
New EU rules could give you control of your personal data

Today the European Commission published its proposals for long-awaited new laws on how companies collect and use your personal data. But will these new rules really hand back control of your personal data?

These new EU data protection rules outline how our data is used and attempt to ensure that it remains under our control when it’s online.

Amongst other things, the proposals argue that companies must seek our explicit consent if they want to use our personal data, make it easier for us to transfer our data from one service to another, and delete information about us at our request.

If companies violate these rules, they could be fined €1m or 2% of their global annual sales.

One big step for your online rights

The new proposals are badly needed. The current laws were written over fifteen years ago, a time before the widespread use of the internet. Now almost everything, from staying in touch with friends to online banking, is performed online.

Are the proposals good for consumers? Yes, I think they are. Last year the European Commission announced its intention to put consumers at the heart of the laws, and they appear to have done just that.

We’re particularly pleased to see some of the changes we’ve been calling for here at Which? for the past two years, such as a short deadline for companies to inform victims that their data has been breached. There are also provisions to allow you to claim compensation should a company lose or misuse your personal data.

Do you have a right to be forgotten?

Perhaps the most controversial of the proposals is the so-called ‘right to be forgotten’. This will let consumers request that their personal information is permanently deleted if there’s no reason for a company to keep it.

The Commission has made it very clear that this right is aimed at allowing consumers to retain control over their data, and to restrict how companies currently hold on to it. Take Facebook as an example – if you delete your profile, you’d expect all that information to be removed immediately, but at the moment this is kept on file.

However, some commentators have raised concerns over the impact this new right could have on the freedom of the press. Could it allow anybody to essentially erase themselves from history? Commissioner Viviane Reding, the driving force behind the new rules, addressed this criticism when she announced the proposals:

‘The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example.

‘It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.’

The Commissioner’s intent seems very clear: the changes are about giving consumers more control over their online data. But will the new law achieve its stated aims or will companies simply find new ways to mine and use our personal data?

Whatever the case, by the time these new rules are agreed and passed, which could take over three years, it’s likely that the technological landscape will have changed dramatically.

Alexander Hanff says:
26 January 2012

Generally the proposals are quite good but there are a couple of big issues.

Primarily, the issue of US law infringing on the fundamental rights of EU citizens. One of the biggest issues we face with regards to data protection and privacy is raised by the PATRIOT Act and Foreign Intelligence Surveillance Act (FISA) which allow US law enforcement to obtain data from any US company even if that data is held outside the US. These are very controversial laws which just this week led to a decision in Norway to ban the use of Google Apps by Public & Private sector to store personal data.

In the original leaked draft of the proposals before Christmas, there was a section dedicated to this issue (originally A42 then I believe A45 in a later draft) which would require US companies to contact the Data Protection Authority (DPA) of the relevant EU member state in the situation where US Law Enforcement request access to data pertaining to EU Citizens as such activity would not be acceptable under European Data Export and Data Protection rules.

In the document released yesterday this section had been relegated to a recital which was weaker than the original text (unfortunately I can’t seem to locate the recitals at this time so I can’t quote the actual wording) and frankly without stronger provisions against PATRIOT/FISA data protection is effectively meaningless given how much of our personal data is controlled by US corporations.

I would have liked to see a much stronger stance from the Commission on this issue as it would have been good for citizens’ fundamental rights but also it would have had the potential of encouraging growth in this sector across Europe, providing more competition and allowing us to move away from US companies.

A prime example is Cloud Computing – currently data in the cloud is often stored on US servers or servers owned by US companies, which puts this data at risk under PATRIOT and FISA – had the Commission taken a stronger stance we would likely see more European companies entering this market, which is not only good for citizens’ rights but good for the economy and would have created a significant increase in jobs (at a time where it is sorely needed).

I welcome the Commission addressing the issue of Data Protection Authorities (The Information Commissioner in the UK for example) that fail to act or are unable to act on breaches of the relevant data protection laws. Under the new proposals, the Commission would be able to intervene directly, which is important particularly in the UK where our regulator repeatedly fails to enforce the law against global corporations. This is down to Regulatory Capture (which basically means the Regulator is “captured” by the industry they are supposed to regulate).

This has been a real problem in the UK for many years to the point where global corporations are effectively above the law due to the ICO’s refusal to pursue enforcement action against them and has led to significant criticism of the ICO at all levels (including Parliamentary).

So in light of the 2% of revenues (or 1M Euros) fine Rob mentioned in this article, those fines are likely to only ever be levied against public authorities, which effectively means the public pay these fines through taxes, in effect punishing the victims.

The chance of ICO ever issuing such a fine against a large global company (like Google for example) would seem to be less than slim as such a fine would almost definitely lead to a legal challenge through the courts, which the ICO have insufficient resources to fight, whereas the rich corporations have almost limitless resources and armies of lawyers to pursue.

The Commission state that DPAs need to be properly resourced but in the current economic climate where public services are being cut dramatically, an already severely underfunded ICO is unlikely to get the support it needs from the treasury to meet these requirements.

One thing I would like to point out is that the right to be forgotten and the requirement of explicit consent to process data has always been the case since the original 1995 Directive these proposals are set to update – the problem is there has been no harmonisation across Europe to make these rights comprehensive. The aim of the proposals is specifically to address this lack of harmonisation in an attempt to set a level playing field across all Member States (which currently isn’t the case with the 95 Directive) as well as modernising the 95 Directive to make it more appropriate in our tech centric world.

I could go on but I still haven’t finished reading the entire document and I don’t want to dominate the comments. So in summary, well done Viviane Reding and her team, generally an improvement on the 95 Directive, but still some fundamental issues I would like to see resolved before this has a genuinely positive impact for citizens. I look forward to seeing how these proposals evolve through the European Parliament and Council, there is a long road ahead of us.

allan kirkwood says:
28 January 2012

I do get a bit worried, as a complete novice, when I read proposals re changing British law, to suit a disparate group of Countries, all with many varied ways of life, thinking, upbringing, mores, and standards of behaviour which are alien, not just in the UK, but one’s next door neighbour, who may be only a few miles away.
Yet these Laws spread across a whole continent.
I voted for a Common Market, not a “common” Law, which does not differentiate between myself, and someone with a totally different Ethos, in another Country.

Alexander Hanff says:
28 January 2012

The UK has one of the worst privacy and data protection records in the developed world and that is with these EU wide regulations in place. I can promise you, given my experience in this sector, if industry were left unchecked in the UK and these laws didn’t exist, the UK would be a very different place and I would be willing to bet you wouldn’t like it.

Some of the things I see industry and government trying to get away with where people like myself have to step in and prevent, would truly leave you in despair.

“Some of the things I see industry and government trying to get away with…”. Concrete examples please, Alexander.

Alexander Hanff says:
28 January 2012

Virgin Media and CView, Phorm, Intercept Modernisation Program (IMP), Identity Cards, RIPA Abuse; to name just a few

As Alexander says the issue is one of US law infringing on the fundamental rights of EU citizens. It is also another example of the big USofA bully. ITAR is another example. It amazes me that a single country should think it has the right to pass laws that affect other countries and their citizens. I for one would fully support the EU in taking the strongest stance against any such infringements of our privacy.