NYT: New Player in E.U. Data Privacy Battle

http://www.nytimes.com/2012/11/21/technology/new-player-in-eu-data-privacy-battle.html

November 20, 2012

New Player in E.U. Data Privacy Battle

By KEVIN J. O'BRIEN

BERLIN -- In the mid-1990s, Alan Shatter, a lawyer from South Dublin in the lower house of Parliament, played a role in bringing together diverse elements of society to lift a constitutional ban and legalize divorce.

This January, when Ireland assumes the rotating presidency of the European Union, Mr. Shatter, who is now Ireland's minister of justice, equality and defense, will take on another big challenge: putting together an agreement to extend the Union's 17-year-old data protection law to Web businesses and the digital economy.

Mr. Shatter is Ireland's lead negotiator on the issue in the Council of Ministers, the legislative body in Brussels that acts as the European Parliament's upper house. The Union's 27 members are at odds over how to apply E.U. data protection laws in the digital world, and an agreement could require companies like Google, Microsoft, Apple, Facebook and Amazon to provide the bloc's 503.7 million consumers with far greater control over their online data than people have in the United States.

An important part of the proposal, which is now before two committees in the European Parliament, would require Web companies to ask E.U. citizens for their explicit consent before collecting online data and tracking Internet activity used to tailor marketing and advertising to individuals.

The proposal, which was drafted by Viviane Reding, the vice president of the European Commission, has been welcomed by E.U. privacy regulators, who are battling Google over its data collection practices.

But it is opposed by many large Web businesses, as well as by the American Chamber of Commerce to the European Union. Opponents view the prior consent clause as an onerous condition that threatens an Internet financial model that relies on advertising to pay for content.

That has raised concerns among E.U. lawmakers, who are afraid that overly burdensome regulation would stifle Internet commerce and job growth.

Into this predicament steps Mr. Shatter, 61. In an interview, he said that he looked forward to working on advancing the data protection proposal, which has been packaged as a "regulation," a rarely used binding form of E.U. law that would take effect immediately upon adoption in Brussels and apply to all 27 member countries.

"There is a need to improve trust and confidence to reassure people that their personal data won't be misused," Mr. Shatter said. "Putting stronger data protection standards in place will make individual citizens across Europe more trustful of the technology and its use."

Mr. Shatter said he would aim for a compromise that recognized the growing importance of the digital economy to the European Union, as well as the need for hard-and-fast legal protections for E.U. citizens, who are increasingly making their purchases and many everyday decisions via the Internet.

Without privacy constraints, those movements online can be tracked.

"I think it is possible to reconcile the legitimate and economically important activities of the advertising industry with privacy issues," he said. "I don't think we can commoditize individuals and simply regard them as something of business value to be sold on."

Such strict new rules would replace a law from 1995, which was conceived as more of a legal directive that effectively limited the possibilities of wide-scale data mining for direct marketing or other commercial purposes.

Because of the existing law's optional nature and a loophole allowing companies to collect data for "legitimate interests," Internet companies have been able largely to evade the directive's principle of obtaining prior consent.

Mr. Shatter has been part of a lot of groundbreaking. His law firm, Gallagher Shatter, was the first in Ireland to represent and win a civil judgment for a victim of sexual abuse by a Catholic priest, which it did in the early 1990s. Mr. Shatter, who is also a trained professional mediator -- a skill that could serve him well -- has published several books on Irish family law, as well as the 1989 novel "Laura," a story about a custody battle involving a fictional politician.

But obtaining a consensus in the Council of Ministers, whose cooperation is important to passage of a revised data protection law, will not be easy, said Simon Davies, a founder of Privacy International, an advocacy group based in London, and a lecturer at the London School of Economics. Mr. Davies is advising the European Parliament on the legislation.

"The problem is not that the will to reform isn't there. It is," Mr. Davies said. "Everyone agrees in principle that we need to do this, but the devil is in the details. When you move into the details you find major ideological divides on both sides."

Ireland, with its educated work force and 15 percent corporate income tax rate, has become the European base for U.S. technology giants, including Microsoft, Facebook and Google.

In the past, the country's data protection commissioners have attempted to mediate disputes over privacy issues between data protection hard-liners from Germany and France, and those advocating less regulation, like Britain.

Mr. Shatter said Ireland had a "pivotal role" to play in resolving outstanding online privacy issues. Final adoption of a new data protection law is unlikely to take place before the second half of next year, when Ireland will no longer hold the E.U. presidency. At best, Mr. Shatter can aim to win consensus on the main issues: prior consent and an effective enforcement mechanism that relies on substantial fines.

Mr. Shatter said the prior consent requirement was essential for the law to gain political backing, as were details on how to penalize companies financially if they ignored the law.

Currently, most national regulators can levy limited fines of only a few thousand, or in rare cases, a few hundred thousand, euros, the equivalent of a rounding error in the profits of many global technology companies.

The current proposal puts more bite into those penalties, allowing regulators to assess fines of as much as 2 percent of a company's annual sales.

"Without a legal regime that provides sanctions for rule breaking, rules won't generally be complied with by some of those engaged in Web-based businesses," Mr. Shatter said, without endorsing specific levels of fines.

That may not sound appealing to Web businesses, but Mr. Shatter is an optimist. His political slogan on his personal Web site is: Look forward with hope.