Facebook and Google 'must follow' EU privacy rules

Global companies with a footprint in Europe will be subject to new European data privacy laws, according to justice commissioner Viviane Reding
Written by Tom Espiner, Contributor

Google, Facebook and other global companies that operate in Europe could face legal action if they do not adhere to EU privacy laws, justice commissioner Viviane Reding has said.

Justice commissioner Viviane Reding has said Google, Facebook and other global companies could face legal action if they do not adhere to EU privacy laws. Photo credit: European Commission

Data protection authorities in member states will have powers over companies even if they are not European, Reding stressed in a 'privacy platform' meeting in Brussels on Wednesday. Her speech gave an update on the European Commission's progress in formulating proposals to revamp European data protection laws.

"A US-based social network company that has millions of active users in Europe needs to comply with EU rules," Reding told the meeting. "To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers."

In May, Facebook came under fire from European data protection advisers after the social-networking site made some of its users' profile information public without asking permission. In addition, Google was targeted by privacy authorities in individual EU countries after its Street View cars harvested data from unsecured Wi-Fi networks.

Under the Commission's proposals, any data protection infraction by a global company that affects European citizens could lead to enforcement action.

"Facebook, Google, and Microsoft are all providing services," justice commission spokesman Matthew Newman told ZDNet UK. "We wanted to make it crystal clear that no matter where they are [based], and no matter where their servers are, they need to comply with EU rules. We didn't want a get-out clause."

Newman said that he was not aware of any data protection infractions by these companies that had occurred outside Europe and had affected EU citizens. Nevertheless, the Commission wants to "close off that possibility", he said.

Google declined to comment on the proposals, while Facebook and Microsoft had not responded to a request for comment at the time of writing.

In her speech, Reding also reiterated her call for citizens to have a "right to be forgotten" online, which would make it easier for them to remove embarrassing photos from social-networking sites, for example. The measure would compel companies to allow a user to delete all their data from the provider's servers.

"When modernising the legislation, I want to explicitly clarify that people shall have the right — and not only the 'possibility' — to withdraw their consent to data processing," she said.

Reding did not give any details as to how the EU would enforce the privacy laws outside its borders. Newman said the method was still being decided, adding that the measures would entail some kind of legislation or regulation.

Information Commissioner's Office

In the UK, the privacy watchdog is the Information Commissioner's Office (ICO), which is funded by the Ministry of Justice (MoJ). The ministry said that before it extends the scope of the privacy watchdog to overseas companies, it will have to weigh up the impact of the move.

"The UK recently provided the Information Commissioner's Office with additional powers and penalties," said an MoJ spokesman, referring to the ICO's power to fine organisations up to £500,000 for data breaches, granted in April 2010.

"The consideration of any new powers should be informed by an assessment of the effectiveness of existing powers, the costs and benefits of any proposed powers, and the findings from the UK's call for evidence on the data protection legislative framework," he told ZDNet UK.

In January, the UK government called for interested parties to comment on the current European Data Protection Directive. Those opinions will be taken into account in negotiations this summer for the revamp to EU-wide data protection laws.

Co-ordinated approach

Reding said that Google's collection of internet traffic from unsecured Wi-Fi networks in 2010 had not met with a co-ordinated response from European privacy watchdogs.

"In recent months you may have heard about concerns in many member states related to online mapping services, including pictures of streets and people's homes," said Reding. "A more co-ordinated approach at EU level is needed to address such cases in a consistent and effective way. We had the proof that how we are doing things now is neither consistent nor effective."

The ICO was criticised for its handling of the Google Wi-Fi investigation for a number of reasons, with one MP likening the watchdog to the Keystone Kops.

Commission justice spokesman Newman told ZDNet UK that a lack of privacy consistency across Europe was not good for businesses, or for Europe.

"Google said that its Street View [cars] had inadvertently collected Wi-Fi traffic, but different countries had different responses to exactly the same problem," said Newman. "Some countries said Google should delete the data, while some said Google should keep the data in case of legal action. We can't have a single market if we have divergent ways of dealing with the same problem."

Newman said that the Commission was looking at ways to integrate the Article 29 Working Party, an EU privacy body, more closely with national privacy authorities.
