Policy Bites: EU Commission’s Proposed Data Protections

On the 25th of January 2012, the European Commission published a set of proposals relating to data protection. The proposals are not law and will not be law unless agreed by the members of the European Union, but if they are agreed, they will make large changes to the balance of power between EU citizens and all companies, giving greater power to the former and increased duties to the latter.

These complex proposals are intended to achieve a number of aims, which include:

  • Giving EU citizens greater rights over data about them, by:
    • Requiring companies to be more explicit about what they are going to do with data when they ask for consent
    • Providing access to users’ data
    • Providing a ‘right to be forgotten’, i.e. a duty on companies to delete user data if the user chooses
  • Clarifying the responsibilities of companies by:
    • Harmonising data protection rights across the EU
    • Allowing companies to work with the authority in the country in which they have their main EU base (rather than in every country in which they operate)
    • Increasing penalties on companies that breach the rules (up to €2 million or 2% of global turnover)
    • Requiring companies to notify users of a data breach within 24 hours
    • Requiring companies with more than 250 employees to have a designated Data Protection Officer
    • Strengthening the duties on companies in non-EU States, i.e. when dealing with European citizens’ data, the above duties apply to companies wherever they are based

Industry Impact

Computer Games

Games increasingly have an online component either in the game itself or through the distribution of game software, patches etc. This means that more and more games companies are collecting user data, and thus will be impacted by these proposals should they be made law.

While computer games may still be seen as a fringe activity by some of the media, the EU Commission is certainly taking notice. In the proposal communication document they state on page 5:

“Hackers attacked a gaming service which targets users in the EU. The breach affected databases containing personal data (including names, addresses and possibly credit card data) of tens of millions of users worldwide. The company waited for a week before notifying the users concerned.

The reform of the EU’s data protection rules will ensure this could no longer happen.”

Social Media

Social media may present a more complex case than computer games. By their nature, social media sites have personal data at their heart. However, social media also allows individuals to upload data about each other and intertwine those data, meaning that the ‘right to be forgotten’ seems unclear at this point.

Biometric & Location data

The directive makes specific reference to ‘location data’, ‘physical identity’ and ‘genetic identity’, which means any company that is gathering and/or using one or more of these should keep a close eye on how the regulations take shape.

EU Proposal in detail

The details of the EU Proposal are contained in a set of documents released in January 2012. Key among these is the proposed directive itself, the main Articles of which are as follows:

A12(1) ‘Right of access for the data subject’: people have the right to find out about the data companies hold about them
A12(2) ‘People also have the right to have a copy of the data’: this is intended to make it easier to move between services
A15 ‘Right to rectification’: people have the right to correct data about them
A16 ‘Right to erasure’: people have the right to get a company to erase data about them ‘without delay’
A28 ‘Notification of personal data breach’: if a company is hacked and personal data is lost, people must be informed within 24 hours
A33-34 ‘Transfer of personal data to third countries or international organisations’: the EU rules apply to any company that holds data on EU citizens

tVPN Comment

While the proposed regulations bring the online world closer to the EU’s vision of human rights, they are likely to come as an unwelcome surprise to companies in the EU and a shock to those outside.

The difficulty, as with all such regulations, is going to be in the detail. While the Commission explicitly talks about social media and games, it is unclear what the rights to be forgotten and data portability are going to mean in practice. How will the rights of someone to say something about an individual sit with that person’s right to be forgotten? Will one’s social network be seen as part of one’s data that is transferred between services – if not, how effective is the right? And how much of this will extend into the world of game characters, achievements, scores etc.?
