This article is part of our special report Data protection.
After much internal strife, the European Commission published today (25 January) a broad legislative package aimed at safeguarding personal data across the EU. The proposal, if approved, is expected to strengthen citizens’ rights and could have a far-reaching impact on the way online data are collected and processed.
Viviane Reding, the justice and fundamental rights commissioner, had to struggle to have her proposals accepted by other commissioners, but eventually managed to pass a set of new rules that will significantly increase the rights of citizens – if member states and the Parliament do not water them down.
If approved, the new rules will give citizens the "right to be forgotten", enabling them to delete personal information that they no longer want to share with banks, online booking websites or social media. There will also be an expiration date on the use of such information by those holding the data.
These days, personal information is often given away without people knowing it. Information is “traded as a currency behind consumers’ backs,” said Monique Goyens from the European consumers’ organisation BEUC.
A major element of Reding's proposal therefore foresees that EU citizens will have to give their “explicit” consent before their data can be used.
Defining personal data?
What remains unclear, though, is exactly what kind of data can be considered as personal information under the new rules. The definition initially included in the first Commission drafts was considered too broad and has since been narrowed.
But the definition is still open to interpretation and does not make clear, for example, whether internet 'cookies' can be considered as personal data. A Commission memo describes personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address."
The definition is not only significant for online privacy, it could also have an impact on how smoothly the internet works. All kinds of data are routinely exchanged among computers without users being aware of it. If the requirement for prior consent becomes too systematic, citizens’ privacy will certainly be better protected but their web surfing experience might also be seriously affected, critics warn.
However, Commission officials offer assurances that consent will have to be given only once, and will not affect the way people use the internet.
Improvements for business
Clear data privacy rules should also offer predictability for businesses as EU-wide harmonisation is expected to help companies operate across borders with a single set of regulations. Brussels estimates the savings for businesses at around €2.3 billion a year.
And a number of exceptions are foreseen for small businesses, diminishing the bureaucratic burden related to data protection requirements.
The proposal also strengthens the role of national data protection authorities by giving them new powers and turning them into a single reference point at the national level for companies and citizens, “even when their data is processed by a company based outside the EU,” the Commission says.
Fines softer than initially envisaged
A key point relates to sanctions for data breaches or improper use of personal data, considered key to improving citizen confidence in the internet. Consumers will shy away from buying online if they are uncertain about the use made of their electronic data, goes the Commission argument. Recent cases of major losses of personal data involving Sony and Apple certainly did not help raise confidence in the internet.
Therefore, straightforward sanctions for those who “intentionally or negligently” suffer data breaches or process data without the explicit consent of users are clearly stated in the new proposed rules.
For the most serious violations, penalties can reach up to €1 million or up to 2% of the global annual turnover of a company. The original proposal made by Reding included fines of up to 5% of the turnover of a company. EURACTIV understands that milder views prevailed within the Commission.
Notification of data breaches
Reding also gave ground on how and when companies should notify users of data breaches. She wanted consumers to be informed of the loss of their data within a maximum of 24 hours, otherwise fines would be imposed.
Neelie Kroes, the EU commissioner in charge of the digital agenda, considered such an obligation to be “disproportionate,” clearly making the point in a blog post.
Kroes eventually won the argument as the new text maintains the 24-hour term but adds a new clause loosening the obligation. The final text of the regulation, as approved by the college of commissioners, now reads: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority.”
EU Justice Commissioner Viviane Reding said: “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information.”
“The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation,” she added in a note.
The group of Greens in the European Parliament welcomes the proposals. The MEP responsible for home affairs, Jan Philipp Albrecht, said: “The proposals would ensure EU-wide enforceable rules on data protection and privacy, drawing a line under the crusade by certain businesses to avoid regulation. The proposed rules will, however, create greater legal certainty for businesses, ending the unfair competition for lower data protection standards and the related economic costs.”
“We particularly welcome the proposals to impose conditions and time limits on the use of data from individuals who volunteer their private information. In the current online era it is easy for internet users to lose sight of private data that they volunteer online or simply forget, making it all the more important to ensure safeguards are in place. To this end, the proposals for sanctions against major online businesses that abuse private data are also welcome,” he added.
Consumer organisations also welcomed the proposals. Monique Goyens, director general of BEUC, commented: “In recent years personal data has been traded as a currency behind consumers’ backs. Particularly online, users have found themselves having dramatically less control of their most personal data.”
“But now the Commission has drawn a clear line in the sand. All the elements for a strong, user-centric legal framework are here. These must not be just virtual benchmarks, they must become our everyday standards. Today the EU is taking a large step towards giving data rights back to its rightful owners, individuals themselves,” she said.
