A three-year process to introduce stricter privacy rules for all countries in the European Union came closer to completion late last month, as the European Council agreed on a directive to create a “single digital market” and build the public’s trust in how data are collected, stored, and used.
European Commission head Věra Jourová declared the data protection regulations on track for adoption in 2015, going into effect over 2016 and 2017. The directive focuses not only the need for organizations to safeguard data, but for European citizens to understand the process. Officials also emphasize the costs and benefits that could come by harnessing Big Data – with the approval of citizens.
“It will ensure a high level of protection for citizens. It will equip them to exercise their fundamental rights in the digital world. This will increase their trust in the digital economy,” said Commissioner Jourova. “It will also be good for businesses and innovation. It will provide businesses with modern common rules that apply to all providing services in the EU. It will also do away with unnecessary formalities such as notification procedures, reduce costs and apply modern concepts such as privacy by design and the risk based approach. It will be technologically neutral and not close the door to future innovations.”
While privacy regulations in the United States have concentrated on reacting appropriately to data breaches and alerting the public to the loss of personally identifiable information, the EU approach, updated version of regulations developed in 1995, appears to take the view that organizations that do not comply with data security rules should be penalized, but that individuals should be able to proactively control how their data can be used. Europe in the digital age has not evolved in the same privacy-driven culture as the U.S.; a recent survey conducted by the European Council showed that when Europeans think about their data, they worry more about how it is legitimately used by those who collect it, rather than how it is illegally accessed and misused by hackers.
Public Opinion
The recently released “Eurobarometer” on data protection found that 31 percent of European residents feel they have “no control” over their data, while only 15 percent feel they have “complete” control.
For many of those surveyed, individuals tend to be more concerned over their activities being tracked by use of payment cards, on the Internet, through telephone conversations, or being recorded in spaces such as bars and restaurants. The highest level of concern over the recording in public or private was shown in the United Kingdom and Ireland.
“Unsurprisingly, respondents who do not trust companies or institutions to protect their personal information are more likely to express concern about these issues. For example, 62% of people who do not trust online businesses to protect their information, are concerned about the recording of their behavior via payment cards, compared to 47% of people who do trust these companies,” the EC noted.
Respondents were also asked whether they were aware of large-scale data collection by governments – the results showed an even split in awareness. Of those who had heard about data collection projects, most (46 percent) said it negatively affected their trust of the government on data, while 11 percent reported a positive impact. Another 40 percent said it made no difference to them.
“It is also important to recognize that most respondents accept, in the digital age, that data collection is a part of modern life – so long as it remains within appropriate boundaries. In this respect, seven in ten respondents think that their explicit approval should be required before any kind of personal information is collected and processed in all cases,” explained the EC. “The level of trust in online companies remains noticeably low: less than a quarter of Europeans trust online businesses like search engines to protect their personal data. This highlights the need for further reform of the data protection landscape in Europe, both to provide companies with clear standards which they need to meet, and to give members of the public confidence that their rights are in fact being protected. This is doubly important since around two thirds of respondents think it should be the job of the company or public authority handling their data to inform them should their data be lost or stolen.”
Role for Insurance
In March, the UK government and insurance broker Marsh collaborated on a report illustrating ways in which privacy goals could be achieved through better cybersecurity as well as increasing the popularity of cyber insurance.
“Insurers tend to conflate cyber with data breach given the well-developed demand for that cover driven by U.S. regulation; however, UK firms have broader concerns about possible damage from cyber risk, including business interruption, damage to property, and theft of intellectual property. This report therefore focuses on the cause of cyber risk regardless of the consequence, and specifically on cyber attacks – that is, deliberate attempts to cause harm via digital channels. We focus on attacks because while more than 60% of incidents reported to insurers are the result of accident, the majority of the high-severity losses stem from actions designed to cause harm,” explained the authors of the report. It has been expected that stricter notification requirements and privacy regulations will drive the insurance market growth as penalties for misusing or losing consumer data.