New EU Legal Privacy Framework: We're Not Kidding 243

Posted by Unknown Lamer
from the yes-you-can-have-a-pony dept.
An anonymous reader writes "Viviane Reding, Vice-President of the European Commission announced today a new regulation for data privacy in Europe (PDF) in replacement of a 1995 Directive. Recently, privacy laws have been under a lot of criticism for their practical inability to ensure a high level of protection to EU citizens. The new data privacy framework will bring a lot of changes: 24 hours security breach notifications, mandatory security assessments, end of notifications to local data privacy agencies, mandatory data protection officers and huge administrative fines: up to 2% of the annual worldwide turnover (that would have meant $1.2 Billion for Microsoft in 2008). Indeed that's 'the necessary "teeth" so the rules can be enforced.'"
  • So... (Score:5, Insightful)

    by Joce640k (829181) on Wednesday January 25, 2012 @11:49AM (#38818617) Homepage

    Where do I sign up to vote "yes please"?

    • Re:So... (Score:4, Interesting)

      by Anonymous Coward on Wednesday January 25, 2012 @11:54AM (#38818687)

      Totally agree...this idea that businesses shouldn't be held responsible for their actions (or inactions) goes back to the business "revolution" of the 70s...the professional manager who operates without ethics, and whose only allegiance is to the shareholder (or their own salaries/bonuses)...it's about time governments started standing up for their citizens again....sign me up too!

    • by vlm (69642)

      Where do I sign up to vote "yes please"?

      How does someone of distantly European ancestry upgrade by moving back? Figure an average /.er, in other words highly skilled/educated but no Nobel prize, plenty of money but not a billionaire, etc. I liked visiting Ireland, although that was before the economic collapse...

      • Re:So... (Score:5, Interesting)

        by inviolet (797804) <`slashdot' `at' `ideasmatter.org'> on Wednesday January 25, 2012 @12:21PM (#38819035) Journal

        No it can't just be ignored. If these laws pass, every EU country will be forced to implement them. The European Commission has very sharp teeth indeed on stuff like this, and does not take kindly to companies trying to ignore its rules.

        Yep yep.

        As a US citizen now thoroughly ashamed of my society's behavior (esp. regulatory capture, as well as the all-classes corruption of the housing bubble), this news is the first time in my entire life that European society has seemed superior.

        It is quite a moment for me, coming as it is at the tail end of twenty years of staunch libertarian patriotism.

        • by rmstar (114746)

          It is quite a moment for me, coming as it is at the tail end of twenty years of staunch libertarian patriotism.

          Interesting. So you suddenly favor big government and regulation? How did that happen? (Just curious - I am not a libertarian).

        • Re:So... (Score:5, Interesting)

          by xaxa (988988) on Wednesday January 25, 2012 @12:35PM (#38819207)

          As a US citizen now thoroughly ashamed of my society's behavior (esp. regulatory capture, as well as the all-classes corruption of the housing bubble), this news is the first time in my entire life that European society has seemed superior.

          The first time ever? That's incredible.

          Europe and the US have different views (to varying degrees) on many topics. Money, commerce, society, art, sex, the poor, the rich, military, environment, privacy, citizen rights and restrictions, punishment, education, transport, sport, patriotism, police, tax ...

          Pick any one of those and I'll be able to describe things I like about Europe (and dislike about America), and vice-versa.

      • Re:So... (Score:4, Informative)

        by mrvan (973822) on Wednesday January 25, 2012 @12:41PM (#38819275)

        In the Netherlands, there is a "knowledge worker" rule that says that if you can find a job that requires a degree and pays X% better than minimum (or modal?) wage, it's easy to get a working permit, plus you get a huge tax break (although I think they are cutting down on the latter). Any decent sized company will have someone in the HRM department who knows these rules and can help with the paperwork.

        If you are here 5 years and pass a test you can apply for citizenship but that might require renouncing your US citizenship.

        • The same rule is in effect in most countries, and that bar gets lower every year. IIRC the German "wage bar" is down to about 50k a year. Guess it gets harder and harder to find good floor sanitation technicians.

