Friday, January 27, 2012

EU’s New Data Protection Rules

On January 25, the European Commission proposed new data protection legislation. The rules include the "right to be forgotten," under which individuals will be able to delete uploaded personal data if there are no legitimate grounds for retaining them.

The rules would apply if data are handled abroad by companies that offer their services to EU citizens (e.g., Google Inc., Apple Inc., Microsoft Corp. and Facebook). Breaching the rules would be punishable by a fine of €1 million or up to 2% of the company’s global annual turnover. According to Viviane Reding, the EU's justice commissioner, the new rules would save businesses about €2.3 billion ($3 billion) a year.

"My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information," she said in a statement. "A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation."

Needless to say, many are not happy.

"The latest draft still includes a number of draconian requirements for businesses that will be difficult to implement for many," said Jane Finlayson-Brown, a partner in London-based law firm Allen & Overy's data protection team.

"The real concern is that many of the proposed rules will inhibit the free flow of information globally and make it difficult for global businesses to operate and invest in Europe due to greater legal uncertainty, increased administrative burdens and the risk of fines," said James Lovegrove, managing director of TechAmerica Europe, a not-for-profit association representing U.S.-based technology firms in Europe.

If the changes are adopted, companies will deal with a single national data protection authority in the EU country in which they have their main base. Meanwhile, individuals can refer to the data protection authority in their own country even when their data are processed by a company based outside the EU.

Ronald Zink, Microsoft's Chief Operating Officer with responsibility for EU Affairs and Associate General Counsel, commented: "The question [is] how do you future proof this; the European Commission is trying to create a regime that will have some staying power. The goal of [the] new proposal is to reduce the burden while increasing privacy protection; I'm optimistic this can be done."

Google reacted on its official blog, announcing that it will streamline its privacy policy from 70 documents to a single main privacy policy. "Regulators globally have been calling for shorter, simpler privacy policies—and having one policy covering many different products is now fairly standard across the web," Google's blog said. "We believe this new, simpler policy will make it easier for people to understand our privacy practices."

The proposals will now be passed on to the European Parliament and EU member states when they meet at EU councils, and will take effect two years after they have been adopted.