EU Targets Criminal Penalties for Data-Privacy Lapses

European Union regulators may propose expanded criminal penalties to enforce data protection rules that limit what companies and governments can do with personal information.

People should also have the right to have their details deleted and to remove lists of friends, photos or medical records, according to a European Commission document obtained by Bloomberg. The proposals may also make it easier for data protection authorities and consumer groups to file lawsuits over privacy breaches.

Google Inc. and Facebook Inc. are among several Internet companies that have come under European scrutiny for possible privacy breaches. Data-protection officials have criticized Facebook, the largest social-networking site, for putting users’ personal information and privacy at risk with recent policy changes.

It’s “essential to have effective provisions on remedies and sanctions” including “criminal sanctions in case of serious data protection violations,” the paper from the EU’s executive agency says.

Privacy violations can be punished with jail time in Italy, where a court in February sentenced three Google officials to six-month terms, which were suspended. They were held responsible after a group of Turin school students filmed themselves bullying an autistic classmate and uploaded a clip to Google Video in 2006.

Wireless Data

A U.K. privacy group, Privacy International, asked London police in June to investigate whether Google should face criminal charges for collecting wireless data.

“If it strikes you as being surprisingly harsh to propose criminal penalties for privacy violations, in fact in the U.S. it’s not,” said Marc Rotenberg, an executive director at the Washington-based nonprofit Electronic Privacy Information Center. “We would do it for wiretapping, we would do it for violations of the Federal Privacy Act.”

Google spokesmen Al Verney and Bill Echikson didn’t immediately respond to e-mails seeking comment on the possible EU measures.

EU Justice Commissioner Viviane Reding has called for Internet users to have “effective control of what they put online and be able to correct, withdraw or delete it at will.”

Changes could be made to the commission’s document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011.

No Decision

Matthew Newman, a spokesman for Reding, said there is no decision on whether the EU’s data protection proposals should set mandatory rules across the 27-nation bloc or only suggest guidelines for countries to follow.

Data protection regulators from 30 European countries have pushed search-engine operators including Google, Microsoft Corp. and Yahoo! Inc. to limit the amount of time they store search records to no more than six months. Because the companies rely on user queries to target advertising, shortening the time that search engines keep such records may cut into advertising revenue.

Yahoo spokeswoman Sophia Parviez declined to comment because the EU plan hasn’t been published. Facebook’s press department didn’t immediately respond to an e-mail seeking comment.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE