Last week, European Commission vice-president for Justice, Fundamental Rights and Citizenship, Viviane Reding presented a draft set of reforms of the EU's 1995 data protection rules. The new rules have made more than a few companies unhappy, most notably Google and Facebook.
According to Reding's proposed reforms (as outlined in a press release and in supporting documents), there would be a single EU-wide set of rules for personal data protection, not the country by country hodgepodge of interpretations of the 1995 rules that exists now.
Personal data is defined in the privacy proposals as:
"Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking web sites, medical information, or a computer IP address. The EU’s Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet."
In addition, companies and organizations would need to notify their national supervisory authority—the one in the country in which they are primarily based—of "serious data breaches" within 24 hours "if feasible." Serious breaches include data that is "accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons." This 24-hour reporting requirement will likely cause a lot of debate. In the regulatory description of the reforms (pdf), the section that defines "feasible" goes on for more than a page and is filled with numerous caveats.
Companies and organizations would also need to get explicit consent from web site visitors whenever personal data is being processed.
Further, under the proposals, EU citizens will have a limited "right to be forgotten." As described in this EU supporting document (pdf), the right to be forgotten is tied in with a concept of "privacy by default", i.e.,
"... if you no longer want your personal data to be processed, and there is no legitimate reason for an organisation to keep it, it must be removed from their system. Data controllers must prove that they need to keep the data rather than you having to prove that collecting your data is not necessary. Providers must take account of the principle of ‘privacy by default’, which means that the default settings should be those that provide the most privacy. Companies will be obliged to inform you as clearly, understandably and transparently as possible about how your personal data will be used, so that you are in the best position to decide what data you share."
However, according to this article in the New York Times, this right to be forgotten is not meant to apply to any information that appears about a person on the Web. The Times quoted Reding as saying:
“It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.”
The proposals are also meant to ensure that EU citizens will be able to get "free and easy" access to any personal data being kept by a web site, and be able to transfer it "easily" from service provider to service provider (Reding calls this the "right of data portability"). For example, a person on Facebook would be able to easily transfer all their personal information residing there to another social media site, and demand that Facebook delete all the information it had on that person.
The new rules, assuming they are adopted, will also apply to personal data that is handled abroad by companies that are offering services to EU citizens. Companies and organizations in violation of the proposed rules could incur penalties of up to €1 million or up to 2% of the company's global annual turnover.
Reaction to the proposals was decidedly mixed. EU companies were unhappy but seemed to be resigned to the changes. Other companies, especially those outside the EU, like Facebook and Google, indicated that they would be looking to modify some of the proposals.
Facebook was subtle with its dismay, according to an article in the Wall Street Journal:
"Facebook Inc. Chief Operating Officer Sheryl Sandberg already issued an implicit warning, drawing attention to the €32 billion ($41.72 billion) value that the company has generated for the European economy. Her implication was clear: You change things at your peril."
Google was more direct. According to this story in the Financial Times of London, Google said that some of the proposed reforms could "break the Internet." As noted above, an EU citizen's IP address is considered to be personal information. As such, Google is concerned that every web site would first have to ask a visitor if they really wanted to visit the site, as well as inform them on what the site intended to do with any information related to the activities engaged in while visiting the site. Implied in the reforms is that the web site would also have to inquire whether the visitor wanted the fact that they ever visited the site erased when they left it as well.
Another WSJ article on the privacy proposals reported that the European Telecommunications Network Operators' Association, which represents some 40 telecommunications companies, worried about much the same thing and about the proposed reforms' practicality:
"Repeatedly requiring explicit consent during an online experience undermines the goal of enabling consumers to make informed decisions in an environment that is not overly intrusive."
Google also wants clarification on the operational details of the proposed reforms, which may affect its own privacy policies. Google is moving to harmonize its 70 different data privacy policies, which include the capability for data to be shared among Google applications, by the 1st of March.
The EU privacy proposals will now be sent to the European Parliament and EU member states. If adopted, it would be two years before they become law, so it may not be until late 2014 that the proposals take effect.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.