Proposal made for sweeping data protection in EU 

The European Commission proposed sweeping reforms Wednesday to protect the confidentiality of personal data online including a "right to be forgotten," which would let people have information about themselves deleted if there was no legitimate reason to retain it.

The Commission said the proposal would safeguard people's privacy and save companies money, but some business interests have already said they will lobby for changes.

If the directive is ultimately adopted, it would update one from 1995, when fewer than 1 percent of Europeans used the internet. To take effect, it needs the approval of the European Council — the 27 European Union heads of government — as well as the European Parliament.

The "right to be forgotten" could greatly enhance the rights of people who use social media sites, which sometimes take down photos and posts at a user's request but retain the information instead of deleting it.

The commission, which is the EU's executive branch, cited the case of Max Schrems, 24-year-old Austrian law student who asked Facebook to send him a record of his personal data from three years of using the site. What he received was 1,222 pages of information — including chats he had deleted more than a year earlier, "pokes" dating back to 2008, invitations to which he had never responded, and hundreds of other details.

For businesses, the primary attraction of the proposal is that they would have just one set of rules to follow rather than 27 different sets, one for each country in the European Union. And they would report to only one data protection authority.

EU Justice Commissioner Viviane Reding, who outlined the proposal Wednesday, said that would save businesses about euro2.3 billion ($2.98 billion) a year.

Personal information covered by the proposal would include names, photographs, email addresses, bank details, social networking posts, medical information, and various other data.

"The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in control of their personal data," Reding said.

Reding said many Europeans fear their personal data could be misused, and she argued that, if public trust improved, internet businesses would grow significantly.

But representatives of internet business interests complained that, while the proposal would eliminate the red tape involved in dealing with 27 different data protection authorities, it added new requirements that would be expensive and burdensome, which could inhibit growth in the digital sector.

"The Commission's proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store and manage information," said Thomas Boue, Director of European Affairs for the Business Software Alliance. Members of the alliance include Microsoft, McAfee, Adobe, Intel and other internet giants.

"The risk in the proposal's current design is that it will bog down companies with onerous compliance requirements, which could inhibit digital innovation at the expense of job creation and growth."

Wim Nauwelaerts, a Brussels-based legal expert, said the "right to be forgotten" was unclear and would be difficult to implement. Would companies have to delete information only from their own servers and databases or would they also have to try to find other places on the internet to which the information had spread, he asked.

Companies dealing with personal data would face various other mandates, including:

— An obligation to notify national authorities and the individuals involved of serious data breaches as soon as possible, within 24 hours if feasible.

— A requirement to get explicit rather than assumed consent for personal data to be processed.

— An obligation to allow people easier access to their personal data and the ability to transfer their personal data more easily from one service provider to another.

Businesses with fewer than 250 employees would be exempted from some of the requirements, such as the need to appoint a data protection officer.

Breaches of the rules could be punished by fines of up to euro1 million ($1.3 million) or up to 2 percent of the annual revenues of the company.

Gary Clark, an expert with the internet security company SafeNet, said the proposed regulation is needed. "The proposed regulation will give consumers more control over their privacy and will force organizations to reconsider how private data is being handled and stored," he said.

The directive would take effect two years after its adoption.


Raphael Satter in London contributed to this report. Don Melvin can be reached at


Full text of the proposal:

Pin It

Speaking of...

More by The Associated Press

Latest in Nation

© 2018 The San Francisco Examiner

Website powered by Foundation