“The new regulation has implications for both civil liberties and the internal market,” Corazza Bildt, a member of Sweden’s Moderate Party, told a gathering of data privacy experts in Stockholm on Monday.
The seminar, arranged by the American Chamber of Commerce in Sweden and the US business analytics firm SAS Institute, looked at the would-be implications of draft privacy protection legislation introduced in early 2012 by European Justice Commissioner Viviane Reding.
The draft legislation would replace the EU’s 1995 Data Protection Directive, which was drawn up prior to widespread use of the internet and the explosive growth in personal computers and smartphones of the last decade.
Among other things, the new regulation calls for stronger privacy protections for European consumers, including more control over the storage and dissemination of their personal data.
It would also clarify where companies operating in several EU members states should turn when it comes to abiding by the regulation.
The draft has since been reviewed by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee, which has also presented a modified version of the legislation referred to as the Albrecht Draft, named after the German Green Party MEP Jan Philipp Albrecht who led the parliamentary review.
The contentious legislation, scheduled to be passed next year and come into force in 2015, has prompted a heated debate among privacy advocates, business groups, and data protection officials about what sort of protections should be given to different types of data.
They have also debated the potential implications the rules will have for innovation, cross-border trade, and consumer privacy rights.
According to Corazza Bildt, it is nearly impossible to avoid “ideological battles” related to the thorny issue of protecting personal data, while at the same time attacking the Albrecht Draft for having the potential to “restrict, damage, and revolutionize” the way the internet is used.
“We’re already sharpening our knives when it comes to amendments,” she said.
The issue has also grabbed the attention of the Swedish government, which is calling for a “technology neutral” and “future proof” approach that avoids having rules based on any specific technology.
“The new rules must be relevant for at least ten years and allow for innovation and new business models,” said Magnus Graner, a top advisor to Swedish Justice Minister Beatrice Ask.
And while the government wants technology-neutral laws, they should be tailored after the data in question, said Graner. He outlined the desire to develop a “risk-based” approach that includes different rules and sanctions for different types of data.
The protections afforded someone’s health information, for example, should not be treated in the same way as an email exchange between friends or the exchange of business contact information between companies.
“Of course, the devil is in the details,” said Graner, echoing a common theme regarding the difficulty of drawing up a common set of rules that would end up defining when data became “personal”.
“There is also the need for great caution in order not to overburden corporations and public authorities,” he added.
Sweden was held up by many at the seminar on Monday as a leader when it comes to data protection, having passed its first law in 1973.
Currently, Sweden employs a “risk-based” or “differentiated” approach to data protection that has been an inspiration in drafting new EU rules.
Sweden also employs an “abuse model” of enforcement, whereby specific data handling practices are not sanctioned until it becomes clear that people’s data is being misused.
“First we issue a warning explaining that the practices aren’t in line with the rules, and if the behaviour doesn’t stop, then we always have the threat of fines,” Hans-Olof Lindblom, general counsel for the Swedish Data Inspection Board (Datainspektionen) explained.
He said his agency is concerned about the draft EU legislation because it threatens to undermine the respect his agency has built up as a trusted arbiter of data protection issues.
“It’s really about credibility,” he said.
“If we are forced to abide and enforce a set of unworkable rules, people will lose faith in our agency.”
Lindblom hopes that the views of his agency and the Swedish government will be taken into account in any final legislation, but admitted it is too early to tell what will happen.
Rene Summer, head of government relations for Swedish telecom giant Ericsson, echoed Lindblom’s hopes that new EU rules would incorporate a more “participatory” approach to enforcement.
“We need to be able to learn from our mistakes,” he said.
“There needs to be other enforcement strategies other than blunt fines.”
He warned that refusing to include a more differentiated approach to EU data privacy rules would end up “deflecting internet and communications technology investments away from the EU”.
And while Summer’s company shared the policy goal of data protection with policymakers in Brussels, Summer argued that “the path chosen by the EU is not a good one”
“If European policy makers want to make the EU and attractive place for IT companies to invest and do business, there needs to be more room for discretion on and judgment,” he said.