The European Commission launched on Wednesday a bid to make companies, including Internet giants such as Google or Facebook, give people more control of their personal data or be fined up to one million euros. The proposal championed by EU Justice Commissioner Viviane Reding would force all companies to get explicit consent from customers to collect their data, explain how it will be used, and allow users to totally erase their information. Failure to comply could cost a company a fine of up to one million euros ($1.30 million), or two percent of annual turnover.
“Personal data is in today’s world the currency of the digital market, and like any currency it has to be stable and it has to be trustworthy,” Reding told a news conference after the EU executive endorsed her proposal. “Only if consumers trust that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, accept new services,” she said. Citing a survey showing 72 percent of Europeans worry their data may be misused, Reding pressed her case to give people “the right to be forgotten” from the Internet by allowing them to make their data vanish from the web. With each country in the 27-state European Union enforcing its own data protection laws, the legislation would create a single EU law for all nations as well as companies offering services in Europe, even if servers are overseas. This would save businesses 2.3 billion euros a year by eliminating a costly mountain of red tape that companies must navigate, Reding argued. Reding’s goal is to give people greater control over their information in an era of social networking websites and “cloud” computing, technology allowing people to store pictures, documents and other data online. Another innovation would allow consumers to take data from one website, say Facebook, and move it to another like Google+. But privately some EU officials say Reding’s legislation is too complex and ambitious to enforce in a world of companies with global reach. Sources said the Luxembourg politician had to tone down some provisions. A previous draft of the legislation, for instance, had called for stiffer sanctions of 5.0 percent of turnover. Reding denied that the legislation, which now goes to the EU Parliament and national governments for approval, was watered down. But she acknowledged that it generated a lot of debate. “Some say it goes too far, and the others say it does not go far enough. I say I am somewhere down the middle,” she said.
Reding wants national data protection authorities to have the power to deal with complaints, carry out investigations and impose sanctions. The goal is to give people a “one-stop shop” to deal with data protection concerns. For example, a man in Austria could go to his national authority to ask Facebook, which has its European headquarters in Ireland, to erase his data, said Reding. Companies, for their part, would have to appoint a data protection officer, a requirement that already exists in Germany. Reding said small companies would be exempted from that rule. “This is a world of breathtaking possibilities and it should stay so,” Reding said. “It should be a world of innovation but of course there are also dangers around these new technologies, especially concerning the losing of control of one’s personal data.”