The EC is looking to create a unified set of data protection rules for the EU’s 27 countries, while in the process doing some streamlining (dropping the requirement for companies to have a named data protection officer) and beefing up privacy protection. The rules are meant to be voted on in June, but the proposal as written is drawing a raft of criticism.
The Financial Times reports that a memo drafted by the Irish presidency, representing EU countries, notes that "several member states have voiced their disagreement with the level of prescriptiveness of a number of the proposed obligations in the draft regulation." The UK and the US have submitted their own notes on the matter, the FT said.
The issues, which European Parliament is expected to debate beginning this week, are far-ranging. For instance, when it comes to privacy, the rules would require explicit consent from individuals in order for companies to use their data—something that companies say would add an extra layer of complexity and oversight to its administrative processes that would be overly onerous. The rules would also require businesses to notify of personal data breaches within 24 hours—again, a stringent requirement that not all enterprises would be able to ability to easily comply with.
Some however, point out the level of risk involved. “We support the need to facilitate the data economy in Europe because free exchange, storage and analysis of personal data is essential to a healthy digital economy and society,” said Gary Clark, vice president of EMEA at SafeNet, in an email to Infosecurity. “However, we shouldn’t underestimate the impact that lack of consumer confidence will have on the economy if an organization receives a data breach and peoples’ personal data is taken without consequence.”
Another item in the proposal gives online users the “right to be forgotten,” so that individuals can essentially ask a Google or Facebook to delete every mention of them anywhere in their records. Proponents say the option will save teens from living with poor decision-making in terms of online sharing for the rest of their lives; opponents (i.e., Google) say the proposal would irrevocably harm its business value.
One amendment that Brussels is expected to debate is the idea of taking a "risk-based" approach, so that individual countries or businesses would be subject to the interpretation the law as appropriate. "If you have a butcher whose data processing only affects 20 local people, you need to be able to treat an infringement there differently from a company with private health records," said a spokesperson for the UK's Information Commissioner's Office told the Guardian.
“Regulations are key so long as they are enforceable and don’t have unintended consequences like inhibiting the economic development that European citizens desperately need to see,” said Clark. “But, any relaxation of red tape and harsh penalties needs to be mirrored by commercial and public sector bodies taking more ambitious, unilateral steps to strengthen data protection themselves. Greater reassurance and protection will be achievable when organizations that exchange and hold vast volumes of personal data re-build their data protection strategies around a secure breach approach that extends strong data encryption to all personal data.”