EU Parliament Almost Unanimously Passes New Data Protection Legislation
Headline: Today, the European Parliament passed the EU’s first major overhaul of data protection legislation since 1995. The parliament also approved a resolution calling for the suspension of the Safe Harbor agreement with the U.S.
I’m busy reading detailed analysis from Gigacom with numerous useful links on this legislation and its probable impact.
Assuming the legislation is upheld, my initial thoughts are that it will create major challenges for the many firms whose free, innovative offerings are funded by advertising. It will also create operational and policy issues for multinational companies based outside Europe but operating there. Notwithstanding the business and operational issues this legislation raises, it will be a good thing for individual control of personal data and for privacy if it leads to more use of Privacy by Design in products, preventing abuses from occurring in the first place, with regulatory intervention when still necessary.
It will be difficult for companies such as Facebook and Google to comply with this legislation and still maintain their profitability under existing business models. To date, these companies have to some degree been fighting delaying actions against serious privacy reforms. Under the new European legislation, they won’t be able to risk the fines they could face if they paper over privacy issues with inscrutable policies and legalistic defenses. Privacy must become the default setting, not the complex exception.
The bottom line is that these two U.S.-based tech giants, and other large online services, need to start thinking seriously about how they will embrace privacy concepts such as personal data collection minimization, opt-in, informed consent, purpose specificity and the right to be forgotten.
On the downside, it will be difficult for U.S.-based global companies that had been operating under Safe Harbor and following arguably reasonable practices, such as maintaining a single directory of users and computers in a Microsoft Active Directory forest so that their IT environment can be managed coherently. However, many such companies already run separate HR operations in each country in which they operate, so the precedent exists for what is, in effect, identity federation: each region keeps its own directory and its own copy of personal data, and cross-region access is granted through trust relationships rather than by replicating user records into one global store. I recommend identity teams at such companies start drawing up plans for “de-forestation” and operate instead using a federated model, whether with Active Directory Federation Services (ADFS) or third-party identity federation services.
Last (for now) but not least, we must acknowledge that privacy-friendly concepts such as personal data collection minimization, opt-in, informed consent, purpose specificity and the right to be forgotten can be operationally challenging. My favorite example is this: suppose a customer has bought a product from an online service, and delivering that product depends on access to his email address. Then suppose the service provider receives an automated notice to delete that customer’s contact information. This would put it in a difficult position: honoring the deletion would break the purchase it is obliged to fulfil, while ignoring it would mean disregarding a deletion request.
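The scenario above is exactly where purpose specificity earns its keep: if every stored field is tagged with the purposes (and legal bases) that justify holding it, an erasure request can be answered mechanically rather than by a panicked judgment call. As an added example, not code from the original post and not anything Facebook, Google or any other named company runs, here is a small Python model of that rule. The `Purpose`/`Record` data model, the legal-basis vocabulary ("contract", "consent", "legal_obligation"), the sample customer and the dates are all assumptions made for illustration; the request itself is treated as withdrawing consent, while contract and legal-obligation purposes keep a field alive until they expire, and a field that was collected with no purpose at all is flagged as a data minimization failure and erased.

```python
"""Purpose-bound erasure handler (added illustrative example, not from the original post).

Assumptions: the legal-basis vocabulary, the data model, the sample customer
and the dates below are all constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Purpose:
    name: str
    legal_basis: str          # assumed vocabulary: "contract", "consent", "legal_obligation"
    expires: Optional[date]   # None = open-ended until the basis lapses (e.g. consent withdrawn)

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires


@dataclass
class Record:
    field_name: str
    value: str
    purposes: List[Purpose] = field(default_factory=list)


@dataclass
class ErasureResult:
    erased: List[str] = field(default_factory=list)
    retained: Dict[str, str] = field(default_factory=dict)  # field_name -> reason it was kept
    no_purpose: List[str] = field(default_factory=list)     # collected without any purpose
    remaining: List[Record] = field(default_factory=list)   # what the service may still hold


def handle_erasure(records: List[Record], today: date) -> ErasureResult:
    """Answer a right-to-be-forgotten request against purpose-tagged records.

    The request withdraws consent, so consent-based purposes stop counting at once.
    A contract or legal-obligation purpose that is still active keeps the field,
    and the reason is recorded so the customer can be told why it was retained.
    """
    result = ErasureResult()
    for rec in records:
        if not rec.purposes:
            # Minimization failure: nothing justified collecting this in the first place.
            result.no_purpose.append(rec.field_name)
            result.erased.append(rec.field_name)
            continue
        blocking = [p for p in rec.purposes
                    if p.legal_basis != "consent" and p.active(today)]
        if blocking:
            result.retained[rec.field_name] = "; ".join(
                f"{p.name} [{p.legal_basis}] until {p.expires}" for p in blocking)
            result.remaining.append(rec)
        else:
            result.erased.append(rec.field_name)
    return result


def sample_customer() -> List[Record]:
    """Constructed sample data for the post's scenario: the e-mail address is needed
    to deliver a purchase until 30 June 2014, and was also used for a newsletter."""
    deliver = Purpose("deliver purchased product", "contract", date(2014, 6, 30))
    newsletter = Purpose("newsletter", "consent", None)
    return [
        Record("email", "customer@example.com", [deliver, newsletter]),
        Record("postal_address", "1 Example Street", [newsletter]),
        Record("phone", "+1 555 0100"),  # no purpose was ever recorded for this field
    ]


def handle_erasure_on(iso_date: str) -> ErasureResult:
    """Run the sample customer's erasure request as of a given ISO date."""
    return handle_erasure(sample_customer(), date.fromisoformat(iso_date))


if __name__ == "__main__":
    for day in ("2014-03-12", "2014-07-01"):
        r = handle_erasure_on(day)
        print(day, "erased:", r.erased, "retained:", r.retained, "no purpose:", r.no_purpose)
```

Run before the contract expires and only the e-mail address survives, with a recorded reason; run after it expires and everything goes. The point is that the retention decision is data-driven and auditable, which is what turns the post's "difficult position" into a routine operation.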
So, let’s not be “Privacy Crazies”, let’s be “Privacy by Design Ambassadors.” As Dr. Ann Cavoukian likes to say, “privacy breeds innovation” and “we need positive-sum solutions.”