New EU Legal Privacy Framework: We're Not Kidding

An anonymous reader writes "Viviane Reding, Vice-President of the European Commission announced today a new regulation for data privacy in Europe (PDF) in replacement of a 1995 Directive. Recently, privacy laws have been under a lot of criticism for their practical inability to ensure a high level of protection to EU citizens. The new data privacy framework will bring a lot of changes: 24 hours security breach notifications, mandatory security assessments, end of notifications to local data privacy agencies, mandatory data protection officers and huge administrative fines: up to 2% of the annual worldwide turnover (that would have meant $1.2 Billion for Microsoft in 2008). Indeed that's 'the necessary "teeth" so the rules can be enforced.'"

So...

[Joce640k]

Where do I sign up to vote "yes please"?

Re:Doubt it will go anywhere

[houstonbofh]

I agree, but for a different reason. ACTA. This says that have to keep stuff secret, or not keep it, and ACTA says they have to keep it, and give it to the *IAAs. The media industry will not want this loophole.

Re:Doubt it will go anywhere

[Anonymous Brave Guy]

That's roughly what a lot of people said before the EU went after Microsoft for anti-competitive behaviour, too. More than $1,000,000,000 in fines for defying sanctions later, those people had changed their tune.

Re:This looks like a failure waiting to happen

[Xest]

Well the obvious answer is that they can't if it really has no EU ties, just like they can't do anything about sites outside the EU hosting child porn currently.

But that's just the way the world works, it's designed with that knowledge, but it wont protect companies like Facebook, Google, Apple etc. as they do have a prescence, and even if they withdrew that prescence they could potentially still harm those companies by preventing EU firms advertising with them for example.

I'm sure firms will argue it'll cause some competitive disadvantage, but I'm not convinced that's true- I'd argue the opposite if anything, users across the globe should feel far more comfortable using companies that adhere to these rules, than those that don't.

So I don't really see how it'll be a failure, it'll force all major online firms to adhere to it because they do have an EU prescence, and from there anyone else that doesn't comply will have the disadvantage of being much less attractive to customers. Who wants their data held by some fly by night company that has no restrictions on what it can do with that data when they can instead use a company with more ethical rules surrounding what it can and will do with your data?

Re:Doubt it will go anywhere

[Anonymous Brave Guy]

Perhaps you haven't noticed, but being associated with Big Media is pretty much toxic for politicians right now.

Oh, and also in case you hadn't noticed, the EU hasn't actually signed ACTA yet. Technically they have until March next year, IIRC, though I expect someone will try to sneak it through in the very near future before the politicians realise it's too close to SOPA and PIPA (in some respects) and likely to cause similar grief.

Also, while the European Commission (the unelected guys who seem to be behind the secret negotiations) still publicly support ACTA [europa.eu], whether they can get it through the European Parliament (the elected guys who recently got new teeth under the Lisbon Treaty and seem to be enjoying exercising their powers) is a different question.

Re:So...

[Xest]

My only dissapoint is the constant bandying about of the fines thing. They point out that 2% is massive in monetary value, well yes, it can be, but it's not enough of a deterrent.

In the UK, for companies like Phorm, and ACS:Law, this would be zero deterrent to what they did, the fines shouldn't be capped percentage wise, as only a fine of perhaps 80% of annual revenue would've been enough to make Phorm and ACS:Law start behaving. The $1.2bn figure for MS sounds a lot less scary when you consider for someone like Andrew Crossley at ACS:Law who really has been in gross breach of the UK's data protection act, were he bringing in £250,000 a year with his personal one man business, would only see a fine of £5000, still leaving him £245,000 to take home. Where the fuck is the deterrent in that? You could write it off as the cost of doing business and just carry on doing it.

Jail terms for owners/execs, or completely uncapped fines left to the decision of the judge as to what size fine to levy would be the only real deterrents. That's the biggest problem I see with this proposed law - there's no worthwhile deterrent for companies with no positive image to protect (e.g. Phorm) in the fines, they're toothless as proposed right now.

Re:So...

