NET RESULTS: Many web giants have European bases here. The data protection office must be assisted as arbiter in disputes over privacy issues, writes KARLIN LILLINGTON
IF FULLY implemented, the European Commission’s new proposals on data protection, announced last week, would give Europeans the most significant privacy safeguards in the world, especially in the confusing arena of internet and mobile communications and social media use.
No longer will companies, online or bricks and mortar, be able to collect, store, sell on or otherwise use personal data – something that regularly happens in the background when people visit web pages, download and use apps, or post to their social media profiles – without asking for explicit permission.
At the moment, “permission” for such uses is typically granted somewhere in the terms and conditions for sites, services and apps – buried away in documents no one reads because they often are dozens of pages long and written in lawyer-speak. (And that is another part of the new proposals: requests for permission must be written in normal language.)
The argument is sometimes made that people actually don’t care about privacy any more. They give away all sorts of personal details on Facebook, goes the reasoning, and giving up privacy is therefore the “new” privacy in the online world.
But there’s plenty of evidence that people do care about their privacy. The problem is rather that they have little or no idea what information is gathered and how it is used, because they are not informed by the organisations that take their data.
This is especially true of free services and applications – meaning a lot of social media services, online games, quizzes and amusements, and apps downloaded to mobile devices.
For example, I wrote late last year about a report from Dublin-based mobile security company AdaptiveMobile, which looked at 40 different free apps and found that “significant volumes of data are collected by these applications and games”, which include some of the most popular on the market: Angry Birds, Fruit Ninja Free, Twitter, Facebook, the eBay Android app, Mouse Maze and Zombie Life.
Yet when the company surveyed 1,000 smartphone users in the UK, over half were unaware there could be privacy risks in downloading free apps. About nine in 10 said they would be either “very” or “quite” concerned about personal information being collected from their phone, and 69 per cent said it was completely unacceptable for apps to take information from users without permission.
Clearly people do care. They also almost certainly assume there are better controls, regulations and privacy protections than there have been – until now.
They also are concerned – overwhelmingly so – about the fact that their personal information can live on forever online. A 2010 survey by researchers at the University of California, Berkeley, found 92 per cent of people questioned said that they believed there should be a law requiring deletion of personal data after a certain point.
And that is exactly what will be on offer with the new EU data protections: a “right to be forgotten” that will enable Europeans to have data they have posted themselves, to Facebook, say, or Google+, permanently deleted on request, unless organisations can show good reason why it should be retained.
Needless to say, these proposals – as well as provisions for significant fines of up to 2 per cent of annual revenue for companies that repeatedly fail to comply with the regulations or commit large data breaches – have been criticised by businesses.
They argue that these regulations are costly and unworkable and, in particular, could limit the growth and development of internet and mobile services in an increasingly “social” online world.
At the announcement of the proposals, EU commissioner Viviane Reding argued to the contrary – that European surveys have shown over 70 per cent of EU citizens are seriously concerned about how their data is taken and used by organisations. Better inbuilt privacy controls would build trust and encourage use of services, products and retail sites, rather than hinder such activity.
She said too that a pan-European, unified set of data protection and privacy regulations handled by the data protection authority in the country used as the main European base for a company (which is often Ireland, in the case of multinational internet and technology companies) reduces costs and uncertainty and eases market access and operational complexity.
There’s no doubt the regulations will cause headaches for companies – primarily because at last they will have to seriously consider and provide for data protection and privacy up front, with buy-in from the individual whose data they wish to access. Despite concessions here and there by some companies – generally after public outcry, or under direction from regulatory bodies – data privacy until now has remained a matter of what you can avoid doing, rather than what you do for consumers.
A more clarified data protection regime will be helpful to companies, yes, and certainly save some costs, but I doubt many firms will see that this outweighs the hassles of meeting the new obligations. That’s their problem: solid privacy options are badly needed, especially online.
Meanwhile, the proposed regulations will have more significant impact here. The State’s policy of actively seeking multinational internet and telecommunications companies for inward investment means Ireland will be the data protection authority regulating them for all of Europe, and will carry new, resource-demanding responsibilities.
We therefore must fund our data protection office appropriately to give it the ability to deal promptly and comprehensively when appeals involving these multinationals land here.
This is critical both to maintain Ireland as an attractive location for inward investment and to ensure we do not then neglect our own data protection and privacy cases to cater primarily to the multinationals.
Twitter: @klillington