New EU Legal Privacy Framework: We're Not Kidding
An anonymous reader writes "Viviane Reding, Vice-President of the European Commission, announced today a new regulation for data privacy in Europe (PDF) replacing a 1995 Directive. Recently, privacy laws have been under a lot of criticism for their practical inability to ensure a high level of protection for EU citizens. The new data privacy framework will bring a lot of changes: 24-hour security breach notifications, mandatory security assessments, an end to notifications to local data privacy agencies, mandatory data protection officers and huge administrative fines: up to 2% of annual worldwide turnover (that would have meant $1.2 billion for Microsoft in 2008). Indeed, that's 'the necessary "teeth" so the rules can be enforced.'"
Where do I sign up to vote "yes please"?
The EU really has no teeth. The individual countries have laws which matter, but the EU is a lot like the UN -- it can publish stuff, but when push comes to shove, it can be ignored.
It would be nice to see privacy and data retention laws happen (especially laws about data expiring and being removed), but in reality, there is too much money to be made from it for even an agency as large as the EU to do much other than wag a finger.
Well, aren't our (European) data physically located in the US anyway?
How is any of this going to protect you from the police?
For justice, we must go to Don Corleone
The article could be misinterpreted to mean this is a done deal as is.
O2 must be glad they made their massive screw up before this came into effect...
It tries to claim jurisdiction over any company that handles the personal data of EU subjects. How exactly do they intend to enforce this over companies that have no physical presence within the EU?
Are these same rules going to apply to the EU, the member governments, and municipalities as well? Of course, collecting that 2% would be just bookkeeping ...
Is it that bad seeing a hot chick again? If I see a hot chick walking down the hall I don't say "repost".
This will take care of your data - it will be safer with USA media corporations when your government hands them over.
I really hope this passes. It'll be interesting to see all the stuff that I thought I'd deleted off Facebook suddenly reappear* so that I can actually remove it permanently.
*Apparently FB doesn't actually delete anything and it's just hidden from the user.
I disagree that this may not go somewhere. It doesn't sound like an opt-in only scheme, and there are different ways of enforcing such things that appeal to large bodies. Even if it was pushed in an unavoidable way at country-level legislation, many groups would find ways of circumventing it if it didn't suit. The reason things work is less to do with it being enforced and more to do with those adopting it seeing it has something in it for them. Many people are behind such ideas, so that's a big plus for many large agencies and businesses etc., since adopting something many are asking for can be very attractive even if the actual
How can the European Commission decide to charge 2% of annual worldwide turnover? Seems a little above their station...
Big fines should go to the users harmed, not the State. A corporate screw-up should be punished, but the money shouldn't be flushed down some bureaucratic hole.
Also - who is responsible for the fine if the breach is due to "off the shelf" software?
This issue is a bit more complicated than you think.
In other news, Facebook, Google, et al. run away screaming like little girls.
The idea is to create a fine that will actually hurt the companies. If they said X% of the turnover in EU, it would just give companies even more incentive (in addition to tax dodging) to claim their profits are actually from somewhere else.
I'm trying to come up with some sort of logical/ethical/economical/whatever reason why the EU shouldn't be able to fine X% of worldwide turnover, but I can't come up with any.
The EU structure is designed explicitly to prevent those pesky citizens from having a voice in how they are to be led. The EU is designed for EU bureaucratic elites to govern what were formerly nations in ways that best benefit EU bureaucratic elites and their financial backers.
This is why the Euro debt crisis is unfolding in its current form. The entire purpose of pouring ever larger rescue funds into keeping the Euro solvent is so that losses can be transferred from banks to taxpayers.
Your input is neither required, nor desired, nor, in fact, even possible.
I have been studying this stuff for a while and I must say there is something good on the way. Some hints, likes, +1:
- It must now be passed through the European Parliament. This might take long (2 years), but Reding is known for pushing things through; after that we have the 2 years of transition period!