    • Re:So... (Score:5, Insightful)

      by Xest (935314) on Wednesday January 25, 2012 @12:11PM (#38818887)

      My only disappointment is the constant bandying about of the fines thing. They point out that 2% is massive in monetary value, well yes, it can be, but it's not enough of a deterrent.

      In the UK, for companies like Phorm, and ACS:Law, this would be zero deterrent to what they did, the fines shouldn't be capped percentage wise, as only a fine of perhaps 80% of annual revenue would've been enough to make Phorm and ACS:Law start behaving. The $1.2bn figure for MS sounds a lot less scary when you consider for someone like Andrew Crossley at ACS:Law who really has been in gross breach of the UK's data protection act, were he bringing in £250,000 a year with his personal one man business, would only see a fine of £5000, still leaving him £245,000 to take home. Where the fuck is the deterrent in that? You could write it off as the cost of doing business and just carry on doing it.

      Jail terms for owners/execs, or completely uncapped fines left to the decision of the judge as to what size fine to levy would be the only real deterrents. That's the biggest problem I see with this proposed law - there's no worthwhile deterrent for companies with no positive image to protect (e.g. Phorm) in the fines, they're toothless as proposed right now.

      • Oh, but although the company is fined 2%, ordering your employees to do something illegal is criminal... So I don't think this would end as "the cost of doing business".

        • by Xest (935314)

          Unless there's some sanction for repeat offenders, they can just feign incompetence, so unless the authorities can find a whistleblower willing to act as a witness proving malice, there's little they can do to demonstrate it wasn't incompetence.

          • In general, fines are associated with a delay to remedy the situation. Then it becomes a repeat offence and the fines go up.

          • by Teun (17872)
            Claiming to be unaware of legislation is in a court no defence whatsoever.
      • by Joce640k (829181)

        2% is massive in monetary value, well yes, it can be, but it's not enough of a deterrent.

        I don't think it's meant to be a 'deterrent'. Companies don't have data breaches on purpose, even the best security can be subverted.

        This is more to get them to have some security in place and to avoid coverups after it happens, e.g. a decent security system doesn't let people take the data home for the weekend so no more 'lost laptops' (hopefully).

        • Re:So... (Score:4, Interesting)

          by Opportunist (166417) on Wednesday January 25, 2012 @01:32PM (#38819807)

          I'm in risk management. The fine is pretty much already a deterrent, or rather, it's a good incentive to invest a few bucks in security.

          Security, or rather, anything related to heeding a law in a company, is a game of chances. What's my gain to break the law (or ignore it), what's the cost of the fine and how likely is it to happen. These are, in a nutshell, the things I deal with on a daily basis. Yes, laws and following them is not a matter of "being good" or "doing no evil". It is simply and bluntly a matter of cost and benefit.

          2% annual revenue as budget is a wet dream for security and risk management. And while we won't get it (not by a long shot), we can now easily argue with the increased monetary risk when it comes to the question whether and how much investment is necessary for security.

      • The problem is, if the fines get too high, companies start to evade them. It's easy for corporations (and yes, giving corporations "person" status was the first blunder and should be removed, but that's beyond the scope here).

        You fine me 90% of my annual revenue? The same nanosecond a new company is created, which just happens to have the same board, who scoops up everything from the yard sale the company you fined has after going bankrupt, including all brands and patents. How do you plan to avoid that? Sh

        • Re:So... (Score:5, Insightful)

          by gnasher719 (869701) on Wednesday January 25, 2012 @01:58PM (#38820119)

          You fine me 90% of my annual revenue? The same nanosecond a new company is created, which just happens to have the same board, who scoops up everything from the yard sale the company you fined has after going bankrupt, including all brands and patents. How do you plan to avoid that? Short answer, you can't. The company just went bankrupt due to the fine, in the bankruptcy process all liabilities get cut to a certain percentage and the new company can scoop up everything for a penny on the dollar. Yes, it's still some money lost, but we're a far cry from the 90% you wanted. If you're lucky, you get 1-2%. Which is pretty much where we are right now.

          Not that easy. If a company goes bankrupt and has sold on all kinds of stuff before the bankruptcy, all these sales can be invalidated, with more additional consequences.

