EU Privacy Rules Rewrite Still StalledMany Issues Have Yet to be Resolved
Despite the European Union Parliament's recent endorsement of a proposed rewrite of Europe's vaunted privacy rules, the rewrite remains stalled, and the situation likely won't be resolved this year (see: EU Data Protection Reform Endorsed).
Until just a few months ago, the EU looked set to soon finish overhauling its 1995 Data Protection Act. High on European government officials' agenda has been rethinking rules for collecting and sharing data for the Internet age, as well as tackling the 28 different EU member states' differing interpretations - and enforcement - of privacy rules. Rewriting the privacy rules could also streamline compliance, collectively saving businesses € 2.3 billion ($3.1 billion U.S.) per year, by some estimates.
In large measure, those savings would stem from a new "one-stop shop" process introduced by Viviane Reding, who as EU Commissioner for Justice is in charge of Europe's privacy rules. Her proposal mandates that European privacy investigations be coordinated across all 28 member states, rather than being allowed to run separately, as is now the case. According to the UK's Information Commissioner's Office, the one-stop-shop proposal is a "fundamental part of the reform process" that would deliver "regulatory simplicity" for all.
Legal Objection Triggers Delay
But the EU privacy rewrite process derailed in December, when Hubert Legal, the aptly named senior legal advisor for the European Council - which represents the EU's national governments - criticized the one-stop shop proposal. In particular, Legal argued that it would undermine Europeans' rights by subjecting them to linguistic and financial barriers, should they have to file complaints with regulators in the country where an alleged violation took place, the Financial Times reported.
Reding, the EU justice commissioner, responded forcefully, saying in a speech in Brussels earlier this year that the one-stop shop provision passed legal muster, and that a draft EU privacy law was ready to go. "Discussions are mature. The text is ready. It is just a matter of political will," she said.
But many EU watchers believe that one unresolved concern underlying Legal's objection is that the one-stop shop could allow each individual European country's privacy watchdog - a.k.a. Data Protection Authority - to project much more cross-EU power than before.
Reboot Before 2015: Unlikely
With upcoming changes in both the EU Parliament and the European Commission, which is the EU's executive body, Legal's objection created a delay that will likely postpone the passage of any new EU privacy rules until at least 2015. "With that delay, and the fact that the EU will have a new Parliament and new Commission officials, the prospects of all three required entities - the Parliament, the Commission and the Council [of Ministers] - agreeing on a regulation [this year] are remote," attorney Christopher Wolf, who leads the privacy and information management practice group at Hogan Lovells, a Washington-based law firm, says in an interview with Information Security Media Group.
And the EU Parliament's March 12 vote endorsing the reforms likely won't speed things up. Indeed, the Council of Ministers has yet to vote on approving the reform, and, according to Trevor Hughes, president and CEO of the International Association of Privacy Professionals, some countries are still lobbying against it.
Until the reform does come to a vote, what can businesses expect? "We can expect to see a continuation of increased enforcement efforts in jurisdictions like France, Germany, Spain and Italy," Wolf says. "Throughout the EU, we can expect greater scrutiny of data practices by regulators. Given recent well-publicized data breaches in the U.S., we can expect a focus on data security."
Or as Omer Tene, IAPP's vice president of research and education, says in a blog post: "Until the May elections for the European Parliament and subsequent formation of a new commission, privacy folks can return to their day jobs and focus on existing law."
EU Privacy: Changes To Watch
When EU officials do resume hammering out new privacy rules, what key issues will they likely debate, and how might these new rules impact businesses? Here are six of the primary issues to watch:
1. Binding Regulation or "Harmonized" Directive?
One proposal is to change Europe's privacy rules from being a directive - meaning each EU country then "harmonizes" the rules with their national laws - to a regulation, which when passed would take effect immediately and become binding. If that happened, businesses would only have to prove compliance with a single EU law, rather than each member state's interpretation. But some countries, including Germany, have warned that they won't accept any new privacy law that weakens the privacy rights and protections their citizens already enjoy.
Some EU officials, meanwhile, argue that EU privacy rules should remain a directive, although Reding isn't one of them. "A directive would mean the status quo," she said in her speech in Brussels earlier this year. "It would mean 28 member states doing what they want. It would mean data protection on paper but not in practice."
2. One-Stop Shop to Streamline Compliance
Many EU ministers have backed the aforementioned one-stop-shop proposal, which would likely mandate that EU members coordinate privacy investigations, as well as allow businesses found to violate those laws to negotiate a single, "global arrangement" with everyone involved, Wolf says. In other words, the new approach would mirror how U.S. states' attorneys general - and the Federal Trade Commission - often coordinate their investigations, rather than subjecting a business to up to 51 different inquiries.
The IAPP's Tene says that the one-stop-shop concept is perhaps "the central pillar" of EU privacy reform. Hence the delay when the European Commission objected to the measure on legal grounds.
3. Stronger Sanctions Eyed
In return for creating a one-stop shop to make compliance easier, Reding had proposed that the EU gain the ability to fine privacy rule violators up to 2 percent of their annual revenue. Accordingly, regulators could have hit Google with a $1 billion fine, instead of the mere $2 million in fines - or 0.004 percent of Google's 2012 profits - imposed after data protection authorities in Spain and France separately ruled that Google violated privacy rules. Without stronger penalties, many EU officials have argued, citizens won't have the ability to hold businesses that use their personal information accountable.
4. Online Behavioral Advertising
Exactly what rules should govern how businesses are allowed to collect, resell, share, study or use people's personal information? Until the EU agrees on new privacy rules, that remains an open question. But expect future debates to center on online behavioral advertising rules, which some ministers would like to restrict or even prohibit. Many businesses, however, warn that restricting advertising may undercut the revenue that powers many of today's "free" websites.
5. Customer Access to Personal Data
Another proposal that's being debated would give consumers the right to see whatever information about them is being held by a business or government agency. Critics, however, have warned that the cost of creating this single view of a customer's information could be substantial. Verifying the identity of the person requesting their personal information would also pose its own privacy challenges.
6. Data Minimization vs. Big Data Benefits
Some EU ministers are pushing for data-minimization rules that would require businesses to refrain from collecting any data for which they didn't already have an explicit, predefined use. But in this era of big data, many leading businesses and technologists have warned that new discoveries - technological, sociological, medical and beyond - often don't stem from a priori assumptions, but rather from studying data and discovering new, unexpected connections. "A completely rigid enforcement of privacy principles would prevent those societal benefits," says Hogan Lovells' Wolf, who also chairs the Future of Privacy Forum.
EU Privacy Reform: Still Waiting
With the above issues remaining unresolved, it's not yet clear how the EU's revised privacy regulations will impact businesses. What is known, however, is that almost two decades after inaugurating pioneering privacy protections, if European officials agree on revised rules, they could well apply for the next 20 years - as well as inspire related efforts in other countries. As Google Chief Privacy Officer Peter Fleischer says: "Whatever comes next will be the most important privacy legislation in the world, setting the global standards."
(Matthew J. Schwartz is a Scotland-based writer specializing in security and IT issues.)