On 25 January 2012 the EC proposed a uniform legal framework for providing legal certainty on data protection. The most notable proposed change is that from a European Directive to a Regulation (the Proposed Regulation) to ensure directly enforceable implementation across all Member States. The Proposed Regulation sets out general rules on data protection that would modernise and further harmonise the data protection regime created by the Data Protection Directive (95/46/EC).
While the European Data Protection Supervisor (EDPS) has stated that it is a huge step forward for data protection in Europe, it still fails to offer a comprehensive set of data protection rules for the EU.
Privacy International’s analysis concurs with this sentiment.
It suggests that the Proposed Regulation goes some way to ensure that data protection law responds to contemporary and emerging threats to the right to privacy, and commends the introduction of additional controls for individual consumers with regards to access, correction and deletion and the provision of greater power for independent authorities to ensure effective enforcement. It also welcomes the emphasis on responsibility and accountability through privacy by design and the introduction of data breach notification for all industry sectors.
Privacy International, however, also express concern over various weaknesses that may undermine individuals’ rights. It is advocating for more specific, comprehensive protection including:
- A stronger definition of consent to make it ‘provable’.
- A clearer definition of processing on the grounds of ‘legitimate interests’.
- Data Breach notification limited to serious risk to avoid notification fatigue.
- Inclusion of information about profiling and security measures to individuals.
- Deletion of the provision allowing further non-compatible use on the basis that it undermines the very basis of data protection.
While most of us welcome the idea of great harmonization of data protection law across the EU, Privacy International’s views are at odds with the other fundamental purpose of data protection law, which is the free flow of data and while individuals’ rights should be protected, the EU has the unenviable task of ensuring that it is done in a way that does not thwart business and have a dampening effort on the EU’s goals for the future of its digital economy.