The European Commission has given details of a far-reaching strategy to strengthen data protection laws.
Citizens should have the 'right to be forgotten', the Commission said in a statement on Thursday. Justice spokesman Matthew Newman told ZDNet UK on Friday that data entered on social-networking sites is currently too difficult to delete.
"At the moment the process [of data deletion] is rather cumbersome, and it's not clear that it has all been deleted," said Newman. "If you decide you don't want to have data on a site, you should be able to withdraw consent and have the data deleted." According to the Commission's statement, people should be able to give informed consent about how their data is collected and processed, for example when surfing online.
"Existing rules that require consent are not always being followed," said Newman. Although the Commission refused to name any companies, Facebook, the most widely used social network, does not allow a user to delete all their profile details from the company's servers, even if they deactivate their profile.
Police and criminal justice system data protection rules will also be overhauled, said the Commission. While law enforcement must be able to carry out investigations, data access must be proportionate, and citizens should have the right to give consent as to how their data is used, said Newman.
"It's important that people's rights are respected in police and judicial co-operation," said Newman. "If there is an ongoing police investigation, we can't compromise that, but you will have rights to know what information is being collected about you and give consent."
The proposals, which are the product of a policy review, are ultimately designed to be included in an overhaul of the Data Protection Directive, following consultation. The revamped directive framework is due to be discussed by the European Parliament in 2011.
The principle of consent is likely to be written into the legislation, said Newman, and will cover the use of deep-packet inspection, a monitoring technique that examines every packet of data.
"The general principle of consent will [almost] certainly be part of the legislation," said Newman. "The directive is technologically neutral, but if there are instances of deep-packet inspection, organisations [performing the inspection] will need to have consent."
The proposals for updating the Data Protection Directive, which is 15 years old, will include data protection for information passed outside of Europe, according to the Commission's statement.
The Commission is also in the process of reviewing the Data Retention Directive, which specifies that ISPs should store communications traffic data for between six months and two years.