ENDitorial: EU Data Protection: state of the play, potential for enhancements

By EDRi · July 1, 2009

This article is also available in:
Deutsch: [ENDitorial: Datenschutz in der EU: der Stand der Dinge, Raum für Verbesserungen |]

With the title “Personal data – more use, more protection?” the European
Commission organised on 19 and 20 May 2009 a data protection (DP) conference
in Brussels. The purpose of the conference was to look for new challenges
for privacy and to kick off a process towards a new quality of data
protection for the European Union. On invitation of the European Commission,
Andreas Krisch participated on behalf of EDRi.

The topics of the one and a half day conference included a wide range of
areas related to data protection. Amongst them: data protection in the area
of law enforcement, data retention, the role of businesses as well as
supervisory authorities and consumer protection.

Following the presentations on data retention by Kurt Alavaara (National
Police Board, Sweden) and Francis Stoliaroff (Ministry of Justice, France) a
long debate on the legitimacy of the data retention directive took place.
Spiros Simits (Goethe-University Frankfurt am Main) argued that data
retention not only is in violation of fundamental rights and against the
German constitution but also violates the fundamental principles of data
protection, especially the principle of purpose limitation.

Panellist Douwe Korff (London Metropolitan University) concured by saying
that for vague purpose specifications the interpretation is different
in the member states. While some countries differentiate between the
purposes of prevention and prosecution of crimes others simply subsume these
with the term “police purposes” with huge implications regarding the
access to retained data. Furthermore, he made clear that communication
traffic data is personal data.

Finally Waltraud Kotschy (Austrian Data Protection Commission) joined the
discussion and stated that, in her view, it will be impossible to keep the
access to retained data restricted to cases of terrorism and organised
crime. Already now there are discussions in Austria on access to data for
purposes of copyright enforcement. These and similar discussions will gain
momentum once data retention is in place.

For all presentations and discussions of the first day of the conference a
webcast of 15 minutes of discussion with English, German and French
translations is available on the EC website and definitely worth viewing.

The role of business and personal data protection was the title of my
presentation. Starting with a general overview of commercial data collection
on shopping and communication habits, financial, location and movement
information, I argued that in many cases commercial data collection leads to
the use of these data by the state. Examples for this include but are not
limited to the SWIFT case where US authorities accessed data on EU
financial transactions, PNR data where the EU grants the US access to
passenger information and plans to access these data as well, and the
mandatory data retention where EU member states retain and access data on
communications of 490 million people.

Given these practices, the significance of commercial data collection cannot
be overestimated and the 1983 ruling of the German Constitutional Court
reasoning that “… an as such inconsequential date can get a new
significance;” and that “insofar there is no ‘inconsequential’ date anymore
under the conditions of modern data processing”, has more relevance today
than ever before.

At the same time, we see significant weaknesses at the counterparts of these
data controllers, the data protection authorities. On the one hand, they are
often confronted with very limited financial and personal resources and
therefore are also limited in their possibilities to enforce data protection
legislation. On the other hand, we also see problematic decisions – or at
least problematic reasoning – of data protection authorities (see Privacy
International on the UK Information Commissioner). In addition, it is also
clear that traditional means of oversight will be unable to cope with the
immense increase of the amount of data being processed. Present means for
individual data protection are also limited and often impose relatively high
financial risks for legal procedures in combination with relatively little
potential gains in individual cases.

Improvements of data protection and data protection legislation can
therefore be achieved by expanding the possibilities for individual data
(self-)protection (e.g. easier and less risky legal procedures; evaluation
of current practices regarding “informed consent” of data subjects), the
introduction of mandatory data breach notifications and punitive damages on
a per data basis in cases of data leaks. With regard to the area of
Radio Frequency Identification and the Internet of Things it will be
necessary to follow the developments carefully and to evaluate if current
data protection concepts still provide sufficient means to address the data
protection challenges introduced by these technologies.

Additionally, positive measures need to be also taken. Tools and mechanisms
that help businesses to prove and publicly communicate their compliance with
data protection legislation, like the European Privacy Seal (EuroPriSe),
should get a strong foundation in the European data protection legislation.
The introduction of mandatory data protection officers for companies would
not only help companies to establish data protection mechanisms in their
organisations and to work internally on improvements but would also bring
positive effects for the relationship between companies and their customers
by providing a competent contact person for questions related to data

Finally, better educational information on data protection is needed to
ensure that young people have access to relevant first hand information on
data protection and their possibilities to protect their privacy.

The future will show what this process towards a new quality of data
protection for the European Union brings. For the time being, it is to say
that the European Union has at least two faces when it comes to data
protection. On the one hand, important steps towards data protection in the
area of RFID and the Internet of Things are taken, but on the other hand,
the planned Stockholm Programme on Justice and Home Affairs policy for the
next five years describes the way towards a surveillance society in which
the floods of the digital tsunami threaten to overwhelm the data protection
rights of individuals in Europe.

Conference “Personal data – more use, more protection?” (19-20.05.2009)

Conference Programme “Personal data – more use, more

Webcast of the discussion on data retention (Simits, Korff, Kotschy and
others) at the conference

Webcast of the presentation by Andreas Krisch “The Role of Business and
Personal Data Protection”

PI calls for review of UK privacy regulator following series of failed
judgements (23.04.2009)[347]=x-347-564402

European Privacy Seal (EuroPriSe)

EDRi-gram: Stockholm programme – the new EU dangerous surveillance system

EDRi-gram: EU supports RFID with proper protection of consumers’ privacy

EDRi-gram: ‘Right to the silence of the chips’ in the new EC Communication (1.07.2009)

(Contribution by Andreas Krisch – EDRi)