Luigi Gambardella, executive board chairman of ETNO, which represents the main telecoms operators and internet service providers in the EU, said: “The ongoing review is a unique opportunity to develop sound data protection rules which are technologically neutral, future proof, applicable to all players offering services to citizens in the European Union and flexible enough to allow for the development of new services in Europe. The Commission’s proposal is an important step towards achieving a world-class privacy protection framework.”
But not everybody is happy. Despite the pro-business changes brought to the original proposal, the digital industry is not satisfied. Thomas Boué, of the Business Software Alliance (BSA), which represents, among others, Microsoft, Apple, Intel, Siemens and Symantec, said: “The Commission’s proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information. The rules should focus more on the substantive outcomes that matter most to citizens.”
“The risk in the proposal’s current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth,” he added.
Wim Nauwelaerts, legal expert at Hunton & Williams’ Privacy and Data Security practice in Brussels, commented: “There are many elements of the proposal that will be welcomed by the business community. These include harmonization of the law, so that we will finally have a pan-EU approach to data protection, rather than 27 different approaches; and the elimination of certain bureaucratic formalities, such as notification requirements.”
However, “while the proposal eliminates certain bureaucratic requirements, others are being introduced. For example, in many routine situations, companies will have to perform privacy impact assessments, the minimum cost of which has been estimated by the Commission’s own impact assessment at €14,000,” he added.
Moreover, “introduction of the so-called ‘right to be forgotten’ goes beyond a justifiable desire to enhance individuals’ ability to erase their personal data in the Internet and creates a right that will be difficult to implement and that may have a chilling effect on the use of the Internet in the EU.”
The European data protection supervisor (EDPS) Peter Hustinx welcomed the new steps towards data protection in Europe but criticised the rules for the police and justice area as "inadequate".
"This proposal is an excellent starting point for the adoption of European rules on data protection robust enough to face the information technology-driven challenges before us.”
However, "the Commission has not lived up to its promises to ensure a robust system for police and justice. These are areas where the use of personal information inevitably has an enormous impact on the lives of private individuals. It is difficult to understand why the Commission has excluded this area from what it intended to do, namely proposing a comprehensive legislative
Axel Voss MEP (EPP) said: "This is a major step forward to a comprehensive set of rules. The digital revolution and the increasing volume of online communication and transactions require a thorough overhaul. Citizens will benefit from EU-wide data protection rules and business will profit from one single piece of legislation for the entire EU."
Timothy Kirkhope MEP, the European Conservatives and Reformists group's coordinator on justice and home affairs, welcomed better data protection for citizens but said: "The proposal misses the mark in terms of common sense."
"Of course we encourage best practice in the processing, storage and handling of data, especially in the area of law enforcement exchange. However, we mustn't create rules that are draconian and burdensome to businesses."
The Secretary General of the European consumer voice in standardisation (ANEC), Stephen Russell, welcomed the new proposals but commented: "We are not certain self-regulation is the best way to ensure data protection rules are applied to technological developments. We note in particular that existing provisions on self-regulation have rarely been used so far."
Claude Moraes, S&D spokesperson for civil liberties, justice and home affairs, said: "Our priority is data privacy rights for EU citizens and we will be scrutinising the proposal to ensure that data protection rules are updated and upgraded without derogations."
“We cannot have two-tier systems on citizens’ rights. Privacy rights should also be strictly enforced in criminal investigations and judicial procedures."
"The new rules should also apply to third-country service providers as data exchange is not confined to the EU's borders. Ensuring data privacy rules apply to European service providers only would not be enough to guarantee full protection for our citizens."
Existing European Union rules on data protection were adopted in 1995, when the full potential of the internet had not yet been realised. According to the European Commission, in 1993 the internet carried only 1% of all electronic information, while by 2007 the figure was more than 97%.
While rising numbers of tailored products and services offer increased benefits for consumers, they also rely enormously on the use of personal data.
Private information can range from financial data, such as credit card numbers or bank account deposit details, to sensitive information concerning health conditions or sexual and political orientation. Many also consider location data or online identifiers, such as cookies, to be personal data.
The possibilities for misusing or abusing this information are endless, and EU citizens are becoming increasingly aware of it. According to a recent Eurobarometer poll, mandated by the EU executive, 70% of those surveyed were concerned that personal data is used by companies for purposes other than those for which it was collected, while 64% feel that information on how their data is processed is unsatisfactory.
- 2014: Target year for adoption of the new data protection legislation
EU official documents
- European Commission: Press release on data protection overhaul (25 Jan. 2012)
- European Commission: FAQs on data protection overhaul (25 Jan. 2012)
EU Actors positions
- European Data Protection Supervisor: EDPS welcomes a "huge step forward for data protection in Europe", but regrets inadequate rules for the police and justice area.
Surveys and data
- Eurobarometer: Eurobarometer poll on data protection (16 June 2011)
- European Commission: Kroes’ blog post on data protection (13 Jan 2012)