The European Commission has set out its strategy for modernising the legal system for data privacy. This will be achieved through amendments to the current 1995 Data Protection Directive (95/46/EC) (the "Data Protection Directive"), an instrument negotiated in the early 1990s which is, not unexpectedly, showing its age in an era of social networking, behavioural advertising and cloud computing.
The strategy for reform is set out in the recent Communication to the European Parliament and other EU institutions (COM(2010) 609 final). The proposals are not certain to be adopted in their entirety; in fact, the Communication accompanies a further public consultation (open until January 2011) in which views are invited on the strategy.
The Commission points out that the means of collecting personal data have become more elaborate and less easily detectable, and that the range of information collected has also increased (e.g. through geo-locators). Accordingly, the associated risks to individuals, such as identity theft, are also on the rise.
The Commission has identified 5 key objectives for reform:
- Strengthening individuals' rights in light of the impact of new technologies
- Improving harmonisation of protection within the European Union
- Revising data protection rules in the area of police and judicial cooperation in criminal matters
- The global dimension of data protection – promoting high standards of data protection worldwide
- Strengthening and clarifying the roles of the national Data Protection Authorities
The Communication contains a large number of ideas but these are presented at a fairly high level. Some of the proposals are consistent with requests from industry but their effectiveness and the burden they impose will depend greatly on the detail of the legislative proposals.
Even if not all of these reforms find their way into the final legislation, data privacy is set to become a more complex and onerous area of compliance for businesses in years to come. Greater prominence will need to be given to information governance within organisations, including ensuring that there is oversight at a senior level.
On a more positive note the Commission's proposals recognise many of the areas of difficulty under the current regime, such as lack of harmonisation and the cost and administrative burden often associated with transferring data outside the EEA.
Greater burden for business
The following recommendations appear likely to make data privacy compliance more onerous for business:
- Informing individuals: greater efforts are likely to be required to ensure individuals are well and clearly informed in a transparent way about the processing of their personal data, particularly in an online environment. Behavioural marketing is specifically mentioned as an area where individuals are less likely to know and understand if their personal data are being collected. Children are singled out as needing specific protection measures as they tend to underestimate risks linked to the use of the internet.
- Breach notification: extending mandatory personal data breach notification to all sectors. The Commission will consider who should receive notifications and the criteria for triggering the obligation to notify. Ongoing implementation of amendments already made to the e-Privacy Directive (2002/58/EC) means that from May 2011 it will be compulsory in the telecommunications sector to report data security breaches.
- Remedies and sanctions: making it easier for data protection actions to be brought before the national courts e.g. by Data Protection Authorities and consumer groups; explicitly including criminal sanctions for serious breaches.
- Better enforcement: strengthening the role of the Data Protection Authorities and providing them with the powers and resources necessary to exercise their tasks properly, both at national level and when cooperating with each other.
- Internal compliance: ensuring that data controllers put in place effective policies and mechanisms to ensure compliance. This could include making it compulsory for each data controller (subject to a threshold) to appoint a Data Protection Officer or to carry out privacy impact assessments in specific cases. A general accountability principle could also be introduced (essentially, this means having a comprehensive data protection compliance programme and being able to demonstrate it).
Positive aspects of the proposals
There are a number of proposals which should ease the burden for data controllers. These include the following.
- International transfers of data: improving and streamlining the current procedures and simplifying the rules for international transfers. This may include defining core EU data protection elements which could be used for all types of international agreements.
- Consent: clarifying what the requirements are for a valid consent and making efforts to ensure greater harmonisation across the EU. Currently, in some countries consent to processing has to be provided in writing and signed by the individual, whereas in others it can be implied by conduct.
- Adequacy criteria: providing more visibility and clarity regarding the European Commission's adequacy procedure (for finding that a country meets the EU standard for data protection, i.e. the "White List").
The consultation closes in January 2011 and the legislative proposals are expected to be available in the second quarter of 2011, although they have been delayed once already.