As Privacy In Focus went to press, the European Commission (EC) released in draft form its plans for overhauling the European Union (EU) Data Protection Directive (Directive). The Directive is the legal foundation for the EU's strict privacy rules. Revising the law could help harmonize inconsistent member state laws, ease international data flows and resolve uncertainty about how EU law applies to new technologies. The draft demonstrates that the EC is pursuing these laudable goals. (For more background, please see "Whither EU Privacy?" September 2010 Privacy In Focus at www.wileyrein.com/Whither_EU.)
Yet, in the draft, the EC also exhibits a concerning distrust of the Internet, especially social networking, online advertising and cloud computing. Commercial use of these technologies is dominated by U.S. companies, so not surprisingly, the EC aggressively asserts extraterritorial jurisdiction. EU individuals should enjoy the same protection, says the draft, "regardless of the geographical location" of companies with EU personal data. Further, the draft espouses regulation that could upend online business—such as duties to allow a person to delete photos of himself or herself posted by a third party; to identify the many entities involved in an online advertising network; or to meet certain requirements before storing data "in the cloud." The EC's proffered rationales are rather conclusory in nature and exhibit little sense of proportion to actual privacy risk.
The EC presumably released its plans in draft form in order to solicit feedback. U.S. businesses may wish to participate in the Directive revision process to shape the amendments, likely to be adopted in 2011. In particular, companies with online business in the EU are at risk of finding, once the dust settles, that the new Directive is a worse deal than the old one.