New EU Legal Privacy Framework: We're Not Kidding
An anonymous reader writes "Viviane Reding, Vice-President of the European Commission, announced today a new regulation for data privacy in Europe (PDF) to replace a 1995 Directive. Recently, privacy laws have been under a lot of criticism for their practical inability to ensure a high level of protection for EU citizens. The new data privacy framework will bring a lot of changes: 24-hour security breach notifications, mandatory security assessments, the end of notifications to local data privacy agencies, mandatory data protection officers and huge administrative fines: up to 2% of annual worldwide turnover (that would have meant $1.2 billion for Microsoft in 2008). Indeed that's 'the necessary "teeth" so the rules can be enforced.'"
Where do I sign up to vote "yes please"?
Well, isn't our (European) data physically located in the US anyway?
How is any of this going to protect you from the police?
For justice, we must go to Don Corleone
No it can't just be ignored. If these laws pass, every EU country will be forced to implement them. The European Commission has very sharp teeth indeed on stuff like this, and does not take kindly to companies trying to ignore its rules.
I agree, but for a different reason. ACTA. This says they have to keep stuff secret, or not keep it, and ACTA says they have to keep it, and give it to the *IAAs. The media industry will not want this loophole.
The article could be misinterpreted to mean this is a done deal as is.
O2 must be glad they made their massive screw up before this came into effect...
It tries to claim jurisdiction over any company that handles the personal data of EU subjects. How exactly do they intend to enforce this over companies that have no physical presence within the EU?
Are these same rules going to apply to the EU, the member governments, and municipalities as well? Of course, collecting that 2% would be just bookkeeping ...
Is it that bad seeing a hot chick again? If I see a hot chick walking down the hall I don't say "repost".
This will take care of your data - it will be safer with USA media corporations when your government hands them over.
I really hope this passes. It'll be interesting to see all the stuff that I thought I'd deleted off Facebook suddenly reappear* so that I can actually remove it permanently.
*Apparently FB doesn't actually delete anything and it's just hidden from the user.
I disagree that this may not go somewhere. It doesn't sound like an opt-in only scheme, and there are different ways of enforcing such things that appeal to large bodies. Even if it was pushed in an unavoidable way at the country level, many groups would find ways of circumventing it if it didn't suit them. The reason things work has less to do with enforcement and more to do with those adopting it seeing that it has something in it for them. Many people are behind such ideas, so that's a big plus for many large agencies and businesses etc. etc., since adopting something many are asking for can be very attractive even if the actual
That's roughly what a lot of people said before the EU went after Microsoft for anti-competitive behaviour, too. More than $1,000,000,000 in fines for defying sanctions later, those people had changed their tune.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Perhaps you haven't noticed, but being associated with Big Media is pretty much toxic for politicians right now.
Oh, and also in case you hadn't noticed, the EU hasn't actually signed ACTA yet. Technically they have until March next year, IIRC, though I expect someone will try to sneak it through in the very near future before the politicians realise it's too close to SOPA and PIPA (in some respects) and likely to cause similar grief.
Also, while the European Commission (the unelected guys who seem to be behind the secret negotiations) still publicly support ACTA, whether they can get it through the European Parliament (the elected guys who recently got new teeth under the Lisbon Treaty and seem to be enjoying exercising their powers) is a different question.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
How can a European Commission decide to charge 2% of the annual worldwide turnover, seems a little above their station...?
Every EU country will be required to implement them, not forced. Those that don't will face sanctions or possible expulsion, but if one of the big countries refuse, there is basically nothing that can be done other than all the other nations turning their noses up at them and writing them nasty letters.
You know, like we all do with France already. Well, at least I do.
Big Fines should go to the users harmed, not the State. A corporate screw-up should be punished, but the money shouldn't be flushed down some bureaucratic hole.
Also - who is responsible for the fine if the breach is due to "off the shelf" software?
This issue is a bit more complicated than you think.
No law like this will be passed at EU level unless it is absolutely certain that the core countries will adopt it without fuss.
In other news, Facebook, Google, et al. run away screaming like little girls.
The idea is to create a fine that will actually hurt the companies. If they said X% of the turnover in EU, it would just give companies even more incentive (in addition to tax dodging) to claim their profits are actually from somewhere else.
I'm trying to come up with some sort of logical/ethical/economical/whatever reason why the EU shouldn't be able to fine X% of worldwide turnover, but I can't come up with any.
The EU structure is designed explicitly to prevent those pesky citizens from having a voice in how they are to be lead. The EU is designed for EU bureaucratic elites to govern what were formerly nations in ways that best benefit EU bureaucratic elites and their financial backers.
