EU Privacy Proposal Criticized

By John Wagley

01 March 2013

Print Issue: March 2013

IN JANUARY 2012, the European Commission (EC) released a sweeping set of proposals meant to protect privacy in the European Union in the Internet age. But in recent months, the proposed new regulation, which would update a key 1995 data protection directive, has come under criticism by organizations including a United Kingdom parliamentary body and a key European Union (EU) agency.

Both the U.K.’s Ministry of Justice and the EU’s European Network and Information Security Agency (ENISA) have released reports criticizing some main components of the regulation, which is meant to both upgrade privacy protections and harmonize data security laws throughout the EU. Both have sharply criticized one provision, often called the “right to be forgotten,” which lets users tell companies to delete personal data; they have said that it’s highly unrealistic in the modern technological environment. The U.K. has also said the proposed changes, which include significantly higher penalties for data privacy violations, would be too expensive and also generate excessive confusion.

These and other parties have also criticized other components of the new regulation, including a requirement that companies report any data breach within 24 hours. The regulation, which many say should be finalized by 2014 and go into effect two years later, would apply to both EU companies and any companies doing business with EU citizens.

ENISA, like many other organizations and governments, has called it imperative to update the continent’s data protection rules. But in a recent report, one main criticism was that “the right to be forgotten” is “generally impossible” in today’s open Internet environment. It also concluded that “there is a further need for clear definitions and legal clarifications.”

On the Internet, anyone can copy data and store it elsewhere, ENISA stated, and data can be hard to locate. The report also mentioned possible conflicts in cases where more than one person owns data; an example could include photos. Another could include a blog writer who uses a tweet from someone else, for instance. The issue could also grow complex when data is in the public interest.

The U.K. ministry report agreed about the right to be forgotten, and said the regulation in its current form, which when passed by the EU would then become law in all 27 countries, is overly constraining as well as confusing and unrealistic. “The Commission needs to go back to the drawing board and devise a regime which is much less prescriptive,” it said.

The committee took particular aim at the EC’s claim that harmonizing laws would result in considerable cost savings. The EC has estimated that the regulation would save 2.3 billion euros annually by reducing administrative, legal, and other costs. The committee, however, says that, due to costs, including increased regulatory expenditures and fines, the total cost in the U.K. by 2016-2017 would be about 200 million pounds annually. “The U.K. government is seriously concerned about the potential economic impact of the proposed data protection regulation,” stated Justice Minister Helen Grant in a written statement. “At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States. It is difficult therefore to justify the extra red-tape and tick box compliance that the proposal represents.”

One large part of the committee’s cost estimate includes a new rule in which companies could be fined up to two percent of annual revenue for a data privacy rule violation. The ministry said that the Commission had underestimated the cost of the fines because it projected that only about 1,000 additional breaches would be reported annually to supervisory authorities. The ministry estimates that the true number would be far higher. The committee also said nations should have “more discretion” over the penalties.

Another widespread concern has been the regulation’s requirement that companies report breaches in 24 hours, says Harriet Pearson, a partner at Hogan Lovells. In many U.S. states, companies are given 45 to 60 days. But “there’s been a fairly unanimous reaction to the 24-hour window as being extremely unreasonable and impossible to meet” in all but a few instances. It can be time-consuming to conduct a proper investigation.

The committee also raised concerns about the manner in which changes are being proposed. In addition to the new regulation, which mainly addresses substantive data privacy matters, a separate directive, which pertains to judicial matters, has also been released. Unlike the regulation, the directive would have to be approved and assimilated by individual nations before it went into effect. The committee said it would need to clarify how the directive would affect current police powers and how the country would reconcile differing provisions in the legal instruments over time and as court decisions separately affected them. One committee suggestion would be for the EC to create more consistency between the two proposals “from the outset.”

For its part, the EC has said it will continue to work towards reducing administrative burdens. In a recent speech to EU ministers, Vivane Reding, the EC’s justice minister, noted that such businesses are already exempt from certain requirements, including one requiring organizations to hire a data protection officer. Reding said the Commission is prepared to look at whether the SME (small- and medium-sized enterprise) exemption could be broadened to other areas and whether there could be more flexibility for such organizations based on factors such as the sensitivity and quantity of processed data.

But she said such considerations wouldn’t, for now, extend to larger organizations. “Let's be frank: we should not fall into the trap of some lobbyists expressing concerns for SMEs but in fact referring to provisions relevant for large multinational firms.”