In adopting a resolution on the need for a comprehensive approach to data protection in Europe, the European Parliament notes that the current regime is strong but can be improved. Areas of focus are the need for full harmonisation, the protection of children using social networks, and the principle that all EU citizens should have the right to know what information is being stored and for what purpose.
On 6 July 2011, the European Parliament adopted a resolution calling for stronger rules on personal data protection.
The resolution is designed to influence the revision of the existing EU data protection framework (due to be launched by the European Commission after the summer). Although the resolution notes that the current EU regime under Directive 95/46 is strong, it identifies a number of areas that can be improved in light of changing use of technology and patterns of data sharing.
The key areas the resolution addresses are the need for children using social networks to be protected by EU data privacy rules and the principle that all EU citizens should have the right to know what information is being stored and for what purpose. The resolution also states that people must be able to have their data easily deleted, corrected or blocked and be informed about any misuse or lapses in data protection, and that the process for international transfer needs to be simplified and reviewed.
NEED FOR COMPREHENSIVE, MODERN RULES
The European Parliament found that the EU needs comprehensive, modern rules to protect fundamental rights, in particular privacy, whenever personal data is processed “within and beyond the European Union”. Data protection rules must also be extended to the areas of police and judicial cooperation between EU countries.
The updated data protection law should include “severe and dissuasive sanctions”, including criminal penalties, for misuse and abuse of personal data. National data protection authorities should be given the necessary resources and be granted harmonised investigative and sanctioning powers.
When personal data is transferred and processed outside the European Union, the draft resolution says that “it is imperative that data subjects’ rights are fully enforced”. International data transfer procedures must be improved and “ambitious core EU data protection aspects to be used in international agreements” must be devised by the Commission.
The resolution also states that data protection law should recognise formally the need to “specifically protect children and minors”, as young people have growing access to the internet and digital content and tend to divulge personal data on social networking sites. It is also suggested that media literacy should be included in formal education, to instruct children and minors how to act responsibly in the online environment.
Freedom of the Press
The Committee notes that the current Data Protection Directive obliges Member States to provide for exemptions from data protection rules when personal data are used solely for journalistic purposes or the purpose of artistic or literary expression. To safeguard press freedom, Members of the European Parliament urge the Commission to ensure that these exemptions are preserved.
No artificial barriers to data protection
The resolution also states that companies should avoid erecting unnecessary barriers to the individual’s right to access, amend, or delete his or her personal data, and in this respect it also backs the idea of requiring firms to appoint “company Data Protection Officers”.
Lastly, the individual’s consent to use of his data should be considered valid “only when it is unambiguous, informed, freely given, specific and explicit”.
Following on from the European Data Protection Supervisor and the Article 29 Working Party, the resolution contains increasingly familiar themes. The focus now will turn to the Commission, which should publish its formal legislative proposal later this year.
A comprehensive framework covering data processing “within and beyond the European Union” echoes the warning from EU Justice Commissioner Viviane Reding to non-EU operators, particularly social networking sites, that if they target the European Union they will be required under the new regime to abide by strict EU data protection rules (although it is not clear how this will be enforced). Last but not least, the specific need to protect children is likely to be expressly acknowledged in the new framework, with privacy by design obligations likely to provide that protection in principle.