CCIA's Response To EC's Data Protection Proposal

January 26, 2012
Yesterday the European Commission released their proposal for a new data protection law for the European Union. While CCIA is glad to see the EU working on updating the old Data Protection Directive from 1995, there are some aspects of the proposal that are serious cause for concern and we believe must be addressed if the new regulation is going to be an effective balance between the privacy rights of users and the innovation that drives new business on the Internet.
A few of our biggest concerns have to do with a blanket opt-in requirement, the concept of a “right to be forgotten,” and a 24-hour notice requirement in cases of data breaches. These elements have the potential to seriously disrupt expected web browsing experiences, place wildly disproportionate burdens on data collectors, or present a serious conflict with freedoms of expression.
The first large concern with the new regulation is the requirement for express authorized consent before any collection of data from users. Often referred to as “opt-in” consent (as opposed to opt-out consent), this approach can be appropriate in some circumstances. For example, when dealing with sensitive information related to health, religion, sexual orientation, or a number of other categories, explicit consent is the most careful and appropriate policy.
In other cases, however, opt-in consent is simply overkill. Web servers must collect some amount of information from a user, such as the IP address of the user’s computer, in order to respond to requests. Similarly, many web sites use tools called analytics that anonymously observe how users navigate through the site, in order to make modifications that help everyone. These uses, and many like them, pose little to no privacy threat. Presenting users with a description of the minor collection and asking for permission is more likely to be confusing than truly protective of privacy, and may lead some users to disregard privacy notices in general because they presume them to be minor.
The proposed requirement to provide notice to the national supervisory authority within 24 hours of a breach is also a serious concern. We believe that breach notification is essential to protect consumers against identity theft and to act as an incentive to ensure security of important systems. The fact is, however, that just 24 hours after a breach is discovered, the legal and security teams of the breached organization are still working to answer important questions. Forcing those teams to submit official government documents simply halts whatever mitigation or investigation processes are ongoing. More importantly, it is likely that they will simply not have all the information yet. The supervisory authorities would receive partial information that would have to be supplemented by later notifications in most cases anyway.
Finally, there are fundamental problems with the concept known as the “right to be forgotten.” These problems are both practical and philosophical. Practically, the proposal requires that a controller reach out to any other third parties that also have that data to force them to erase the data as well. While simple-sounding, this would be an incredible undertaking. It would require a controller to keep detailed logs about every single party that downloads every piece of data available on a server, including some form of contact information for that party, and store it for as long as that data exists. Philosophically, a “right to be forgotten” runs counter to rights of free expression as laid down in Article 11 of the EU Charter on Fundamental Rights and the First Amendment to the United States Constitution. While Article 17(3) of the proposal attempts to create an exemption for this important right, it is vague enough, and the penalties for violation so incredibly severe, as to give any data controller pause over refusing a data erasure request on those grounds.
Overall, these issues pose such problems that we strongly encourage the Council and the European Parliament to revisit the new proposal with an eye toward the consequences of the language chosen and to work with all stakeholders to reach a proposal that both protects consumers and preserves innovation. We look forward to working with both of them toward that end.
