The European Commission has today proposed a comprehensive reform of its 1995 data protection rules in a bid to not only strengthen online privacy rights but also, it claims, to boost Europe’s digital economy. The EU cites as reasons for the proposed reforms the developments in technology about the way data is collected, assessed and used. Additionally, it cites the divergence amongst the EU’s member states in their implementation and enforcement of the 1995 rules. The EU claims that a single law will obviate the current disparities in enforcement as well as do away with costly administrative burdens. Furthermore, the new rules, it contends, will boost consumer confidence in the Internet, providing a much-needed boost to growth, jobs and innovation in Europe.
The proposed rules are much stricter than the ones currently in place and violators will face hefty fines of up to two percent of the company’s global annual turnover. If approved, the legislation will go into effect in late 2013. The new rules not only apply to European online entities but also to entities located overseas that offer services to EU customers such as Google, Apple, Microsoft and Facebook.
Central to the rules is a person’s right “to be forgotten”, i.e., a person’s right to be removed from online databases. Under the new rules, consumers must affirmatively give their consent for their data to be shared. However, for many online businesses, tracking customers and their shopping preferences is integral to their business model. Some fear that enforcing this requirement would be draconian. For example, would an online company have to repeatedly require explicit consent from a consumer to share their data during an online transaction? Additionally, opponents to the proposed reforms claim that the new rules will inhibit the free flow of information and make it harder for global firms to operate in Europe because of the increase in administrative scrutiny and the increase in fines, which to a firm like Google amounts to hundreds of millions of dollars.
Proponents of the proposed rules argue just the opposite. They claim that the new rules will save businesses billions of dollars a year by buidling trust in online services. People will feel more secure about using the internet and the new uniformly-administered rules will foster a single digital market in Europe. For example, American companies operating in Europe will be regulated in one place, i.e. the state where its subsidiary is located. These entities will have to comply with a single set of European rules just like their European counterparts. If implemented, the rules will require companies to deal with a single national data protection authority in the EU country in which they have their base. The consumers, in turn, will be able to refer to the data protection authority in their own state even when their information is handled by a non-EU company.
Unquestionably, changes are coming to the way consumers’ online information will be handled and protected in the EU. This issue bears watching as it unfolds. The next step is for the proposals to be passed onto the European Parliament and EU member states for review and adoption.