Europe cares about privacy, that means you will have to

By Scott Bradner

In late January the European Commission published a proposal "on the protection of individuals with regard to the processing of personal data and on the free movement of such data." (http://www.statewatch.org/news/2012/jan/eu-com-general-dp-regulation-com-12-3-12.pdf) They also published introductory statement about the proposal (http://www.statewatch.org/news/2012/jan/eu-com-dp-commuication-com-9-3-12.pdf) and a staff analysis of the impact of the proposals (http://www.statewatch.org/news/2012/jan/eu-com-dp-ia-com-sec-72-12.pdf) The proposals are extensive, more than 100 pages covering every facet of the gathering, processing, movement and protection of data about people and very detailed.

In concept, the proposals do not differ all that much from the existing European approach to data collected by businesses about people. The principles are the same: get permission from individuals before you collect information about them, tell tem what the information will be used for, only collect what you actually need, only keep it for as long as you actually need to, protect the information properly and do not give the information to someone who will not protect it. But the new proposals add some new requirements and a lot of operational detail to these principles as well as some rather big teeth to be sure that the rules are followed. A company can be fined up to 2% of its worldwide cash flow for willfully disregarding the requirements.

One apparent major addition, the right to be forgotten, is, in part, a clarification of the idea that since you have to have permission to collect information about someone, if they withdraw that permission you need to delete what information you have collected. It is hard to tell exactly how the 9 paragraphs in Article 17 that describe the right to be forgotten will be interpreted when it comes to third parties such as search engines that just report on what information is out there. IT is also hard to predict how these rules will be interpreted when it comes to public information such as criminal convictions. It seems like it would be a really bad idea to let someone erase that kind of history.

Even if the proposals are accepted as-is it will be at least two years before they could go into effect so there is no immediate worry, other than the worry US companies should already have about the existing EU privacy rules. If you work for one of these companies and you have not looked into the US Department of Commerce Safe Harbor program (http://export.gov/safeharbor/) you should do so real soon now.

Naturally, the first reaction from US businesses is that the proposals would be a burden on business (http://www.networkworld.com/news/2012/012512-europes-proposed-new-data-laws-255302.html) rather than something that would be good for Internet users.

The EC's proposals again make the difference between the US and European approaches to personal privacy very clear. In Europe you, in theory, have the say on who collects information about you and your actions and what they do with that information. There is no such assumption in the US. In the US, what you want is irrelevant. Instead, companies can collect any information they can get their hands on and use it in any way they want. About the only restriction is that the company has to be truthful in anything they say about what they collect and what they do with it. Being anything but truthful can be seen as an unfair business practice by the Federal Trade Commission. (http://www.ftc.gov/opp/gpra/append1.shtm)

If you are a small player on the Internet scene you may not have to worry all that much about these proposed rules since it is unlikely that the EU will come after you, but the big guys, such as Google who is in a tiff with the EU over its restated privacy policy (http://www.nytimes.com/2012/02/04/technology/eu-backs-delay-in-googles-privacy-policy.html), are paying attention. (http://www.financialexpress.com/news/google-protests-eus-proposed-rules-on-privacy/905320/) A potential fine of $756 M will do that to you.

disclaimer: Even though Harvard might be on the hook for $74 M (http://vpf-web.harvard.edu/annualfinancial/) I have not seen an official university comment on the proposals so the above should be seen as my own view.