The European Union (EU) has been working in the direction of making consumers’ data and information safe and secure. At a time of blatant e-surveillance by countries like the United States, India, the United Kingdom, etc., this is a welcome step. At Perry4Law we welcome this initiative of the EU, as it would go a long way in strengthening civil liberties protection in EU cyberspace. We also welcome the efforts of the EU to strengthen consumer rights by introducing effective dispute resolution mechanisms for those engaging in online business and transactions.
Developments in privacy and data protection at the EU have been systematic and consistent in nature over a long period of time. Some significant developments in this regard are the draft European Parliament Legislative Resolution for the General Data Protection Regulation 2009-2014 (PDF), the European Parliament’s support for the Commission’s efforts to foster EU Citizens’ Rights, Memo 14-185 (PDF), the MEPs’ anti-surveillance stand against the U.S. NSA (PDF), etc. The latest addition to this civil liberties protection list is the European Parliament’s supporting vote for the EU data protection reforms (Word), which have now become irreversible in nature. The new Data Protection Regulation was approved with 621 votes for, 10 against and 22 abstentions.
There had been concern that any delay in the vote would see the whole process put into the hands of a new parliament following elections in May. The current parliament will now speak to ministers from the EU’s member states and agree on a timetable to implement the law.
“Most people are entirely unaware that their rights are being violated when online due to what are now everyday business practices. Those who are aware have negligible ability to control how this data on their daily lives, buying behavior, social media use, political views, hobbies, financial data and health records is collected and processed,” said Monique Goyens, director general of The European Consumer Organisation.
Although the vote was welcomed by consumer groups, the tech industry is concerned that it will place more burdens on businesses. For instance, the Industry Coalition for Data Protection (ICDP), a group of 16 associations representing European and international companies, described the new law as an “overly prescriptive, freeze-frame approach that would be unworkable in practice, even for data protection authorities”.
The new law includes higher fines for breaches of data protection law in the EU, up to 5 percent of worldwide revenue or a fine of €100 million (US$138 million), whichever is greater. The original draft of the text had called for 2 percent, but the European Parliament decided to raise it.
Citizens will also gain the so-called right to be forgotten. Businesses must comply with any demand by a customer for the erasure of their personal data when there are no legitimate grounds for retaining it. However, the European Commission pointed out that this is not a right to rewrite history: legitimate reasons to retain data include, for example, newspaper archives.
Explicit consent is also required for businesses wishing to process data. Organisations processing people’s data must provide standardised information policies to explain what they are doing with it and why. Businesses and organisations will be required to inform users, paying or not, about data breaches “without undue delay”. There is much debate about what constitutes “undue delay”; 24 hours is considered to be sufficient time for any organisation to notify users. Cyber security breaches also need a mandatory reporting mechanism, which is presently missing the world over.
Cyber law due diligence for European business has already been prescribed by the EU. As per the new EU framework, member states must take the necessary measures to make sure that firms that engage in any kind of cyber crime can now be held accountable. The rules allow member states to impose punishment even if an employee carried out hacking without the bosses’ knowledge. This is more along the lines of “strict liability”, which business houses and owners must keep in mind. Similarly, this would also require businesses to appoint chief information officers and chief technology officers so that their business interests can be adequately safeguarded.
Under the new regulation, users will have the right to demand that businesses send them all the information they have stored about them. Where requests to access data are ‘excessive or repetitive’, smaller companies will be allowed to charge a fee for providing access. A one-stop-shop principle, allowing businesses to deal with just the data protection authority of the member state where they are based, rather than all 28 across the EU, will be enacted. However, the data protection authority in each member state will be empowered to impose sanctions, as well as to carry out regular inspections of companies found to be in breach of the rules.
The new law would apply to all companies handling EU citizens’ data, whether they are based in the EU or not. Thus, companies located in other jurisdictions and handling EU citizens’ data would also be covered. The EU has to manage the conflict of laws in cyberspace, as different countries may have different laws in this regard. For instance, India has neither a privacy law nor a data protection law (PDF). How the EU norms would apply to Indian BPO and KPO companies and firms is yet to be ascertained by the EU.
The new regulation would replace the 1995 legislation, but the new rules still need to be backed by EU governments, some of which have so far been stalling on the reform.
Meanwhile, in a separate vote, the European Parliament approved calls to put data sharing with the U.S. on hold. The report condemns the mass surveillance programs by EU member states as well as those by the U.S., and calls for the suspension of the Terrorist Finance Tracking Program (TFTP) agreement and the Safe Harbor agreement. TFTP allows the U.S. access to EU citizens’ banking transfers, while Safe Harbor is a voluntary program, enforceable by law, whereby U.S. companies promise to manage EU citizens’ data securely.
But the most far-reaching element of the resolution, drawn up after 16 hearings over six months, is that parliament should withhold its consent to the final Transatlantic Trade and Investment Partnership (TTIP) deal with the U.S. unless it fully respects EU fundamental rights. Despite the strong words, it is not within the European Parliament’s power to implement them. Any suspension of agreements would have to come from the European Commission. Nevertheless, the mood of the European Parliament is now well known.