This is why the Euro debt crises is unfolding in its current forms. The entire purpose of pouring ever larger rescue funds into keeping the Euro solvent is so that losses can be transferred from banks to taxpayers.
Your input is neither required, nor desired, nor, in fact, even possible.
The EU isn't that weak. The EU is sort of a cross between the UN and the USA (if you consider each state to be a sovereign state instead of an egotistical province). I don't know how close to which end of the spectrum it is, however.
by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
Perhaps you haven't noticed, but being associated with Big Media is pretty much toxic for politicians right now.
Not really, considering that they're all associated with Big Media. In order for that to be a problem their political opponents would have to be able to point fingers and say "Look at him! He's in bed with Big Media!!", but none of them can do that without their hypocrisy being on display. The MAFIAA and these other organizations/business groups buy off everyone. Why throw your support behind one candidate that could potentially lose an election if you can afford to hedge your bets by supporting both? There's nothing to lose, and mountains of money and influence to gain.
This is the fundamental problem with politics in the United States as of late. In order to truly compete on the same level as these politicians you need to allow yourself to be corrupted by the same people they are. By the time you finally gain enough exposure to run for office beyond a local level, you've become the very person you're competing with. Selling out is as much a requirement for office in our government as being an American citizen. Even if you miraculously buck this trend and achieve some higher office, you have both parties and their considerable resources hammering you down pretty much constantly. They'll spare no expense to destroy you.
America! Fuck Yeah!!
Perhaps you haven't noticed, but being associated with Big Media is pretty much toxic for politicians right now.
It may be toxic, but they don't seem to care! http://torrentfreak.com/australia-us-copyright-colony-or-just-a-good-friend-120121/
Oh, and also in case you hadn't noticed, the EU hasn't actually signed ACTA yet. Technically they have until March next year, IIRC, though I expect someone will try to sneak it through in the very near future before the politicians realise it's too close to SOPA and PIPA (in some respects) and likely to cause similar grief.
Poland is looking to sign it now. That was the reason for all those attacks, and they seem to be pushing them forward against the public wishes. http://politics.slashdot.org/story/12/01/25/0211219/piratbyran-co-founder-says-stop-ddosing-polish-sites
Also, while the European Commission (the unelected guys who seem to be behind the secret negotiations) still publicly support ACTA, whether they can get it through the European Parliament (the elected guys who recently got new teeth under the Lisbon Treaty and seem to be enjoying exercising their powers) is a different question.
That would make sense, but the politicians all over the world seem to be doing the opposite of what is sensible. Once again, the entire world of elites are ignoring the people. And once again, there will come a point where the people remind them that they are outnumbered.
I have been studying this stuff for a while and I must say there is something good on the way. Some hints, likes, +1:
- It must now be passed through the European Parliament. It might take long (2 years), but Reding is known for pushing things through, and after that we have the 2 years of transition period!
- The legislation is very technology neutral, which is good, because it keeps the perspective on the consumer and not on technology. Hence it captures all aspects of cookies, webbugs, flashshit, browser fingerprints etc.
- Opt-in will be the standard (and it is the only way that makes sense to me).
- More precise and transparent privacy notices, not something like "we share information only within our group" .... (btw. we are a giant with 5000 companies)
- It might be that the data portability changes the game. If they really adopt formats for export/exchange (which hardly worked in enterprise integration) this can move you from service A to B in theory: weaker lock-ins, more focus on consumer service.
Let's hope!!
Finally some good laws coming our way ...
to be precise: The important part is a regulation, hence it does not need to be transposed into national law! It is mandatory for the member states to comply. It is down to the European Parliament to adopt it, which of course has representatives from every member state.
One of the important rules is "If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter." In other words, merely consenting to a long EULA that involves transference of data isn't enough. There has to be a separate checkbox to allow redistributing data. EULAs that allow one party to change the terms at any time won't qualify, either.
This law simply looks like an empowering of the EU, and giving it the ability to assault companies and organisations. None of which really deals with the issue at all.
This law needs individual assertion. A citizen needs to have the right to have access to their data, and have rights to control it with limited caveats. Only laid out circumstances should exist where someone can hold your data (your employer for example) or government departments (your passport or health records) - and the citizen should have a right to challenge/edit or amend the data. In other cases of data usage (for example on the web, facebook, marketing companies) - citizens should have rights to (at least some of the) money earned from their data, a right to control what is held, and a right to have it removed on request. Where data is misused or abused, the citizen should have a direct route to compensation, with heavy compensation in cases of personal damage, damage to reputation, or so on.
