Internet users in the European Union will benefit from greater control over their personal data if new proposals to reform the Data Protection Directive are implemented.
The European Commission on Wednesday presented sweeping changes to the old regulation, which dates from the pre-Internet Age.
The right to be forgotten is a significant step forward for online consumers in controlling who has access to their personal information. According to a Eurobarometer survey last year, only 26 percent of social network users and 18 percent of online shoppers feel in complete control of their data.
Under the new proposals, if a consumer asks for their information to be deleted and there is no legitimate grounds for retaining it, companies must comply or face a hefty fine. The new law would also simplify this procedure for consumers as their own national data protection authority would become their “one-stop-shop” for any complaints regardless of where the company is based.
Consumers must also be notified as soon as possible if there is any security breach that puts their information at risk. In practice this should be within 24 hours, said Commissioner Viviane Reding.
The rules would also enshrine a user’s right to data portability. For example social networks and photo sharing websites allow people to store hundreds of photos, but if a user wishes to move these photos to a new service provider, the original company must comply where technically possible. “Users should not be bound to one provider simply because it is inconvenient for them to move their data,” said the Commission.
Facebook said: “We welcome Vice President Reding’s view that good regulation should encourage job creation and economic growth rather than hindering it, and look forward to seeing how the E.U. Data Protection Directive develops in order to deliver these two goals while safeguarding the rights of internet users.”
The legislative proposals also take into account the special case of minors saying: “Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights.”
Before processing personal data, companies must obtain explicit and free consent. “In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment,” says the proposal. In practice this would mean that for example, an employer could not demand information from employees under the threat of losing their job.
Christian Toon, head of information security for Iron Mountain Europe, believes that the proposed regulation is good news for customers and should galvanize businesses to undertake a more critical review of their existing information management and security policies. “Many businesses of all sizes are falling short of what is required to manage information responsibly. In today’s increasingly scrutinized business environment, the lack of a solid and legally compliant information management policy is inexcusable. Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation,” said Toon.
European consumer advocacy group BEUC welcomed the proposed legislation.
Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to jennifer_baker@idg.com.