On November 4, 2010, the European Commission (the “Commission”) released a draft version of its Communication proposing “a comprehensive approach on personal data protection in the European Union” (the “Communication”) with a view to modernizing the EU legal system for the protection of personal data. The Communication is the result of the Commission’s review of the current legal framework (i.e., Directive 95/46/EC), which started with a high-level conference in Brussels in May 2009, followed by a public consultation and additional targeted stakeholder consultations throughout 2010. Although the Commission considers the core principles of the Directive to still be valid, the Communication also acknowledges that the existing legal framework for data protection in the European Union is no longer able to meet the challenges of rapid technological developments and globalization.
The Communication identifies specific challenges, including the need to:
- Clarify and specify the application of data protection principles to new technologies (e.g., cloud computing)
- Increase harmonization between data protection laws of the EU Member States
- Simplify cross-border data transfers and make them less burdensome
- Increase effective enforcement by local data protection authorities
The Communication gives valuable indications of possible upcoming changes to the Directive, which will impact all businesses operating within the European Union. In particular, the Commission’s strategy to modernize the existing EU data protection framework is based on the following selected key objectives:
- Transparency: improving privacy notices by specifying what information they should contain and how they should be made available (e.g., in relation to minors) and possibly introducing EU model “privacy information notices”
- Personal data breach notification: examining how a general personal data breach notification requirement could be introduced
- Rights of the data subjects: improving the ways in which individuals can exercise their rights, for example, by introducing deadlines to respond to individuals’ requests and strengthening the “right to be forgotten” (i.e., the right for individuals to have their data deleted when they are no longer needed for legitimate purposes)
- Consent: clarifying and strengthening the rules on consent
- Sensitive data: examining whether to consider other types of personal data as “sensitive data” (e.g., genetic data) and further harmonizing the conditions under which they may be processed
- Remedies and sanctions: possibly expanding the right to bring an action before the national courts to data protection authorities and civil society associations (e.g., associations representing data subjects’ interests), and strengthening the existing provisions on sanctions
- Registrations: lessening the administrative burden by simplifying and harmonizing the current registration system (e.g., by drawing up a uniform EU-wide registration form)
- Applicable law: revising and clarifying the existing provisions on applicable law with a view to providing the same degree of protection for EU data subjects, regardless of their geographic location and of the location of the data controller
- Data Protection Officer: enhancing data controllers’ responsibility by making the appointment of a company data protection officer mandatory
- Data protection impact assessment: introducing an obligation to carry out a data protection impact assessment when specific risks are involved, for example, when sensitive data are processed or certain technologies are used (e.g., profiling or video surveillance)
- Privacy by design: examining the concept of “privacy by design” and its concrete implementation
- Accountability: possibly introducing a general obligation of “accountability” into the legal framework for the processing of personal data
- International data transfers: improving and streamlining the current procedures for issuing adequacy decisions and international data transfers
- Data Protection Authorities: strengthening, clarifying and harmonizing the status and powers of the national data protection authorities and improving cooperation between them
- Article 29 Working Party: better coordinating the work of the national data protection authorities via the Article 29 Working Party, and possibly creating a mechanism for ensuring consistency in the internal market under the authority of the European Commission
This Communication will serve as a basis for further discussion and assessment. The Commission calls upon stakeholders and the public to comment on the review’s proposals by January 15, 2011. The Commission’s intention is to present legislative proposals in 2011 aimed at revising the legal framework for data protection and assessing the need to adapt other legal instruments to the new data protection framework.
For further information, the Communication is available here.