Recently an EU Parliamentary Committee passed a data privacy proposal which could have far reaching consequences for not only businesses, but also for individuals. Sam Costigan explores the impact of the new regulation.
On 21st October 2013 an EU Parliamentary Committee passed a data privacy proposal which could have far reaching consequences; not only for businesses but also for every day consumers.
Can we standardise EU data privacy laws?
It is quite widely publicised at the moment (and is particularly pressing in the data privacy world) that the proposed legislation touched upon in our last blog would have far reaching consequences. Some of the proposed changes are welcomed, at least in principle, such as ‘the right to be forgotten’ which seeks to bring more control to the everyday person to the release of his or her data. There is also call for standardised legislation and policy regarding international data in order to create a uniform EU data privacy platform. This would harmonise data privacy laws across the EU.
What are the downsides of the proposed regulation?
Conversely, there is opinion within the industry that the proposed regulation appears to repeat some of the same mistakes of the ePrivacy Directive. Having recently discussed this with a well regarded data privacy expert, he stated that “consent still being explicit in all cases is going to be hugely problematic for the industry, and could lead to click fatigue for individuals.”
He went on to say that the regulation seems to be repeating “…the mistakes of the ePrivacy Directive, which all of Europe agree set an impractically high standard for consent.” The implication of this appears to suggest that companies will be hindered by administrative burdens of consent, delaying what should be (and from an industry perspective, is wanted to be) a quicker process.
Is the proposed regulation a step too far?
There are also fears that some of the proposed clauses of the regulation go too far in their restrictive nature. To provide a simple example of this: if a customer decides that they no longer wish for their data to be held by a retail company they used to purchase from, they can request that such data is wiped from their records. On a larger scale, this would impact on a key aspect of the retail sector which seeks to adapt to market trends through the use of consumer data on spending habits, etc.
It would appear that Articles 19 and 20 of the regulation provide opt-out ability for the individual, should they refuse their data be processed and/or stored. Again, on speaking to the data privacy expert on this, they had the following to say on the fact that one could object to the processing of personal data based on ‘legitimate interests’: “… [in practice] any processing of personal data based on legitimate interests would work like ‘opt-out’ consent.”
This appears to put ultimate power in the hands of the individual, even over legitimate interests posed by the company requesting to process such data. Will this be considered a step too far in the bid to bring data privacy autonomy back to the individual?
We’re always keen to hear from you. Do feel free to share your thoughts and comments with us in our LinkedIn group.