European Commission takes next step towards data protection review

By EDRi · November 17, 2010

The European Commission has published a Communication on “a comprehensive
approach to personal data protection in the European Union”, as the final
stage in the consultation process leading to a review of the 1995 Data
Protection Directive.

Based on its work on this dossier to date, the Commission has identified the
need to address several key priorities, the first of these being to adapt to
the impact of new technologies. Three further priorities (enhancing the
single market, providing stronger institutional arrangements and improving
coherence) address a core problem that unites pretty much everybody
concerned with the current framework – the lack of consistency and
predictability in the implementation of the Directive. This consistency will
be tested by the broader applicability of the Directive as a result of the
Lisbon Treaty. A further priority will be to strengthen international
measures, to ensure protection of personal data on a global level,
particularly as a result of developments such as outsourcing.

These priorities are honed down in the Commission’s Communication into
several specific objectives.

The first objective is the strengthening of individuals’ rights. The
Commission raises the issue of the definition of personally identifiable
data in this context and says that additional measures are needed. The aim
is to ensure a coherent application of data protection rules, taking into
account the impact of new technologies on individuals’ rights and freedoms
and the objective of ensuring the free circulation of personal data within
the internal market.

The second objective is more difficult still – to increase transparency for
data subjects. The Commission proposes three different strands of action on
this point. It suggests a general principle of transparent processing,
bolstered by specific obligations on what information to provide and how to
provide it and with standard EU forms for data controllers. Finally, as was
almost unavoidable after the introduction of a sector-specific breach
notification obligation in the e-privacy Directive, the Commission suggests
a general breach notification obligation.

The third objective is a clearer power of citizens to have control over
their own data, where theoretical rights granted by the existing Directive
are currently very difficult to enforce in practice. The aim of the
Commission is to improve the procedures for exercising the rights of access,
rectification, erasure and blocking of data – including the “right to be
forgotten” – and “data portability” (“as far as technically feasible” –
which will obviously need to be carefully worded to avoid businesses
devising systems to make this technically unfeasible).

The fourth objective is to increase the level of awareness of data
protection rights in Europe, including funding for this via the EU budget
and through an obligation on Member States to raise awareness.

Fifth, the Commission sets an objective of ensuring free and informed
consent but, unsurprisingly, as this is a particularly difficult issue, it
makes few proposals at the moment, beyond suggesting that self-regulatory
initiatives designed to develop solutions consistent with EU law may be a
way of making progress.

The sixth objective is updating the protection for sensitive data, in
particular with regard to the extension of the definition of sensitive data
and harmonizing the conditions for processing such data.

Finally, and importantly, the Commission wishes to prioritise the issue of
making remedies and sanctions more effective. It suggests that this could be
done via group actions and strengthening existing provisions on sanctions.

With regard to the single market, the Commission recognizes the failures of
the existing framework and undertakes to “examine the means to achieve
further harmonisation of data protection rules at EU level.” The Commission
aims to achieve this in part through a simplification of the current
notification system. Following from this, it will seek to solve the issue of
applicable law, which is causing problems for companies established in
several EU Member States. The Commission undertakes to examine how to revise
and clarify the existing provisions on applicable law.

The Commission is keen to ensure that simplification of procedures will not
lead to a weakening of rights and therefore aims to create specific
obligations including data protection impact assessments and the use of
privacy enhancing technologies. This approach would be bolstered by
self-regulatory initiatives such as codes of conduct.

The Commission ambitiously aims to address the problems of data protection
in the field of police and judicial cooperation. While there is a Framework
Decision on this subject, it does not cover domestic processing of data and
is also too weak with regard to purpose limitation. To overcome these and
other problems, the Commission suggests considering the extension of the
application of the general data protection rules to the areas of police and
judicial cooperation in criminal matters and considers the possibility of
specific and harmonised provisions in the new general Data Protection
Framework, for example on data protection regarding the processing of
genetic data for criminal law purposes or distinguishing the various
categories of data subjects (witnesses, suspects etc.) in the area of police
cooperation and judicial cooperation in criminal matters. In addition, it is
contemplating a specific consultation on the revision of current supervision
systems in this area and the alignment of existing sector-specific rules to
the general data protection framework.

With regard to the many and varied problems related to international data
transfer, the Commission says that it intends to examine how to improve and
streamline the current procedures for international data transfers, to
clarify the Commission’s adequacy procedure and better specify the criteria
and requirements for assessing the level of data protection in a third
country or an international organisation. It will also look at defining core
EU data protection elements, which could be used for all types of
international agreements.

Consultation – A comprehensive approach on personal data protection in the
European Union (4.11.2010)

Council Framework Decision on the protection of personal data processed in
the framework of police and judicial cooperation in criminal matters

(Contribution by Joe McNamee – EDRi)