Reflections of the Draft EU Data Protection Report in the US

U.S. Tech Firms Facing Stronger European Data Protection Measures

In the end, all of those trans-Atlantic flights may not have paid off.
Over the last year, representatives of the United States government and American technology companies have repeatedly traveled to Brussels and Strasbourg in the hopes of containing an effort by the European Commission to strengthen data protection rules for citizens of the European Union.
But on Tuesday morning, Jan Philipp Albrecht, a representative of the European Parliament reviewing the draft regulation, made public a report in which he proposed even stronger measures.
Mr. Albrecht’s proposals represent his own opinions and may not be approved by his parliamentary colleagues. Even so, his recommendations indicate that American lobbying efforts are up against European momentum.
“I think they are trying to slow a moving train, which is difficult to do,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, an advocacy group in Washington.
Last January, the European Commission introduced a draft proposal for new data protection rules. The proposed rule would supersede a data protection directive from 1995, which laid out principles for each member state to enact individually.
The draft regulation clarifies and elaborates on those original principles — such as the need for companies and institutions to obtain citizens’ consent before collecting information about them.
It would grant European Union citizens a fundamental new right: data portability or a citizen’s right to easily transfer his or her own personal posts, photos, and video from one online service site to another.
And it comes with a big stick: Companies that violated the rule would be liable to penalties of up to 2 percent of worldwide revenues.
Although the effort is intended to standardize and consolidate the enforcement of data protection regulation across the 27 European Union countries, some American regulators, industry groups and scholars have objected. They say the draft rule was overly broad and burdensome for technology companies to carry out.
Now Mr. Albrecht has proposed further strengthening the data protections by granting citizens additional control over information collected about them — like the right not to be subject to profiling. In his report, Mr. Albrecht, a member of the German Green Party who is the representative of the European Parliament committee reviewing the draft proposal, also said citizens must consent to data collection by opting in and not be asked to opt out by changing a preselected option like a already-checked box.
“The use of default options which the data subject is required to modify to object to the processing, such as preticked boxes, does not express free consent,” Mr. Albrecht wrote.
In a phone interview, Mr. Albrecht said the European Parliament was likely to strengthen parts of the proposed regulation. “There is a huge interest of European citizens in having strong data protection,” Mr. Albrecht said.
That could pose challenges to technology companies.
Granting people the right to transfer the updates and photos they posted on Facebook to Google Plus, for example, may sound perfectly reasonable, said Yianni Lagos, a legal and policy fellow at Ohio State University and the co-author of a recent analysis of the European draft regulation published in the Maryland Law Review. But the proposed rule broadly requires that a company transfer a person’s data “without hindrance” and in a commonly used format.
“We’re not exactly sure what that means,” Mr. Lagos said.
“The largest challenge is the concept of interoperability,” Mr. Lagos said. “Translating from a coded format to a commonly used format, that is what will be difficult and costly to achieve.”
Unhindered transfer of a person’s entire record could also increase the breadth of identity theft, Mr. Lagos said: “One-time access by a hacker could turn into a lifetime data breach.”
Technology companies, he added, must now face the increased liability that could come with the proposed penalty for violators.
“The big difference is the fine,” Mr. Yianni said. “Now there’s a lot more reason to comply.”

Source:
http://bits.blogs.nytimes.com/2013/01/08/u-s-tech-firms-facing-stronger-european-data-protection-measures/

0 yorum: