TrustArc Blog

Too prescriptive for innovation? The current impasse with the proposed EU regulation

November 12, 2012

Saira Nayak
Policy Director | TRUSTe
@SairaNayak

 

It’s hard to say what the future is for the proposed EU data protection regulation. Nearly a year after its announcement in January 2012, the proposed reg – in particular its more prescriptive requirements – continues to engender controversy and discussion among stakeholders on both sides of the Atlantic. Industry opposition to the more burdensome requirements has grown louder; even the US Chamber has gotten involved in the lobbying effort to alter the proposals.

The concerns with the proposed reg aren’t limited to industry. Yesterday, the UK ICO Commissioner, Christopher Graham, told an audience that the proposed reg is unworkable for regulators – because of its prescriptive proposals (it forces them to fine companies, for example) and requirements that would need a large staff to implement (a resource many DPAs in Europe don’t have).

Additional concerns with the proposed reg were summarized in last week’s report by the UK House of Commons Justice Select Committee, which told the European Commission that they would need to “go back to the drawing board” on the current Data Protection proposals.

Yet it’s unclear whether the primary author of the proposed reg, EU Commissioner Viviane Reding, would agree – which means we may be at an impasse. Reding, of course, is the EU’s Commissioner for Justice, Fundamental Rights & Citizenship – data protection falls within her portfolio.

In particular, Reding is a supporter of the most prescriptive of requirements – a proposed expanded right of access known as the “right to be forgotten.” While certain aims of the “right to be forgotten” are laudable, it’s difficult to implement technologically and, as the UK Justice Select Committee points out, could create unrealistic expectations. To fully comply with this right, and provide the individual access to their data at any point in time, companies would need to store and secure data indefinitely – and this will impose costs, since much of the data will be, by definition, personal and probably linked to some sort of customer profile (e.g. a wall post on Facebook).

Reding has indicated that she is prepared ‘to introduce further flexibility’ in the proposed EU Data Protection Regulation, ‘provided it does not run against the objectives of achieving a more harmonised legal environment’. She is due to speak again on these issues at a Press Conference on 29 November 2012.

In the meantime, the discussion continues. Next week in Brussels, three separate conferences will address important issues around the feasibility of certain provisions in the EU’s proposed regulation (TRUSTe will be participating in two of these events):

  • The EU E-Commerce Conference will discuss the impact of these proposals on e-commerce. On Wednesday, November 14th, TRUSTe’s Danilo Labovic will present research on consumer perceptions of privacy regulations – and how those perceptions can impact your business (for more details, click here).
  • The European Child Online Safety Conference will explore how the proposed reg will impact children’s privacy – and the delicate balance that regulators must strike between empowering young users and providing their parents with the necessary tools to monitor children’s online activities.
  • The IAPP Data Protection Congress, with attendance by EU and US regulators, as well as CPOs and privacy practitioners from companies all over the world, will look at several topics – from certification to enforcement – under the proposed reg. On Thursday, November 15th, I’ll be speaking on a panel exploring the role of third parties, such as accountability agents, in certification and data protection. The panel will be moderated by Florence Raynal of France’s CNIL, and we will also be joined by Jean Gonie, head of EMEA Privacy for Microsoft. Further details are available here.