Let’s first get caught up on the status of the EU Commission’s proposed changes to the Data Protection Directive or DPD. At the beginning of July, an important committee vote in the EU Parliament was delayed till September, at the earliest. This has been the third delay of a vote to bring the new regulations—which include The Right to Be Forgotten and tougher rules on data retention limits—to the full Parliament. US social media companies, who have not been shy about expressing their objections to the new regulations, should not declare victory just yet.
In a TV interview this week, German Chancellor Angela Merkel called for Europe to stand together on data protection regulations and to move towards “harmonized” rules across all countries. This is, of course, a reference to the stalled data protection regulations, which would ultimately bring a single set of rules and consistent enforcement to the EU zone. Currently, each of the 28 member nations has their own data protection authorities along with slightly different laws based on the common DPD.
After the interview, Merkel was the recipient of a shout-out from Viviene Reding, the EU’s justice commissioner and an important proponent of the new regulation, who welcomed the Chancellor’s remarks.
The new data regulations can use all the help it gets: if they are not voted on before the EU Parliament elections in 2014, they may have to be scrapped and the process restarted. The public announcement from Merkel, though, may be just the push the need to become a European-wide law.
But US social media players—one in particular—are finding that the existing DPD still has some bite. Last month, separate data protection authorities in France and Spain wrote letters to Google demanding it provide more explicit information on its omnibus terms of service to users and to obtain consent before storing cookies. Google was given a deadline of a few months to comply.
These separate national regulators are basing their demands on a key concept embedded in the core Data Protection Directive: consumers own their data and companies, as “data controllers”, need their consent to process the data when it’s used outside of essential business functions. The EU battle over opt-in and cookies—E-Privacy Directive—has actually has been brewing for some time, but it was Google’s bold move early last year to consolidate all its separate ToS into a single document that pushed the regulators’ buttons.
I’m not sure what will be the fate of The Right to Be Forgotten and other stricter rules in the pending regulations.
But as for the data ownership philosophy expressed in the current laws? I think the EU will be standing firm and US companies should pay attention.