The European Commission will review EU privacy rules in 2010 with the aim of increasing data protection for Internet services such as webmail, social networks and online banking, as well as in other non-virtual sectors ranging from finance to health care.
“Those who profit from the information revolution must respond to the public policy responsibilities that come with it,” Information Society Commissioner Viviane Reding made clear in a speech given last week at a conference in Brussels dedicated to data protection.
The telecoms package, aimed at reshaping the legal landscape of electronic communications in Europe, already contains new rules to tackle data breaches, an ever-growing phenomenon due to the multiplication of customised services.
“Protection against data breaches cannot be limited to electronic communications networks alone, but may need to be addressed in new EU rules which cover online services as well,” Reding said.
Online services include social networks, where sensitive data are often collected without users’ knowledge, e-commerce services such as eBay or Amazon, online banking, and webmail such as Gmail (Google) or Hotmail (Microsoft), which is increasingly replacing desktop email clients (such as Microsoft Outlook).
All the potential threats that online services pose to privacy are also expected to increase amid swift migration towards cloud computing, which sees not only messages, but also sensitive documents stored online rather than on personal computers.
The increased use of personal data concerns all service types, and not necessarily just Web-based ones.
Transport, finance and health care rely extensively on private information and might be subjected to tougher rules to prevent data breaches and to inform users when they occur.
The services of EU Judicial Affairs Commissioner Jacques Barrot “will assess the possibility to introduce a mandatory notification of personal data breaches” in line with “the ongoing public consultation on the legal framework for the fundamental right to protection of personal data,” reads an internal note.
Reding made clear that at the moment the Commission is only studying possible measures to protect users from data breaches. This could involve “the obligation to notify breaches,” a measure deemed user-unfriendly by many in the industry, since it could increase the perception of risk among users, resulting in less uptake of services.
The counter-argument, which privacy watchdogs at the European Data Protection Supervisor’s office (EDPS) tend to underline, is that trust in a service will increase if risks are correctly signalled and avoided.
The second option is to ensure “exemption from liabilities for operators if they can demonstrate that they have put in place certain minimum security standards,” said Reding. Under this scenario, service providers would not have to turn into informal patrols, but it implies extra costs for the industry as it requires updated security infrastructure and increased use of provisions such as encryption and secured access.
In any case, a review of the Data Protection Directive is scheduled for 2010.