I don't want Viviane Reding to give Facebook a multi-billion dollar fine that gets chucked down the back of the Brussels gravy train. Screw that for a game of soldiers; they already lose and waste far too much and abuse too much already. No, screw that, I want my own individual rights brought back in line so I at least have recourse in all cases in terms of my data.
I believe that re-establishing the basics, and allowing a person to talk to an org with laid out and clear rights, is a fair re-establishment of a status quo that's been blitzed for too long. I don't want or wish for the EU to gain powers for itself in my name, and to load up taxes and businesses for its own benefit.
All fines and reparations should be between the individual and the company that makes or causes the breach; government should not get its foot in there handing out red tape and crippling laws for its own benefit and empowerment.
Everyone wants to be secure... no question. However, where do the fines go? To the government? This will just cause a 2% hike in all products and services. Companies factor these costs into their prices. Enjoy the increased cost of goods to pay for more political power... no scandal here people, move along. As far as fines and damages are concerned, the majority will not go to users or states; they will go to the class action lawyers and governments.
The 24-hour security breach notification and stiff fines sound like a good idea. Punishing abuses, fraud, and negligence is one of a government's primary responsibilities. I'm also for forcing companies to disclose more information that potentially involves harming people (loss of private data, pollution, etc.). I'm not such a big fan of the mandatory officers and inspections. If you make the penalties big enough and force them to own up to their failures, companies will determine how to achieve adequate levels of protection on their own. As always, companies/people will follow the incentives/disincentives.
"By using our service, you agree to having your personal information stored outside the EU..."
EU law has direct force in national law, EU law trumps national law, and questions of interpretation of EU law are handled by the EU court, whose decisions are binding for the national courts. The EU is very far from toothless in areas where it has legal competence.
If they are indeed replacing the '95 directive, the "published document" will have the form of an EU directive, which member states are compelled to turn into national law. If they don't do so, the EC (or, I think, any citizen with standing) can sue them in the EU court for failing to comply.
What you are referring to as toothless is probably in issue domains like foreign affairs and defense, where the member states have full competence and the only thing the EU can do is try to forge some sort of consensus.
The details of that enforcement are up to the member states, though. Quite often we've seen the meaning of laws bent by the legislation that puts them on the member states' statute books where individual states are either more or less in favour of said laws. There are lots of ways to interpret even the strictest sounding law, in terms of evidence required, leniency of punishment, etc.
No it can't just be ignored. If these laws pass, every EU country will be forced to implement them. The European Commission has very sharp teeth indeed on stuff like this, and does not take kindly to companies trying to ignore its rules.
How serious are they about data protection, if even the EU governments themselves are ignoring the most basic principles of secure database deployment?
Case in point: recently the database of the Luxembourgish service medico-sportif was breached. No, not by an evil-genius uberhacker, but by a sportsman who saw a password on a note stuck to a medico-sportif doctor's screen ...
It turned out that the service ignored the most elementary security precautions:
===> these data protection laws are only there to placate the public, so that they allow more and more data gathering, in the mistaken belief that such data will be safe with the government or whomever. But there is no real will to follow through with application of even the most basic security measures.
Who then handed it over at the request of the US company to get the data.
Habeas Corpus.
There is also the little problem that McKinnon never entered the USA, the US DoD sites let him in, and EVERY SINGLE hacking law would be neutered (as well as every single copy protection) if this were considered "safe transfer". After all, YOU didn't copy the movie, Microsoft (via their US program called "Windows") did. YOU didn't hack into the Amazon website, they let you in. You didn't spam someone, they accepted your data. And those chinese hackers? Completely legal to break US stuff in China.
Not quite. Yes, the local (read: national) governments make the laws, but they cannot ignore an EU directive. It MUST be implemented. It's up to the national governments to do it, and they have some leeway in how they implement it (in a nutshell, you can almost always be stricter but rarely more lenient), but not implementing it results in a quite serious fine.
The MAFIAA and these other organizations/business groups buy off everyone.
Everyone? They can't buy off the pirates, which are now popping up in every European country, and firmly intend to participate in the 2014 European elections...
Ok, so you may say, pirates are not in parliament yet, and 2014 will be too late to stop ACTA. However, even now, pirates are already creating enough of a stir that the current political parties are feeling compelled to adopt some of their stances about the internet. Case in point: the recent commemorations against "Vorratsdatenspeicherung" (preemptive data logging), where the pirates found some rather unlikely allies, including some parties who voted in favor of this directive 6 years ago.
if they offered citizenships overseas for say, $100 a year. The additional rights and privacies would more than pay for the fee - and maybe get you out of NDAA Gitmo without passing Go.
