CCIA's Response To EC's Data Protection Proposal

BY CCIA Staff
January 26, 2012
Yesterday the European Commission released their proposal for a new data protection law for the European Union. While CCIA is glad to see the EU working on updating the old Data Protection Directive from 1995, there are some aspects of the proposal that are serious cause for concern and we believe must be addressed if the new regulation is going to be an effective balance between the privacy rights of users and the innovation that drives new business on the Internet.
A few of our biggest concerns have to do with a blanket opt-in requirement, the concept of a “right to be forgotten,” and a 24 hour notice requirement in cases of data breaches. These elements have the potential to seriously disrupt expected web browsing experiences, place wildly disproportionate burdens on data collectors, or present a serious conflict with freedoms of expression.
The first large concern with the new regulation is the requirement for express authorized consent before any collection of data from users. Often referred to as “opt-in” consent (as opposed to opt-out consent), this approach can be appropriate in some circumstances. For example, when dealing with sensitive information related to health, religion, sexual orientation, or a number of other categories, explicit consent is the most careful and appropriate policy.
In other cases, however, opt-in consent is simply overkill. Web servers must collect some amount of information from a user, such as the IP address of the user’s computer, in order to respond to requests. Similarly, many web sites use tools called analytics that anonymously observe how users navigate through the site, in order to make modifications that help everyone. These uses, and many like them, pose little to no privacy threat. Presenting users with a description of the minor collection and asking for permission is more likely to be confusing than truly protective of privacy, and may lead some users to disregard privacy notices in general because they presume them to be minor.
The proposed requirement to provide notice to the national supervisory authority within 24 hours of a breach is also a serious concern. We believe that breach notification is essential to protect consumers against identity theft and to act as an incentive to ensure security of important systems. The fact is, however, that just 24 hours after a breach is discovered, the legal and security teams of the breached organization are still working to answer important questions. Forcing those teams to submit official government documents simply halts whatever mitigation or investigation processes are ongoing. More importantly, it is likely that they will simply not have all the information yet. The supervisory authorities would receive partial information that would have to be supplemented by later notifications in most cases anyway.
Finally, there are fundamental problems with the concept known as the “right to be forgotten.” These problems are both practical and philosophical. Practically, the proposal requires that a controller reach out to any other third parties that also have that data to force them to erase the data as well. While simple sounding, this would be an incredible undertaking. It would require a controller to keep detailed logs about every single party that downloads every piece of data available on a server, including some form of contact information for that party, and store it for as long as that data exists. Philosophically, a “right to be forgotten” runs counter to rights of free expression as laid down in Article 11 of the EU Charter on Fundamental Rights and the First Amendment to the United States Constitution. While Article 17(3) of the proposal attempts to create an exemption for this important right, it is vague enough, and the penalties for violation so incredibly severe, as to give any data controller pause over refusing a data erasure request on those grounds.
Overall, these issues pose such problems that we strongly encourage the Counci and the European Parliament to revisit the new proposal with an eye toward the consequences of the language chosen and to work with all stakeholders to reach a proposal that both protects consumers and preserves innovation. We look forward to working with both of them toward that end.

Related Articles

CCIA Encouraged As Bill Aimed At Boosting Interoperability, Efficiency In Government Software Licensing Advances From Committee

Sep 28, 2022

Washington – The Computer & Communications Industry Association applauded the Senate Homeland Security and Governmental Affairs Committee for advancing legislation that would promote interoperability and efficiency in federal software procurement. The bill, “Strengthening Agency Management and Oversight of Software Assets Act” (SAMOSA, S. 4908), sponsored by Senator Gary Peters (D-Mich.) and Senator Bill Cassidy (R-La.),…

Product and AI Liability: Updating EU Rules for Digital Age Requires Balanced Approach

Sep 28, 2022

Brussels, BELGIUM — Today, the European Commission presented its new Artificial Intelligence (AI) Liability Directive and proposed a revision of the EU Product Liability Directive (PLD). With these initiatives the Commission wants to bring Europe’s product liability regime and consumer protection into the digital era. The Computer & Communications Industry Association (CCIA Europe) commends the…

European Media Freedom Act: Fight Against Disinformation and Illegal Content Requires Balanced Relationship Between Media and Online Platforms

Sep 16, 2022

Brussels, BELGIUM — The European Media Freedom Act presented by the European Commission earlier today seeks to introduce new rules to safeguard the independence and pluralism of Europe’s media. The “must-carry” obligation included in the proposal, however, could be abused to force social media and other online platforms to spread disinformation or illegal content, the…