Europe to issue tough new data-protection rules soon
MUNICH/PARIS (Reuters) - The European Union will propose tough new rules in the coming days on how corporations handle Internet users' personal data, a long-awaited move that could have far-reaching implications for Web giants such as Google Inc and Facebook.
Viviane Reding, vice president of the European Commission, said in a speech on Sunday that the new data-protection legislation was needed to protect users and cut red tape for businesses in Europe.
"Only if consumers trust that their data is protected will they entrust companies with it ... We need individuals to be in control of their information," Reding said at the DLD conference of tech industry leaders in Munich.
But Reding also emphasized a need to simplify Europe's approach to online data protection, arguing that the current system was too cumbersome and costly for business.
"In Europe we have too many rules, conflicting rules," she said. "The extra cost to business of this fragmentation is 2.3 billion euros ($3 billion) a year."
Europe's new data-protection rules are expected to be issued on January 25.
The EU regulation will need to be approved by national governments, some of which, such as France and Germany, may resist seeing their oversight on privacy matters shift to Brussels.
The legislative process is likely to take at least two years, so the rules could still change considerably. Internet companies will not be required to comply before 2014 or 2015.
The new rules come amid widespread change in how people use the Internet. Social networks such as Facebook and LinkedIn have attracted nearly a billion users, while so-called cloud computing services, which allow businesses and people to stock data on distant servers and access it anywhere, are going mainstream.
The questions of who owns such data, to what end companies can use it and for how long remain major issues of debate among Internet firms, governments and consumers.
Facebook, the world's largest social network, has been investigated by U.S. and European regulators for its treatment of user data and privacy policies. In November, it signed a settlement with the U.S. Federal Trade Commission that will subject it to 20 years of independent audits, and it recently signed an accord with Ireland's privacy regulator on how it treats international users' data.
There has also been a series of high-profile breaches such as one at Sony Corp's online videogame network last year in which hackers stole the data of some 77 million users.
According to a draft obtained by Reuters, the EU proposals would bolster significantly regulators' powers on fighting data-protection breaches, requiring companies to notify regulators when data has been stolen or mishandled.
The proposals also give member states new powers to fine companies up to 1 percent of their global revenues for violating EU data rules. The Financial Times reported in December that the rules would allow for fines up to 5 percent of global revenues, so the EU may have reconsidered its approach since then.
The proposals grant broad, new rights to individuals, including a so-called "right to be forgotten" that would allow people to request that their information be erased and not disseminated online.
The rules also create a "right to data portability" to ensure that people can easily transfer their personal information between different companies or services.
Such rules could force social networks to change the way they handle users' data.
In written comments submitted to the EU last year, Facebook expressed concerns that the EU's approach in some areas was too proscriptive for the fast-changing world of the Internet and urged caution on proposals for stiffer sanctions.
"There is a risk that an excessively litigious environment would impede the development of innovative services that can bring real benefit to European citizens," the company wrote.
Participants at the DLD conference were also divided about coming EU changes.
Stefan Gross-Selbeck, CEO of Germany's professional social network Xing, said his company was still subject to harsher rules than its U.S. counterparts.
"I appreciate the EU commitment to create a level playing field in Europe ... But the regulation that Facebook's founder Mark Zuckerberg is subject to is nothing compared to what I'm subject to."
Chris Poole, founder of the online community 4chan that is a haven for hackers, welcomed the prospect of even tougher enforcement on companies that mishandle users' data.
"I would love to see some regulation that would hold Sony responsible," he said, referring to the PlayStation data breach last year. "They deserve to be punished." ($1 = 0.7740 euros)
(Additional reporting by Claire Davenport and Justnya Pawlak in Brussels; Editing by Dale Hudson)