Reding's 'right to be forgotten' bill polarises Euro biz world
Rewriting data protection law in internet age
EU Justice Commissioner Viviane Reding will imminently table a draft bill that will – if passed in Parliament – require internet firms to be upfront about the user data they hold.
The proposal has already been slammed by many businesses in the UK, where opposition to the draft regulation has been particularly fierce.
Reding's "right to be forgotten" on the internet plan forms part of a huge legislative overhaul of Europe's 1995 data protection law, which the commissioner has labelled as outdated.
EU observers, businesses and politicos agree with her that the current legislation is in desperate need of a rewrite, but Reding's draft proposal has drawn fire from many.
"The old adage of 'Be careful what you wish for' is apt in relation to the proposed rewrite of data protection laws. Companies have been struggling with unharmonised regulation across Europe for years, but the Commission's focus on the rights of the individual has resulted in some ideas that are widely seen as unworkable or which will lead to significant costs," said Jane Finlayson-Brown, a partner in Allen & Overy's data protection team.
She said the draft bill contains "several draconian new requirements" that could prove "impossible to enforce".
"The new 'right to be forgotten' is particularly contentious," Finlayson-Brown added.
"While attractive to users of social networks, it will apply generally and will require many organisations to re-engineer business processes and technologies.
"The question that many people will ask, given the economic climate and the associated costs of compliance, is whether this additional requirement is really worthwhile given that individuals' personal data are so widely and voluntarily made available on the net."
Law firm Osborne Clarke echoed that criticism. Its head of data privacy, James Mullock, said: “It’s rather odd that Commissioner Reding is claiming that the new rules will cut EU companies’ running costs.
"Leaked versions of what is expected to be announced... clearly show the EC’s train of thought is to increase the overall regulatory burden on business and require more time, personnel and cash to be thrown at compliance.”
He highlighted the amount of policing work that would be required by the likes of the Information Commissioner's Office in the UK, if the draft bill - as it currently stands - trickles its way into national law books within the 27-member states' bloc.
“Data privacy is an important individual freedom, and clearly it is important that the current law is updated. But it is fatuous to claim that complying with the rules will actually save companies money," Mullock added. "On the contrary, these measures are likely to cost EU businesses billions to implement and even more to maintain on an on-going basis.”
The Business Software Alliance also waded in with its own unsurprising attack on Reding's proposal.
“The Commission’s proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information," said the BSA's European government affairs director, Thomas Boué.
"The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal’s current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth," he added.
“Done well, a harmonised data-protection framework will create a more cohesive Single Market by eliminating unnecessary confusion among service providers and users.
"But there is a critical balance to be struck. The rules should protect people’s privacy rights while also ensuring they have access to the full complement of services the internet has to offer.”
But not everyone has reacted negatively to the proposed regulation.
Document management outfit Iron Mountain said the draft bill might help force internet businesses to take a long, hard look at their current security policies.
“Many businesses of all sizes are falling short of what is required to manage information responsibly,” said the company's head of information security Christian Toon.
“In today’s increasingly scrutinised business environment, the lack of a solid and legally compliant information management policy is inexcusable.
"Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation," he added.
Facebook said: "We welcome Vice President Reding's view that good regulation should encourage job creation and economic growth rather than hindering it, and look forward to seeing how the EU Data Protection Directive develops in order to deliver these two goals while safeguarding the rights of internet users."
The Register will bring you full coverage of Reding's data protection announcement later today. Stay tuned... ®
Sponsored: Are DLP and DTP still an issue?