EU moves forward with data protection regulation as trust in U.S. Internet companies, government is shaken

The European Council published on May 31 a proposed compromise draft (.pdf) of the General Data Protection Regulation, potentially moving the European Union closer to final rules that will address personal data, consent and the right to be forgotten in the Internet economy.

The draft follows a March announcement that the Civil Liberties, Justice and Home Affairs committee within the European Parliament received more than 3,000 amendments to the proposed regulation.

One criticism has been the difficulty of implementation and cost associated with rules, such as obtaining explicit consent for utilizing personal data, establishing private sector data protection officers and requiring data portability between service providers. At one point the United Kingdom expected (.pdf) regulation to cost the British economy £100 million to £360 million annually.

The Council's proposal incorporates some changes in favor of entities that collect and manage personal data. It would, for example, permit companies to analyze and process personal data for statistical purposes if they first anonymize that data.

As for consent, the Council says companies wouldn't need consent for every case where analysis or processing will be applied. Instead, consent would only be needed once for all purposes, which must be clearly stated and distinguishable.

"When the processing has multiple purposes, unambiguous consent should be granted for all of the processing purposes," says the draft.

The Council would also not require companies to provide notice when using publicly available information and would extend the deadline for data breach notifications to 72 hours versus 24 hours.

The continuing push for data privacy rules in Europe comes at a time when personal data use by U.S. companies is being questioned. Revelations earlier this month that a National Security Agency program intercepts communications content handled by most major U.S. Internet companies have also sparked criticism in Europe.

European Commission President Viviane Reding called the program "more evidence that something fundamental has to change if we want to stop citizens from worrying about somebody watching every time they visit a Web site or write an e-mail."

In a June 17 New York Times editorial, Reding added that this level of surveillance would likely be considered unconstitutional for U.S. citizens, but Europeans are "at a severe disadvantage" and are unable to use the American judicial system for recourse.

"This lack of trust is highly damaging to citizens' faith in the rule of law," she said.

The EU data protection regulation, on the other hand, addresses European citizens' privacy concerns, she said, adding that politicians in Europe and beyond should embrace a system of strong data protection.

"The E.U.'s data protection reform is the right tool to earn citizens' trust. It is within our reach. It is time to act," she said.

For more:
- download the draft compromise text (.pdf)
- read Reding's editorial
