The European Commission recently put together a new draft of their outdated Data Protection Laws. In our previous post in this series (EU Commission and Data Protection, Part 1 of 2), we outlined the key changes to the original 1995 directive. This final part of the series will focus on the U.S. response.
The EU Justice Commissioner, Viviane Reding, and the European Commission have announced their controversial new directives and left the world asking a fundamental question: How much control should each individual user have over their online identity?
The reforms make it clear that web sites, search engines and social networks are being held accountable for what they do with personal user data. And while the EU is setting the pace, many major U.S. enterprises with European users are being pulled into the mix.
How this will affect U.S. Businesses with European Users
At first glance it appears that users’ rights are being strengthened and, in an age where you can find anything about anyone anywhere, there may finally be a bit of control over what personal information is out there. But where users may be getting coddled, it’s nothing but a firm finger shaking at data businesses. With suggestions of fines for any data request violations or refusals to hand over data, businesses stand to pay out large sums for serious violations of the new data protection laws.
Now internet companies will have to receive ‘explicit’ consent to use any user’s data – this includes revealing when the data is collected, how long it is stored and possibly for what purpose.
While these are laws for EU-governed users and businesses, they reach U.S. borders in two ways. First, as mentioned earlier, in any situation where a U.S. company has EU users, the EU laws will apply in the EU country in which its service is being used. Second, this regulatory reform could easily be a sign of things to come in worldwide data protection laws. The EU may be setting the pace in protecting user data. And perhaps that is what has put the U.S. so much on edge.
The U.S. Response
PCWorld.com reports that the U.S. Department of Commerce has spoken out about the 24-hour breach reporting requirement, saying it is “simply too short” and “could lead to ‘massive fines’ for companies” and “confusing ‘false alarms’ for consumers.”
The Wall Street Journal reports that Facebook is not pleased with the ultimatum of the EU’s way or the highway. When 500 million consumers are on the line, companies with major global appeal like Facebook don’t tend to play nice. Chief Operating Officer of Facebook, Sheryl Sandberg, “issued an implicit warning, drawing attention to the €32 billion ($41.72 billion) value that the company has generated for the European economy. Her implication was clear: You change things at your peril.”
The Financial Times reports that Google thinks the reforms will “break the internet.” Under the new directives it is entirely possible that, since an IP address can be considered personal information, every website may have to meddle with the user before allowing access – this could mean having to be perfectly clear what the site’s intentions are, asking if the user really wants to visit the site and asking if they would like their history of visiting the site to be erased when they leave.
InformationWeek.com reports that Google could be in particularly hot water if it falls under these rules. With fines for violating the EU’s new rules of €1 million or ‘up to 2% of the global annual turnover of a company’, “Google’s collection of Wi-Fi network data through its Street View cars, disclosed in 2010, could have cost the company $586 million, had the EU chosen to punish the company to the full extent of the law.”
Visiting Assistant Professor Jane Yakowitz of Brooklyn Law School has arguably the strongest opposition to the EU data protection regulation, particularly the ‘Right to be Forgotten’, calling it a “miserable cookie directive.” Yakowitz casts serious doubts over the limits it places on data that won’t be erased if it is necessary for research purposes, freedom of expression or when required by law, claiming it is “undermined both by the necessity language and by the downright draconian fines.” She calls for a SOPA and PIPA style protest to raise awareness before the draft is passed into law.
These issues will undoubtedly be tossed around and debated for some time. And with at least two years until the directives become law (they must be approved by the EU’s member states and ratified by the European Parliament, and would enter the legal systems around 2014-2015), there is still the likelihood that some reforms will be amended while others are rejected completely.
It is clear that the Regulation, in its present released draft form, has been considerably watered down since the leaked November version. The new directives and regulations deliberately shy away from going toe to toe with the USA Patriot Act and focus more on personal controls over data, which can be seen as a bit of a disappointment to many.
Especially to Sophie in ‘t Veld, Dutch MEP and Vice-Chair of the European Parliament’s Civil Liberties, Justice and Home Affairs committee. In a phone interview with Zack Whittaker, reporter for ZDNet.com, she explained that three separate letters were sent by MEPs to the Commission seeking clarification on the reach of the U.S. law. The answer was that the questions were ‘too difficult.’ As a result, in ‘t Veld is disappointed with the newly proposed laws, calling them ‘watered down considerably, notably on the point of data jurisdiction.’
“What is the point in proposing new legislation if our own executive body [the Commission] is not going to enforce it?” she added before bringing the focus back to the U.S.’s unimpeded control over another country’s data: “Imagine if this were the Chinese. Would we still be so complacent?”