EU to Update Data Privacy and Protection Rules
Specifically mentioning consumer data usage for behavioral advertising, a European Commission official told a U.S. business audience that rules governing data privacy and security are outdated.
Specifically mentioning consumer data usage for behavioral advertising, a European Commission official told a U.S. business audience that rules governing data privacy and security are outdated.
A data protection rule overhaul is in order, according to a European Commission official who spoke at the American Chamber of Commerce to the European Union today. Specifically mentioning consumer data usage for behavioral advertising, the Commission’s VP responsible for Justice, Fundamental Rights and Citizenship, Viviane Reding, told an audience in Brussels that rules governing data privacy and security are outdated.
“Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will,” she said, according to a copy of her speech posted on the EU website. She also said users must be allowed “informed consent” to the use of their personal data. However, while she stressed the need for updated data protections, she indicated a willingness to consider industry self-regulation as a means of enabling them.
In her newly-created role, Reding said it is her job to enforce fundamental rights including personal data protection and privacy, as established by the EU Charter. Her speech was given before an audience of U.S. companies doing business in Europe.
“[I]n the summer I will launch a public consultation on various longer-term possibilities, including an optional European contract law regime that would be based on a high level of consumer protection,” she said. She said the “makers and users of new technologies – the ‘merchants of data’ – will benefit from a consistent set of rules for 27 countries.”
Reding made a point of discussing online behavioral advertising, noting, “online operators use behavioral advertising to create profiles of users’ online activities to better target them with advertising.” She said the EU’s “data protection principles say that peoples’ emails and online activity can only be used this way if individuals are fully aware of the use and they do not object. So we need rules that make the obligations for respecting privacy rights very clear.”
In her speech, Reding made no distinction between aggregate data or non-personally-identifiable data and personally-identifiable data. Online ad firms often argue that the data they store and employ for ad targeting is not personally-identifiable.
In addition to control over online data, Reding said, “Users must have informed consent to use of their personal data. In practice, that means working to avoid ambiguous and confusing information or the absence of any real information.”
Reding also indicated a willingness to consider industry self-regulation as complementary to EU data rules. “Anyone who works with the internet knows that users’ confidence is paramount. That is why industry self-regulation could work well in this area to complete the existing rules. I am considering this approach as a way to have codes of conduct, the incorporation of ‘privacy by design’ principles and more use of Privacy Enhancing Technologies. I will study whether we can cut unnecessary red tape when existing rules are applied,” she said.
As the EU gears up to tackle new data privacy regulations, companies operating in the U.S. are girding for more data privacy rules here. In addition to an ongoing self-regulatory initiative among a coalition of advertising industry trade groups, draft privacy legislation has been circulated among interested parties and could be introduced as a House bill in the near future.
Follow Kate Kaye on Twitter at @LowbrowKate.