• The upcoming EU Privacy Directive aims at a moving target
• Reviewing internal data management policies may be one good outcome
We all know that the Internet can come back to haunt us with personal information that we wish had been deleted a long time ago – from youthful debauchery and outdated purchasing habits to run-ins with the law. We also know that many Web sites storing this information show little interest in complying with deletion requests from individuals. Given its commercial value, we also see that companies holding such information are very loath to make it easy for individuals to move information about themselves to other platforms. A third issue that needs to be addressed is the wide range of different national privacy policies, which makes life difficult for companies storing personal data across many countries. Any new legislation must strike a critical balance between an individual’s right to privacy and what’s feasible (i.e., what can companies ‘reasonably’ do, what can authorities monitor and enforce, and how is privacy actually perceived by specific user communities – especially in social networks where users want to follow each other’s private lives). The legislation is clearly addressing a moving target and will be criticized severely, no matter how it shapes up. But retaining legislation that everyone agrees is obsolete is clearly not an option, so whatever comes out in the end will require a rethink across the industry.
For companies that store and handle personal information, the legislation will inevitably require a review of their information management policies – which is not necessarily a bad thing, as compliance with both legislation and internal governance, risk, compliance (GRC) policies is a high priority in many companies, and more legal pressure may increase company funding of better information management systems. We can also hope that an EU Directive spanning an important economic region will have a rub-off effect on other countries and regions, making trans-border data retention policies and management less onerous for commercial operators. It may also affect the turf wars between major Internet operators like Google and Facebook that have tried to siphon off personal information from each other. Additionally, much personal information, such as call logs, may be stored simply to comply with possible future legal requirements. Then there are the issues around news organisations and the public interest in their older reports that contain personal information, and the more sociological issues related to what different user communities consider ‘private’. Certainly the 500 million Facebook users differ dramatically from their parents in this respect. So what does it mean for your business – more bother or clearer demarcation lines?