"A 'right to be forgotten' will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted." This is the first statement in the European Commission's information paper on the EU data protection reform, which is now being discussed in the European Parliament and the EU Council.
If the reform is enacted, European citizens will have a legal framework to stop companies from tracking their shopping habits, their movements on the Web, their location on cellphones, and any other type of data processing that is not required to provide the service the customers require.
According to the EU Commission, 90 percent of Europeans want the same data protection across the EU, and 43 percent of Internet users say they have been asked for more personal information than necessary.
But not everyone is happy about the new rules. Social networking sites and marketing companies, major European banks, insurance companies, and retailers claim that the new rules will hurt their business, since they could no longer exchange information freely without consent.
And the rules will require explicit consent. Companies can’t just include consent in a standard contract and use it for everything else; every request to process individual data needs to be explained separately, and the customer will have the choice to opt in.
For example, a cellular provider can’t force a customer to opt in to the storage of their location information, nor can a credit card company process the information about their customers' shopping habits and sell it to a marketing firm.
And there is the “right to be forgotten.” Anyone in the EU will be able to ask any service provider or company for complete details of the data it holds about them, and request the complete erasure of that information, except for data that companies are required by law to keep.
One of the key provisions of the law is that companies will only have to deal with a single national protection authority in the EU country where they have their corporate headquarters. A Dutch bank needs to deal with the data protection authority in the Netherlands, not with the data agency of every EU country where it does business.
Also, companies without a legal presence in the EU need to comply with the rules, “if they offer goods or services in the EU or monitor the online behaviour of citizens.”
The EU Commission claims that “individuals can be confident that they can go online and take advantage of new technologies, regardless of where they come from, whether it’s shopping for a better deal, or sharing information with friends around the globe... This will help stimulate the internal market, boost growth, create jobs and foster innovation.”
With 70 percent of Europeans "concerned that their personal data held by companies may be used for a purpose other than that for which it was collected," the new regulations will help people feel more confident online, but will also mean a change of habit for commercial companies, especially banks, marketing firms, and retailers, in the way they take advantage of the information they have about their customers.
CIOs will need to be prepared to make up for the lost revenue; install new ways of getting permissions from customers; delete requested records in a cost-effective, non-labor-intensive way; and otherwise deal with a law that changes the very foundations of the way they operate. Will you be ready?