Guest Post by: Jo Stratmann
Last week we held a senior executive round table event at Claridge's, and one of the topics of discussion was the proposed European Union (EU) directive on data privacy and its potential impact on social media.
As current EU data laws were created in 1995, before the rise of Facebook and other social networking sites, the EU has proposed a new directive on data privacy which is due to come into place in January 2012.
In essence, European politicians are seeking to simplify the EU Data Protection Directive in order to give businesses within the EU only “one law” with “one data protection authority”. Proposed changes to the data law aim to unify the existing legislation of each EU Member State, making it easier for businesses to transfer data.
According to Reuters, EU officials expect the draft legislation to be ready early next year (as early as January 2012) but it could take up to 18 months for the bill to become law, meaning that businesses will still have to comply with disparate laws and often conflicting decisions made by data protection authorities (DPAs) in each of the 27 Member States.
The main changes to the proposed EU directive on data privacy that could affect the commercial use of social media largely revolve around data ownership. The directive places the control of data in the hands of individuals in order to foster a greater sense of trust with customers through transparent data processing. With this in mind, businesses must obtain explicit, specific consent from individuals and detail how this information will be used by them and any third parties.
Other changes to the proposed EU directive that could affect social media are:
- Increased data portability – it will be simpler to transfer data to alternative service providers.
- The ‘right to be forgotten’ – the directive proposes to instate the ‘right to be forgotten’ so that an individual can request the deletion of data.
- Compelled disclosure – data controllers will be obliged to notify those individuals concerned and the relevant DPA of any data breach as and when it is discovered.
- A ‘one-stop-shop’ – one law and a single DPA for each business to be determined by the Member State (i.e., country) in which the business has its main operations.
- Abolish processing notification – the directive will dispense with the general requirement to notify DPAs of data processing.
While Mark Zuckerberg has managed to appease the Federal Trade Commission in the USA by agreeing to get permission from users before exposing more of their data, as well as allowing external audits of his privacy systems, he still has a long way to go in the EU, particularly with regard to Germany and its strong opinion about data privacy. It will be interesting to see how Facebook itself is treating data by the time this directive comes into play.