The Obama Administration and several leading online companies are fearful that the EU’s interest in strengthening privacy safeguards will undercut the data collection, profiling, and interactive ad targeting of U.S. digital marketers. The U.S. wants to seek a “separate, but equal” privacy and consumer protection regime–claiming that whatever we do in the U.S. on privacy should be treated as the equivalent by the EU. Self-regulation and those silly icons won’t work, as we know. This week, EU Justice Commissioner Viviane Reding laid out a vision to better protect EU citizen privacy. Here’s an excerpt from it that should help guide the debate here–and with the negotiation between the US and EU on a new “safe harbor” treaty on data privacy:
EU Commissioner Reding’s speech this week reveals the battlelines bet. co’s, US, EU
Peoples’ rights need to be built on four pillars:
The first is the “right to be forgotten”: a comprehensive set of existing and new rules to better cope with privacy risks online. When modernising the legislation, I want to explicitly clarify that people shall have the right – and not only the “possibility” – to withdraw their consent to data processing. The burden of proof should be on data controllers – those who process your personal data. They must prove that they need to keep the data rather than individuals having to prove that collecting their data is not necessary.
The second pillar is “transparency”. It is a fundamental condition for exercising control over personal data and for building trust in the Internet.
Individuals must be informed about which data is collected and for what purposes. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated. They must be told about the risks related to the processing of their personal data so that they don’t lose control over their data or that their data is not misused. This is particularly important for young people in the online world.
I want to make sure that greater clarity is required when signing up to social networking. Unfavourable conditions – restricting control of users over their private data or making data irretrievably public – are often not clearly mentioned. In particular, children should be fully aware of the possible consequences when they first sign up to social networks. All information on the protection of personal data must be given in a clear and intelligible way – easy to understand and easy to find.
The third pillar is “privacy by default”. Privacy settings often require considerable operational effort in order to be put in place. Such settings are not a reliable indication of consumers’ consent. This needs to be changed.
The “privacy by default” rule will also be helpful in cases of unfair, unexpected or unreasonable processing of data – such as when data is used for purposes other than for what an individual had initially given his or her consent or permission or when the data being collected is irrelevant. “Privacy by default” rules would prevent the collection of such data through, for example, software applications. The use of data for any other purposes than those specified should only be allowed with the explicit consent of the user or if another reason for lawful processing exists.
The fourth principle is “protection regardless of data location”. It means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries’ service providers controlling our citizens’ data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.
For example, a US-based social network company that has millions of active users in Europe needs to comply with EU rules. To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers.
Stakeholders at a recent public consultation on data protection asked me to make clear that our data protection rules also apply to data retention. Storage of data is already included in the broad definition of “processing” but the general public is unaware that processing includes storing / retention.