Sometimes it’s easy to work out who owns something: you walk into a shop, hand over some money and walk out with some goods. There is a clearly defined moment when ownership of the goods passes from the shop to you.
But ownership is often unclear, and nowhere more so than with our so-called “personal data”. Information about each and every one of us sits on countless databases: who we are, where we’ve been, what we’ve bought, what we’ve been doing, when we’ve been doing it and with whom. Our rights over our personal data are governed by a set of rules drawn up in 1995, several lifetimes ago in the internet age, when only 0.4% of people were online compared with around 33% today [1].
So the EU is drawing up a new Data Protection Directive that will change the lives of every individual and company in Europe. Here are some of the proposals aimed at building greater trust in online dealings (both commercial and social):
A right to be forgotten. The Directive will mean that individuals own their data and companies only borrow or rent it, meaning that individuals will be able to tell companies to delete all the data they have about them. There will also be the right of “data portability” – the ability for individuals to move data from one organisation to another.
New rules on data breaches. Organisations will have to tell customers if their information has been obtained by hackers, usually within 24 hours.
Significant fines. Data breaches, or failure to comply with the new Directive, could see organisations fined up to two per cent of their annual global turnover.
A single set of rules. There will be consistency across all EU member states (and these rules extend to EU-based organisations handling EU citizen data abroad). This should encourage more cross-border commerce as individuals will have a guarantee about the security of their data. It will also make life easier for pan-European companies, which currently have to comply with multiple sets of regulations.
Data Protection Officers. Companies with more than 250 employees will have to appoint someone to ensure they comply with the regulations.
Some of the major players have already been tightening up their privacy rules but these proposals (expected to come into effect in 2014) are far more sweeping, will be costly to implement and even costlier NOT to implement.
[1] http://www.internetworldstats.com/emarketing.htm (accessed 17 February 2012)