New data-protection proposals from the European Union to help people regain control of personal information from sites like Facebook could prove as effective as commanding the tide, while hurting small firms and Web giants alike.
The new legislation, which European Commissioner Viviane Reding will present on Wednesday, is designed to give consumers ownership of their own data and to harmonize the patchwork of different laws in force across the EU's 27 countries.
The process will be long, with laws to replace the EU's 17-year-old data protection directive expected to come into effect only in two or three years' time.
But widely leaked drafts have already sparked concerns that some measures, such as the right to be forgotten, will be impossible to implement, while others, such as compulsory data protection officers, will be an undue burden on small firms. Still others, such as a requirement to notify users of data breaches within 24 hours, could be both.
"It seems to have been their focus to write something very much directed at addressing the evils of U.S. technology companies without thinking of all the small European companies," said Mark Watts, data protection partner at law firm Bristows.
"It's a missed opportunity in terms of trying to write a piece of legislation that matches the reality of sharing information these days."
The proposed new legislation envisages forcing social networks like Facebook to give users back data they have posted on the site in a format they can publish elsewhere if they choose to close their account.
RIGHT TO BE FORGOTTEN
The controversial right to be forgotten means Internet companies would be obliged to erase data and possibly also traces of it in search engines such as Google and elsewhere if members withdraw their consent for it to be used.
Such measures may prove popular with consumers, some of whom are increasingly concerned that pictures of wild nights out they unthinkingly post on Facebook could harm their future career chances, for example, but it will in practice be difficult to kill that many-headed snake.
Microsoft's Chief Operating Officer EU Affairs and Associate General Counsel Ronald Zink doubted any single company could be held responsible for erasing personal information from the entire Web.
He gave the example of a person using Microsoft's SkyDrive cloud-computing storage service for personal photos.
"If one person puts photos on their SkyDrive and makes them available to everyone on the public Internet, and then later asks us for the content to be removed, we can take it off our servers," he said.
"But are we really responsible for going to find every cached copy that may have filtered out there? What is the obligation beyond our set of properties? It's hard to know how you would pull back all the copies of a given piece of content."
Facebook has also objected to legislating the right to be forgotten, and the company's chief operating officer issued a veiled warning on Tuesday of the risk of discouraging global Web giants from doing business in Europe.
In a speech on Tuesday, Sheryl Sandberg spoke of Facebook's power to drive commerce, saying that over 9 million U.S. businesses used it, and that a brand could reach a million Facebook users in only four recommendation steps.
"This is really serious stuff. This is about growth and this is about jobs," she told the annual DLD technology conference in Munich, Germany.
A document seen by Reuters on Tuesday suggests the EU may yet be preparing to soften its stance on proposed sanctions, data breach notifications and the extent to which website owners would be obliged to chase the removal of data from other sites.
Reding made her name as a consumer champion in her previous role as Commissioner for Information Society and Media, when she forced mobile telecoms companies to cut their roaming charges to customers for making and receiving calls abroad.
But critics say the legislation she is now proposing is too heavy-handed and will be cumbersome and expensive to implement, while proposed sanctions of up to 2 percent of a company's turnover are disproportionate.
"Data privacy is an important individual freedom, and clearly it is important that the current law is updated," said James Mullock, head of data privacy at international law firm Osborne Clarke.
"But it is fatuous to claim that complying with the rules will actually save companies money. On the contrary, these measures are likely to cost EU businesses billions to implement and even more to maintain on an ongoing basis."
Reding has said replacing 27 national data protection laws with a single European one will save 2.3 billion euros ($3 billion) a year in administrative costs.
Several lawyers and technology firms pointed out that fulfilling Reding's requirement to notify customers within 24 hours if their data had been lost, stolen or hacked was unrealistic and risked alarming customers unnecessarily.
In an interview with Reuters at the DLD conference, Reding defended the measures.
"Isn't it shocking that these things are not done by the companies, that millions of data are lost or stolen, and the ones that have been robbed of the data aren't even informed? Isn't it awful? Isn't it terrible that we need to legislate?"
OILING THE 21ST CENTURY
Most of the delegates at the annual DLD conference, which brings together technology leaders, start-ups and investors, knew little about the proposed measures, and of those who did, many thought the new rules were missing the point.
"Regulators don't understand that data is the oil of the 21st century," said Stefan Gross-Selbeck, chief executive of German professional social network Xing. "It's not mainly about ... bad things. It's about opportunity."
Andrew Keen, author of the book "The Cult of the Amateur: How Today's Internet Is Killing Our Culture", said legislation would not change the fact that consumers were increasingly choosing to share their personal information online.
"I'm not necessarily against the legislation. But it doesn't deal with the core issue -- that people are choosing to reveal their data via services like Facebook, Twitter, foursquare etc.," he said.
"So the challenge is educating consumers rather than punishing companies. I'm just not very confident the politicians can keep up with technology."
($1 = 0.7704 euros)
(Additional reporting by Leila Abboud in Paris and Francesco Guarascio in Brussels; Editing by Will Waterman)