Euro commissioner tells Facebook it has nowhere to hide
Offshore servers no defence, Reding tells El Reg
Interview: European Commissioner Viviane Reding was in the UK on Monday to warn banks that they will be required to immediately notify customers about data security breaches. The Register visited the Brussels justice minister and vice president at the Commission's London office yesterday lunchtime to learn more about her seemingly personal crusade to make the internet a better place for businesses and consumers.
The current European data protection law was written in 1995 when the internet was beginning to slowly enter the public consciousness. As a result, that legislation was introduced to address the handling of data by television broadcasters, printed publications and other businesses. But the framework is, Reding concedes, no longer fit for the digital age.
"There was no Facebook at that moment," she says.
Reding adds that the idea of obtaining prior informed consent from everybody who "utilises" an individual's data has become problematic now that internet usage has become so widespread.
In recent weeks Facebook has come under fire in Europe, after the world's largest social network rolled out its facial recognition technology to countries outside of the US, but switched the feature on by default without telling its users first.
Reding has seen a change in mood and says concern has grown among citizens across Europe's 27-member-state bloc about how their information is being used online.
"People ask: 'What are they doing with my data? What is this thing with photographs? It might be very interesting if I decide that I want this, but it cannot be imposed on me.' There are lots of questions about where we are going in this society."
As we reported earlier this month, it was national authorities in member states, such as the Information Commissioner's Office in the UK, that were tasked with fielding complaints about Facebook's latest privacy gaffe from irate EU citizens.
However Facebook, on a European level, isn't currently breaching data protection law when it makes stealth tweaks to its technology without first informing its users of the change. Reding hopes to close that loophole with the new legislation that's coming in the autumn.
"You cannot hide anymore by saying 'my server is in Honolulu and my other server is in Kiev and...' I don't care," warns the commissioner.
"The law is for everyone who does business on the territory of Europe, whatever the origin of the business might be. So you cannot hide anymore by saying ‘I do not have my headquarters in Europe’."
Of course, convincing Facebook, Google and other US-based companies to adhere to such rules could remain a stumbling block for Brussels.
Reding points to the recent privacy row over Google's Street View data slurp, which got conflicting responses from a variety of countries within the EU.
"The problem was that they got different answers in different member states. In Germany it was declared illegal, in France no one cared. So depending on the different mentality the law was applied in a different way… in future there will be one rule to apply to the whole territory of the European law," she explains.
"The companies will know when they want to come to Europe and target 500 million potential customers they will have to apply the same European law across the states."
But Reding admits that taking legal measures against, for example, the US would be tricky because it obviously isn't a member state.
The EC would still be working within the confines of its own jurisdiction. In other words, a data protection infringement complaint against the US "would be done through the nearest responsible national data protection authority," she says.
"We need rules that are clear and are applied to everyone. If not we take legal measures that we can take."
Cookies and milk for Santa Claus
The European data protection law plans are seen by UK Justice Secretary Ken Clarke as a dangerous move with the potential to compromise freedoms and security.
He lambasts Reding's "one size fits all" approach and says that "imposing a single, inflexible, codified data protection regime on the whole of the European Union, regardless of the different cultures and different legal systems, carries with it serious risks."
The commissioner rejects his comments. "I have not understood the criticism very well because the problem which UK companies have here is that if they want to conduct business in France or in Germany, they have to adapt to a different set of complicated and costly rules," she says.
"The British point of view to open the internal market has not changed. If you are an island and you want to take advantage of the European markets then you do not want to have the rule barriers in place."
Reding cites lots of examples where the so-called "one size fits all" model works within the legal framework of Europe.
"On mobile phone roaming prices the market was taking advantage of the still existing barriers," she says. "Making a lot of money off the back of those citizens who decided to go cross-border."
"I always meet people who are astonished that Christmas is on the 25th of December. I always encounter governments that are astonished that a law that has been voted for two or three years before has to be applied on that date… That is not just on the cookies, but a general problem, which I have normally.
"This decision doesn’t come out of the blue. That was the Council of Ministers plus the European Parliament who had done this together… You decide something, you apply it. If you don’t we bring the country to the court."
