CCIA's Response To EC's Data Protection Proposal

BY CCIA Staff
January 26, 2012
Yesterday the European Commission released their proposal for a new data protection law for the European Union. While CCIA is glad to see the EU working on updating the old Data Protection Directive from 1995, there are some aspects of the proposal that are serious cause for concern and we believe must be addressed if the new regulation is going to be an effective balance between the privacy rights of users and the innovation that drives new business on the Internet.
A few of our biggest concerns have to do with a blanket opt-in requirement, the concept of a “right to be forgotten,” and a 24 hour notice requirement in cases of data breaches. These elements have the potential to seriously disrupt expected web browsing experiences, place wildly disproportionate burdens on data collectors, or present a serious conflict with freedoms of expression.
The first large concern with the new regulation is the requirement for express authorized consent before any collection of data from users. Often referred to as “opt-in” consent (as opposed to opt-out consent), this approach can be appropriate in some circumstances. For example, when dealing with sensitive information related to health, religion, sexual orientation, or a number of other categories, explicit consent is the most careful and appropriate policy.
In other cases, however, opt-in consent is simply overkill. Web servers must collect some amount of information from a user, such as the IP address of the user’s computer, in order to respond to requests. Similarly, many web sites use tools called analytics that anonymously observe how users navigate through the site, in order to make modifications that help everyone. These uses, and many like them, pose little to no privacy threat. Presenting users with a description of the minor collection and asking for permission is more likely to be confusing than truly protective of privacy, and may lead some users to disregard privacy notices in general because they presume them to be minor.
The proposed requirement to provide notice to the national supervisory authority within 24 hours of a breach is also a serious concern. We believe that breach notification is essential to protect consumers against identity theft and to act as an incentive to ensure security of important systems. The fact is, however, that just 24 hours after a breach is discovered, the legal and security teams of the breached organization are still working to answer important questions. Forcing those teams to submit official government documents simply halts whatever mitigation or investigation processes are ongoing. More importantly, it is likely that they will simply not have all the information yet. The supervisory authorities would receive partial information that would have to be supplemented by later notifications in most cases anyway.
Finally, there are fundamental problems with the concept known as the “right to be forgotten.” These problems are both practical and philosophical. Practically, the proposal requires that a controller reach out to any other third parties that also have that data to force them to erase the data as well. While simple sounding, this would be an incredible undertaking. It would require a controller to keep detailed logs about every single party that downloads every piece of data available on a server, including some form of contact information for that party, and store it for as long as that data exists. Philosophically, a “right to be forgotten” runs counter to rights of free expression as laid down in Article 11 of the EU Charter on Fundamental Rights and the First Amendment to the United States Constitution. While Article 17(3) of the proposal attempts to create an exemption for this important right, it is vague enough, and the penalties for violation so incredibly severe, as to give any data controller pause over refusing a data erasure request on those grounds.
Overall, these issues pose such problems that we strongly encourage the Counci and the European Parliament to revisit the new proposal with an eye toward the consequences of the language chosen and to work with all stakeholders to reach a proposal that both protects consumers and preserves innovation. We look forward to working with both of them toward that end.

Related Articles

CCIA Encouraged By Second Meeting of EU-U.S. Trade & Technology Council

May 16, 2022

Brussels, BELGIUM — EU and U.S. diplomats met in Paris on May 15-16 for the second meeting of the EU-U.S. Trade & Technology Council. Leadership discussed ongoing strategies for strengthening the transatlantic partnership and to address global trade challenges, with a particular focus on transatlantic response to the Russian invasion of Ukraine. The two sides…

Foreign Subsidies: CCIA Offers Recommendations Ahead of Final Negotiations

May 4, 2022

Brussels, BELGIUM — Today, EU Member States and the European Parliament agreed their respective positions on the EU foreign subsidies proposal, clearing the way for negotiations on adopting the final legislation. The Computer & Communications Industry Association (CCIA Europe) acknowledges the swift progress on this complex file and offers recommendations to the EU institutions to…