New online law will force sites to remove personal data
EMBARRASSING, inaccurate or simply personal data will have to be deleted from the internet and company databases if consumers ask, under a new set of European laws.
The move will mean that social networks such as Facebook or Twitter will have to comply with users' requests to delete everything they have ever published about themselves online. It will also mean that consumers will be able to force companies that hold data about them, such as for Tesco's Clubcard, to remove it.
The changes, which could take more than two years to implement, also include a new EU power to fine companies up to 2 per cent of their global turnover if they breach the rules.
Businesses will also have a new duty to inform regulators and anyone affected by data breaches “as soon as possible”. Commentators and lawyers have warned that in the case of large-scale hacks, informing millions of users that their data is at risk could impose an unreasonable burden on firms, and risks dissuading the development of innovative services.
EU Justice Commissioner Viviane Reding, however, claimed her “proposals will help build trust in online services because people will be better informed about their rights and more in control of their information”.
Current rules were put in place in 1995. “Today vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said Commissioner Reding. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.”
The new laws will apply to any company offering services in an EU nation. They aim to make it easier for users to move their data from one service to another, such as from Facebook to LinkedIn, and will force companies and organisations to be clear about how they are using data. Any body with more than 250 employees will also be compelled to appoint a member of staff as a data protection officer.
The UK office of the International Chamber of Commerce said there would be benefits and costs to the new legislation. UK chief executive Stephen Pattison said that “Some of the proposed rules—such as the ‘right to be forgotten’—raise immediate concerns about compliance costs; but more fundamentally we need to understand how the legislation might impact on the development and deployment of new technologies and business models.
“Data is increasingly used to allow business to deliver new and improved services to their customers,” Mr Pattison said. “In protecting individual privacy, we must be careful not to undermine what is now a key driver of competition, growth and innovation. It’s not clear that the Commission’s proposals strike the right balance”.
Mr Pattison added that EU plans should also be drafted in collaboration with other international legislation. The EU claims that current laws are often conflicting and cost businesses a total of nearly £2bn a year.
Quentin Archer, a partner at law firm Hogan Lovells, said that “The draft regulation will greatly increase the cost of compliance for business, particularly in the UK where we have enjoyed a relatively relaxed but pragmatic, business-friendly regime to date.”
Marc Dautlich, a partner at rival firm Pinsent Masons, added that “While the new law aims to protect personal data some of the concepts will be extremely expensive for internet businesses to implement. For example the ‘Right to be Forgotten’ would mean that users could demand that social media networks such as Facebook erase any of their comments, not just from the network itself but the entire web, which would involve unprecedented co-operation with search engines to achieve.”