In January 2012, the European Commission (EC) released a sweeping set of proposals meant to protect privacy in the European Union in the Internet age. But in recent months, the proposed new regulation, which would update a key 1995 data protection directive, has come under criticism by organizations including a United Kingdom parliamentary body and a key European Union (EU) agency.
Both the U.K.’s Ministry of Justice and the EU’s European Network and Information Security Agency (ENISA) have released reports criticizing some main components of the regulation, which is meant to both upgrade privacy protections and harmonize data security laws throughout the EU. Both have sharply criticized one provision, often called the “right to be forgotten,” which lets users tell companies to delete personal data; they have said that it’s highly unrealistic in the modern technological environment. The U.K. has also said the proposed changes, which include significantly higher penalties for data privacy violations, would be too expensive and also generate excessive confusion.
These and other parties have also criticized other components of the new regulation, including a requirement that companies report any data breach within 24 hours. The regulation, which many say should be finalized by 2014 and go into effect two years later, would apply to both EU companies and any companies doing business with EU citizens.
ENISA, like many other organizations and governments, has called it imperative to update the continent’s data protection rules. But in a recent report, one main criticism was that “the right to be forgotten” is “generally impossible” in today’s open Internet environment. It also concluded that “there is a further need for clear definitions and legal clarifications.”
On the Internet, anyone can copy data and store it elsewhere, ENISA stated, and data can be hard to locate. The report also mentioned possible conflicts in cases where more than one person owns data; examples include a shared photo, or a blog writer who quotes a tweet from someone else. The issue could also grow complex when data is in the public interest.
The U.K. ministry report agreed about the right to be forgotten, and said the regulation in its current form, which when passed by the EU would then become law in all 27 countries, is overly constraining as well as confusing and unrealistic. “The Commission needs to go back to the drawing board and devise a regime which is much less prescriptive,” it said.
The committee took particular aim at the EC’s claim that harmonizing laws would result in considerable cost savings. The EC has estimated that the regulation would save 2.3 billion euros annually by reducing administrative, legal, and other costs. The committee, however, says that, due to costs, including increased regulatory expenditures and fines, the total cost in the U.K. by 2016-2017 would be about 200 million pounds annually. “The U.K. government is seriously concerned about the potential economic impact of the proposed data protection regulation,” stated Justice Minister Helen Grant in a written statement. “At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States. It is difficult therefore to justify the extra red-tape and tick box compliance that the proposal represents.”
One large part of the committee’s cost estimate includes a new rule in which companies could be fined up to two percent of annual revenue for a data privacy rule violation. The ministry said that the Commission had underestimated the cost of the fines because it projected that only about 1,000 additional breaches would be reported annually to supervisory authorities. The ministry estimates that the true number would be far higher. The committee also said nations should have “more discretion” over the penalties.