Europe is considering a sweeping new law that would force internet companies like Amazon.com and Facebook to obtain explicit consent from consumers about the use of their personal data, delete that data forever at the consumer’s request and face fines for failing to comply.
The proposed data protection regulation from the European Commission, a copy of which was obtained by The New York Times, could have significant consequences for all internet companies that trade in personal data, whether it is pictures that people post on social networks or what they buy on retail sites or look for on a search engine.
The regulation would compel websites to tell consumers why their data is being collected and retain it for only as long as necessary. If data is stolen, sites would have to notify regulators within 24 hours. It also offers consumers the right to transport their data from one service to another — to deactivate a Facebook account, for example, and take one’s trove of pictures and posts and contacts to Google Plus.
The proposed law strikes at the heart of some of the knottiest questions governing digital life and commerce: who owns personal data, what happens to it once it is posted online, and what the proper balance is between guarding privacy and leveraging that data to aim commercial or political advertising at ordinary people.
“Companies must be transparent about what they are doing, clear about which data is being used for what,” the European Commission’s vice president for justice, Viviane Reding, said in a recent telephone interview. “I am absolutely persuaded the new law is necessary to have, on the one hand, better protection of the constitutional rights of our citizens and more flexibility for companies to utilize our continent.”
Reding is scheduled to release the proposed regulation on Wednesday in Brussels. The European Parliament is expected to deliberate on the proposal in the coming months, and the law, if approved, would go into effect by 2014.
The regulation is not likely to directly affect American consumers. For American companies, its silver lining is that it offers one uniform law for all 27 countries in Europe. Currently each country, and sometimes, as in the case of Germany, each state, has separate laws about data protection.
Even so, many of the provisions are likely to be costly or cumbersome. And the proposed penalties could be as high as 2 percent of a company’s annual global revenue, according to a European diplomat who did not want to publicly discuss unreleased legislation.
“Individuals are getting more rights. The balance is tilting more to the individual versus the companies,” said Françoise Gilbert, a lawyer in Palo Alto, California, who represents technology companies doing business in Europe. “There is very little that’s good for the companies other than a reduction of administrative headaches.”
Perhaps for historical or cultural reasons, Europeans tend to be more invested in issues of data privacy than Americans. Certainly, the proposed regulation is evidence that European politicians consider it to be a more urgent legislative issue than members of the United States Congress. Privacy bills have languished on Capitol Hill. Those that have been proposed, by Senator John Kerry and others, have none of the strict protections included in the draft European regulations.
For the most part, American companies have pushed for a system of self-regulation and regard European-style regulations as a hindrance to innovation.
Ronald Zink, chief operating officer for European affairs at Microsoft, pointed to the potential difficulty of obtaining explicit consent. He gave the example of Microsoft’s Xbox Kinect system, which stores body measurements so it can visually recognize repeat players. He worried that the proposed law would require players to provide consent every time they played a game, even if the information never left the game console, requiring more time and effort on the player’s part.
“We have designed the product to be private,” Zink said. “We put a lot of thought into how this controls our work in terms of privacy by design.”
One of the most contested provisions of the European law is the so-called right to be forgotten, which refers to an internet user’s right to demand that his or her accumulated data on a particular site be deleted forever. “When a citizen has asked to get it back, then the data has to be given back,” Reding said in the interview. “When an individual no longer wants his data to be processed, it will be deleted.”
Critics warn that it is not so simple. Data does not always stay in one place; if it is transferred to another company it cannot easily be withdrawn. A company might license some of the data it collects to a third party to analyze market sentiments or social trends: reviews of kebab joints in Amsterdam or public opinion about burqas. Moreover, it may be less feasible to erase someone’s credit history, for instance, or employment record than to, say, do away with her shopping history on Amazon.
“You’re not going to get a unilateral right for someone to say I want you to destroy all the information you have about me,” said David Hoffman, global privacy officer for Intel. “It would be preferable for people to be able to post something and then realize they made a mistake and have it taken down. However, if you were going to do that by law, it’s not going to apply in all contexts, because of situations where it is perfectly reasonable to expect an organization to be able to keep the data.”
Reding sought to temper expectations when she said in a speech at a technology conference in Germany on Sunday that the law would apply to information that a user had furnished to a website, and was not meant to erase unfavorable content about the person online.
“It is clear that the right to be forgotten cannot amount to a right of the total erasure of history,” she said. “Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.”
Malte Spitz, a Green Party politician from Germany and an advocate for strict data protection laws, said the regulation should restrict how companies hold onto personal information. “Lots of companies are collecting as much information as possible, and lots of this information isn’t really necessary,” Spitz said. “The right to be forgotten will change the work of companies that are doing profiling or targeted advertising.”
Facebook, which has been investigated by European regulators for its data retention practices, warned last year against rules that might not keep up with the pace of change on the Internet. “There is a risk that an excessively litigious environment would impede the development of innovative services that can bring real benefit to European citizens,” the company said in comments submitted to the European Commission, according to Reuters.
The European regulation, once passed, could serve as a template for other countries, as they draft or revise their data protection policies. “There are very few countries that don’t copy what is happening in Europe,” said Gilbert, who has written a book on privacy laws worldwide.
Kevin O’Brien contributed reporting.