As some of you know, privacy reforms were released a few weeks ago by the European Union (EU). The European Commission is proposing a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. Last week I spent the day at the United States Institute of Peace in Washington, D.C. attending the EU Conference on Privacy and Protection of Personal Data. This was the second event in the past two years allowing global stakeholders like legislators and business to sit down and talk face to face about how technological progress and globalisation have profoundly changed the way data is collected, accessed and used.
What makes this of interest for US based stakeholders is that the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. The proposed reforms will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.
Attitudes towards data protection
- Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control of their personal data.
- 74% of Europeans see disclosing personal information as an increasing part of modern life.
- 43% of Internet users say they have been asked for more personal information than necessary.
- Only one-third of Europeans are aware of the existence of a national public authority responsible for data protection.
- 90% of Europeans want the same data protection rights across the EU.
The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee the right of personal data protection in the future. They focus on: reinforcing individuals’ rights; strengthening the EU internal market; ensuring a high level of data protection in all areas, including police and criminal justice cooperation; ensuring proper enforcement of the rules; and setting global data-protection standards.
With all this going on, we thought we might answer some additional questions for you so you can better understand how we are seeing this and reacting to it.
What are the key changes in these reforms?
- A ‘right to be forgotten’ will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
- Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
- Easier access to one’s own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
- Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours.
- A single set of rules on data protection, valid across the EU.
- Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
- Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
- EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of citizens.
- Increased responsibility and accountability for those processing personal data.
- Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.
- National data protection authorities will be strengthened so they can better enforce the EU rules at home.
Q: How will the data protection reform affect social networks?
A: Social networks provide a useful tool for staying in touch with friends, family and colleagues, but they also present a risk that your personal information, photos and comments might be viewed more widely than you realise. In some cases, this can have financial, reputational and psychological consequences. The Commission is proposing a strengthened right to be forgotten so that if you no longer want your personal data to be processed, and there is no legitimate reason for an organisation to keep it, it must be removed from their system. Data controllers must prove that they need to keep the data rather than you having to prove that collecting your data is not necessary. Providers must take account of the principle of ‘privacy by default’, which means that the default settings should be those that provide the most privacy. Companies will be obliged to inform you as clearly, understandably and transparently as possible about how your personal data will be used, so that you are in the best position to decide what data you share.
Q: How do the current data protection rules hold back the single market?
A: As we said before, today’s data protection rules are divergent and inconsistent across the EU’s 27 member countries. Companies may have to deal with 27 different sets of data protection rules within the EU. The result is a fragmented legal environment with legal uncertainty and unequal protection for individuals. This has also caused unnecessary costs and a significant administrative burden for businesses. This complex situation is a disincentive for businesses – particularly small and medium-sized companies (SMEs) – to expand their operations across the EU and represents an obstacle to economic growth. The Commission is proposing new rules to remove barriers to the internal market which exist because of the divergent legal approaches of the 27 EU countries. This will create a ‘level playing field’ on data processing within the EU. The Commission will achieve substantial harmonisation of data protection rules at EU level, creating one single law applicable across the EU.
Q: How will the EU’s data protection reform make international cooperation easier?
A: Personal data is increasingly being transferred across borders – both virtual and geographical – and stored on servers in multiple countries both within and outside the EU. That is the nature of cloud computing. The globalised nature of data flows calls for a strengthening of the individual’s data-protection rights internationally. This requires strong principles for protecting individuals’ data, aimed at easing the flow of personal data across borders while still ensuring a high and consistent level of protection without loopholes or unnecessary complexity. To respond to these challenges, the Commission is proposing a system which will ensure a level of protection for data transferred out of the EU similar to that within the EU. This will include clear rules defining when EU law is applicable to companies or organisations established outside the EU, in particular by clarifying that whenever the organisation’s activities are related to the offering of goods or services to EU individuals, or to the monitoring of their behaviour, EU rules will apply.
There remains quite a lot of work to do before these reforms take effect, and it is not yet known what form the final regulations will take. Industry stakeholders including businesses, trade associations, and Data Protection Authorities around the world have already submitted, or are preparing, their comments to the European Commission regarding their concerns about areas of the proposed regulation. From a US perspective, while some of the proposed regulations are welcome, such as having only a single set of rules to comply with, other areas are sure to raise significant concern as hurdles that may hinder global compliance. This underscores not only the different attitudes and approaches to data protection in the US and EU, but also the need for each to continue to pursue more harmonized frameworks as the global economy grows. The Internet has no borders, and regulations must recognize this in order to foster continued growth of the Internet economy on both sides of the Atlantic.