Some U.S. tech industry officials said Wednesday that they worry that the European Commission's proposed changes to its privacy rules could be costly for them to comply with and may hamper innovation.
"We welcome revisions that would make it easier for global companies to demonstrate compliance with the EU privacy regime, and to ease the administrative burdens," Software and Information Industry Association Vice President Mark MacCarthy said in a statement. "However, SIIA is concerned that the breadth of these proposed regulations threaten the Internet economy and impede economic growth and job creation."
The release of the proposed changes to the commission"s 1995 data privacy directive is the first step in a lengthy process.The commission has called for simplifying the current compliance process that requires businesses to deal with data protection authorities in each EU member country. Under the proposed changes, companies would only have to deal with one data protection authority.
But the commission also calls for toughening the current rules by requiring companies to get express consent from European users before collecting or using personal data. It also would require companies to give users a "right to be forgotten," which would allow users to delete personal data when there is no "legitimate" reason to retain it.
The rules would apply to U.S. companies that do business in Europe or offer services or websites targeted at Europeans. This could include a U.S. based website used by Europeans, such as Google or Facebook. Industry representatives worry it will increase the cost of doing business and possibly hamper innovation.
It's unclear what impact the proposed changes will have on an agreement the United States negotiated with the EU in the late 1990s after the directive first went into effect. The privacy directive bars the transfer of personal data about Europeans to non-EU countries that don't have privacy protections deemed to be "adequate" by EU officials. U.S. companies that adhere to the privacy principles in the safe harbor agreement negotiated between the U.S. and EU were deemed to be in compliance with the directive even though the U.S. lacks a broad consumer privacy law.
But Christopher Wolf, director of Hogan Lovells' privacy and information management practice, said while the EU has been silent on the issue, he expects the safe harbor agreement may eventually have to be revised to reflect the changes to the EU's privacy rules.
Some U.S. privacy advocates said they hope the proposed changes will force some rethinking of the U.S. approach to privacy, which relies on a mix of industry self-regulation and narrowly targeted privacy laws aimed at specific sectors such as finance and health. So far, efforts to pass broad consumer privacy legislation in Congress haven't gone very far.
"Once Google and Facebook are following European rules, there will be no way for the companies to justify the obviously inadequate protection in the U.S.," John Simpson of Consumer Watchdog, a vocal Google critic, said in a statement. Google has come under fire after it said Tuesday that it plans to begin tracking users and collecting data about them as they move from one Google service to another.