Who has not had a conversation recently about new technologies and their impact on our everyday life? We experience how life is simpler than before thanks to new technologies. Who doesn’t have a loved one living on the other side of the world but can appear closer thanks to video calling? Who has not shared pictures and videos with friends or made an online payment or created a profile on a social networking site?
Our lifestyle will continue to be deeply affected by new technologies and services but at what price? How many of us are aware of the fact that we leave digital traces with every step we take? This regularly happens when we use social networking sites, cloud computing, location-based services and smart cards, and also when cameras are used for surveillance, when we send location information with mobile phones, when a debit or credit card payment is made, when a registration form is filled in to obtain a store loyalty card, when we book a flight online, when we open a bank account.
“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President. According to a Eurobarometer survey (IP/11/742), three quarters of Europeans think that disclosing personal data is part of modern life, but at the same time, about 70% of Internet users feel they are not in complete control of their data and are concerned their personal data may be misused. Furthermore, even where users are not asked to provide personal data when accessing services on the Internet, they can still be identified through several other digital traces (e.g. Internet Protocol address of their computer, digital cookies, etc.).
The progress of technology and new developments, such as cloud computing where individuals access computer resources remotely, represent a change in the way personal data is collected, accessed, used and transferred. If not otherwise controlled and regulated, this change clearly constitutes a threat to the right to the protection of personal data, recognized, among others, by Article 8 of the EU’s Charter of Fundamental Rights, which states: “Everyone has the right to the protection of personal data concerning him or her.”
Concerns related to privacy issues are far from being only theoretical questions. In fact, lately, Data Protection Authorities have been very busy dealing with new technologies, American IT giants and data protection issues. For example, the Article 29 Data Protection Working Party adopted an opinion (No. 02/2013) with the purpose of warning businesses in the mobile industry that they must comply with EU Data Protection Law, if they target apps to EU users, regardless of where the businesses are located. Furthermore, the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority recently released a joint investigation that stated that WhatsApp violated privacy laws because users have to provide access to all phone numbers in their address book, including both users and non-users of the app.
It appears unmistakably that the current European framework and specifically the Directive 95/46, supplemented by other directives such as Directive 2003/98/EC, Directive 2002/58/EC and Directive 2009/136/EC, is out of date and not effective anymore. In fact, when the regulations were adopted, new technologies barely existed. Hence there is a need to update the sector-specific discipline to ensure a more effective protection. The regulatory framework needs to be brought in line with technological developments.
On 25 January 2012, the European Commission (EC) proposed a comprehensive reform (both a Regulation and a Directive) of the data protection framework to strengthen online privacy rights and boost Europe’s digital economy. The Regulation would be directly effective and would regulate the processing of personal data and the free movement of such data (General Data Protection Regulation), while the Directive, requiring national incorporation, would regulate the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
The new rules aim to remove barriers to the internal market caused by the different legal approaches of the 27 EU countries and to create one single law so as to harmonise the data protection discipline within the EU. According to Viviane Reding, the new discipline will be technology neutral, future-proof and ready for the challenges caused by the latest technological developments, and it will constitute an updated and modernized version of the principles enclosed in the current data protection directive.
Specifically, the proposals focus on strengthening the EU internal market and mainly reinforcing individuals’ rights through the creation of a single supervisory authority, a broader concept of personal data and new definitions of concepts such as biometric data, personal data breach, main establishment, extra-territorial coverage, the right to be forgotten and substantial proceeds-based sanctions.
The key points of the new legal framework are the following:
- The rules will apply to both domestic and cross-border transfers of data, even if personal data is handled abroad by companies that are present in the EU market and offer their services to EU citizens.
- Wherever consent is required for data to be processed, it will have to be given explicitly.
- More transparency about how the data is handled, with easy-to-understand information, especially for children.
- A reinforced “right to be forgotten” will help people better manage data protection risks online.
- Individuals will have easier access to their own data and the right of data portability.
- Individuals will be able to refer cases where their data has been breached or rules on data protection violated to their home national data protection authority in their country, even when their data is processed outside their country.
- Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
- EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behavior of citizens.
- Increased judicial and administrative in cases of violation of data protection rights.
- Increased responsibility and accountability for those processing personal data – through data protection risk assessments, data protection officers, and the principles of “privacy by design” and “privacy by default”.
- Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.
- National data protection authorities will be strengthened so they can better enforce the EU rules at home.
A better regulated data protection discipline will make individuals more confident about how their personal data is treated. A stronger data protection legal framework will help increase trust in online services, so that people can use new technologies more confidently. New and more effective rules for the free movement of data will also help businesses grow within a data protection framework that can be trusted.
In this regard, the speech given by the Vice-President of the European Commission and EU Justice Commissioner Viviane Reding at the second Annual Cloud Computing Conference in Brussels on 7 March 2013 is pertinent: “Data protection is a fundamental right in the EU. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society. Second, we have to fight for the data protection proposal because it will open up the EU’s digital market. It is good for business. It meets the expectations of business to have a true digital single market with one single law for data protection. The implementation of the current Directive is fragmented and complicated [...]. One continent, one law. That’s what I call simplicity. That’s what I call opening a market. Third, we need to ensure that the same rules apply to all businesses providing services to EU residents. Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data. [...] Another challenge is to make sure that the new rules are technology-proof. The data protection package means that the same rules will apply irrespective of where the data is stored. And they facilitate the flow of data within the Cloud. We are building bridges, not firewalls. The final challenge relates to the speed with which we will reach a deal. The answer is simple. It is for this Parliament and for the current Members to deliver the reform. They have accompanied the file from the start. It will take the full span of the mandate. But they must finish the job.”
Currently, Parliament’s political groups are discussing the amendments tabled to both the regulation and the directive ahead of the Civil Liberties Committee vote. Hopefully, a new regulatory framework will be promulgated soon, before the next European elections in 2014. Once adopted, member states would have two years to adapt their national legislation to the new laws (both the regulation and the directive).