EDRi responds to data protection consultation

By EDRi · January 26, 2011

This article is also available in:
Deutsch: [EDRi Stellungnahme zum Konsultationsverfahren zur Datenschutz-Richtlinie | http://www.unwatched.org/node/2549]

Building on the analysis produced for the European Commission’s initial data
protection consultation in 2009, European Digital Rights has submitted its
second round of comments on the review of the 1995 Data Protection
Directive.

One of EDRi’s primary concerns with regard to the existing legal framework
is the lack of predictability – due to vast differences in the way basic
parts of the Directive are understood by Member States’ authorities and
courts as well as the powers and resources of national data protection
authorities. This led EDRi to the conclusion that a directly applicable EU
Regulation is needed, rather than the current situation, where 27 Member
States have to implement a Directive into their national law, leading to
these diverging implementations.

Another core problem to address is the plummeting costs of data processing
which causes more and more data to be collected and used. Such processing
will lead to ever-greater risks being taken with personal data unless legal
provisions ensure that the risk-reward balance for data processors is
adapted appropriately.

Processing of personal data by states comes in for particular criticism in
EDRi’s submission. The actions of Member States must be consistent with what
they expect from private companies, and there are many examples of this not
being the case. There are numerous examples of electronic patient records,
e-government systems and public transport payment systems which do not
respect “privacy by design”, data minimization and other key principles.
Worse still, the broad exception given to Council of Europe Member States in
that institution’s Recommendation on profiling, which accepts in principle
that the most basic of privacy protections, may be set aside by European
governments.

Regarding data processing by companies, EDRi welcomes many of the policies
described in the Commission Communication, such as data minimization, the
right to be forgotten, rights of access and erasure of data etc, but points
out that many of these rights are already in the existing legislation. The
task at hand, therefore, is not to re-legislate for existing rights, but to
establish why these rights are not readily enforceable.

Concerning new technologies, EDRi suggests that there are three trends
which need to be taken into account – the exponential growth in personal
data processing capabilities, the growing disconnection between data
processing and physical location and the Internet of Things.

In order to improve implementation, EDRi called for increased
implementation powers for national data protection authorities (DPAs) as
well as a targeted reduction in the administrative burden. The reduction of
the administrative burden should (and must) lead to national DPAs having
more time and resources to devote to practical improvements in privacy
protection for data subjects.

Both the change of legal environment as a result of the Lisbon Treaty and
the increasing trend for data collected by private companies to be used for
policing purposes means that it is essential to include data collected for
policing purposes in the Directive. A strong data protection framework is
the minimum price that should be paid for the levels of police and security
cooperation that are currently demanded and enacted within the EU and
between the EU and third states.

EDRi believes that a Regulation would be a better instrument to
ensure clarification and simplification of rules for international data
transfers. EDRi believes that the current “safe harbour” exceptions result
in an opaque and unaccountable situation for data subjects. At the same
time, EDRi feels very strongly about retaining the base principle that
personal data should not be exported to jurisdictions without safeguards
that are materially similar to those within the European Free Trade Area.

Finally, EDRi drew attention to a separate consultation that overlaps with
the Commission’s work on Data Protection – the Communication on the IPR
Enforcement Directive. This latter Communication seeks to undermine the
fundamental right to privacy by suggesting an opaque effort to “rebalance”
rights to the benefit of so-called property rights. It is entirely and
obviously unacceptable that the European Commission can simultaneously be
negotiating ratification of the European Convention on Human Rights and
seeking to undermine its core provisions.

EDRi response to 2010 Communication on Data Protection Directive revision
(15.01.2011)
http://www.edri.org/files/20110115_EDRi_data_protection_final.pdf

European Commission 2010 Communication on Data Protection Directive
revision (4.11.2010)
http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf

Data Protection Reform Strategy: EDPS sets out his vision for the new
framework (18.01.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-01-14_Personal_Data_Protection_EN.pdf

Communication on IPR Enforcement Directive (22.12.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0779:FIN:EN:PDF

EDRi response to 2009 Consultation on Data Protection Directive revision
(13.01.2010)
http://www.edri.org/edrigram/number8.1/position-data-protection-review

(Contribution by Joe McNamee – EDRi)