Reding is unable to comment on what this means for the UK government, which freed up web owners in Britain from the burden of implementing the changes requiring websites within the EU to obtain a visitor's consent to install a cookie in their browser. It effectively deferred enforcing the law for one year.
"It's much too early to say [on UK] as it’s only some days into the law," she says. "I have already spoken to ministers here [and told them] that Christmas is on the 25th."
Elsewhere, the EC is already taking legal action against the UK government for alleged failures over regulating Phorm and for lacking proper data protection laws. The Commission believes the green light given for BT's use of the web monitoring software without gaining prior consent from its customers is illegal.
It's unclear if the UK Home Office's recent plans to change the Regulation of Investigatory Powers Act (RIPA) to demand full consent to monitoring of individuals' private communications will appease Brussels regulators.
But with the case remaining "under investigation", Reding tells us that she's unable to provide further comment on the matter.
More generally she points out that "there is a big business on selling information, but people are not aware of it".
She says they are "very naive, very often. Informed consent means they know their data can be sold to a third party for this and this utilisation."
But Reding wants that decision to be in the hands of the individual, while still allowing companies to use methods such as targeted advertising, which she sees as "an interesting business model".
US and them. Data, research and commercialisation
"I have some problems with the US, which has a more relaxed vision of what needs protection on the subject of personal data," says the commissioner.
But Reding says she is negotiating with US Attorney General Eric Holder specifically on data protection laws, in an effort to reach a bilateral agreement on both sides of the pond.
She adds that "common standards" are needed between Europe and the US. "If we disagree somebody else might set the whole standard."
The commissioner is convinced that the US is finally starting to take a European approach to data protection, especially in light of the recent high-profile hacks that have affected millions of gamers on Sony PlayStation and more recently Sega.
"The US have started to think in a different way," she says. "September 11 scared a whole population and pushed the thinking purely to more security. Tackling problems wholly through the security prism and neglecting completely the element of personal rights.
"I think an equilibrium is starting to take place there. We want rights and security to be on an equal footing… To keep this balance is the way we should proceed in politics."
She says such a desire is not about "building new barriers but to create a security for the individual, which in turn brings ecommerce trust from the individual".
But cross-border trade online, even within the EU, remains a big problem, and Reding claims that changes to the legislation to simplify such business transactions will fix this.
"Merchants do not want to pay the price of adapting their rules to different laws. It's too expensive... due to the patchwork nature of consumer laws in Europe."
According to EU statistics, 75 per cent of merchants hesitate about selling goods cross-border, while just seven per cent of Europeans buy online from another member state.
That's a fact that perplexes Reding.
"Data protection ranks very highly on my list because I see that in times of crisis you must provide legal certainty and open the market," she says.
"You've got it at your fingertips, you have the market but the market is not utilised. Getting rid of the barriers is the answer."
She also frets over development of products in Europe, where the subsequent technology often resurfaces in the US as a consumer product.
"Why is it that we in Europe develop in research, we find, we discover and then all of a sudden we do not jump from research to commercialisation?" asks Reding.
Europe has been slower to adapt to ecommerce, she admits.
"When it comes to commercialisation of our World Wide Web [which was invented by Sir Tim Berners-Lee at Cern in Geneva] we had developed it but then we were incapable of bringing it to commercial life."
Returning to her message that for businesses to flourish in the EU they need to gain the trust of their customers, Reding calls on the tech world to provide an "in-built privacy system" within their products.
Reding, of course, previously heralded the development of radio-frequency identification (RFID) technology, which arrived sans a privacy framework.
"Yes, I championed RFID and it was really still in the pre-commerce research stage at that point. I had warned industry at that moment that if it wanted RFID to fly, you must build in security. You must have privacy by design, which is something in the data protection reform. For new services, for new items, instead of letting them grow and then see that there is a problem, why not build in privacy options first?"
A new privacy framework is finally being put in place for RFID that will come into effect later this year. But it offers only a voluntary code that many smaller companies within the EU may choose to completely ignore. ®