Monday, 14 December 2015

Tech Firms Gird for New EU Privacy Law

Technology firms are girding for tough provisions in a new privacy law that European Union officials are likely to agree upon Tuesday, setting up for what executives say could be years of court battles.

The European Parliament, representatives of the national governments and the European Commission—the bloc’s executive body—have been negotiating for the past four years to agree on a final version of the EU-wide data-protection law, which would replace a patchwork of 28 different sets of national laws.

“We’re quite happy with what’s on the table,” said a European Commission official. “Our line has always been that we cannot accept lower protection of users’ data [from the current rules].”

The commission says the new regulation will tighten privacy protections for online users and strip away costly red tape for businesses.

The proposed law has been subject to intense lobbying, particularly from technology firms. In negotiations over the summer, some of the toughest provisions on issues such as user consent and notifications of government surveillance were softened. But executives spanning sectors from cloud computing to online advertising say the new law is likely to raise risks and costs for their businesses in Europe.

“The risk is that it pushes companies to say it isn’t worth the risk to innovate in Europe,” said Alexander Whalen, a senior policy manager for Digital Europe, which represents companies including Microsoft Corp. and Alphabet Inc.’s Google.

Parliament and commission officials and representatives from member states all say they expect to clinch a deal Tuesday evening, but a number of open issues still need to be resolved.

EU officials are negotiating on the fines that should be imposed on companies that violate the new rules. The commission had initially proposed a maximum fine of 2% of global revenues, while the Parliament has pushed for a 5% levy. Governments originally sided with the commission on the 2% cap but recently have agreed to raise the ceiling to as high as 4%.

The commission official says negotiators are likely to settle at a cap of 4%.

EU officials say the maximum fines would only be imposed in cases of serious or repeat violations but not for minor breaches. National data-protection authorities will have the power to impose fines on companies directly, instead of having to go through courts, as is now the case in some countries.

But large, multinational companies would be disproportionately affected by sanctions that are calculated on the basis of global revenue, said Rene Summer, Director of Government and Industry Relations at Swedish telecommunications firm Ericsson AB.

“Even if something goes wrong only in a small part of the company that operates in the EU, the entire organization is fined,” Mr. Summer said. Fines should be proportional to the actual processing activity and the harm caused, he said.

The institutions are also still debating phrasing in the law around the permission users need to give businesses so they can process users’ data.

The new EU-wide rule will also likely extend responsibility for privacy breaches beyond just the companies that collect and use personal data. The data-center and cloud-computing firms used by those companies would now also be liable.

Executives at enterprise-services and cloud-computing firms say they worry that the law shifts the burden of proof, and could drag their companies into litigation where they would have to prove they weren't at fault in their clients’ privacy violations.

Another concern for tech firms is a last-minute boost in the age of consent for use of personal data to 16 years old. If the rule is enforced, it could lead companies to simply stop offering services to people under 16, one U.S. tech executive said.

The institutions will also discuss on Tuesday requirements for companies to employ a data-privacy officer. At issue is whether small and medium-size companies should be exempt from that clause or whether it should apply depending on the firm’s business sector and the risks involved in data processing.

Small firms have expressed concern about the possible requirement since startups can initially only afford a handful of employees.

The new law, which businesses would have two years to implement before it is enforced, would also enshrine the controversial “right to be forgotten,” which would allow people to request the deletion of personal data from online platforms like Facebook Inc. or Google.

(Published by The Wall Street Journal - December 13, 2015)
