A recent article by PCWorld proposed a bill of rights for digital consumers. Many of the rights focus on reasserting control over how companies manage and use our personal data and digital assets.
Key suggestions include the following:
- reasonable protection of your data and digital assets, with compensation for their loss or theft
- a right to ‘quit’ a service, allowing you to transfer your data to another provider
- a ‘right to know’ what is being done with your data, informing you about whether it is being shared with or given to third parties (such as governments or companies).
A common way that companies communicate these terms is through privacy policies. Sadly, privacy policies are often convoluted and unclear. Even if you plough through the legalese, you are rarely in a position to renegotiate terms anyway. If you don’t agree, you can’t use the service, and that’s that.
The thing to note here is that this PCWorld article was written from a US perspective. It struck me how many of the rights suggested already exist, or are at least on the horizon, in Europe.
Privacy and data protection in the EU today
Probably the most important information privacy legal tools in the EU are the EU Data Protection rules, the 1995 Data Protection Directive (DPD) and the amended 2002 Privacy and Electronic Communications Directive (PECD).
These include comprehensive rules for public and private bodies on access rights, user consent, data minimisation requirements and many good governance obligations on data controllers.
Enforcement of these rights is through adjudication of the European Court of Justice. In the UK, that’s the job of the underfunded Information Commissioners Office.
Broader privacy protections exist within the European Convention on Human Rights and EU Charter of Fundamental Rights.
It is true that new technologies can often challenge, and even frustrate, established legal norms, but at least we have a comprehensive system of rules in place.
For example, the growth of online connectivity, networked services and ubiquitous computing has seriously challenged pre-internet definitions of consent and personal data in the Data Protection Directive (DPD).
Advisory Article 29 Working Party does indeed provide EU Member States with some guidance on data protection law compliance in new online technologies, like behavioural advertising, but it of course required wholesale reform of the pre-existing DPD.
Last month, the EU Commission released their draft data protection reforms. And what is notable is that the Data Protection Directive has been replaced with an EU Regulation. This harmonisation measure means the law, if passed, will be enforceable across all 27 EU member countries, unlike a Directive that has to be adopted into national law by each country.
The shiny new law will introduce pro-consumer rights including a broader interpretation of what data is personal, demand ‘explicit’ consent for data processing, develop a right to be forgotten, a right to object to data profiling and require greater portability of electronic data.
Plus, in respect of data loss, there are new 24-hour data breach notification obligations.
So for consumers, this law provides rights that are fit for the internet age. Industry and government might however regard them as creating a bigger burden. These higher standards may impact US companies involved in marketing services, like cloud computing, to EU customers.
The new higher standards will likely also expose further inadequacies in the voluntary “US-EU Safe Harbor program”, when EU personal data is processed in the US.
EU head and shoulders above the US
In the US, the Data Protection picture is more fragmented, with use of industry self-regulation, sector-specific standards (for finance, children rights, federal bodies and healthcare), and state-level rules. Broad constitutional privacy protections in the Fourth Amendment exist too.
The US Federal Trade Commission plays an enforcement role, has privacy guidelines, and pushes initiatives like Do Not Track for online marketing.
But there is no single body with a sole data protection focus in the US.
And perhaps European consumers should be really thankful for the comprehensive standards of data protection. Although not perfect, it is head and shoulders ahead of what the US is currently offering its residents.