EU Unveils Web-Privacy Rules
WSJ: Proposed Changes Aim to Cut Red Tape, but Some Tech Firms Fear Added Burdens
BRUSSELS—Companies could be fined up to 2% of global annual turnover if they breach new data protection rules proposed Wednesday by the European Commission that aim to simplify the laws and reduce red tape.
The changes, the first overhaul to the data protection rules since 1995, when the Internet was used by just 1% of Europeans, would also mean that European Union rules would apply if data are handled abroad by companies that offer their services to EU citizens, such as Google Inc., Apple Inc., Microsoft Corp. and Facebook.
Reaction to the proposals was mixed, with an industry lobbying group saying the new rules could create more bureaucracy rather than cut it.
"The real concern is that many of the proposed rules will inhibit the free flow of information globally and make it difficult for global businesses to operate and invest in Europe due to greater legal uncertainty, increased administrative burdens and the risk of fines," said James Lovegrove, managing director of TechAmerica Europe, a not-for-profit association representing U.S.-based technology firms in Europe.
But European Union Justice Commissioner Viviane Reding said the overhaul will save businesses around €2.3 billion, or around $3 billion, a year, as well as providing much-needed economic growth for the EU.
"My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information," she said in a statement. "A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.
She said U.S.-based companies that have subsidiaries in Europe "are going to be regulated in a one-stop shop, in the state where their subsidiary is. They will have to apply European law like everybody who is doing business in Europe."
If the changes are adopted, companies will deal with a single national data protection authority in the EU country in which they have their main base. Meanwhile, individuals can refer to the data protection authority in their own country even when their data are processed by a company based outside the EU.
Companies who break the rules would face fines from strengthened national regulators. "They will be empowered to fine companies that violate EU data protection rules," Ms. Reding said. "This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company."
There will also be clarification of a "right to be forgotten," under which individuals will be able to delete uploaded personal data if there are no legitimate grounds for retaining them.
The proposals emphasize that consumers must give their explicit consent for their data to be shared, Ms. Reding said.
"The question [is] how do you future proof this; she's trying to create a regime that will have some staying power," said Ronald Zink, Microsoft's Chief Operating Officer with responsibility for EU Affairs and Associate General Counsel. "The goal of [the] new proposal is to reduce the burden while increasing privacy protection; I'm optimistic this can be done."
While he wouldn't comment on compliance costs for Microsoft, Mr. Zink noted that the cost of data protection is more burdensome on SMEs than large companies: often four times more expensive in relative terms.
"Regulators globally have been calling for shorter, simpler privacy policies—and having one policy covering many different products is now fairly standard across the web," Google's blog said. "We believe this new, simpler policy will make it easier for people to understand our privacy practices."
Describing how the commission's proposals would work in practice, Ms. Reding used the example of an Austrian student wanting to retrieve data from a social networking website with its EU headquarters in Ireland. Under the new system, the student would complain to the Austrian regulator, who would refer to their Irish peer, who would resolve the issue with the U.S. company's EU operation, then report back.
"The latest draft still includes a number of draconian requirements for businesses that will be difficult to implement for many," said Jane Finlayson-Brown, a partner in London-based law firm Allen & Overy's data protection team.
The European Telecommunications Network Operators' Association, ETNO, which represents 40 telecoms companies, said that rules on consent need to be consumer-friendly. "Repeatedly requiring explicit consent during an online experience undermines the goal of enabling consumers to make informed decisions in an environment that is not overly intrusive," it said.
The proposals will now be passed on to the European Parliament and EU member states when they meet at EU councils and will take effect two years after they have been adopted.