January 26, 2012
Yesterday the European Commission released their proposal for a new data protection law for the European Union. While CCIA is glad to see the EU working on updating the old Data Protection Directive from 1995, there are some aspects of the proposal that are serious cause for concern and we believe must be addressed if the new regulation is going to be an effective balance between the privacy rights of users and the innovation that drives new business on the Internet.
A few of our biggest concerns have to do with a blanket opt-in requirement, the concept of a “right to be forgotten,” and a 24 hour notice requirement in cases of data breaches. These elements have the potential to seriously disrupt expected web browsing experiences, place wildly disproportionate burdens on data collectors, or present a serious conflict with freedoms of expression.
The first large concern with the new regulation is the requirement for express authorized consent before any collection of data from users. Often referred to as “opt-in” consent (as opposed to opt-out consent), this approach can be appropriate in some circumstances. For example, when dealing with sensitive information related to health, religion, sexual orientation, or a number of other categories, explicit consent is the most careful and appropriate policy.
In other cases, however, opt-in consent is simply overkill. Web servers must collect some amount of information from a user, such as the IP address of the user’s computer, in order to respond to requests. Similarly, many web sites use tools called analytics that anonymously observe how users navigate through the site, in order to make modifications that help everyone. These uses, and many like them, pose little to no privacy threat. Presenting users with a description of the minor collection and asking for permission is more likely to be confusing than truly protective of privacy, and may lead some users to disregard privacy notices in general because they presume them to be minor.
The proposed requirement to provide notice to the national supervisory authority within 24 hours of a breach is also a serious concern. We believe that breach notification is essential to protect consumers against identity theft and to act as an incentive to ensure security of important systems. The fact is, however, that just 24 hours after a breach is discovered, the legal and security teams of the breached organization are still working to answer important questions. Forcing those teams to submit official government documents simply halts whatever mitigation or investigation processes are ongoing. More importantly, it is likely that they will simply not have all the information yet. The supervisory authorities would receive partial information that would have to be supplemented by later notifications in most cases anyway.
Finally, there are fundamental problems with the concept known as the “right to be forgotten.” These problems are both practical and philosophical. Practically, the proposal requires that a controller reach out to any other third parties that also have that data to force them to erase the data as well. While simple sounding, this would be an incredible undertaking. It would require a controller to keep detailed logs about every single party that downloads every piece of data available on a server, including some form of contact information for that party, and store it for as long as that data exists. Philosophically, a “right to be forgotten” runs counter to rights of free expression as laid down in Article 11 of the EU Charter on Fundamental Rights and the First Amendment to the United States Constitution. While Article 17(3) of the proposal attempts to create an exemption for this important right, it is vague enough, and the penalties for violation so incredibly severe, as to give any data controller pause over refusing a data erasure request on those grounds.
Overall, these issues pose such problems that we strongly encourage the Counci and the European Parliament to revisit the new proposal with an eye toward the consequences of the language chosen and to work with all stakeholders to reach a proposal that both protects consumers and preserves innovation. We look forward to working with both of them toward that end.