The European Union (EU) has enacted tough new laws that will tighten up the use of personal data by organizations operating within the EU.
The new framework, which was agreed upon yesterday, comes at the same time the privacy regulator in Belgium announced legal action against Facebook. Facebook allegedly tracked non-Facebook users across the EU through cookies and third party sites.
The European Council — the EU’s governing body — noted in a statement that all members had reached an agreement on general data protection regulations, which the EU hopes to introduce by year’s end.
The twin aims are to enhance the level of personal data protection for individuals and to increase business opportunities in the Digital Single Market.
“Personal data must be collected and processed lawfully under strict conditions and for a legitimate purpose. Data controllers (those responsible for the processing of data) must respect specific rules, such as the requirement for unambiguous consent by the data subject (the individual whose personal data is being processed), in order to be allowed to process personal data,” the statement notes.
The EU wants to give citizens more control by:
- Offering them easier access to their data
- Providing more detailed information about what happens their data once they decide to share it
- Strengthening data protection rights give data subjects more control over their personal data
- Rigorously enforcing the ‘right to be forgotten principal’
- Limiting the automatic processing of personal data including performance at work, health and economic status
“EU laws are now lagging behind the pace of technologies and business practices. Our personal data is collected, then used and transferred in ways most consumers are oblivious to. An appropriate update must put control of personal data back in the hands of European consumers,” Monique Goyens, director general of the European Consumer Organization said.
No Agreement Yet
However, according to Carsten Casper, Managing VP for Privacy and Digital Workplace Security at Gartner Europe, a full agreement is far from complete.
“All they did was decide on a roadmap how to reach consensus for that upcoming EU General Data Protection Regulation. It is a long political process, which will hopefully result in a new law at the end of the year, but even that is not guaranteed,” he told CMSWire.
“Reactions along the legislative process have been mixed with some saying the draft of the new law is too strict (consumer-friendly) whereas others say it is too weak (business-friendly).”
He added that until the actual regulations are enacted it would be impossible to assess their impact on the industry.
The proposal would take the regulation of some matters out of the hands of national regulators in countries including Ireland and France.
While many vendors using data-heavy applications have expressed reservations about any such regulations, they have not issued any public statements.
However, given that it offers ordinary citizens the power to sue companies that own data as well as those that process it on their behalf — including cloud computing providers — it will affect a number of vendors.
Facebook vs. Belgium
Google is already in the wars with European regulators. And later this week Facebook is heading to court over allegations raised by the Belgian Privacy Commission. That investigation concluded that Facebook was in breach of privacy regulations. It noted:
“Facebook monitors its users in a variety of ways, both off and on Facebook. While Facebook provides users with high-level information about its tracking practices, we argue that the collection or use of device information envisaged by the 2015 DUP does not comply with the requirements of article 5(3) of the e-Privacy Directive, which requires free and informed prior consent before storing or accessing information on an individual’s device."
Facebook disputes the allegations.
It is unlikely that the case will make very much progress on Thursday, but it is a case that it’s likely to create a stir on both sides of the Atlantic.