Protecting Privacy in the Age of Social Networks
In late January, the European Commission proposed a new regulation on the protection of personal data. It's a historic turn: after years of validity, Directive 95/32 is shelved. For the first time, this norm considered privacy beyond the original concept of the right to be left alone, viewing it as continuous control over the handling of one's personal data. If the directive was forward-looking in 1995, it has now been made outmoded by the evolution of the network society.
What are the new ingredients for an effective protection of e-privacy? Firstly, it is a regulation instead of a directive. The former has a stronger impact on the legal systems of member states (it is immediately binding as soon as it comes into force). It thus leaves less room for discretionary rules and imposes more uniformity across the Union. Secondly, it foresees the obligation for online companies to implement privacy by default in addition to privacy by design. Privacy by default forces Facebook and other social networks to offer users their services so that the information they post stays private by default, and only with the explicit consent of users can these posts become public. Another fundamental principle is data portability: citizens will have easier access to their personal data, by being able to transfer them from one service provider to another, so that competition for Internet services is enhanced. The right of oblivion has also been codified in the proposed regulation; this means the user can request that all his/her data be erased if the provider has no legitimate cause to retain them.
The regulation is also intended to apply outside the European Union, when the handling of data concerns the supply of goods and services to EU residents, or the control of their behavior, by companies established outside the Union. This aims to affect the giants of the web and their server farms in Silicon Valley, which have so far been shielded behind the "no server, no law" argument. It remains to be seen to what extent this principle will be enforced, since there is divergence between the EU and the US on the issue.
In a recent interview on www.medialaws.eu, Francesco Pizzetti, head of the Italian Authority for the protection of privacy, argues that "in an increasingly transnational context, it would have been better not to erect a European fortress on privacy, as it seems it was done with this new regulation, which lacks the flexibility to make international agreements." Flexibility: this seems to be the missing ingredient in the Commission's proposal. There is time to add it before the regulation comes into force.