Forget Me Not?

Europe is hot in the headlines with its proposed way to significantly reduce the risks associated with storing old data: One-Size-Fits-All and Forget It! According to ZDNet, here are a few highlights:

One regulation, less fragmentation

The current Data Protection Directive had to be implemented into the legal system of Europe’s 27 member states. This led to all countries having the same framework, but some legal systems having stronger and more protective rules than others. Germany’s data protection laws have the same elements as every other European country, but are far stricter than the ‘lenient’ UK’s laws, as an example.

The new Data Protection Regulation is a ‘one-size-fits-all’ legal instrument, and removes the need for member states to interpret the laws. It also makes way for better cross-border data transfers between European countries, and will save around €2.3 billion ($3.1bn) each year in ‘administrative’ costs. The new Criminal Justice Directive will cover all matters pertaining to law enforcement, investigation, detection, or prosecution of criminal offences.

Right to be forgotten

This one is a tricky one, and details are still yet to be finalised. This ‘pet project’ of the European Justice Commissioner, Viviane Reding, will in effect allow European users to wipe their online slate clean. It will allow users to have their photos, details, and other data removed from websites, social networks, and search engines.

Users will have the right to demand that data held on them be deleted if there are “no legitimate grounds” for it to be kept. This includes if a user leaves a service or social network, like Google or Facebook, the company will have to permanently delete any data that it retains. Search engines will also have to comply with this rule. The practicalities of search giants like Google complying, which has already warned that this may harm innovation, remains unclear.

ZDNet's Zack Whittaker also summarized what US businesses need to know in terms of the far-reaching effects:

A European Commission spokesperson confirmed to ZDNet that the proposed measures are “focused on younger people”, particularly teenagers, students and young adults, in a bid to “protect the consequences of putting photos and other information on social network websites”. It does not guarantee the right to have data held by local and European law enforcement agencies deleted, however.

But the proposed “right to be forgotten” laws have already been met with harsh criticism from the wider Web industry. It will create a right that will not only be difficult to implement, but could have a detrimental effect on the use of the Web in Europe. Sheryl Sandberg, Facebook’s chief operating officer, gave an insight on what the wider argument could be amongst businesses and European regulators. While Web companies provide employment and spur on economic growth — such as seen with Facebook’s impact on the European economy — governments should not get in the way.

The Sony breach is a reference point for this, particularly because of the impact level it had on consumers and businesses alike:

Businesses are expected to lobby heavily for amendments that benefit them, and reduce the long-term workload that would be expected as part of the new Regulation’s finer details. Details of data breaches — something every company will have to deal with at some point — also takes a high standing in the Regulation. Since the Sony breach, where over 70 million user accounts were hacked, Europe is responding by enforcing a “24-hour rule”.

“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’,” Reding said in a speech earlier this week.

But should a company not be aware of a hack, a breach, or a data loss for 24 days, let alone 24 hours, it applies more pressure on companies to be aware of their own internal security matters and data protection policies. Businesses will have a two or three year grace period with compliance, but nonetheless, the European data reforms are sparking a global shake-up.

We'll be watching this one closely...