By Zachary Laven --- European Affairs editorial assistant
The European Commission’s proposal for a sweeping overhaul of rules protecting individuals’ privacy in on-line data was unveiled Wednesday as a modernizing step that could reassure users and streamline procedures for companies in this complex new legal and technical environment.
In presenting the plan, Justice Commissioner Viviane Reding said that the new integrated system will give Europe’s citizens easier access to their personal data and result in saving businesses an estimated 2.3 billion euros a year. The proposals will impose a single set of privacy standards in the EU’s 27 member states for the first time, overriding often divergent national rules.
Violations of the new rules, under the Commission’s proposal, could result in fines amounting to 1 million euros or two per cent of the offending company’s global turnover.
Even compliance with the prospective EU regime, according to some in the private sector, could prove expensive for many companies -- including a wide swath of U.S. companies, some with only minimal involvement in Europe.
The EU’s current data-protection rules date from the 1995 Data Protection Directive, and a key improvement under the Commission’s up-date would bring the existing situation, involving separate national systems in the 27 member states into a single pan-European law.
According to Commissioner Reding, “the protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.” If Europeans feel more confident that their personal data is secure, she said, they will be readier to make greater use of the internet in sensitive areas such as business transactions and electronic medical record-sharing. “A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation,” she said in Brussels in releasing the draft data-protection bill.
Key provisions of the proposal include requirements that:
- Companies provide clear rules as to what information is being collected and how it is being used.
- Rules be relaxed for data transfer between multinational corporations once it is approved by one data authority in the EU system. Thus, companies will now only be required to deal with a single data authority in their base EU country.
- Companies with more than 250 employees will be required to assign a data protection officer to its staff, although SMEs (small businesses) will be exempt from this.
- The ‘right to be forgotten’ is recognized in the sense that where there is no “legitimate” legal reason for businesses to keep data, users will have a legal right to have it deleted.
- Companies will be required to report promptly any breach of data (ie thefts of personal information due to hackikng). The new EU goal is 24 hours – in contrast to some incidents in which companies have withheld disclosure for days while investigating.
As the Financial Times reported, the new proposals are being examined very keenly by technology companies such as Google and Facebook, which store large amounts of personal data. But the new EU privacy rules will impact the entire corporate landscape: any company maintaining databases that include personal information – be that customer records, internal human resources directories or any other list – will have to comply with the new rules, and be able to show how and why they are using personal data.
They cited provisions that mandate more stringent conditions on companies’ ability to transfer data about individuals (including personnel within a single multinational corporation) along with another innovation – a “right to be forgotten” for individuals who want to eliminate on-line data about themselves. This protection could be very costly to implement for companies with big on-line businesses and extensive data banks that include social networking and other personal data.
Washington is also expected to weigh in on the issue since the Commission’s draft directive says that EU rules should apply to all companies, from anywhere, that “offer their services to EU citizens.” To some U.S. lawyers, that provision could be interpreted as applying to U.S. companies whose involvement in Europe is confined to advertisements for their services in some European media.
“We have been pushing for harmonization of privacy laws for several years, but we are concerned that these proposals may be too prescriptive,” said Ron Zink, Microsoft Europe’s chief operating officer and associate general counsel.
On a more welcoming note, other executives said that the most tangible impact for companies is that all their privacy issues in the EU will now be tackled by a single EU data protection regulator, which will be that of the country in which they have their main European operations.
A new European Data Protection Board, made up of the EU’s 27 national regulators and the EC, will co-ordinate cross-border cases, such as the one faced last year by Google’s Street View service, which prompted separate investigations in a dozen EU countries.
“That’s a big plus for companies, as dealing with 27 different national regimes is both expensive and cumbersome,” according to Christopher Kuner, a privacy specialist at a Brussels-based law firm quoted by the Financial Times.
Questions about the new proposal will get momentum from the power of big on-line firms such as Google and Facebook, which demonstrated their new political punch last week by derailing US Congressional draft legislation aimed at clamping down against internet piracy.
The clout of internet giants, in mobilizing their private and corporate customers, came as a surprise in Washington, which has buzzed over the role of social media in the “Arab spring” -- only to be surprised to see it in action on the domestic political scene in the U.S. There are signs that these companies are hoping to have a similar impact in Europe on issues affecting the internet.
There is a separate transatlantic divergence brewing up over the issue of data storage known as “cloud-based computing.” Digital agenda commissioner Neelie Kroes has promised to present a European “cloud strategy” this summer as part of a plan to reform the online market in the EU. But White House officials have already indicated that they expect to argue with the EU plan because, the U.S. specialists say, European frameworks of data-protection conflict with the technological imperatives of modern global systems of data dispersal and retrieval.
Zachary Laven