EU takes on Internet giants

The European Union is set for a major confrontation with global Internet giants over plans to give Web users greater control over personal data online.

But is it too late, and is the genie already "out of the bottle," as one tech expert says?

Proposals to make it easier for people to have personal data erased from the Web are at the center of the clash, which pits the EU and privacy-conscious citizens against Internet firms eager to monetize personal data to the greatest extent possible.

European Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding vows that forthcoming reforms will mean "people shall have the right - and not only the possibility - to withdraw their consent to data processing."

This so-called "right to be forgotten" is likely to put the EU in conflict with firms like Google and Facebook, who have already refused to sign a charter to the same effect in France. In the Czech Republic, the debate comes on the heels of a privacy dispute with Google about their Street View program, one that was settled in June with Google agreeing to simplify complaint procedures for those who feel their image or data was unfairly captured and distributed.   

Google and Facebook are pushing for self-regulation and trumpeting their right to freedom of expression, but the European Commission (EC) does not want these sites to have the final say.

While acknowledging privacy should be balanced with freedom of expression, Reding insisted she "could not accept individuals having no say over their data once it has been launched into cyberspace."

As the debate will reach a full-boil in the coming months, some experts are skeptical that the EU will be able to compel massive Internet companies to follow new rules.

"If Google, Facebook, Microsoft and Apple, et al, simply say 'no,' what is the EU going to do?" asked Kevin Townsend, a UK-based technology writer and the former founding editor of global technology news site ITsecurity.com. "Some of these companies are, financially, as big or bigger than some EU nations. They could and should be responsible for removing personal data, but they won't do it."

The proposals now being drafted update the EU's 1995 Data Protection Directive are to be submitted for debate and adoption within six months, Reding's spokeswoman Mina Andreeva confirmed.

Andreeva said the EC was still assessing different possibilities with a focus on "enhancing individual rights," including how to make it easier for someone to "have his or her personal data corrected, blocked or erased."

She pointed out that the existing rules do provide for citizens to seek the removal of certain data, but that "in practice it is difficult for an individual to enforce this right."

This is because the burden of proof currently rests upon the individual to prove the need to change or remove the data, a situation the EC now wants to reverse so firms would have to justify why they are holding on to the data.

The EC also wants to prevent international companies from sidestepping the new rules, with Reding insisting "there will no longer be any possibility for data controllers outside the EU to have a 'free ride' when operating in the EU."

This pits the EU directly against major Internet firms, many of which are based in the United States, where giving priority to freedom of expression is the norm.

While Americans do have some control over how certain kinds of data - like credit history - are handled, there is no overall data protection law in the United States. Moreover, Internet firms have been free to play by their own rules since self-regulation was first recommended by the Clinton administration for the emerging e-commerce sector in 1997.

Self-regulation

For its part, Google insists users are free to govern the data they provide for the company's own products but is less forgiving about data that turns up in Google searches. Jana Zichová, a spokeswoman for Google CR, said the company has "always believed users own the information they entrust to us."

She pointed to Google Dashboard, the company's latest privacy feature that allows users to manage all the data associated with different Google services they use on one page.

As for search results, however, Zichová said it was important to remember most data involved is not published by Google.

"Like the index of a book, Google search helps people find information written elsewhere," she said, adding it is Google's view that individual site publishers should have "responsibility for respecting the rights of the people involved."

Jakub Michálek, head of administration of the technology-oriented Czech Pirate Party, said his party supported both principles of data protection and freedom of expression.

He told The Prague Post the Piráti believed "the right to oblivion of information published online cannot be universal," citing public records as an example of data that should remain available.

However, Michálek said that in the case of social networks like Facebook, where "information is not public and the user has been assured that he or she can set the privacy settings," the sites should not be allowed to use that data publicly without consent, and users should be able to delete data at any time.

Michálek defended the position of search engines in the row, pointing out they "only transfer data and do not decide what data should be displayed."

He also said he believed the EC was exercising double standards by allowing governmental agencies greater freedoms under the 2006 Data Retention Directive, allowing them to keep personal details for up to two years and for police to obtain the content of e-mails and text messages with a court order.

For his part, Townsend believes that any new EU regulations will simply be a case of too little, too late.

"Huge international companies already have a business model built on the acquisition and sale of personal data, ultimately for marketing purposes," he said. "The genie is long out of the bottle and can't be put back now."

Townsend went as far as to suggest Google could "vanish in the EU" if it were unwilling to comply with the right to be forgotten and the EU was determined to enforce it.

While cautioning it was too soon to say which controls would eventually be adopted, Hana Štěpánková of the Office for Personal Data Protection said she believed the reforms would be characterized by the principles of "privacy by design, responsibility and accountability."

Štěpánková added she and the other members of the 47-state Council of Europe's data protection advisory group were considering new piracy controls as well.

- Klára Jiřičná contributed to this report.

Bill Lehane can be reached at
blehane@praguepost.com