          And think what would happen to a company like Google, or Facebook, or Apple, or Microsoft. Going bankrupt is not an option. If Google sold patents to Google v.2 for a dollar each, and then declares bankruptcy, surely Apple and others would go to the courts and offer twice the money.

    • by ackthpt (218170)

      Where do I sign up to vote "yes please"?

      Sadly, not in the US of A. The EU may be screwed up in some ways, but on this item they have a firm grip of reality. Well done.

  • by jggimi (1279324) on Wednesday January 25, 2012 @11:58AM (#38818733)
    The article could be misinterpreted to mean this is a done deal as is.
    • As someone who is involved in putting in place processes to cope with legislation like this I can only say it sounds like yet another ludicrous set of disincentives for small businesses. So every business needs a data protection officer, the ability to respond to a query within 24 hours, gold plated toilets, forms to fill out in triplicate. I'm all for ensuring consensual use of personal data but I am completely against legislation which mandates a bureaucratic process to implement it which means that I end

      • by Teun (17872) on Wednesday January 25, 2012 @01:40PM (#38819897) Homepage
        This applies to companies with more than 250 employees, I wouldn't call them small.
        A quick scan does not seem to forbid the outsourcing of this function, meaning specialist companies will be available to manage or oversee your privacy compliance.

        Important is the rule that this Privacy Officer needs to be totally independent of the management.

        The easiest and for me obvious way for any company to lower the amount of effort controlling this privacy sensitive data is to only keep the absolute minimum of it.

  • O2 (Score:4, Interesting)

    by CheeseyDJ (800272) on Wednesday January 25, 2012 @11:58AM (#38818735)
    O2 must be glad they made their massive screw up [bbc.co.uk] before this came into effect...
  • It tries to claim jurisdiction over any company that handles the personal data of EU subjects. How exactly do they intend to enforce this over companies that have no physical presence within the EU?
    • by Xest (935314) on Wednesday January 25, 2012 @12:05PM (#38818831)

      Well the obvious answer is that they can't if it really has no EU ties, just like they can't do anything about sites outside the EU hosting child porn currently.

      But that's just the way the world works, it's designed with that knowledge, but it won't protect companies like Facebook, Google, Apple etc. as they do have a presence, and even if they withdrew that presence they could potentially still harm those companies by preventing EU firms advertising with them for example.

      I'm sure firms will argue it'll cause some competitive disadvantage, but I'm not convinced that's true - I'd argue the opposite if anything, users across the globe should feel far more comfortable using companies that adhere to these rules, than those that don't.

      So I don't really see how it'll be a failure, it'll force all major online firms to adhere to it because they do have an EU presence, and from there anyone else that doesn't comply will have the disadvantage of being much less attractive to customers. Who wants their data held by some fly-by-night company that has no restrictions on what it can do with that data when they can instead use a company with more ethical rules surrounding what it can and will do with your data?

      • by CTalkobt (81900)

        The intent I fully and wholeheartedly agree with... However, 2% of _world_wide_revenues_ is what concerns me. I'd rather see it phrased as 2% of world-wide revenue apportioned to user base / affected users (affected or not by breach).

        Hence, the larger the breach, the larger the fine. I could easily see Company A arguing to US regulators : "We shouldn't have to pay for US users as the EU already fined us for everyone.".

    • In the same way that U.S. authorities enforced the warrant against MegaUpload (HK based company, owned by a German-Finnish citizen currently residing in NZ ...): Uni-, bi-, multiliteral contracts, I guess.

      But I fear for our good-but-still-not-enough German laws. I'll bet they'll be watered down to a great degree.

      • Uni-, bi-, multiliteral contracts

        Erhm ... that's lateral, of course ...

      • In the same way that U.S. authorities enforced the warrant against MegaUpload (HK based company, owned by a German-Finnish citizen currently residing in NZ ...): Uni-, bi-, multiliteral contracts, I guess.

        But I fear for our good-but-still-not-enough German laws. I'll bet they'll be watered down to a great degree.

        It would be fun to see the UK extradite from the US for a change...