- The legislation is very technology neutral, which is good, because it keeps the perspective on the consumer and not on technology. Hence it captures all aspects of cookies, webbugs, flashshit, browser fingerprints etc.
- Opt-in will be the standard (and is the only way it makes sense to me).
- More precise and transparent privacy notices, not something like "we share information only within our group" .... (btw, we are a giant with 5000 companies)
- It might be that the data portability changes the game. If they really adopt formats for export/exchange (which hardly worked in enterprise integration) this can move you from service A to B in theory: weaker lock-ins, more focus on consumer service.
Let's hope!!
Finally some good laws coming our way ...
One of the important rules is "If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter." In other words, merely consenting to a long EULA that involves transference of data isn't enough. There has to be a separate checkbox to allow redistributing data. EULAs that allow one party to change the terms at any time won't qualify, either.
This law simply looks like an empowering of the EU, and giving it the ability to assault companies and organisations. None of which really deals with the issue at all.
This law needs individual assertion. A citizen needs to have the right to have access to their data, and have rights to control it with limited caveats. Only laid out circumstances should exist where someone can hold your data (your employer for example) or government departments (your passport or health records) - and the citizen should have a right to challenge/edit or amend the data. In other cases of data usage (for example on the web, facebook, marketing companies) - citizens should have rights to (at least some of the) money earned from their data, a right to control what is held, and a right to have it removed on request. Where data is misused or abused, the citizen should have a direct route to compensation, with heavy compensation in cases of personal damage, damage to reputation, or so on.
I don't want Viviane Reding to give Facebook a multi-billion dollar fine that gets chucked down the back of the Brussels gravy train; screw that for a game of soldiers, they already lose and waste far too much and abuse too much already. No, screw that, I want my own individual rights brought back in line so I at least have a recourse in all cases in terms of my data.
I believe that re-establishing the basics, and allowing a person to talk to an org with laid out and clear rights, is a fair re-establishment of a status quo that's been blitzed for too long. I don't want or wish for the EU to gain powers for itself in my name, and to load up taxes and businesses for its own benefit.
All fines and reparations should be between the individual and the company that makes or causes the breach; government should not get its foot in there handing out red tape and crippling laws for its own benefit and empowerment.
Everyone wants to be secure... no question. However, where do the fines go? To the government? This will just cause a 2% hike in all products and services. Companies factor these costs into their prices. Enjoy the increased cost of goods to pay for more political power... no scandal here people, move along. As far as fines and damages are concerned, the majority will not go to users or states; they will go to the class action lawyers and governments.
The 24-hour security breach notification and stiff fines sound like a good idea. Punishing abuses, fraud, and negligence is one of a government's primary responsibilities. I'm also for forcing companies to disclose more information that potentially involves harming people (loss of private data, pollution, etc.). I'm not such a big fan of the mandatory officers and inspections. If you make the penalties big enough and force them to own up to their failures, companies will determine how to achieve adequate levels of protection on their own. As always, companies/people will follow the incentives/disincentives.
"By using our service, you agree to having your personal information stored outside the EU..."
Who then handed it over by the request of the US company to get the data.
Habeas Corpus.
There is also the little problem that McKinnon never entered the USA; the US DoD sites let him in, and EVERY SINGLE hacking law would be neutered (as well as every single copy protection) if this were considered "safe transfer". After all, YOU didn't copy the movie, Microsoft (via their US program called "Windows") did. YOU didn't hack into the Amazon website, they let you in. You didn't spam someone, they accepted your data. And those Chinese hackers? Completely legal to break US stuff in China.
If they offered citizenships overseas for, say, $100 a year, the additional rights and privacies would more than pay for the fee - and maybe get you out of NDAA Gitmo without passing Go.
