Proposed EU data rules a 'tax' on business say critics
- 8 March 2012
- From the section Technology
Businesses have expressed concern about proposed EU data protection rules which include a "right to be forgotten".
The European Commission has said it would set out details of the planned changes later today.
It has already said that individuals would be able to ask for data about themselves to be deleted unless it was being kept for a "legitimate" purpose.
The boss of one tech-focused organisation described the proposals as a "tax" on firms holding customer data.
Elements of the new regulation and directive wereunveiled by the Justice Commissioner, Viviane Reding, at the Digital Life Design conference in Munich on Sunday.
She said: "It is... important to empower EU citizens, particularly teenagers, to be in control of their own identity online.
"If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system."
The rules also involve a requirement that companies "swiftly" notify individuals if any of their personal data is lost, stolen or hacked. The commissioner said that this should normally happen within 24 hours.
Companies would also have to appoint a data protection officer - an obligation already imposed on many German firms.
The commissioner said that by simplifying the current "patchwork" of rules and cutting red tape, businesses could expect to save a total of 2.3bn euros ($3bn, £1.9bn) per year.
However, it is expected that firms that fail to comply with the rules could be fined.
One lawyer told the BBC that the benefits would be outweighed by the new burdens placed on businesses.
"The one bit of a good news is that they result in harmonisation across Europe which is better than the existing situation with 27 different national laws, but the content of some these proposals is very onerous," said Marc Dautlich, head of information law at Pinsent Masons.
"These are all going to involve costs and resource. And in a difficult economic climate."
Adam Malik, organiser of the Digital London conference, said that he accepted that customers had a moral right to ask for data deletion, but the new rules - as he understood them - could place some enterprises in jeopardy.
"This is just an additional tax on all businesses which hold electronic customer records," he said.
"Also we need clarity on what is personalised data. Lots of lawyers will be happy about this directive for years to come - meanwhile innovation is discouraged."
Security company FireEye also expressed concern about the suggested data loss demands.
"Reporting within 24 hours of discovery is admirable but if the company wasn't aware of the breach for 24 days then where do all involved stand?" asked its director of European operations, Paul Davis.
But others were more positive about the proposals.
"Businesses can either see it as a glass half empty or a glass half full," said Alan Mitchell, strategy director of Ctrl-Shift, a technology consultancy whose clients include the UK government.
"This legislation will enable UK and EU business to lead this growing market and develop new technologies and businesses."
The rules need to be approved by the EU's member states and ratified by the European Parliament before they can come into effect.
That could take two or more years, during which time they may be amended or rejected outright.