European Commission calls for single privacy law in wake of PRISM snooping

Filed Under: Featured, Law & order, Privacy

Padlock image courtesy of ShutterstockEurope needs new cross-national data protection laws in order to restore trust in the data-driven economy.

That's according to Viviane Reding, vice president of the European Commission and EU commissioner for justice.

Speaking to delegates at the European Data Protection Conference in Brussels, she said:

Trust in the data-driven economy, already in need of a boost, has been damaged. This is a source of concern because of the potential impact on growth. Collected, analysed and moved, personal data has acquired enormous economic significance. According to the Boston Consulting Group, the value of EU citizens' data was €315 billion in 2011. It has the potential to grow to nearly €1 trillion annually in 2020.

Trust has been lost

Reding said that restoring trust and growth were both imperative and that they could be delivered at the same time through the European Union's data protection reform. This, she said, "will restore the trust of EU citizens by putting them back in control of their data" and, secondly, will, "boost growth through opening the European Union's market in data."

"Trust has been lost in all these spying revelations. They are particularly damaging for the digital economy because they involve companies whose services we all use on a daily basis," she said.

Reding acknowledged that PRISM, the US data gathering surveillance program, had a large impact on the erosion of trust but noted that:

Trust in the data driven economy began to fall long before the first NSA slides were published. The data protection reform proposed by the Commission in January 2012 provides a response to both these issues: to Europeans’ concerns about PRISM as well as the underlying lack of trust.

Using cloud computing as an example Reding said, "trust is bankable," as she detailed how American spying revelations had left 56% of the respondents to a Cloud Security Alliance survey declaring hesitance to work with any US-based cloud service providers.

"The Information Technology and Innovation Foundation estimates that the surveillance revelations will cost the US cloud computing industry $22 to $35 billion in lost revenues over the next three years," she said, whilst making the point that EU cloud providers, operating under a higher standard of data protection, would be able to deliver a much more compelling selling advantage.

Safeguarding data protection

Reding said that such figures highlight the need for change in European governments' approach to data protection and she drew attention to safeguards that the Union can employ:

First, territorial scope. The Regulation makes clear that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full. European rules should apply from the moment of collection to the moment of deletion of the data.

Second, international transfers. The Regulation establishes the conditions under which data can be transferred from a server in the EU to a server in the U.S. It is the transfer of data outside the EU which brings it within the reach of the NSA.

Third, enforcement. The new rules provide for tough sanctions (up to 2% of a company's annual global turnover) to make sure that companies comply with EU law. At the moment, when confronted by a conflict between EU and foreign law, foreign companies have no reason to hesitate. In future, they will think twice.

Fourth, processors. The Regulation includes clear rules on the obligations and liabilities of cloud providers who are processors of data. As PRISM has shown, they present an avenue for those who want to access data.

Reding also made the point that current data protection regulations are overly bureaucratic in nature and need simplifying into one set of rules that would be consistently applied across the region.

She noted how a company that trades in all 28 Member States may have to navigate and comply with 28 different laws, some of which are both long and complex. In Germany, for example, their own interpretation of EU data protection law is some 60 pages in length.

[If you] take those 60 pages and multiply by 28 Member States. Then you'll get an idea of what the term 'regulatory complexity' means in practice. A mountain of red-tape which has an enormous cost.

Proposals to reform data protection rules within the European Union have been debated for the last two years. Now, perhaps, an accord will be struck between Members as they look to protect citizens from unwanted surveillance.

Image of padlock courtesy of Shutterstock.

, , , , ,

You might like

4 Responses to European Commission calls for single privacy law in wake of PRISM snooping

  1. stevansky · 711 days ago

    For all the hoopla and furor vented over the NSA I find the access and control over our digital devices and personal information that we grant to apps every day just as unsettling. How many take the time to look over the list of permissions you are giving an app when you install it? Things like access to your personal information, coarse and fine location based on your network and GPS, your accounts, storage, hardware controls, device calls, system tools. I swear some of these apps have more control over my device that I do myself! And I've begun deleting some of them for this very reason. We shouldn't have to accept all this pilfering every time we install something. Apps should be required to give you an option to "opt out" of any or all of this garbage.

  2. Larry Marks · 709 days ago

    When I was invited to upgrade the "free" NavFree maps in my Android phone, I was notified that they now want access to my contact list. Guess I will stay with the old maps for a while.

  3. Andrew · 709 days ago

    Stevansky, I agree with you mate !

  4. John Smith · 708 days ago

    Stevansky and Andrew - if you're technically inclined I highly recommend looking into Android package 'PDroid' - its got several variants, and is basically the highly-flexible app-level security. Instead of denying apps access to data on your phone, it gives them falsified data so they can keep on functioning correctly. For example, if an app that you dont really trust wants your Identity and Phone Number, you can tell PDroid to report to that app that your Identity is "John Smith" and your Phone Number is "0123456789".
    Other Android security suites have tried just denying access to these details when apps request them, but this has the unfortunate side-effect of causing a lot of apps to crash when they get "Access Denied" on a functional call they're expecting to return some details - PDroid avoids this issue by delivering false data to the app.
    At the moment - it's unfortunately non-trivial to install, and you will need a rooted phone, so as a said right at the start of this comment, it's for the technically inclined only :)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.