BRUSSELS (Reuters) - Europe proposed strict new data privacy rules on Wednesday, putting greater responsibility on companies such as Facebook to protect users’ information, and threatening those who breach the code with hefty fines.
But the move, which legislators say is designed to better defend children against predators, has rattled major technology and Internet-based companies, with executives concerned the legislation will be almost impossible to implement in full or will do serious damage to their business models.
The proposals, which are expected to become law by the end of 2013 if approved by all 27 EU member states and the European Parliament, were drawn up after a two-year examination of shifting Internet use and the behavior of consumers using sites such as Yahoo!, Google and Facebook.
Viviane Reding, the European commissioner in charge of data privacy, said the proposed laws were necessary if consumers’ data and privacy were to be better protected in the modern age.
A breach of the rules could mean fines of up to two percent of a company’s annual turnover, which in the case of Google could mean up to $800 million.
“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data,” Reding told reporters.
“A strong, clear and uniform legal framework at EU level will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation.”
But companies are wary of critical parts of the legislation, including what Reding calls “the right to be forgotten” - effectively the right for an individual to request that their data be withdrawn from websites and online databases.
Access to a certain amount of personal information - and the digital trace that people leave after using the Internet for any length of time - is a critical element in the business model of companies from Amazon to Groupon.
Lawyers say the EU risks setting up a legislative landscape at sharp variance with that of the United States, where federal law puts less of the burden of responsibility on companies.
Some warn that the proposed new rules in their current form will be too complicated and expensive to implement.
“This is a missed opportunity,” said Mark Watts, data protection partner at technology law firm Bristows.
“The Commission had the opportunity to write a law that both protects consumers and which recognizes the reality of global data sharing and new technologies, such as social networking and cloud computing.”
“Setting businesses an unachievable goal, whether they are European or the US technology giants that the Commission unfairly seems to be seeking to curb, is unhelpful in terms of compliance and frankly bad for consumers.”
At the same time, the Commission, which has responsibility for drafting laws for the EU’s 500 million citizens, is under pressure to protect consumers.
“The Commission is caught between a rock and a hard place as it seeks to level the playing field for business and better protect consumers,” said Jane Finlayson-Brown, a partner at Allen & Overy, a law firm.
“There are real and significant concerns with the form of the regulation.”
While Google is one of the biggest companies that could be affected, it offered a cautiously positive reaction.
“We support simplifying privacy rules in Europe to both protect consumers online and stimulate economic growth,” said Al Verney, the company’s spokesman in Brussels.
“It is possible to have simple rules that do both. We look forward to debating the proposals over the coming months.”
That is a line backed by others, with many officials recognizing that the shape of the law could change between now and once it is finally approved and comes into force.
As well as corporate concern, arguments against the “right to be forgotten” have come from historians and U.S. authorities, who have argued that valuable information that forms part of the historical record could be lost under the legislation.
The International Chamber of Commerce said the proposed new rules raised immediate concerns about compliance costs and long-term worries about how innovative companies can be.
“In protecting individual privacy, we must be careful not to undermine what is now a key driver of competition, growth and innovation,” Stephen Pattison, the UK CEO of the ICC said.
As well as the right to be forgotten, some companies are also concerned about guidelines on user consent, which would require companies to secure a user’s formal approval to hold their data rather than default authority to do so.
ETNO, a Brussels-based lobbying group for telecoms companies and internet providers said the stipulation would cripple businesses that retain their customers’ attention by providing content based on their browsing history.
“Repeatedly requiring explicit consent during an online experience undermines the goal of enabling consumers to make informed decisions in an environment that is not overly intrusive,” said Luigi Gambardella, ETNO’s chairman.
Michal Fertik, founder and chief executive of Reputation.com, disagreed, saying most of the objections came from large incumbent Internet companies with vested interests.
“The devil’s going to be in the detail ... but as a matter of principle I think the right to be forgotten is important,” said Fertik, whose company helps its clients manage their online reputation and defend their privacy.
“It’s an unlevel playing field. If you run an Internet media business, it’s impossible to care deeply about privacy because commercially the only thing you’ve got to sell is users’ data,” he said.
“It’s an accident of the Internet that the Internet is basically an advertising business right now,” said Fertik. “The policy might be bad for one of the big Internet media companies today but it will be good for 1,000 new companies tomorrow.”
Additional reporting by Georgina Prodhan in London; editing by Luke Baker and Helen Massy-Beresford