Internet giants such as Facebook and Google could soon be forced to reveal more to European Internet users about what they are doing with personal data.
On Thursday the European Commission published a proposal that paves the way for stricter data protection rules. Under the Lisbon Treaty, adopted last year, legislation can now be applied on an EU-wide basis, giving the Commission the power to crack down on social networking sites and other Internet companies that gather user data. Currently, data protection policies are often unclear, non-transparent and not always fully compliant with existing rules, said the Commission.
Data managers should ensure that individuals are kept clearly informed about how, why and by whom their data is collected and processed, according to the Communication on Data Protection. Citizens should also be told how long their data will be kept and how they can change or delete their data, it says. The aim of the new proposal is to increase transparency for citizens, said a Commission spokesman.
The Data Protection Directive was adopted in 1995 and has been widely criticized as being extremely out of date. Thursday’s communication is based on two years’ effort to take into account technology developments over the past 15 years.
If adopted, the new rules will require Internet companies to get consumers' explicit consent before downloading their personal data. This will have enormous implications for social networking sites such as Facebook.
The Commission has already received complaints about Facebook’s privacy policy, as user profiles do not disappear for good when deleted and can be reactivated. This has led to fears that the data could still be used by the company. The Commission referred to this concern saying that consumers should have a "right to be forgotten" and that should be able to rely on the service provider to remove personal data, such as photos, completely.
This week Facebook told U.S. lawmakers it had taken steps to prevent the sharing of personal information about users, including temporarily suspending certain applications from its site.
A second aim of the new proposal is to harmonize legislation across the E.U. This could have implications for companies such as Google, which was found guilty of breaking British privacy laws on Wednesday. U.K. authorities found that Google illegally collected data from personal wireless networks as part of its StreetView application. France, Germany and other countries are continuing to investigate, but new legislation could see the company investigated on a pan-European level.
Some business groups have already raised concerns about how this will affect companies operating in the E.U.
The proposal also wants websites to more clearly inform users how their Internet use is being monitored for the purposes of behavioral advertising and to strengthen procedures for international data transfers. Under the so-called "adequacy procedure," the Commission verifies that a third country provides an adequate level of protection of personal data.
A public consultation on the proposals will take place until January 15 via the Commission website and legislation will be proposed later in 2011. The Commission is also reviewing the 2006 Data Retention Directive which was adopted to harmonize member states’ different laws on data retention.