Europe Continues Wrestling With Online Privacy Rules

http://www.nytimes.com/2013/06/07/technology/europe-still-wrangling-over-online-privacy-rules.html

Version 0 of 1.

BRUSSELS — More than a year ago, the European Union’s top justice official proposed a tough set of measures for protecting the privacy of personal data online.

But because of intense lobbying by Silicon Valley companies and other powerful groups in Brussels, several proposals have been softened, no agreement is in sight and governments are openly sparring with one another over how far to go in protecting privacy.

On Thursday, justice ministers from the European Union’s 27 member states agreed to a business-friendly proposal that what companies do with personal data would be scrutinized by regulators only if there were “risks” to individuals, including identity theft or discrimination.

The ministers debated a proposal that would no longer require companies to obtain “explicit” consent from users whose personal data they collect and process, instead of “unambiguous” consent, which is considered to be a lower legal threshold. And they discussed a proposal on balancing an individual’s right to data protection with other rights, including the freedom to do business.

The ministers deferred discussion of the other most fractious provision, the so-called right to be forgotten. But in recent weeks, public comments by lawmakers and draft language suggested a softening of approach.

“The right to be forgotten has been softened, made more palatable,” said Viktor Mayer-Schönberger, professor of Internet governance at the University of Oxford. “But it is by no means dead.”

Although a final version of the legislation is not expected to be completed for many months, and maybe not until next year, the developments on Thursday are an early signal that the technology industry’s lobbying efforts are gaining some traction.

The lobbying has been “exceptional” and legislators in Europe need “to guard against undue pressure from industry and third countries to lower the level of data protection that currently exists,” said Peter Hustinx, the European data protection supervisor, referring to countries outside of the European Union.

“The benefits for industry should not and do not need to be at the expense of our fundamental rights to privacy and data protection,” Mr. Hustinx warned in e-mailed comments.

In the last year, American technology companies have dispatched representatives to Brussels and issued white papers through industry associations arguing that stringent privacy regulations would hamstring businesses, already suffering from the recession in Europe.

United States government officials have also made trips across the Atlantic to press policy makers like Viviane Reding, the union’s justice commissioner, who drafted the original, strict measures, to press for a less restrictive approach to data privacy.

The industry’s arguments have found a ready audience among some European governments. They include Ireland and Britain, where there are acute worries that the European Union is failing to take advantage of growth opportunities from Internet businesses that might help revive the economy. Apple, Facebook and Google all have European headquarters in Dublin.

“Europe is not sleepwalking into unworkable regulations,” said Richard Allan, Facebook’s director of policy for Europe, echoing a cautious optimism among industry officials about the data privacy law. “What’s positive is that over the last year, the debate has broadened out. There are other voices in the debate, who are saying: ‘Hang on a minute. What about the economic crisis?’ ”

The proposed law would affect most companies that deal in personal information — including pictures posted on social networks or information on what people buy on retail sites or look for using a search engine.

Whatever is enacted would serve as the privacy law in every country in the European Union and potentially have a bearing on other countries drafting data protection laws of their own.

The ministers took up their version of the law on Thursday; another version is under discussion by the European Parliament.

The Parliament is considering its version while intense lobbying is being conducted by companies, governments and other organizations that have submitted about 4,000 amendments. The various versions will need to be reconciled before they can become law.

“Ultimately, nothing is agreed until everything is agreed,” Alan Shatter, the Irish justice minister, who was the chairman of Thursday’s meeting, told his colleagues.

The liberal-leaning language on obtaining consent from Web users was suggested by the Irish. Another provision the Irish suggested would remove the restriction on companies to collect only a “minimum” amount of data. That could be important for any company that wants to use the data it collects in new ways.

But Chris Grayling, the British justice secretary, said those concessions were not enough. He said the rules were still overly burdensome for European businesses, along with United States technology giants.

Although the most contentious provision — the right to be forgotten — did not come up on Thursday, language is circulating that could limit it. The provision as originally conceived would enable users to demand that their accumulated data be deleted forever. But it has raised questions about what to do with data that is in turn shared with third-party companies.

The softer language would tweak it so that the data may not necessarily disappear from the Internet as a whole, but be scrubbed from the site where it was originally posted.

The shift, said David A. Hoffman, global privacy officer for Intel, shows “a much greater degree of nuance.”

Mr. Hoffman added, “They are going to move it much closer to a more limited, balanced ability for individuals to access their data and then to request their data be corrected, amended or deleted.”

That is fairly close to what exists in most European countries now.

Also still to be debated are the sanctions for breaking the law, which could include fines of up to 2 percent of a company’s annual worldwide sales.

Ms. Reding sharply disagreed with some of the modifications put forth by the Irish. And she won strong backing during the meeting from Italy and France for maintaining robust rules requiring companies to give consumers every chance to guard their privacy online.

The French justice minister, Christiane Taubira, said at the meeting: “Not saying anything is not the same thing as saying yes, so we think it’s very important that we have explicit consent. We have to protect people.”

<NYT_AUTHOR_ID> <p>James Kanter reported from Brussels and Somini Sengupta from San Francisco.