Europe wants unified privacy approach: One data protection law, one single authority

Viviane Reding, European commissioner for justice, fundamental rights and citizenship, proposed on Tuesday new data protection principles that would allow companies to work across all borders of the 27 member states without legal conflict.

Speaking at a data protection conference, Reding said that there should be “one [data protection] law and one single data protection authority” for each business, so that a business only needs to comply with the data protection laws in the jurisdiction where it has its main European headquarters.

For Facebook, this would be Ireland, while Twitter would have to comply with UK law, for example.

This fragmented approach has made it increasingly difficult for businesses to trade, and comply with the complicated rules and regulations. Reding said that these “unnecessary hurdles” were costing businesses €2.3 billion ($3.1bn) per year in administrative costs.

The new directive will update the EU’s data protection laws, to not only patch holes created by U.S. law through the introduction of the Patriot Act, but also bring the ageing law up to speed on new and developing technologies, such as cloud computing.

Reding reiterated that European law would apply to any company operating within the European Union, even if the company is based outside the area, such as the United States.

Under the proposed EU-wide privacy law, the data protection agencies in each country would be granted greater powers to enforce locally ratified laws, and impose greater sanctions and penalties on those who flout the law.

As the New York Times highlights, in some member states, privacy officials can only recommend changes to better practices, rather than impose penalties.

Currently, the EU Data Protection Directive, ratified in 1995 and brought into member states’ legal systems by 1998, offers basic principles and laws that can then be built upon by each member state. Germany for example has stricter laws than the UK, making trade between the two countries difficult.

The 16-year-old Data Protection Directive is set to be reviewed in January, with Internet companies and social networking sites, including Facebook, Twitter and Google, to be most affected.

While Commissioner Reding continues to sport the ‘right to delete’, where European citizens would be able to apply to social networks or companies to delete the data held on them, the UK data protection agency called the proposals “unenforceable” and that the proposed measures should not go ahead.

Data protection expert Richard Graham, a lawyer and partner with Edwards Wildman Palmer LLP, said that these changes would be welcomed by the industry, due to the administrative cost savings for businesses seeking to maintain compliance in member states.

But adding words of warning: ”The potential changes relating to data portability, the right to be forgotten and data breach notification will require significant investment and further compliance activity in order for businesses to implement them effectively”, adding: “This has cost implications for all organisations, including insurance companies, financial service institutions, social media organisations and search engine providers”.

At this stage, businesses and governments alike have not been told how and when the reform of the Data Protection Directive will be implemented. Graham noted that should the original directive be revised, there is further risk of inconsistencies of implementation and interpretation at a member state level.

Related:

• Updated European law will close Patriot Act data access loophole
• European ‘right-to-delete’ law: How enforceable is Facebook?
• Facebook, social networks, businesses ‘must adhere’ to EU law
• German regulators accuse Facebook of tracking users’ cancelled accounts
• What we missed this week: SOPA, Net neutrality, UK online outlaws, Google’s effect on spying