EU Data Rules Worse Than SOPA?

Last week, the European Commission (EC) released a draft revision of its 1995 data protection rules for the stated purpose of strengthening online privacy rights and Europe's digital economy. But the rules threaten the viability of data-driven businesses, from Google to credit bureaus, critics contend.

The EC says that a single streamlined set of rules will save businesses billions in administrative work. The rules require: notification of national data authorities as soon as possible following a serious data breach; explicit rather than assumed consent for data collection; easier consumer access to data and easier transfer of that data to other providers; and support for a "right to be forgotten," which gives consumers the option under some circumstances to have their data deleted from third-party service providers.

The fine for violating these European Union (EU) data rules is substantial: up to 1 million Euros or up to 2% of global annual revenue. Under this regime, Google's collection of Wi-Fi network data through its Street View cars, disclosed in 2010, could have cost the company $586 million, had the EU chosen to punish the company to the full extent of the law.

[ Sometimes data protection means less privacy. Read Stolen iPhone Saved By iCloud. ]

Google helped lead the protest against SOPA and PIPA, U.S. legislation that would have harmed the Internet and forced Internet companies to protect content companies. The EU data rules don't threaten the flow of information in the same way. Rather, they threaten the existence of information online, through rules like Article 17, the "right to be forgotten and to erasure," and Article 20, which forbids the exclusive use of automated data processing for determining, among other things, creditworthiness or work performance.

Try to imagine an information economy starved of information. The concept clearly has potential problems.

"Article 17 will give EU residents an unprecedented inalienable right to control and delete facts that were once voluntarily communicated by the subject," explained Jane Yakowitz, visiting assistant professor of Brooklyn Law School, in an online post.

EU justice commissioner Viviane Reding described that right thus in a statement last week: "If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system."

Article 17 has some limits. The proposed rules recognize that people can't have the right to erase history, hinder free expression, harm public health, or impede scientific research with their desire to delete their data.

But Yakowitz argues the limits are undermined by restrictive wording and draconian fines. "I am disappointed, but not surprised, to see the EU continue a misguided attack on the information economy," Yakowitz wrote. "The right to be forgotten unequivocally favors the interests of the data subject, no matter how selfishly motivated, over the interests of data controllers and other consumers. Moreover, by making the right of erasure inalienable, the EU prevents its own citizens from participating in a business model that allows consumers to trade their information for stuff they want--convenience, discounts, or content."

In an email, Yakowitz explained that her objection to the rules is that they do not attempt to evaluate and balance competing interests.

Google's global privacy counsel, Peter Fleischer, through his personal blog, also expressed concern about the "right to be forgotten."

"While I strongly believe that people should have the right to complain to third-party websites about information that is published there about them, I am deeply skeptical that the laws should obligate such third parties to delete information on request of data subjects," he wrote. "This raises troubling questions of freedom of expression."

How much control should people have over the data shadows they cast online? And how much control should companies have? Or governments?

Fleischer says there should be more public debate about what the "right to be forgotten" means and about how it applies to search engines that index public information. Giving people too much power to control information about them online would make privacy rights trump the right to free expression, he argues, and would turn third-party Web services like Google into de facto censors.

Yakowitz suggests that tech companies form a protest movement similar to that which derailed SOPA and PIPA, to make sure the draft data rules get changed prior to a final vote. She proposes that Google block every search result involving anyone with first name "John," that Internet retailers stop accepting cookies (which would prevent any e-commerce), and that publishers double the number of ads on their Web pages to compensate for revenue lost to data starvation.

Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)