        • by delinear (991444)
          Unfortunately, due to our government basically bending over for the US when the extradition laws were last redrafted, it's a lot more difficult to get an extradition from the US to the UK than it is vice versa (basically we have to argue the evidence in a court before their judges, they, on the other hand, only need make an accusation).
    • by gstoddart (321705)

      It tries to claim jurisdiction over any company that handles the personal data of EU subjects. How exactly do they intend to enforce this over companies that have no physical presence within the EU?

      If they target the region, that's having a business there under their jurisdiction. I assume there's a google.fr and a facebook.de ... that pretty much makes you covered under their laws.

      And, let's face it ... the USA is extraditing people who committed no crime in their own country and SOPA would have allowed t

      • Like most people on slashdot, you think of big companies like Google or Amazon or Facebook, but what about a small two or three person startup?
        • by gstoddart (321705)

          Like most people on slashdot, you think of big companies like Google or Amazon or Facebook, but what about a small two or three person startup?

          If they're receiving and storing personal information, then they need to obey the law. Why should being a small company exempt you?

          Google et al are directly gathering more personal information, and, as we've seen [slashdot.org], they're getting more aggressive about it.

  • by sithkhan (536425) <sithkhan@gmail.com> on Wednesday January 25, 2012 @11:59AM (#38818759)
    Are these same rules going to apply to the EU, the member governments, and municipalities as well? Of course, collecting that 2% would be just bookkeeping ...
    • by Spad (470073)

      The existing data protection regulations apply to government agencies as much as anyone else and as far as I can tell, so would these new ones.

  • I really hope this passes. It'll be interesting to see all the stuff that I thought I'd deleted off Facebook suddenly reappear* so that I can actually remove it permanently.

    *Apparently FB doesn't actually delete anything and it's just hidden from the user.

  • by NotQuiteReal (608241) on Wednesday January 25, 2012 @12:16PM (#38818961) Journal
    Big Fines should go to the users harmed, not the State. A corporate screw-up should be punished, but the money shouldn't be flushed down some bureaucratic hole.

    Also - who is responsible for the fine if the breach is due to "off the shelf" software?
    • by tgd (2822)

      Big Fines should go to the users harmed, not the State. A corporate screw-up should be punished, but the money shouldn't be flushed down some bureaucratic hole.

      Why do you think these sorts of laws are put in place? Laws can be written such that a civil lawsuit can be brought for damages, or they can be written to bring heavy fines. Which do you think a government is more likely to pass?

  • Consent and EULAs (Score:5, Interesting)

    by Animats (122034) on Wednesday January 25, 2012 @12:45PM (#38819323) Homepage

    One of the important rules is "If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter." In other words, merely consenting to a long EULA that involves transference of data isn't enough. There has to be a separate checkbox to allow redistributing data. EULAs that allow one party to change the terms at any time won't qualify, either.

  • Red tape and garbage (Score:2, Interesting)

    by AdmV0rl0n (98366)

    This law simply looks like an empowering of the EU, and giving it the ability to assault companies and organisations. None of which really deals with the issue at all.

    This law needs individual assertion. A citizen needs to have the right to have access to their data, and have rights to control it with limited caveats. Only laid out circumstances should exist where someone can hold your data (your employer for example) or government departments (your passport or health records) - and the citizen should have

    • by dkleinsc (563838)

      I don't know about the EU, but in the US, a criminal penalty does not prevent a civil lawsuit for defamation and/or breach of contract. So, if Facebook broke the rules, Viviane Reding would give Facebook a multi-billion euro fine, and all that criminal evidence would make the class-action lawsuit a relatively simple affair (because the evidence is already introduced in the criminal proceeding, so proving Facebook broke the rules is quite easy).

  • The 24 hour security breach notification and stiff fines sound like a good idea. Punishing abuses, fraud, and negligence is one of a government's primary responsibilities. I'm also for forcing companies to disclose more information that potentially involves harming people (loss of private data, pollution, etc.). I'm not such a big fan of the mandatory officers and inspections. If you make the penalties big enough and force them to own up to their failures companies will determine how to achieve adequate
  • by ThatsNotPudding (1045640) on Wednesday January 25, 2012 @02:23PM (#38820411)
    if they offered citizenships overseas for say, $100 a year. The additional rights and privacies would more than pay for the fee - and maybe get you out of NDAA Gitmo without passing Go.
