EU Proposes Tough New Data Protection Rules for 2014
The European Union is challenging big businesses to an internet-privacy showdown, with proposed data-protection laws that focus on the rights of the individual and make heavy demands on companies.
The new rules will affect companies worldwide because they apply to all companies operating within the E.U., regardless of where they are based.
The proposals, by E.U. Justice Commissioner Viviane Reding, include the "right to be forgotten" online --including consumers' ability to withdraw at any time the consent to use of their data -- and a compulsory data-protection officer for all companies with more than 250 employees.
The World Federation of Advertisers has expressed its concerns about the regulation and vows to fight. "The scope of legislation has been increased spectacularly," said WFA Managing Director Stephan Loerke. "It deals with anonymous cookies in the same way it deals with data about religious beliefs or personal-health records. This approach lacks proportionality."
Speaking at a conference in Munich on Tuesday, Ms. Reding said, "Personal data is the currency of the digital market, and like any currency it needs stability and trust. We want to eliminate distrust and to enhance opportunities for business, and protection for individuals."
James Mullock, a partner at law firm Osborne Clarke and head of the data-protection team, said, "This is being sold by the E.U. as making life easier and less costly for business. I struggle with that . It's not a fair appraisal of what's been presented here. The aim is to encourage responsibility, but it will add an onerous burden on business and take up more time and resources."
The laws will not be implemented until 2014, leaving a window for consultation and formal stakeholder hearings. "This is the beginning of a long discussion," Mr. Loerke said. "Everybody is calling for growth, but in this shape the regulation undermines the digital ecosystem."
In a statement about the new data-protection regulation, Facebook subtly hinted that it is also up for a battle. "We agree … that the new regulations should foster growth. … We will continue to work with politicians and regulators to share our experience and contribute to achieving sound privacy regulation and a thriving digital sector."
The WFA also objects to the data-protection regulation classifying anyone under 18 as a child and considers 13 to be a more reasonable age.
However, Mr. Mullock said he believes that the E.U.'s new data-protection act is in tune with the times. "At its heart, it's going with public opinion," he said. "The sensible message is that if digital business is to continue expanding, it needs to do so responsibly."
However, unlike the data-protection regulation, the e-privacy laws have been issued as a directive, which means that countries can interpret them individually, leading to an inconsistency that makes life harder for businesses. The Netherlands, for instance, has gone for full opt-in procedures, while the U.K. has taken a less hard-line approach.
The WFA has responded to the e-privacy directive by leading an alliance of European trade bodies and media owners in plans to introduce an online advertising icon, similar to the device used in the U.S., that allows users to dig deeper into privacy settings if they wish to.
The alliance hopes to launch the ad icon system across all 27 member states in June. By then, they say the icon will reach 80% of online behavioral ads in the major markets -- the U.K., Germany, France, Italy and Spain -- and 70% in other markets.
"It will avoid iTunes syndrome," said Mr. Loerke, "where you ignore 15 pages of text and just click 'agree' at the bottom. Consumers would be bored and annoyed if they were asked to do this 20 times a day."