New EU Data Rules May Cost Business
Brussels -- 25 January 2012
I today urged caution over EU plans to introduce a new raft of rules on data protection. While at first glance the proposals look like a significant attempt to advance the single market and to offer important reassurances over data security, they are potentially so sweeping they could damage business and even allow wrongdoers to hide their past and escape the consequences.
Under the new rules set out by the Commission yesterday, companies and other organisations would be obliged to issue an alert about any data breaches within 24 hours. The proposals would also create a Europe-wide network of data protection supervisors and officers. They would also introduce a controversial "right to be forgotten", allowing people in a variety of different circumstances to demand that data about them be deleted.
In my position as the European Conservatives and Reformists Group's co-ordinator on the Justice and Home Affairs (LIBE) Committee, I welcome better data protection for citizens, but I put out a statement which urged caution.
"The proposal misses the mark in terms of common sense."
"Of course we encourage best practice in the processing, storage and handling of data, especially in the area of law enforcement exchange. However, we mustn't create rules that are draconian and burdensome to businesses.
"The information that new technologies hold is important for the economy, for the improvement of the services businesses provide, and for the prevention and detection of crime.
"A significant proportion of the public voluntarily hand over large amounts of detail regarding their life to social networking sites, 'Twitter', and blogs. I accept we must protect their data and make their rights fully available, yet it seems this proposal is determined to place the entire burden of responsibility for people's internet profiles upon law enforcement agencies, businesses and other organisations. Instead there should be an element of personal responsibility, and personal choice when using your data.
"The idea that businesses would have to notify thousands if not millions of internet users for the most minor of technical breaches, as well as be responsible for changes, deletions, and requests on demand, would cause unnecessary burden for businesses in these challenging times. It would also cause needless worry for those people who use the internet.
"So many people walk into shops, supermarkets, petrol stations, and recruitment offices, and hand over the same information without a second thought, and without the same assumed rights.
"We must balance carefully the need to protect the privacy and rights of individuals, both on and off the internet, especially the most vulnerable amongst us. However, it should be done in a practical, achievable and fair way, not only for internet users but for businesses as well."
BACKGROUND:
On 24 January the European Commission released new legal proposals regarding the handling of European citizens' data. The Commission put forward two proposals: a proposal for a General Data Protection Regulation, and a proposal for a Directive on the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
The newly proposed General Data Protection Regulation would see a single set of legal rules applied for the whole of the European Union on the handling of data. The proposal includes such measures as requiring organisations to notify users and authorities about data breaches within 24 hours, creating data protection supervisors and officers, as well as legislating on the controversial area of the "right to be forgotten". The proposal states that people will have the right to ask for data about them to be deleted. All businesses and organisations will have to adhere to this rule unless there are legitimate grounds to retain the data. Internet users must also give explicit consent to the use of data about them, and those who process and collect the data would be required to notify them when their data is collected, and to tell them for what purpose it is being processed and how long it will be stored.
