March 17, 2014
On 12.3.2014 the European Parliament (EP) Plenary Session adopted stricter rules upon the protection of personal data. The reform comes to address a string of obsolete rules dated back to the 1995 Directive regarding the protection of personal data on commercial transactions and on the web, leaving though some space for further considerations.
Amidst the most important amendments is the data transfer to non-EU countries, the amount of the deterrent fines, and the better protection on the internet. Regarding the first one, from now on any firm should inform, apart from the national authority of personal data of each member-state, the person concerned of the request. In practice, this means that whenever a company, a social media business or any service provider wants to collect personal data for commercial purposes, it should first get in contact with each one of the EU citizens.
The second amendment refers to the fines that firms should face whenever they breach this rule, which comes up to €100 million, or up to 5% of their annual worldwide turnover. The proposition of the European Commission (EC) was much lower regarding this issue (i.e. € 1 million or 2% of global turnover), but the proposition of the EP finally passed.
The third amendment refers to the online protection of personal data, where it was given the right to EU citizens to erase personal data or to limit profile aspects linked with the prediction of a person’s performance at work, economic situation, location etc.
These were the major fields that the reform tightened up the existing legal framework. Notwithstanding, there are at least three major concerns that have not been elaborated during the Plenary session of the EP:
1. How an EU citizen could erase personal data from the internet?
2. What has been done with the personal data already acquired during the previous years from commercial firms?
3. Why the EC has proposed a lower fine given the gravity of the issue?
None of the above questions find clear answers, especially given the preliminary character of the amended rules -which are to be ratified and further elaborated after the composition of the next EP.
Regarding the first concern, there is no prediction on how someone could erase personal data online. Thereforie, and for the time being, EU citizens data is accessible to firms, and protection remains an empty letter.
Regarding the second concern, it is certain that all data that has been gathered the previous years remain at the disposal of commercial firms. The one thing that is guaranteed is that during the semester following the EU elections on May, all personal data will be somehow thawed until further notice.
Regarding the third concern, the EC has endeavored to lower the fines of the firms breaching the law under the wider framework of the necessary amendments that need to be made in the field of industrial espionage, online criminal recording, and preliminary investigations. The proposal of the EC is possibly driven by the same rationale, that is, from the same purposes that are intended to be brought in debate regarding adjacent regulations tapping on online spying.
It is of our firm belief that the debate over the protection of personal data should be enriched and elaborated more eloquently and precisely. In this respect, our latest poll in Bridging Europe unveils the deep concerns of the EU citizens, that still feel no protection regarding the existing legal framework against impoper use of personal data.