Money: US
commerce: US
society: US
art: US
sex: Europe
the poor: US
the rich: US
military: US
environment: US
privacy: Europe
citizen rights and restrictions: US
punishment: US
education: Europe
transport: US
sport: US
patriotism: US
police: Europe
tax: US
If a company is convicted of capital crimes then all the CxOs and the board of directors are blacklisted from being involved with a company, AND IT SHOULD BE A FELONY FOR A COMPANY TO ATTEMPT A HIRE for a period of 10 years. I would say that the execs being PERSONALLY on the hook should work.
As much as people seem to clamor for various forms of privacy protection, the data shows they only care about it when prompted with questions. People are readily willing to give up privacy for small rewards and don't want to bother with the various protective measures already in place. There is nothing any law can do to really enforce data privacy when consumers don't find that privacy valuable enough to vote with their feet or use existing privacy controls.
There are really two types of 'privacy' (often it's more about public but not readily discovered information) violations possible.
1) Security breaches by hackers or data theft by employees.
2) The sharing of personal data with institutions/people the user would object to viewing that information.
There is little regulation of companies can do about hackers or data theft (perhaps government-supported security information/response/prosecution centers could help). Sure, you can fine companies for data breaches and force publication, but this creates an unfortunate incentive for companies not to discover security breaches. A well-designed law would impose increased penalties for breaches exposed by outside agencies, e.g., law enforcement, but even this law would create incorrect incentives for the current executives, whose interests are still likely to be to reduce spending on discovering breaches in the hope that the bad news won't come on their watch.
Besides, I'm highly skeptical that poor security would be remedied by even larger financial incentives.
It's not even clear if such remedies are even desirable. A better law would simply demand appropriate compensation for people harmed by leaked credit cards and the like and leave it up to the companies (and consumers) what level of security is appropriate. Sure, we would be much safer if we replaced credit cards with fancy cryptographic two factor authentication but the costs in convenience and money would far far exceed the costs of making people whole from credit card theft.
This leaves the 2nd issue. The problem here is that the difference between desirable functionality and privacy violations here depends on the user's preferences. Does the user value getting to see free TV episodes more than the cost of having their viewing history shared with advertisers? What about discounts on medical products for similar sharing?
Sure, the law can require all sorts of consent and legal hoops to jump through but as long as people view actually making these calls as too burdensome to warrant real thought/action all you end up with is annoying privacy policies and click through agreements no one reads.
While popular with voters who think they care about privacy as long as they aren't willing to seriously consider it in their consumer choices (evaluating for themselves how seriously a company is committed to protecting their information from inappropriate revelation) such laws are likely to impose more burdensome regulatory costs than benefits to the consumer.
The rules proposed seem quite reasonable, and if you can't be bothered to secure my data, then I don't want you in business in the first fucking place.
It's not the rules that will be unreasonable. They'll sound like peace, motherhood and apple pie which nobody could possibly object to.
The problem will be the inevitable requirement to maintain a metric shedload of paperwork to prove you've followed every last fucking detail of the rules, including the ones that are self-evidently inapplicable to your situation, or make no technical sense... If you work for an organization, make that the imperial shedload of paperwork to prove that you've adhered to your Data Protection Officer's ultra-cautious over-interpretation of the rules (and/or the ones who your IT manager hypes up to ensure that he gets a pay raise for added responsibilities). Be assured that the detailed rules will be so complex and open to interpretation that if you do get investigated the auditors will find something wrong.
Of course, that only affects the conscientious people that you would like to do business with (and then screw up because they were too busy filling forms to actually attend to their systems). The real cowboys know how to dodge and weave and will probably ignore the law, find loopholes or just plain lie on their paperwork.
Why isn't the US doing it? It has a far larger foreign debt. The EU is not insolvent in any respect of the word. Greece is not representative of the EU.
All this talk of fining a company 2% of its worldwide revenue is fine up to a point, but the point is: how do you fine a group that gives its product away for free? Take FreeBSD (please) as an example. If they do not have a source of revenue, in other words they have a $0-based ROI, how can you fine them? Do you go after the individual authors and developers?
I'm sure our politicians would like to erase their timeline as well...