The EU plans sweeping changes to its dated data protection law, including the "right to be forgotten" and 24-hour breach notification. The changes could have far-reaching implications for the Net industry.
Tougher rules on data protection are coming to the European Union with far-reaching implications for Web giants like Google and Facebook.
On Wednesday, the European Commission will propose sweeping changes to its 1995 Data Protection Directive, including the "right to be forgotten" and 24-hour breach notification.
The proposed legislation, consisting of both new rules and clarification of existing ones, comes amid big changes in how people use the Internet. Many hundreds of millions of people now subscribe to social networks like Facebook and LinkedIn as well as to cloud-computing services, which store data on servers outside the 27-nation bloc, where it can be accessed from anywhere.
Yet questions of who owns what data and how it should be used and for how long remain contentious issues among consumers, Internet companies and regulators alike, and have fueled some heated debate in recent years.
"I am not surprised by the discussions surrounding the proposal," Viktor Mayer-Schönberger, a professor at the Oxford Internet Institute and author of "Delete: The Virtue of Forgetting in the Digital Age," told Deutsche Welle.
"To put things into perspective, the Data Protection Directive in the 1990s took many years and a concerted effort under the German EU Presidency to get through. The debate then was much more contentious than now."
Several details of Europe's proposed new law were unveiled Monday at the Digital Life Design conference in Munich by Justice Commissioner Viviane Reding, who spoke of the need to protect users and cut red tape for businesses.
"We need individuals to be in control of their information," Reding told industry leaders, adding that consumers will only entrust companies with their data if they know it is protected.
Reding also stressed the need to simplify Europe's current data protection system, arguing that it's too complex and costly. She estimated the added cost to business due to conflicting laws at 2.3 billion euros ($3 billion) a year.
Viktor Mayer-Schönberger argued for similar measures in his 2009 book, "Delete: The Virtue of Forgetting in the Digital Age."
Good for consumers
The new bill promises users options like "the right to be forgotten" and "data portability." The first allows them to request that their information be deleted; the second makes it easy for them to take their data elsewhere, for instance, by moving from Facebook to LinkedIn. Users will also be given easier access to data held on them.
"It will be a major step forward to have strong data protection authorities with strong powers implementing a uniform law," said Joe McNamee, advocacy co-coordinator with European Digital Rights in Brussels. "This is good for consumers."
Companies will be required to disclose security breaches within 24 hours under normal circumstances. The addition of this rule is seen by some experts as a reaction to the Sony PlayStation breach last April when the Japanese consumer electronics giant took several days to inform millions of users that their data may be at risk.
Companies could also face fines of between 1 and 4 percent of their global revenues for violating EU data rules. There was some talk, initially, of the fine being as high as 5 percent.
The new laws also patch some transatlantic flaws between US law and existing EU rules on handing over data and protecting it.
"Overall, the proposed changes will reduce the amount of reporting for companies and thus bureaucracy, and should end the patchwork enforcement," McNamee told Deutsche Welle. "All this is good for businesses."
The EU legislative process can take between two and three years to turn the draft legislation into law. The current directive, ratified in 1995, took three years before EU member states enacted the law in their own legal systems.
McNamee warns, however, that no one should hold their breath just yet.
"It pretty much never happens that a draft directive is not amended to some extent," he said. "So it won't be approved as it stands. The big question is: What will be amended?"
Author: John Blau
Editor: Cyrus Farivar