EU Harmony. In January 2012, the EU announced proposed
reforms to its 1995 data protection rules in order to further strengthen online
privacy rights and regulate the enormous growth of data collection and
processing over the internet in this age of mobile and social computing, the
Internet of Things, Big Data and related analytics. In short, these reforms proposed:
- a single set of rules to apply across the EU and
its administration by a single national data authority within the home EU
country with the power to impose fines for non-compliance.
- In addition, EU people will have greater privacy
rights, including the “right to be forgotten” and the “right to port their
data” across service providers.
- EU rules would apply in cross-border transactions
for companies in non-EU countries handling services to EU citizens. Any serious data breaches would have to
be reported to authorities as soon as feasible within 24 hours. Additional costs would be incurred by
businesses.
Since then, some EU member
nations, major tech companies and other countries have criticized the proposal
as being too restrictive and a burdensome expense for (especially small)
companies. Nevertheless, the EU
continues to move forward, with an amended draft likely later this
year with the objective of implementing a Regulation governing its member
nations in 2014.
American Federalism: A Hodge Podge. In contrast, American
federal laws (see https://www.cdt.org/privacy/guide/protect/laws.php)
are generally weaker than European and other countries’ laws in the field of
consumer protection for data privacy and the “private life.” A year after the Obama administration called
for a draft of a consumer privacy bill of rights, none has been completed or
made public. There are no baseline privacy
laws protecting consumers. Instead, there are sector-specific privacy laws and
self-regulated company privacy policies; consumer privacy laws vary by state (see http://www.ncsl.org/issues-research/telecom/state-laws-related-to-internet-privacy.aspx). Those who support this hodge podge of laws
insist that these methods encourage free commerce and growth of online
businesses.
New Balance: International Agreement or International
Chaos? There is no free lunch. My concern is that privacy laws will be so
onerous, complex and confusing that they will balkanize the Internet, preventing
cross-border transactions and increasing the hurdles for Internet entrepreneurship
of small and mid-sized businesses. Consumer
protection and data privacy laws will conflict with business, adding costs that
will have to be passed along to the consumer in the form of higher prices, more
advertising per view, and less innovation.
Should the EU adopt its proposed reforms independently, American
companies could find themselves subject to EU regulations when conducting
cross-border transactions with EU citizens even if there is no conflict with
American laws.
I believe that every nation
should have “baseline” privacy rules, including the US, but I wouldn’t go as far as the
proposed EU reforms. Businesses and/or
consumers alike have a:
- Right to know what data is being collected and
aggregated about them
- “right to be forgotten” but only where the user
pays the cost of undoing what the user posted “for free”
- copyright in posted content and a right to transfer
one’s post to other providers, for a reasonable porting fee
- right to know what data is known by a service
provider and the right to correct it.
The US and EU are set to
begin negotiations for a free trade agreement in June
2013. Hopefully common agreement on data
protection and privacy rules will be a part of it. More on this subject later.