transport their data from one service to another — to deactivate a Facebook account, for example, and take one’s trove of pictures and posts and contacts to Google Plus.
The so-called “right to data portability” is one of the broader rights that the European Commission is planning to give to citizens, as an attempt to improve competition in this field, Reding said at yesterday’s press conference.
The package of laws seems to have a good timing in this respect: yesterday, Google announced that it would revise its privacy policy by following its users activities across all the websites. Most importantly, users won’t be able to opt out, reports the Washington Post:
But consumer advocates say the new policy might upset people who never expected their information would be shared across so many different Web sites.
[...] “Google’s new privacy announcement is frustrating and a little frightening,” said Common Sense Media chief executive James Steyer. “Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out — especially the kids and teens who are avid users of YouTube, Gmail and Google Search.”
According to the Washington Post, “Google’s move is aimed squarely at Apple and Facebook — which have been successful in building unified ecosystems of products that capture people’s attention.”
The changes will take effect starting March 1st (“Google was quick,” joked Commissioner Reding during the press conference, when she was asked to comment).
A single set of laws to foster competition
At the DLD conference, Reding also pointed out that the current EU data protection rules date back to 1995, way before the shaping of the Internet as we know it. As that Directive provided only a general framework, there are currently different laws for each of the 27 countries that form part of the European Union.
This law will be applied instead to all EU Member States, providing a “a regulatory 'one-stop-shop' for businesses for all data protection matters” Reding said at the DLD conference (held in Munich), and added:
companies across Europe will be themselves responsible and accountable for the protection of personal data in their business field. They will have to appoint a data protection officer – a requirement that businesses here in Germany are already very familiar with. The scrapping of the general notification rule alone brings about savings worth 130 million euro a year.
Germany is one of the countries with the strictest data protection laws and today Reding declared that such measures were taken into account when writing the proposal, which, if approved, will come into force by 2014.
But Germany is hardly the only country in Europe raising concerns about how companies handle personal data: on Tuesday the Financial Times reported that Norwegian public sector organisations won’t be allowed to use Google Apps after the Norwegian data protection authorities decided that Google had provided insufficient information about its storage of personal data.
There is no doubt that this step by the European Union could heavily impact Internet companies, argued Reuters, that had obtained the draft in advance:
The EU proposals would bolster significantly regulators' powers on fighting data-protection breaches, requiring companies to notify regulators when data has been stolen or mishandled.
The proposals also give member states new powers to fine companies up to 1 percent of their global revenues for violating EU data rules.
The attempt to set a global standard worries international companies that see these measures as too restrictive, compared to the ones in the US. While Microsoft Europe's COO, Ron Zink commented that the proposals might be "too prescriptive", Facebook declared that "There is a risk that an excessively litigious environment would impede the development of innovative services that can bring real benefit to European citizens," Reuters reported last Monday.
The right to be forgotten
Another important pillar of the law is the “right to be forgotten”, which would allow people to request that their personal information to be deleted from a social network and not disseminated online.
This measure, explained Reading in a Q&A after the conference, is mostly aimed at youngsters that are growing up “immersed” in social networks but are not fully aware of the consequences of sharing personal information online.
This explanation, though, seems to contain a counter-argument in itself: will this measure foster a responsible way to handle one’s own presence online or will it instead turn out as a way to underestimate the consequences, given the chance to delete personal data whenever we want to?
And this measure can also raise concern when it comes to public life. In today’s press conference Reding hinted that search engines won’t be included in the law, but how personal data belonging to public persons will be handled or how this law could impact history is yet to be defined.
Reding assured that this won’t be an absolute right:
There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.
Memory and history seem rather unusual words in a fast-paced, changing world, but nonetheless are part of it and are shaped by how technology works.
Government rules on these matters can have an impact even stronger than expected by legislators themselves, a fact that the European Parliament will definitely have to take into account when discussing this proposal, in the best interest of its citizens.