EDPS urges the updating of the EU legal framework for data protection

By EDRi · May 5, 2010

During his speech on 27 April 2010 at the European Privacy and Data
Protection Commissioners’ Conference in Prague, the European Data Protection
Supervisor (EDPS) Peter Hustinx asked the European Commission to continue
its efforts in updating the present legal framework for data protection.

Hustinx argued that, in a society increasingly affected by globalisation
and technological development, a legal context is needed to keep data
protection from losing relevance and effectiveness, and that the European
Commission should therefore be ever more proactive in updating the relevant
legal framework.
“The stakes are not more and not less than how to ensure privacy and data
protection in a highly developed Information Society of 2015, 2020 or
beyond,” said Hustinx.

The EDPS mentioned that there had been progress lately in this direction. At
the Spring Conference of European Data Protection Commissioners that took
place in April 2009 in Edinburgh, discussions were started on the evolution
of the Data Protection Directive 95/46/EC. Later, in May 2009, at the
European Commission’s conference in Brussels, a consultation was launched on
the future of the present legal framework for data protection in the
European Union and on how to respond to the challenges of technological
change and globalisation. In December 2009, the Article 29 Working Party and
the Working Party on Police and Justice issued a substantial joint
contribution to the public consultation. The main idea of the
contribution is that although the main principles of data protection are
still valid despite new technologies and globalisation, data protection in
the EU needs a better application of these principles. EDRi has also
submitted a response to the consultation recommending the inclusion of
stronger principles ensuring data minimisation and the clarification of the
term “personal data”.

While appreciating the steps forward made in the discussion of the issue,
Hustinx believes the Commission must continue its efforts in this direction.
“An ambitious approach is the only way in which we can ensure that our
privacy and personal data are well protected, also in the future. It is
essential that the Commission comes up with proposals that take into account
what is really needed and does not settle for less ambitious results,” said
the EDPS.

In order to achieve an effective legal framework, Hustinx insisted on a few
key conditions that the future directive must observe, which include the
integration in ICT of “privacy by design” (privacy and data protection
compliance designed from the beginning into information systems and
technologies and at all stages of their development) and “privacy by
default” (parameters controlled by users). Another key element should be more
accountability for controllers. “Accountability requires that controllers
put in place internal mechanisms and control systems that ensure compliance
and provide evidence – such as audit reports – to demonstrate compliance to
external stakeholders, including supervisory authorities.” This would bring
“added value for an effective implementation of data protection in practice,
over and above the mechanisms that are currently available in the Directive.”

The Commission is to issue its conclusions and proposals on the issue by the
end of this year with a possible review of the EU Data Protection Directive.

“The Strategic Context and the Role of Data Protection Authorities in the
Debate on the Future of Privacy” (29.04.2010)

EDPS Press Release – Reform of EU Data Protection law: EDPS calls on the
European Commission to be ambitious in its approach (29.04.2010)

The Future of Privacy – ARTICLE 29 Data Protection Working Party and Working
Party on Police and Justice Joint contribution to the Consultation of the
European Commission on the legal framework for the fundamental right to
protection of personal data (1.12.2009)

EDRi-gram: EDRi position on data protection (13.01.2010)