Saturday, April 18, 2009

Should Europe Regulate to Protect Personal Data on the Net?

Facebook had to back down when it proposed plans to keep personal data entered onto its site - as though it were its own personal property - even if the subscriber closed the account. Google's new Street View service, which trained roving cameras on unsuspecting bystanders in 25 UK cities, prompted Privacy International to file a complaint with the Information Commissioner. Google has since backed off.

No doubt, on-line media is pushing the boundaries of what many of us are comfortable with. Equally, the authorities, whose job it is to protect our privacy, are struggling to keep up with new innovations. However, do the actions of Facebook and Google prove that industry is capable of regulating itself because it is responsive to customer concerns? Or do they expose the fact that we are woefully ill-prepared for the fast-moving developments in new Web 2.0 capabilities?

The European Commission is beginning to believe that new legislation is needed. The Commission recently filed a complaint against the UK government for allowing secret trials by BT and Phorm where internet users' habits were monitored without permission. This has led to a Commission review of the regulatory regimes in the EU 27 Member States.

It is necessary for industry and government to come together to map out a framework - ideally a voluntary but robust code of conduct - to counter the alarming increase in data privacy breaches. It is in industry's interest to reach a consensus with the Commission since flagrant abuses of data protection serve only to damage the reputation of social network and on-line media sites.

It will be up to the industry to show the Commission that it is serious about data protection. Otherwise, new regulations will be introduced - and they could be highly restrictive.

There is every danger that new regulations could be over-imposing and heavy-handed. On 19 February 2009, the Article 29 Working Party concluded that the activities of search engines should "fall under the EU Data Protection Directive" which states that "personal data may be processed only if the data subject has unambiguously given his consent" – the so-called "opt-in" option. This move would represent a radical turnaround in comparison to how search engines have so far worked. Since a query is considered to be personal data, Google and Yahoo will be requested to ask the consent of every single user in order to store this information. Regulators also agreed that these provisions apply to search engines based outside the EU, provided they "use automated equipment based in one of the member states for the purposes of processing personal data".

Perhaps the real issue is the enforcement of existing safeguards. They are simply ignored and the sanctions are weak. The EU Data Protection Directive is 14 years old - its provisions are outdated and unclear. It makes sense to review the legislation but it makes more sense to secure a clear commitment from the Commission that the industry can and will responsibly regulate itself.