Commission Proposes Stronger Data Privacy Legislation
Revising an old directive; renewed legislation with more teeth
After weeks of suspense and rumours, the European Commission introduced long-awaited legislation to update the 1995 Data Protection Directive, the primary instrument governing personal privacy in Europe. These widely-anticipated changes were spurred in large part by three distinct motivations: (1) the desire to provide users stronger rights over their personal information, (2) the need to adapt the 1995 pre-Internet Directive and (3) a wish to harmonise divergent privacy laws across all the European Union.
Ironically, these were the same exact goals 17 years ago when the European Union first passed the Data Protection Directive. At that time, there were few comprehensive privacy laws in Europe (or anywhere else, for that matter). The initial Directive required member states to pass enacting legislation codifying the principles contained within the document, whilst allowing for a margin of interpretation that would prove its limits in practice. Indeed in the intervening years the EU’s 27 member states have all implemented and interpreted the Directive in varying ways, leading to a fair amount of confusion to companies offering services across the internal market. And while each country is slightly different, enforcement has been consistently spotty across the continent, leaving users with the suspicion that their information is not adequately protected as companies utilise increasingly sophisticated technologies to track user behaviour.
The Commission has been working on the text of the legislation for over a year and has been consulting stakeholders for more than two years; in December, what was purportedly a near-final version was widely leaked and analysed. The most significant change in that draft was that the legislation was in the form of a regulation instead of a directive, meaning that it would be automatically binding on member states (rather than a mere instruction to national governments to pass consistent legislation). The draft contained other provisions designed to make complying with European privacy law simpler for companies — such as subjecting companies to the jurisdiction of one lead national data protection regulator, rather than 27 potentially different authorities. The draft legislation also eliminated the burdensome and often costly requirement to provide regulators with pro forma (and typically ignored) notification in advance of all data processing activity (and paying filing fees for the privilege).
On the other hand, the legislation provided new protections for users, such as a very strict data breach notification standard, a requirement that all consent to collect and use personal data needs to be upfront and explicit, and a so-called “right to be forgotten” — the ability of users to erase (at least some of the) information held about them by others. It also called for stronger powers for regulators, including the ability to obtain fines as high as 5% of global revenues for privacy violations (for a large international company, this could easily run to the hundreds of millions of dollars, though the legislation does include language that the penalty must be “proportional” to the scope of the violation). In response, many (especially in the United States) criticised the heightened user protections as being unworkable and unduly burdensome on industry; the United States Department of Commerce reportedly lobbied extensively to have the legislation revised prior to formal introduction.
The eventual version that was released by the Commission does address many of the criticisms that had been levelled, and appears to try to find middle ground between user’s rights, practical implementation and the costs imposed on businesses. For example, the compromises include a less prescriptive data breach rule and a 60% decrease in the maximum penalties a regulator can levy. The legislation still has its critics from both civil society and industry, and there will be intense lobbying as the bill is debated and amended in the European Parliament and Council (A side note to all this is that much online privacy won’t really be affected by this new law. In 2002, the European Union passed a specific law on e-Privacy that governs issues like cookies and online behavioural tracking. Of course, the Data Protection Regulation could be revised to specifically supersede the e-Privacy Directive if officials believe the Regulation is sufficiently robust to address the areas the Directive was written to address).
Although the particulars are still being worked out, the legislative proposal does make significant progress on the Commission’s primary focus on giving users strong, consistent protections across the Union. It represents a frank admission that the strong principles contained in the 1995 Data Protection Directive haven’t been implemented in a consistent and effective manner in practice to protect users, and that more rigorous laws are needed. If successful, the new regulation will better secure user data while offering companies a clear, predictable path to regulatory compliance; at worst, this same scenario could be playing out in another 20 years, as another Commission tries to find a new legal means to meaningfully protect personal information across Europe.
Justin Brookman is the Director of Consumer Privacy at CDT, the Center of Democracy & Technology. CDT is a non-profit public interest organisation working to keep the Internet open, innovative, and free.
Wendy M. Grossman responds to "loopy" statements made by Google Executive Chairman Eric Schmidt in regards to censorship and encryption.
ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views
People who have written us are: campaigners, inventors, legal professionals , artists, writers, curators and publishers, technology experts, volunteers, think tanks, MPs, journalists and ORG supporters.