[Spad]

Note that it's 2% of turnover, not profit; a 10% fine would ruin a lot of businesses, which is not the intent of the law.

Re:So...

[TheRaven64]

Although repeated infringements can quite easily ruin a company, and that is the intent of the law: companies should never be in the situation of deciding that ignoring a law and regularly paying the fines is just the cost of doing business.

Big Fines can be OK...

[NotQuiteReal]

Big Fines should go to the users harmed, not the State. A corporate screw-up should be punished, but the money shouldn't be flushed down some bureaucratic hole.

Also - who is responsible for the fine if the breach is due to "off the shelf" software?

Re:Doubt it will go anywhere

[Alkonaut]

No law like this will be passed on EU level unless it is absolutely certain that the core countries will adapt it without fuss.

Re:data location?

[SomeKDEUser]

Funny thing: some rights, you cannot sign away. So the EULA is irrelevant. For example, no contract of indentured servitude is legal. In the same way, you cannot sign away your right to privacy.

Re:Doubt it will go anywhere

[mrvan]

EU law has direct force in national law, EU law trumps national law, and questions of interpretation of EU law are handled by the EU court, whose decisions are binding for the national courts. The EU is very far from toothless in areas where it has legal competence.

If they are indeed replacing the '95 directive the "published document" will have the form of a EU directive, which member states are compelled to turn into national law. If they don't do so, the EC (or, I think, any citizen with standing) can sue them in the EU court for failing to comply.

What you are referring to as toothless is probably in issue domains like foreigh affairs and defense, where the member states have full competence and the only thing the EU can do is try to forge some sort of consensus.

Re:So...

[delinear]

Do you think, when people lose their personal data because a company didn't secure it properly online or because an employee of that company had a laptop full of data and left it on a train, that's somehow the responsibility of the people and not the company? Short of becoming a hermit your data will end up in third party hands and you have very little control over what happens next, even if you give them the data in expectation of total privacy. Governments are some of the worst offenders when it comes to losing public data, and unfortunately there's not a lot you can do to avoid at least being in their databases.

Re:So...

[s73v3r]

Shut the fuck up, seriously. This idea that companies should not be held responsible for their actions is completely asinine.

If you don't want companies to be held responsible, go find somewhere without "government intervention". I hear Somalia is lovely this time of year.

Re:This looks like a failure waiting to happen

[s73v3r]

Good fucking riddance. If they can't actually secure my private data, they shouldn't be in business in the first fucking place.

You people always bitch and moan about "regulations being a burden!", but for some reason, you think it's completely fucking ok for companies to just not give two shits about someone's data.

Re:So...

[gnasher719]

You fine me 90% of my annual revenue? The same nanosecond a new company is created, which just happens to have the same board, who scoops up everything from the yard sale the company you fined has after going bankrupt, including all brands and patents. How do you plan to avoid that? Short answer, you can't. The company just went bankrupt due to the fine, in the bankruptcy process all liabilities get cut to a certain percentage and the new company can scoop up everything for a penny for the dollar. Yes, it's still some money lost, but we're a far cry from the 90% you wanted. if you're lucky, you get 1-2%. Which is pretty much where we're right now.

Not that easy. If a company goes bankrupt and has sold on all kinds of stuff before the bankruptcy, all these sales can be invalidated, with more additional consequences.

And think what would happen to a company like Google, or Facebook, or Apple, or Microsoft. Going bankrupt is not an option. If Google sold patents to Google v.2 for a dollar each, and then declares bankruptcy, surely Apple and others would go to the courts and offer twice the money.

Re:Here's mine

[chill]

art: US? Seriously? Have you ever BEEN to Europe?
transport: US? Seriously? Where do you live that has better transit systems than most of (modern) Europe?
punishment: US? Is that YOU getting punished or your desire for strict punishment on OTHERS? The latter -- US, the former, Europe.

Re:You Can't Vote

[Arancaytar]

And yet somehow, bureaucratic oppressive Europe got awesome privacy legislation. What did the democratic land of the free get? SOPA.

Life is good here in the socialist hellhole. ;-)