EU to tighten data protection

One check mark makes all the difference. With just one click Internet users will be able to signal whether or not they allow the disclosure of their data. At least that's how it should be from now on if you ask European privacy groups.

The European Parliament Committee on Civil Liberties, Justice, and Home Affairs (LIBE) on Monday (21.10.2013) drafted a new data protection enactment. The actions of the committee, which oversees the protection of the civil rights of EU citizens as well as the protection of their personal data, are seen as a reaction to the direction the EU Commission took towards more data protection a year ago.

Going in the right direction

Data protectionists in many countries agree that tightening directives are urgently needed. At the moment, Internet users are often forced to pass on personal data without even realizing it. This is possible because of clauses hidden in page-long "terms and conditions" agreements or default settings.

Companies that do not have their headquarters in the European Union can moreover avoid regulations on data protection. Or they can look for a country within the EU with less tight regulations such as Ireland and Great Britain. Both countries are especially popular locations for Internet company headquarters.

Now Europe's patchwork system of Internet privacy is about to change with new EU-wide uniform regulations. The LIBE committee is suggesting methods to make it easier for Internet users to delete their personal data. They,moreover, want to require Internet companies to explicitly ask users before their data can be stored online. Additional regulations would include the right to be told which companies, authorities or secret services their data is passed on to.

According to Thilo Weichert, the data protection officer for the German state Schleswig-Holstein, these measures are going in the right direction. After all, the normal Internet user will benefit from them the most. "The Internet user then has a better option to push through his or her rights and has the state support from regulatory authorities, consumer's association and jurisdiction," he said.

No more confinements

Benjamin Bergemann from the consumer protection association "Digital Society" welcomes the plans to tighten regulations for the benefit of the consumer. The data protection activist especially praises the agenda item "data portability."

"It means that I can take my data from one online service to the next. So if I don't want to have a Twitter account anymore, then the company has to give me all contact details in electronic form so that I can switch to a different provider."

So far, Bergemann said, many do not say good-bye to their previous social media providers so they won't "lose all of their personal data and friends" and "have to start from scratch." In the future, being confined to one provider would not be allowed anymore.

Serious shortcomings

In many ways the proposal by the LIBE committee goes beyond the draft of the EU Commission and even won praise from critics. However, it also has a handful of major shortcomings, according to Bergemann.

For instance, measures against "profiling" (process of construction and application of profiles generated by computerized profiling technologies) are not strict enough. Also, it would still be possible to infer information about consumer behaviour, preferences, and special interests of the Internet surfers from their IP addresses.

This so-called "tracking" currently makes it possible for companies to customize advertisements to an Internet user. Ads pop up time and time again even when Internet users begin surfing on a different website. And it is exactly this data, which seems so harmless, that is captured and evaluated by the United State's controversial NSA's spy software called "XKeystore."

Who profits?

The trade in Internet data is a billion-dollar business. Search engines such as market leader Google or social networks like Facebook and Twitter generate a nearly inexhaustible reservoir of data that the companies use to generate revenue. For example, Google reported profits of three billion US dollars (€ 2.2 billion) from revenues of almost 15 billion US dollars (€ 10 billion) in the third quarter of this year.

The search engine giant is particularly under fire because it automatically transfers the data of its users to other sectors of the company, such as the company-owned social network Google+.

With companies like Google and Facebook raking in profits, it is surprising then that it is lobbyists from non-Internet corporations who are mostly opposing the new data protection plans. "It is mainly traditional models such as German address distributers as well as banks and insurances that have their own interests in finding out as much as possible about the liquidity of their customers," said Bergemann.

With stricter privacy protection, it would be harder for these companies to access lucrative consumer data. According to Bergemann, Facebook and Google are affected by the plans as well, but they've been operating with the approval of their customers from the beginning, so they would not be hit by the stricter regulations.

Drastic penalties

Data protection officials like Weichert say it is important that an EU-wide data protection regulation also consolidates responsibility for Internet security, thereby giving citizens clear contact persons. Companies would moreover need to fear that threatened penalties would be imposed in order for legislation to become effective.

In the current draft of the regulation the maximum fine is set at five percent of the annual turnover or 100 million euros ($ 137 million). That's a sum that even the wealthy search engine Google can't pay from its petty cash.