With European Data Rules Come a Need for a Cop

With European Data Rules Come a Need for a Cop
The new European Parliament that was voted into office over the weekend, despite having a different political makeup, is widely expected to reach a final agreement later this year on stricter online privacy rules that have long been in the works.

The rules, as shaped over the last three years, would be stricter than those in the United States. They would create one law across the Continent to protect several aspects of online privacy, which is enshrined as a fundamental right in Europe, including restrictions on what information can be shipped overseas. And they would slap multimillion-dollar fines on any company that misuses Europeans' data.

Still, a crucial question remains up for debate: Which European regulator will have the final say over enforcing the rules?

Under the proposals, companies will be able to operate throughout the Continent if they fulfill the requirements - and interpretation - of European rules from only one country's privacy authority. The companies currently must comply with the regulator in each of the 28 countries of the European Union in which they do business.

Lawmakers in favor of the proposals say that leaving the oversight with one country's office gives companies more clarity about the rules. But consumer groups in Europe have warned that if the current proposal stands, tech companies - including American giants like Microsoft, Amazon and Google - could set up shop in the European country with the most lenient data privacy interpretation.

"This issue has become more political than technical," said Raegan MacDonald, European policy manager for the digital rights group Access in Brussels. She added, "Who gets to decide on these matters is very important."

The law is expected to be finished in the first half of 2015. It has gained momentum since the revelations from Edward J. Snowden, the former National Security Agency contractor, about the spying activities of American and British intelligence agencies. Before the rules go into effect, though, each of the European Union's 28 countries still must reach a final agreement with the European Commission, the union's executive arm, and the European Parliament.

The proposals build on existing rules from the 1990s, providing citizens with greater control over what data is collected, where it is kept, and which companies and governments have access to it. The rules also restrict what information can be sent to countries that do not replicate Europe's data protection laws.

To police the new rules, international companies with European customers, even if they do not have offices on the Continent, would have to comply with the strengthened controls or face fines totaling 2 percent to 5 percent of global revenues, or $137 million, whichever is greater.

"The reforms in Europe will affect companies' global operations," said Wim Nauwelaerts, a data protection partner at the law firm Hunton & Williams in Brussels. "The fines are Europe's big stick to ensure people take this seriously."

Faced with the prospect of tougher privacy rules, companies like Facebook and eBay have lobbied hard since the proposals were first outlined in 2012 to limit the legislation's impact, saying Europe is creating strict laws that make it difficult for companies to invest in the Continent's lackluster economy.

Industry groups have raised fears that the new laws would add costs, as companies must explicitly ask users on a regular basis how their data is used, and limit what information is sent to countries that do not comply with Europe's privacy rules. Yet companies have supported the changes that give one regulator sole control over interpreting European rules. That, they say, adds regulatory certainty because companies will be responsible to just one authority across the Continent.

"We're concerned that the new rules will remain as fragmented as they are today, but it will cost more to comply," said John Higgins, director general of Digital Europe, a trade body in Brussels whose members include Microsoft and Apple.

Some national governments, however, have balked at these changes. Countries like Germany believe their domestic privacy rules, which are some of the most stringent in the world, may be watered down if other regulators gain greater control.

European lawmakers also have criticized the rules because citizens may not have the money, or even the language skills, to bring complaints against companies in other European countries.

Already, questions about who monitors and regulates online privacy are bubbling to the surface. Two weeks ago, the Continent's highest court ruled that people could demand that Google take down links to information about them on the Internet.

This so-called right to be forgotten, which is an important part of Europe's new data protection legislation, allows individuals - both citizens of European Union nations and potentially others as well - to force global tech companies to remove links to their past activities, as long as people are not deemed to be public figures like celebrities or politicians.

(Also see: Google Starts Receiving Take-Down Requests After EU Court Ruling: Report)

Analysts say the legal decision will force Google and other search companies to field a wave of new complaints, as people request that online links be taken down. But the ruling must be carried out by data privacy regulators at 28 different agencies across the European Union, which could lead to jurisdiction-shopping.

"Data protection can't survive on a national level," said Peter Schaar, a former federal data protection commissioner in Germany. "We need to have an international approach."

If the final privacy decisions will eventually rest with an individual regulator, many consumer groups expect Ireland to become the de facto arbiter on privacy matters for the Continent. Many American tech companies are based there because of the country's low tax rates, and digital rights advocates say that Ireland is already known for taking a more moderate view on online privacy issues than regulators in countries like Germany and France.

Others have called on individual countries' regulators to continue to play a role by acting as intermediaries between individuals and the privacy authority that holds the main responsibility for policing each company. That, industry lobbyists say, may lead to national regulators' continuing to vie for control over privacy matters, despite regulatory efforts to make it easier to deal with individual complaints.

Whatever the outcome over who makes the final rules, European politicians are sure that their policies will still have more bite than the existing rules - and those currently on the books in the United States.

"Lobbyists need to understand that we're creating a global digital standard," said Jan Philipp Albrecht, a German politician who is a leading supporter of the new privacy rules. "This is important for all of our citizens."

© 2014 New York Times News Service


For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Samsung Making Budget Android KitKat Phone to Compete With Moto E: Report
China Tells US to Stop Its 'Unscrupulous' Cyber-Spying

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment




© Copyright Red Pixels Ventures Limited 2022. All rights reserved.