BRUSSELS, Belgium ? The European Union Commissioner for Justice said Europe needs new cross-national data protection laws to countermand the ongoing backlash against business following the NSA PRISM spying scandal that rocked the world earlier this year.
Vivian Reding claimed the region’s economy will suffer unless new uniform data protection laws are created.
“Trust has been lost in all these spying revelations, she said. ?They are particularly damaging for the digital economy because they involve companies whose services we all use on a daily basis. But trust in the data-driven economy began to fall long before the first NSA slides were published. The data protection reform proposed by the Commission in January 2012 provides a response to both these issues: to Europeans’ concerns about PRISM as well as the underlying lack of trust.”
The NSA’s PRISM campaign was revealed earlier this year, when ex-CIA employee Edward Snowden leaked a number of classified documents to the media. The documents showed the NSA was gathering vast amounts of customer data from numerous big-name companies including Google, Yahoo, Facebook and Microsoft.
The EC commissioner cited recent estimates of the damage caused to the US cloud computing industry following PRISM as proof of her claim.
“The economic impact of these doubts has now been quantified,? Reding said. ?The Information Technology and Innovation Foundation (ITIF) estimates that the surveillance revelations will cost the US cloud computing industry $22-$35bn in lost revenues over the next three years.?
Reding said the incident proves the need for four key changes in European governments’ approach to data protection.
“First, territorial scope,? she said. ?The Regulation makes clear that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full. European rules should apply from the moment of collection to the moment of deletion of the data.
“Second, international transfers. The Regulation establishes the conditions under which data can be transferred from a server in the EU to a server in the US. It is the transfer of data outside the EU which brings it within the reach of the NSA,” she said.
“Third, enforcement. The new rules provide for tough sanctions (up to two percent of a company’s annual global turnover) to make sure that companies comply with EU law. At the moment, when confronted by a conflict between EU and foreign law, foreign companies have no reason to hesitate. In future, they will think twice.
“Fourth, processors. The Regulation includes clear rules on the obligations and liabilities of cloud providers who are processors of data. As PRISM has shown, they present an avenue for those who want to access data.”
Reding said as well as restoring customers’ trust in businesses, the reform will help boost Europe’s digital economy, making it easier for companies to ensure they are compliant with data protection laws.
“Take a look at Europe’s current regulatory framework from a business perspective. It is no longer fit for purpose. It is fragmented and it is complicated. I say fragmented: a business operating in all 28 member states has to comply with a different set of rules in each country. It has to deal with a different data protection authority in each country. The reality is 28 different laws and 28 different interlocutors,” she said.
“I say complicated: the current rules ? a directive which dates back to 1995 ? are 12 pages long. But they are implemented differently in 28 countries. In Germany, for example, the current federal data protection law is 60 pages long. Take those 60 pages and multiply by 28 member states. Then you’ll get an idea of what the term ?regulatory complexity’ means in practice. A mountain of red tape which has an enormous cost.”
