Europe wants unified privacy approach: One data protection law, one single authority

Summary: European politicians are seeking to simplify and harmonise the EU Data Protection Directive, so that businesses would face "one law" and "one data protection authority" across the EU.

Viviane Reding, European commissioner for justice, fundamental rights and citizenship, proposed on Tuesday new data protection principles that would allow companies to work across all borders of the 27 member states without legal conflict.

Speaking at a data protection conference, Reding said that there should be "one [data protection] law and one single data protection authority" for each business, so that a business only needs to comply with the data protection laws in the jurisdiction where it has its main European headquarters.

For Facebook, this would be Ireland, while Twitter would have to comply with UK law, for example.

The current fragmented approach, under which each member state applies its own rules, has made it increasingly difficult for businesses to trade and to comply with the complicated patchwork of regulations. Reding said that these "unnecessary hurdles" were costing businesses €2.3 billion ($3.1bn) per year in administrative costs.

The new directive would update the EU's data protection laws, not only to close the gaps opened up by U.S. law since the introduction of the Patriot Act, but also to bring the ageing law up to speed with new and developing technologies, such as cloud computing.

Reding reiterated that European law would apply to any company operating within the European Union, even if the company is based outside the area, such as the United States.

Under the proposed EU-wide privacy law, the data protection agencies in each country would be granted greater powers to enforce locally ratified laws, and impose greater sanctions and penalties on those who flout the law.

As the New York Times highlights, in some member states, privacy officials can only recommend changes to better practices, rather than impose penalties.

Currently, the EU Data Protection Directive, ratified in 1995 and brought into member states' legal systems by 1998, sets out basic principles that each member state then builds upon in its own law. Germany, for example, has stricter laws than the UK, making trade between the two countries difficult.

The 16-year-old Data Protection Directive is set to be reviewed in January, with Internet companies and social networking sites, including Facebook, Twitter and Google, to be most affected.

While Commissioner Reding continues to champion the 'right to delete', under which European citizens would be able to ask social networks or companies to delete the data held on them, the UK data protection agency called the proposals "unenforceable" and said the measures should not go ahead.

Data protection expert Richard Graham, a lawyer and partner with Edwards Wildman Palmer LLP, said that these changes would be welcomed by the industry, due to the administrative cost savings for businesses seeking to maintain compliance in member states.

But he added a word of warning: "The potential changes relating to data portability, the right to be forgotten and data breach notification will require significant investment and further compliance activity in order for businesses to implement them effectively." He went on: "This has cost implications for all organisations, including insurance companies, financial service institutions, social media organisations and search engine providers."

At this stage, businesses and governments alike have not been told how and when the reform of the Data Protection Directive will be implemented. Graham noted that should the original directive be revised, there is further risk of inconsistencies of implementation and interpretation at a member state level.

Talkback

3 comments
  • Not this again

    "the data protection agencies in each country would be granted greater powers to enforce locally ratified laws, and impose greater sanctions and penalties on those who flout the law."

    Oh good. Non-tariff barriers to trade. Greece is angry with Germany, but they're prohibited from charging tariffs on German goods. So instead the Greeks carefully craft a "privacy law" that just so happens to fall most heavily on Machtsnicht GmbH.

    What, nobody sees this coming?
    Robert Hahn
    • RE: Europe wants unified privacy approach: One data protection law, one single authority

      @Robert Hahn From the article: "a business only needs to comply with the data protection laws in the jurisdiction where it has its main European headquarters."

      I would imagine that German companies would have their European headquarters in Germany and so not be subject to Greek privacy laws under the updated regulations.
      magzilla
  • Shopping Around for Headquarters

    I can easily see this working like this: I move 10 people to a member state and make it the "Headquarters" of my company for COMPLIANCE purposes in the least restrictive country, while the physical headquarters is in another. And all the support staff for the HQ is wherever it is cheapest to have them. Companies already do this for tax purposes (shell companies).

    It also would imply that you can violate any other country's privacy laws without worry as long as you comply with the HQ location's laws, and cannot EVER be taken to court.

    Of course, to get around this the EU can just state that EU laws trump any country's laws and just have the EU make the rules in Brussels and be done with it. Basically stating that all countries are now more like US states, except that the EU (Federal) law trumps any state's law, and once the EU makes a law all national laws covering the same are void and cannot be more or less than what the EU states.
    TAPhilo