E.U. Debates Which Nation Will Regulate Web Privacy
E.U. Debates Which Nation Will Regulate Web Privacy
By MARK SCOTTMAY 26, 2014
LONDON — The new European Parliament that was voted into office over the weekend, despite having a different political makeup, is widely expected to reach a final agreement this year on stricter online privacy rules that have long been in the works.
The rules, which have been discussed since 2012, would be stricter than those in the United States. They would create one law across the European Union to protect several aspects of online privacy, which is enshrined as a fundamental right in Europe, including restrictions on what information could be shipped overseas. And they would impose multimillion-dollar fines on any company that misuses Europeans’ data.
Still, a crucial question remains: Which European regulator will have the final say in enforcing the rules?
Under the proposals, companies will be able to operate throughout the region if they fulfill the requirements — and the interpretation — of European rules from only one country’s privacy authority. Companies currently must comply with the regulator in each of the 28 countries in the union in which they operate.
Lawmakers in favor of the proposals say that leaving the oversight with one country’s office gives companies more clarity about the rules. But consumer groups in Europe have warned that if the current proposal stands, technology companies — including American giants like Microsoft, Amazon and Google — could set up shop in the European country with the most lenient interpretation of data privacy.
“This issue has become more political than technical,” said Raegan MacDonald, European policy manager for the digital rights group Access in Brussels. “Who gets to decide on these matters is very important.”
The legislation is expected to be completed in the first half of next year. It has gained momentum since the revelations from Edward J. Snowden, the former National Security Agency contractor, about the spying activities of American and British intelligence agencies. Before the rules go into effect, though, each country in the union must reach a final agreement with the European Commission, the union’s executive arm, and the European Parliament.
The proposals build on existing rules from the 1990s, providing citizens with greater control over what data is collected, where it is kept, and which companies and governments have access to it. The rules also restrict what information can be sent to countries that do not replicate Europe’s data protection laws.
To police the new rules, international companies with European customers — even if they do not have offices in the region — would have to comply with the controls or face fines totaling 2 to 5 percent of their global revenue, or $137 million, whichever is greater.
“The reforms in Europe will affect companies’ global operations,” said Wim Nauwelaerts, a data protection partner at the law firm Hunton & Williams in Brussels. “The fines are Europe’s big stick to ensure people take this seriously.”
Faced with the prospect of tougher privacy rules, companies like Facebook and eBay have lobbied hard since the proposals were first outlined to limit the legislation’s impact, saying that Europe was creating strict laws that make it difficult for companies to invest in the region’s lackluster economy.
Industry groups have raised fears that the new laws would add extra costs, because companies must explicitly tell consumers on a regular basis how their data is used, and limit what information is sent to countries that do not comply with Europe’s privacy rules. Yet companies have supported giving one regulator sole control over interpreting European rules. That, they say, adds regulatory certainty because companies will be responsible to just one authority across the region.
“We’re concerned that the new rules will remain as fragmented as they are today, but it will cost more to comply,” said John Higgins, director general of Digital Europe, a trade body in Brussels whose members include Microsoft and Apple.
Some national governments, however, have balked at these changes. Countries like Germany believe their domestic privacy rules, which are some of the most stringent in the world, may be watered down if other regulators gain greater control.
European lawmakers also have criticized the rules because citizens may not have the money, or even the language skills, to bring complaints against companies in other European countries.
Already, questions about who monitors and regulates online privacy are bubbling to the surface. Two weeks ago, the union’s highest court ruled that people could demand that Google take down links to information about them on the Internet.
This so-called right to be forgotten, which is an important part of Europe’s new data protection legislation, allows individuals — European Union citizens and others — to force global tech companies to remove links to their past activities, as long as people are not deemed to be public figures like celebrities or politicians.
Analysts say the legal decision will force Google and other search companies to field a wave of requests that online links be taken down. But the ruling must be carried out by data privacy regulators at 28 different agencies across the union, which could lead to jurisdiction-shopping.
“Data protection can’t survive on a national level,” said Peter Schaar, a former federal data protection commissioner in Germany. “We need to have an international approach.”
If the final privacy decisions will eventually rest with an individual regulator, many consumer groups expect Ireland to become the de facto arbiter on privacy matters for the union. Many American technology companies are based in Ireland because of low tax rates, and digital rights advocates say that Ireland is already known for taking a more moderate view on online privacy issues than are regulators in places like Germany and France.
Others have called on individual countries’ regulators to continue to play a role by acting as intermediaries between individuals and the privacy authority that holds the main responsibility for policing each company. That, industry lobbyists say, may lead to national regulators’ continuing to vie for control over privacy matters, despite regulatory efforts to make it easier to deal with individual complaints.
Whatever the outcome, European politicians say their policies will have more bite than the current rules — as well as those on the books in the United States.
“Lobbyists need to understand that we’re creating a global digital standard,” said Jan Philipp Albrecht, a German politician and a leading supporter of the new privacy rules. “This is important for all of our citizens.”