The European Commission recently issued a detailed strategy underlining its revision – and modernisation – of EU data protection rules.
The strategy document issued on 4 November is essentially a roadmap for EU policy changes in data protection, and follows a public consultation that initially began in 2009 to review the current legal framework – in place since 1995. According to the strategy document, the next generation of EU data protection rules will be drafted with the aim of achieving five distinct policy goals.
- The first of these goals, individuals’ rights, envisages a fundamental right to the protection of personal data. The European Union seeks to create legislation that will minimise the collection of personal data, and at the same time increase transparency to individuals about how, why and by whom their data is collected, and for how long it is kept. In this respect, the Commission has proposed a “right to be forgotten” online. That is, individuals who wish to have their online data deleted, for instance from social networking sites, should be able to rely on the total removal of their personal data. Much attention is likely to be focused on the protection of individuals’ data that is gathered and retained inadvertently.
- The second over-arching goal is to improve uniformity among EU Member States’ national laws to facilitate EU Single Market integration. The Commission is concerned that the divergent approaches taken by Member States implementing the existing EU Data Protection Directive have created significant administrative burdens for companies, and, in some cases, conflicting rules. The Commission aims to reduce these burdens and conflicts through legislative tools, set to be proposed in mid-2011.
- The third policy goal deals with police and criminal justice. The Commission is notably non-specific as to how it seeks to reconcile law enforcement needs for data with its goal of promoting individual privacy. Instead, the Commission notes that the specific needs of this sector “will be” taken into account, and that the specific rules applicable to data retention – namely, the 2006 Data Retention Directive – are under review.
- The fourth policy goal relates to data transfer outside of the European Union. The Commission’s strategy again lacks specific proposals in this area and instead states a broad goal to improve and streamline procedures for international data transfers. Issues related to data transfers outside of the European Union – particularly with the United States – have proven controversial in the past. Specific negotiations in October 2010 between the United States and the European Union likewise revealed that a future, over-arching data protection agreement between them is unlikely to cover data-heavy sectors, such as travel (passenger name records), IT and telecoms.
- The fifth policy goal is to ensure more efficient enforcement. In particular, the Commission will seek rules that aim to strengthen and harmonise the role and powers of national data protection authorities. The importance of enforcement was underscored when, on 5 November, the Organisation for Economic Cooperation and Development (OECD) revealed that its systems had been hacked by cyber-criminals seeking to steal its economic data.
Overall, the strategy document contains few surprises and is in line with the Commission’s prior consultation and public statements. Broader questions remain as to specifically how the Commission intends to tackle complicated issues, for example those involving individual rights and the “right to be forgotten”, cloud computing, inadvertent data collection, technology neutrality, issues particular to specific sectors and third country data transfers. The Commission will also undoubtedly face challenges when drafting rules flexible enough to keep pace with rapidly evolving technology.
Stakeholders have until 15 January 2011 to comment on the Commission’s proposals, after which the Commission will generate specific legislative proposals, likely in mid-2011. These proposals will then face a long road before being implemented, since the Commission will need to “negotiate” the rules with the European Parliament and Council.