The challenges of the EU Data Protection reform

As an IT-security specialist I read a lot of standards, guides, frameworks and drafts on all matters of information security. When the EU Data Protection Regulation draft was first published in January 2012, I was eager to see what visions the EU had on EU citizens' rights to privacy vs. free flow of data and the notion of lawfulness of data usage. I think the draft touches on some very important issues, things we could benefit from if rules and regulations were centralized. But with the current NSA scandal, there are EU forces that want to tighten the regulation even more, with the danger of pushing the EU down a protectionist path. One example is the suggestion of an EU-based internet. The internet cannot be closed down this way, and trying would be a huge mistake. We must remember that the idea behind the draft is to create some common rules to protect EU citizens' personal data and provide easier cross-country flow of data, not to build rules that mitigate espionage and foreign countries' intelligence activities.

I am not going to get into all the specific sections and wordings of the reform draft, but I do want to comment on some of the ideas proposed.

General observations

There is a lot at stake for EU companies with global presence, along with US and Asian tech companies including outsourcing vendors. The current financial crisis will impact how the development of the EU Data Protection Regulation progresses and whether they will be successful in implementing it in its current form. There's no doubt that incorporating the regulation in the member states has to be backed up by a "technology and infrastructure upgrade". My guess is there's going to be a long delay between implementation of the regulation in the EU and actually being able to apply it. There's a risk of rendering some of the content outdated as technology and the way we use technology evolve and mutate.
The fear of slowing down an already hurting global/EU economy would at any time outweigh most of the proposed suggestions in the draft and bring on strong lobbying forces. How are countries with a hurting economy going to be able or willing to pay for an infrastructure that supports the requirements (tracking data, rights to be forgotten, etc.) when they see no financial benefits from it, only obstructions and costs? The UK, Germany and the US have already tried everything to slow down the implementation process of the draft, and the proposal is no longer on the fast track that was announced by Viviane Reding some time ago.

Here are some concrete examples that, in my opinion, need some more reworking:

The right to be forgotten & Rights to data portability

I think the thought here is noble but is kind of nonsense in reality. The definition lacks any in-depth description of how it's going to be implemented, and there are too many scenarios where it would be practically impossible. When it comes to member states and institutions sharing data on health, tax, police investigations, etc., there will of course be some restrictions on the possibilities of "rights to be forgotten".

Some key issues:

Without IT systems that provide proper life-cycle management of citizen data, with opt-out and portability options, it's just an empty declaration of intent. Even today in Denmark, where citizen data is archived and integrated across systems, for example by using the social security number as a primary key, it's impossible to provide options that come close to what the reform suggests.

In this socially connected world with Facebook, Gmail, Dropbox, Flickr, Twitter and Instagram, it seems to me an almost impossible task and one that would be expensive, with costs that consumers would end up paying. We must remember that a majority of the above companies have made a business out of data mining users and their behaviors.
The sum of information that, for instance, Google has on your activity, including search history, sites visited, e-mails, Google Now and activity on Gmail, should also be considered personal data that could be exploited. How would "rights to be forgotten" be enforced on Google?

If we were to be able to perform a "rollback" of personal data effectively, or to facilitate an export and deletion of personal data, we would need IT systems that are better at tracing, mapping and storing personal data. This is also going to make IT systems more interesting for cyber criminals, thereby making citizens more vulnerable to data/identity theft. This would require more secure administration of those systems and perhaps an agreed-upon standard across the EU.

We could start by requiring companies to describe exactly what user information they store. This should include what type of information they track/store on data subjects, how it is being used (including sharing with third parties), and how they store the data securely and delete it when a data subject no longer has any dealings with the company. This could, for instance, be presented during sign-up so that data subjects are made aware of the implications of using a specific service. Right now a lot of companies have some of the information hidden in long EULAs that nobody reads, instead of presenting it separately, for example in a matrix with one axis displaying what type of user information is being recorded and another axis showing who has access, including all third parties, along with a short description of how securely they manage the personal data lifecycle from start to end.

Data breach notification (in 24 hours)

There has already been a lot of controversy surrounding the proposed fines, and the Commission has tried to reword it some.
A 2% fine based on global turnover if a data subject hasn't been notified within 24 hours seems like a lot if it's a big global company. I'm hoping it's going to be scalable and based on the severity of the incident.

Data Protection Officer (DPA)

The idea of requiring companies with more than 250 employees to designate a DPA is a good one, but requiring the DPA to monitor the implementation of the regulation could become difficult, because the draft regulation is not an operational guide with a lot of concrete requirements, and the section describing data protection by design, default and data security isn't very concrete.

Obligation for Controller and processor of data

I like the idea of data controllers having to perform a mandatory Data Protection Privacy Impact Assessment, and the requirements are also described in relative detail. They could have been more detailed in their requirements for "Data protection by design and default" and "data security". It's too vaguely defined.

With all the talk of the NSA being able to tap into Angela Merkel's phone, wiretapping transatlantic data lines between Google data centers and lots more, some political forces are now trying to change the proposal to address/counteract NSA espionage, which is plain stupid and futile and not what the reform of the EU Data Protection should be about. It's naive to think that we can regulate our way out of cyber warfare or state-sponsored espionage such as the things we have seen from the NSA. It seems to me that it's a typical move by politicians to "please the crowd" instead of providing the EU with quality legislation and long-term visions. I don't think the US, China, Russia or other countries for that matter will check with any EU legislation before engaging in tracing, monitoring, espionage or hacking activities. If a country has the cyber capabilities, it will use them.
If we try to block companies from trading and from using cross-border IT services too much, we could end up hurting the economy instead.
