Viviane Reding, the justice and fundamental rights commissioner, had to struggle to have her proposals accepted by other commissioners, but eventually managed to pass a set of new rules that will significantly increase the rights of citizens - if member states and the Parliament do not water them down.
If approved, the new rules will give citizens the "right to be forgotten", enabling them to delete personal information that they no longer want to share with banks, online booking websites or social media. There will also be an expiration date on the use of such information by those holding the data.
These days, personal information is often given away without people knowing it. Information is “traded as a currency behind consumers’ backs,” said Monique Goyens from the European consumers’ organisation BEUC.
A major element of Reding's proposal therefore foresees that EU citizens will have to give their “explicit” consent before their data can be used.
See our video coverage here:
Defining personal data?
What remains unclear, though, is exactly what kind of data can be considered as personal information under the new rules. The definition initially included in the first Commission drafts was considered too broad and has since been narrowed.
But the definition is still open to interpretation and does not make clear, for example, whether internet 'cookies' can be considered as personal data. A Commission memo describes personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address."
The definition is not only significant for online privacy, it could also have an impact on how smoothly the internet works. All kinds of data are routinely exchanged among computers without users’ being aware of it. If the requirement for prior consent becomes too systematic, citizens’ privacy will certainly be better protected but their web surfing experience might also be seriously affected, critics warn.
However, Commission officials offer assurances that consent will have to be given only once, and will not affect the way people use the internet.
Improvements for business
Clear data privacy rules should also offer predictability for businesses as EU-wide harmonisation is expected to help companies operate across borders with a single set of regulations. Brussels estimates the savings for businesses at around €2.3 billion a year.
And a number of exceptions are foreseen for small businesses, diminishing the bureaucratic burden related to data protection requirements.
The proposal also strengthens the role of national data protection authorities by giving them new powers and turning them into a single reference point at the national level for companies and citizens, “even when their data is processed by a company based outside the EU,” the Commission says.
Fines softer than initially envisaged
A key point relates to sanctions for data breaches or improper use of personal data, considered key to improve citizen confidence in the internet. Consumers will shy away from buying online if they are uncertain about the use made of their electronic data, goes the Commission argument. Recent cases of major losses of personal data involving Sony and Apple certainly did not help raise confidence in the internet.
Therefore, straightforward sanctions for those who “intentionally or negligently” suffer data breaches or process data without the explicit consent of users are clearly stated in the new proposed rules.
For the most serious violations, penalties can reach up to €1 million or up to 2% of the global annual turnover of a company. The original proposal made by Reding included fines of up to 5% of the turnover of a company. EurActiv understands that milder views prevailed within the Commission.
Notification of data breaches
Reding also gave ground on how and when companies should notify users of data breaches. She wanted consumers to be informed of the loss of their data in maximum 24 hours, otherwise fines would be imposed.
Neelie Kroes, the EU commissioner in charge of the digital agenda, considered such an obligation to be “disproportionate,” clearly making the point in a blog post.
Kroes eventually won the argument as the new text maintains the 24-hour term but adds a new clause loosening the obligation. The final text of the regulation, as approved by the college of commissioners, now reads: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority.”