Europe appears poised to enact strict new privacy regulations geared to protect consumer data, but the debate is far from over. Representatives of businesses, particularly e-commerce companies, are descending on Brussels to plead their case. Any company that sells anything to an EU citizen — even if that firm doesn’t have a presence in Europe — would be subject to the directive.
Both privacy advocates and representatives of businesses that handle consumer data are flocking to Brussels. Why? The EU has proposed a strict set of new data privacy rules that would restrict companies such as Facebook even more than they currently do.
Facebook, et al., have descended on the city in the hope of softening some of the restrictions, while privacy advocates such as John M. Simpson, the Privacy Project director at Consumer Watchdog, are there to keep the EU on its intended path.
“This is the battleground right now,” Simpson told the E-Commerce Times. “In this global, digital, highly interconnected world, it quickly becomes the case that companies want harmony in their standards. So, if the Europeans continue to their stand for basic human privacy rights, that will set a standard that will go worldwide and have tremendous benefits for the U.S. consumer.”
The Onus on Business
Businesses, not surprisingly, might not agree with Simpson’s characterization. As currently proposed, the law comes with significant financial penalties for infractions — 2 percent of a company’s annual turnover.
If approved by all 27 EU member states and the Parliament, the proposal could become a directive by the end of next year.
Essentially, the proposal, presented by EU Justice Commissioner Viviane Reding, calls for a single set of data protection rules that would eliminate unnecessary administrative requirements, such as notification requirements for companies.
Instead of companies having to notify data protection supervisors about their activities, they would only have to deal with a single national data protection authority in the EU where they had their main operations.
That is the good news for companies. The proposed directive would also come with very rigorous protections for consumers — chief among them a so-called “right to be forgotten.” In short, it would give consumers the right to have their data deleted from any record if there were no legitimate grounds for retaining it.
A Novel Approach
The “right to be forgotten” is a novel approach to privacy, Simpson said — and one that he believes has become essential in a digital environment. “In the old bricks-and-mortar world, these things took care of themselves. Now it is important for people to be able to have information deleted that no longer accurately represents who they are.”
There are other protections as well, he noted. The proposed law also calls for explicit consent to be monitored or tracked.
“A company cannot assume that just because someone signed up for something on a website, that means they are willing to be tracked forevermore from that point,” noted Simpson.
Reduced Administrative Burden
From the business perspective, there are some benefits to the proposed directive, Jim Halpert, a partner at DLA Piper, told the E-Commerce Times.
“It reduces the bureaucracy — the paperwork a company has to deal with under the current system,” he said.
Also, European data protection laws currently are not harmonized, which can be very cumbersome as well, noted Halpert. “Having one set of rules that would apply to much of the activities that businesses engage in would obviously be a help.”
That said, there is a significant downside as well, especially for e-commerce companies, he pointed out.
Any company that sells anything to an EU citizen — even if that firm doesn’t have a presence in Europe — would be subject to the directive, Halpert said. “How the European Union would enforce that is unclear — but for related businesses, this creates uncertainty.”
The rules would impose rigorous data minimization requirements that many firms would find burdensome, he noted. There is a “privacy by design” mandate in the proposed directive, which means tech vendors would have to bake into their products compliance with the data minimization rules.
Headed for Final Approval?
Of course, it may very well be that the final regulation will look different from the proposed version — perhaps a lot different, if critics have their way.
“The commission is under some extreme pressure to protect citizens’ information, with all the data breaches we have seen over the past two years,” Eloqua Chief Privacy and Security Officer Dennis Dayman told the E-Commerce Times.
Typically what happens is that with the first draft of any legislation the consumer is heavily favored, he said. “Remember, these are proposals and not a directive yet. So there is much to be discussed on the impact these regulations will have.”