In late January, the European Commission published a proposal "on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
The commission also published an introductory statement about the proposal and a staff analysis of the impact of the proposal. The proposal is extensive, more than 100 pages covering every facet of the gathering, processing, movement and protection of data about people. In concept, the proposal does not differ all that much from the existing European approach to data collected by businesses about people. The principles are the same: get permission from individuals before you collect information about them, tell them what the information will be used for, only collect what you need, only keep it for as long as you need to, protect the information properly and do not give the information to someone who will not protect it.
But the new proposal adds some requirements and a lot of operational detail to these principles as well as some rather big teeth to be sure that the rules are followed. A company can be fined up to 2% of its worldwide cash flow for willfully disregarding the requirements.
One apparent major addition, the right to be forgotten, is, in part, a clarification of the idea that since you have to have permission to collect information about someone, if they withdraw that permission you need to delete what information you have collected. It is hard to tell exactly how the nine paragraphs in Article 17 that describe the right to be forgotten will be interpreted when it comes to third parties such as search engines that just report on what information is out there. It is also hard to predict how these rules will be interpreted when it comes to public information such as criminal convictions. It seems like it would be a really bad idea to let someone erase that kind of history.
Even if the proposals are accepted as-is it will be at least two years before they could go into effect, so there is no immediate worry, other than the worry US companies should already have about the existing EU privacy rules. If you work for one of these companies and you have not looked into the US Department of Commerce Safe Harbor programme, you should do so real soon.
Naturally, the first reaction from US businesses is that the EC proposal would be a burden on business rather than something that would be good for Internet users.
The EC's proposal again makes the difference between the US and European approaches to personal privacy very clear. In Europe you, in theory, have the say on who collects information about you and your actions and what they do with that information. There is no such assumption in the United States. In the US, what you want is irrelevant. Instead, companies can collect any information they can get their hands on and use it in any way they want. About the only restriction is that the company has to be truthful in anything they say about what they collect and what they do with it. Being anything but truthful can be seen as an unfair business practice by the Federal Trade Commission.
A potential fine of $756 million will do that to you.
Disclaimer: Even though Harvard might be on the hook for $74 million, I have not seen an official university comment on the proposal, so the above should be seen as my own view.