Sweeping Privacy Changes Include Online Consent Rules, ‘Right to be Forgotten’
Revamped data protection rules will make Europe an “international standard-setter” in the privacy arena, Justice Commissioner Viviane Reding said Wednesday. The reform package, which must be approved by the European Parliament and Council of Ministers, includes a regulation with general rules for data protection (DP) and a directive governing use of personal data in criminal investigations and prosecutions. It updates 1995 rules that aren’t “fit for the digital age,” Reding said. It requires explicit consent to use personal data and provides a “right to be forgotten” when consumers withdraw personal information from social networks and other sites, she said. Any company that wants to do business in Europe will have to comply, she said. In a related privacy move, Digital Agenda Commissioner Neelie Kroes continued her push Tuesday for a ‘Do-Not-Track’ industry standard.
Personal data is the currency of today’s digital market, Reding said at a news briefing. But people fear they'll lose control of their information, discouraging them from buying goods and services online, she said. Companies face many, sometimes contradictory, DP requirements across Europe and a load of different reporting rules, all leading to legal uncertainty and fragmentation, she said.
Under the proposal, there will be one set of rules for all EU members and one DP authority in each, setting up a one-stop-shop that will cut administrative burdens and save businesses around €2.3 billion ($3 billion) annually, Reding said. Small and mid-sized organizations will receive special care to help them grow, she said. Reform will ensure clear rules for international data transfers within a single company, she said.
For Europe’s 500 million citizens, the measures will boost trust in privacy and ensure they're well-informed about what’s done with their data, Reding said. The legislation will require privacy policies to be clear and written in understandable language, she said. Users will have to explicitly consent to the use of their personal data, and will be able to port the data from one provider to another, she said. Mandatory data breach notification is also part of the package, she said. Violations of the law could lead to fines of up to €1 million or up to 2 percent of a company’s annual global sales, she said.
Asked how the EU will enforce the law against social networks, most of which are based in the U.S., Reding said the rules apply to any company that wants to take advantage of the golden opportunities of the digital market, wherever it’s headquartered. American businesses with subsidiaries in Europe will be subject to EU law just like anyone else, she said.
Reding said she was heavily lobbied on some provisions and generally took the middle ground. The U.S. Department of Commerce made its views known in informal notes circulated in December and earlier this month, which were posted on the European Digital Rights (EDRI) website. Commerce opposed the right to be forgotten and the requirement for a uniform approach to explicit consent for all Internet services. Its January memo said the draft regulation asserts jurisdiction over most global websites, negatively affecting businesses and consumers worldwide. Claiming jurisdiction over those who operate websites without a legal nexus in the country is exactly what the U.S. was proposing in the Stop Online Piracy Act and PROTECT IP Act, EDRI said tartly in its Jan. 18 newsletter.
Europe’s privacy chief called the proposed regulation a “huge step forward” for data protection but said there’s room for improvement. The draft regulation is an “excellent starting point” for adoption of DP rules robust enough to “face the information technology-driven challenges before us,” said European Data Protection Supervisor Peter Hustinx. However, he said provisions for privacy in police matters were inadequate.
Separately, the EC is pushing for an industry Do-Not-Track standard that will make compliance with DP and privacy laws simpler for users and advertisers, Kroes said Tuesday at a meeting of the World Wide Web Consortium’s tracking protection working group in Brussels. Industry has a self-regulatory initiative for online behavioral ads, but EU data protection authorities say the code alone won’t solve the issue of tracking via cookies, malware and spyware, she said in a blog post on Friday.
DNT would describe the technical details of a “signal” users can send to providers via their online equipment, including Web browsers, Kroes wrote. The signal indicates their preferences regarding tracking, letting companies know whether they have consent or not, she said. Kroes pressed companies to agree on a standard by June.
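To make the "signal" concrete, here is an added example of how a site operator would read the DNT request header and decide whether to set a tracking cookie. This is illustrative code written for this page, not code from the Commission, the article, or the W3C working group. It assumes the header semantics of the W3C Tracking Preference Expression draft (DNT: 1 means do not track, DNT: 0 means the user permits tracking, no header means no preference was expressed); the cookie names, the sample requests and the require_explicit_consent switch are constructed for illustration. The switch shows why the consent model matters: under the opt-out reading a silent browser is tracked, while under the draft regulation's explicit-consent rule only an affirmative DNT: 0 permits it.

```python
"""Server-side handling of the Do-Not-Track (DNT) request header.

Added example; not code from the article, the Commission or the W3C.
Header semantics follow the W3C Tracking Preference Expression draft:
  DNT: 1   -> the user does not want to be tracked
  DNT: 0   -> the user has granted permission to be tracked
  absent   -> the user expressed no preference
"""
from enum import Enum
from typing import List, Mapping, Tuple


class TrackingPreference(Enum):
    OPT_OUT = "opt-out"          # DNT: 1
    OPT_IN = "opt-in"            # DNT: 0
    UNSPECIFIED = "unspecified"  # no DNT header, or a malformed value


def parse_dnt(headers: Mapping[str, str]) -> TrackingPreference:
    """Parse the DNT header from a mapping of request headers (any case).

    Only the exact tokens "0" and "1" carry meaning; anything else is treated
    as if no preference had been expressed, never as consent.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value == "1":
        return TrackingPreference.OPT_OUT
    if value == "0":
        return TrackingPreference.OPT_IN
    return TrackingPreference.UNSPECIFIED


def may_track(headers: Mapping[str, str], *, require_explicit_consent: bool) -> bool:
    """Decide whether a tracking cookie may be set for this request.

    require_explicit_consent=True models the rule that silence is not consent:
    only an explicit DNT: 0 permits tracking.
    require_explicit_consent=False models the opt-out-only reading, where
    tracking proceeds unless the user sent DNT: 1.
    """
    pref = parse_dnt(headers)
    if pref is TrackingPreference.OPT_OUT:
        return False
    if pref is TrackingPreference.OPT_IN:
        return True
    return not require_explicit_consent


def build_response_headers(headers: Mapping[str, str], *,
                           require_explicit_consent: bool) -> List[Tuple[str, str]]:
    """Return the Set-Cookie headers to emit for one request.

    A first-party session cookie is always set; the (hypothetical) ad-tracking
    cookie is only added when may_track() allows it.
    """
    out = [("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
    if may_track(headers, require_explicit_consent=require_explicit_consent):
        out.append(("Set-Cookie",
                    "adtrack=u-98765; Path=/; Secure; SameSite=None; Max-Age=31536000"))
    return out


if __name__ == "__main__":
    # Constructed sample requests for illustration, not captured traffic.
    samples = {
        "opt-out": {"Host": "example.test", "DNT": "1"},
        "opt-in": {"Host": "example.test", "DNT": "0"},
        "silent": {"Host": "example.test"},
        "garbage": {"Host": "example.test", "dnt": "yes"},
    }
    for label, req in samples.items():
        strict = may_track(req, require_explicit_consent=True)
        lax = may_track(req, require_explicit_consent=False)
        print(f"{label:8s} explicit-consent={strict!s:5s} opt-out-only={lax}")
```

Running the script prints one line per sample request; the "silent" and "garbage" rows differ between the two policies, which is exactly the gap between the industry self-regulatory code and the explicit-consent requirement the article describes.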