Money: US
commerce: US
society: US
art: US
sex: Europe
the poor: US
the rich: US
military: US
environment: US
privacy: Europe
citizen rights and restrictions: US
punishment: US
education: Europe
transport: US
sport: US
patriotism: US
police: Europe
tax: US
If a company is convicted of Capital Crimes then all the CxOs and the board of Directors is blacklisted from being involved with a company AND IT SHOULD BE A FELONY FOR A COMPANY TO ATTEMPT A HIRE for the period of 10 years. I would say that the execs being PERSONALLY on the hook should work.
True. And they will, because it actually simplifies things, like removing obligatory reporting to the state-level data protection authority. And in most states personal data protection is already strong, so business won't have to change much.
The change will be dramatic to overseas companies. That is a reason for, not against.
As much as people seem to clamor for various forms of privacy protection the data shows they only care about it when prompted with questions. People are readily willing to give up privacy for small rewards and don't want to bother with the various protective measures already in place. There is nothing any law can do to really enforce data privacy when consumers don't find that privacy valuable enough to vote with their feet or use existing privacy controls.
There are really two types of `privacy' violations possible (often it's more about public but not readily discovered information).
1) Security breaches by hackers or data theft by employees.
2) The sharing of personal data with institutions/people the user would object to viewing that information.
There is little that regulation (perhaps government supported security information/response/prosecution centers could help) of companies can do about hackers or data theft. Sure, you can fine companies for data breaches and force publication, but this creates an unfortunate incentive for companies not to discover security breaches. A well designed law would impose increased penalties for breaches exposed by outside agencies, e.g., law enforcement, but even this law would create incorrect incentives for the current executives, whose interests are still likely to reduce spending on discovering breaches in the hope that the bad news won't come on their watch.
Besides, I'm highly skeptical that poor security would be remedied by even larger financial incentives.
It's not even clear if such remedies are even desirable. A better law would simply demand appropriate compensation for people harmed by leaked credit cards and the like and leave it up to the companies (and consumers) what level of security is appropriate. Sure, we would be much safer if we replaced credit cards with fancy cryptographic two factor authentication but the costs in convenience and money would far far exceed the costs of making people whole from credit card theft.
This leaves the 2nd issue. The problem here is that the difference between desirable functionality and privacy violations here depends on the user's preferences. Does the user value getting to see free TV episodes more than the cost of having their viewing history shared with advertisers? What about discounts on medical products for similar sharing?
Sure, the law can require all sorts of consent and legal hoops to jump through but as long as people view actually making these calls as too burdensome to warrant real thought/action all you end up with is annoying privacy policies and click through agreements no one reads.
While popular with voters who think they care about privacy (as long as they aren't willing to seriously consider it in their consumer choices, evaluating for themselves how seriously a company is committed to protecting their information from inappropriate revelation), such laws are likely to impose more burdensome regulatory costs than benefits to the consumer.
The rules proposed seem quite reasonable, and if you can't be bothered to secure my data, then I don't want you in business in the first fucking place.
It's not the rules that will be unreasonable. They'll sound like peace, motherhood and apple pie, which nobody could possibly object to.
The problem will be the inevitable requirement to maintain a metric shedload of paperwork to prove you've followed every last fucking detail of the rules, including the ones that are self-evidently inapplicable to your situation, or make no technical sense... If you work for an organization, make that the imperial shedload of paperwork to prove that you've adhered to your Data Protection Officer's ultra-cautious over-interpretation of the rules (and/or the ones who your IT manager hypes up to ensure that he gets a pay raise for added responsibilities). Be assured that the detailed rules will be so complex and open to interpretation that if you do get investigated the auditors will find something wrong.
Of course, that only affects the conscientious people that you would like to do business with (and then screw up because they were too busy filling forms to actually attend to their systems). The real cowboys know how to dodge and weave and will probably ignore the law, find loopholes or just plain lie on their paperwork.
Ok, so you may say, pirates are not in parliament yet [...]
You could say that.
You'd be wrong, of course, but you could certainly say it.
Why isn't the US doing it? It has a far larger foreign debt. The EU is not insolvent in any respect of the word. Greece is not representative of the EU.
All this talk of fining a company 2% of its worldwide revenue is fine up to a point, but the point is: how do you fine a group that gives its product away for free? Take FreeBSD (please) as an example. If they do not have a source of revenue, in other words they have a $0 based ROI, how can you fine them? Do you go after the individual authors and developers?
I'm sure our politicians would like to erase their timeline as well...
That's roughly what a lot of people said before the EU went after Microsoft for anti-competitive behaviour, too. More than $1,000,000,000 in fines for defying sanctions later, those people had changed their tune.
Yeah, I remember. The tune changed to "Evil Soshalizm is suing a Glorious American Company. That's unfair!"