According to a report in Reuters, this week the EU will offer a sweeping set of new rules that would dramatically impact how internet companies can use personal data. There would also be new penalties available for data breaches and rules violations. The article, based on a draft of the rules, says the proposed regulations include the problematic “right to be forgotten,” which became an issue last year for Google in Spain.
The proposed rules will be released this week. However to take effect they still must be ratified by member states, which could take up to two years (or more). If enacted the new privacy rules would limit the discretion of internet companies like Google, Bing and Facebook over the use and control of individuals’ data.
Here’s how Reuters characterizes what’s in the draft proposal:
[T]he EU proposals would bolster significantly regulators’ powers on fighting data-protection breaches, requiring companies to notify regulators when data has been stolen or mishandled.
The proposals also give member states new powers to fine companies up to 1 percent of their global revenues for violating EU data rules. The Financial Times reported in December that the rules would allow for fines up to 5 percent of global revenues, so the EU may have reconsidered its approach since then.
The proposals grant broad, new rights to individuals, including a so-called “right to be forgotten” that would allow people to request that their information be erased and not disseminated online.
The rules also create a “right to data portability” to ensure that people can easily transfer their personal information between different companies or services.
I suspect the new rules would declare all user-created content the property of those individuals and not the sites that house such data. Currently Facebook for example, does not claim ownership of the content created by its users. But it claims a “worldwide license to use any IP content that you post.” The capacity of sites to establish such terms unilaterally would be limited by the new rules.
The “right to be forgotten” would grant individuals broad new control over the dissemination of their data online. Hypothetically it would allow individuals to request removal of negative articles, links and other content from the search index and social sites. While the press in Europe would likely not be affected, internet companies and especially search engines and social networks would.
While we’ll have to wait and see what the new rules hold, the right to be forgotten is particularly challenging to contend with. If a doctor were given a negative review on Yelp for example, that doctor could potentially request that it be removed from Google’s index. What if the review or reviews were both accurate and damaging to the doctor’s reputation and business? How would such a dispute be resolved and how might such scenarios compromise expression and the online experience as a whole?
The Europeans have historically been much more zealous about data protection and personal privacy than US regulators. In some instances that’s warranted but they may be doing a disservice to themselves and the internet as a whole if the new privacy rules are too restrictive or unworkable as a practical matter.
The formal unveiling of the new rules this week will probably be the opening salvo in a contentious Continental debate over privacy that will also take place at the national level in most of the member countries.
- Google Confronting Spain’s “Right To Be Forgotten”
- Spain To Google: Anyone Can Potentially Censor Your Index
- Spanish Want Google To Police Libel On The Internet
- Obscure Belgian Case Threatens To Open Copyright “Pandora’s Box” For Google In Europe
- Free Speech Battle In India: Google, Facebook Summoned By Court Over “Inflammatory Images”