Facebook hasn’t exactly had smooth relations with Europe. In September it had to turn off facial recognition in the EU, and then there’s the whole Europe vs Facebook transparency project kicked off by an Austrian law student who asked Zuck and co to send him everything they had on him — inspiring fellow users to flood Facebook with demands for their data. But operating conditions for Facebook in Europe look set to get a whole lot tougher if the European Commission’s proposals for comprehensive reform of EU Data Protection law come into full effect in the next few years.
The proposals were unveiled back in January by EU Justice Commissioner Viviane Reding. A large plank of the strategy is aimed at harmonizing data protection rules across the EU — which arguably will be a boon to businesses, certainly to startups, who are unlikely to have the resources to comply with multiple legal regimes across all the different EU Member States. But the EC also wants to give EU citizens more control over their data, including granting people the right to have data that companies and organisations hold on them deleted on request (a so-called ‘right to be forgotten’), and a right to have their data ported to another service. Data holders must also notify service users of serious data breaches — “if feasible within 24 hours”.
The new rules will apply to any companies and organisations processing EU citizens’ data, even if they are entirely based outside the EU. To enforce the new rules, the EC is proposing to strengthen independent national data protection authorities — including giving them the ability to fine companies up to €1 million ($1.27 million) or up to 2 percent of their global annual turnover for violating the EU data protection rules.
Little wonder Facebook is lobbying the Commission hard on key portions of the proposals. Facebook has a team of lobbyists based in Brussels who, it confirmed to TechCrunch, are talking to the EC about the proposed Data Protection Directive. The right to be forgotten is an obvious sticking point for the social network, which has built a billion-dollar business by encouraging people to share their personal data with others.
Speaking yesterday at a conference on digital privacy taking place in London, Facebook’s Simon Milner, director of public policy in the UK and Ireland, said: “The right to delete your online data is an important one, the right to erasure is a key principle. However, the right to be forgotten… raises many concerns with regard to the right of others to remember and to freedom of expression. It is important this can be implemented in practice, but as drafted the current proposal risks introducing measures which are both unreasonable and unrealistic.
“In terms of the deletion of data that has been copied onto another service, we think this obligation would be unreasonable, and simply not feasible for services like Facebook and others… it would fundamentally change how the Internet works. We’ve urged policy makers to consider fully the implications on… freedom of expression and finding the right balance on different uses of the Internet.”
Facebook also provided TechCrunch with the following statement:
The revision of Europe’s Data Protection framework is an important opportunity to develop regulation that both protects privacy and supports the creation and growth of modern services over the global Internet. We welcome the move towards more harmonization of Data Protection laws in the EU which will help create legal certainty and confidence for companies to operate.
At Facebook privacy is at the core of everything that we do. Throughout the process of developing our products, we have dedicated privacy experts working with our engineers to ensure that the products are built taking into account any privacy implications and we recently established a dedicated data protection team in Ireland. We will continue to work closely with politicians and regulators in the EU in order to share our experience and expertise to contribute to achieving sound privacy regulation and a thriving digital sector.
Giving a speech late last month, Commissioner Reding hinted at some of the corporate kick-back the proposals are receiving — but also signalled she is unlikely to be swayed by the Facebook (and doubtless Google) lobby:
… on the question of the possible administrative burden for companies: I have made concrete proposals to reduce this further. One of our main objectives with the Regulation is to greatly simplify the legal environment for EU business and lead to potential savings of around 2.3 billion EUR per year. A single set of rules is good for competitiveness, good for big business, good for SMEs. Our goal is certainly not to impose a bigger burden, and that is why SMEs are already exempt from some requirements, like having a Data Protection Officer. It has never been the Commission’s intention to apply the same rules to the small hairdresser as to a multinational;
I have today told Member States that the Commission is prepared to look at whether this SME exemption could be broadened to other areas and that we can also look to add further flexibility through an approach that takes into account the amount and sensitivity of the data processed. But let’s be frank: we should not fall into the trap of some lobbyists expressing concerns for SMEs but in fact referring to provisions relevant for large multinational firms.
An EC spokeswoman told TechCrunch that discussions in the European Parliament and the Council on the directive are “progressing well”, adding: “The European Parliament will publish its report early next year and the Irish EU presidency aims to achieve political agreement by the end of its presidency (summer 2013).”
It would take a further two years after the proposals had been adopted for the directive to take effect.