In today’s age of of rapid technological developments, globalization and the ever-more elaborated and hard-to-detect ways of collecting personal data, the question arises whether the existing EU data protection legislation is still enough to effectively cope with the task of protecting an individual’s personal data. To this end in May 2009 the European Commission launched a review of the current legal framework followed by a public consultation. Read about what the consultation revealed and the steps proposed for modernising EU personal data protection after the jump.
Modernization of EU personal data protection
The Commission found that while the core principles of the 1995 Data Protection Directive still hold valid, several issues can be identified as presenting a challenge for data protection. Among these are the impact of new technologies, the lack of harmonisation among Member States’ data protection legislation, globalization and international data transfers, the lack of a better enforcement of data protection rules, and the need for better coherence of the data protection legal framework.
In its communication of 4 November 2010 to the European Parliament the European Commission consequently laid down its approach for the modernization of the EU personal data protection legal system, addressing the new challenges for the protection of personal data with the goal of guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond.
The key objectives of this comprehensive approach to data protection are the strengthening an individual’s rights, enhancing the internal market dimension, revising the data protection rules in the area of police and judicial cooperation, the global dimension of data protection and a a stronger institutional arrangement.
Strengthening of rights and enhancing the market dimension
The strengthening of an individual’s rights is to include appropriate personal data protection in all circumstances in line with the EU Charter of Fundamental Rights, as well as clear and transparent informing of individuals of how and by whom their data is being collected.
To this end the Commission plans to draw up one or more EU standard forms and examine the possibility of introducing a personal data breach notification. The Commission also wishes to enhance control over one’s own data, improving among other an individual’s “right to be forgotten” i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. The Commission aims to raise awareness about data protection, aims to clarify and strengthen the rules on informed consent, and wishes to harmonise the conditions for processing sensitive data. In order to ensure the enforcement of data protection rules, the Commission will consider strengthening the existing provisions on sanctions and extending the power to bring an action before the national courts to data protection authorities and to civil society associations, as well as to other associations representing data subjects’ interests.
The modernisation of the EU data protection system also foresees enhancing the internal market dimension, which includes increasing legal certainty by further harmonisation of EU data protection rules and reducing the administrative burden of data controllers. This will be done by simplifying and harmonizing the current notification system, possibly by introducing a uniform EU-wide registration form.
The Commission will also examine how to revise and clarify the existing provisions on applicable law in order to improve legal certainty, clarify Member States’ responsibility for applying data protection rules and ultimately provide for the same degree of protection of EU data subjects, regardless of the geographic location of the data controller.
The Commission aims to enhance data controllers’ responsibility by making mandatory the appointment of an independent Data Protection Officer and implementing data protection impact assessments in specific cases (when sensitive data are being processed, or when the type of processing otherwise involves specific risks). The Commission will also explore the feasibility of establishing EU certification schemes in the field of privacy and data protection.
Judicial cooperation, global dimension and stronger institutional arrangement
Revising the data protection rules in the area of police and judicial cooperation in criminal matters, the Commission will examine the need to introduce specific and harmonised provisions in the new general data protection framework (for example on data protection regarding the processing of genetic data for criminal law purposes), and assess the need to align the existing various sector specific rules adopted at the EU level for police and judicial co-operation in criminal matters in specific instruments with the new general legal data protection framework.
The modernisation is also to focus on the global dimension of data protection, namely on clarifying and simplifying the rules for international data transfers by, among other, improving the current procedures in place to ensure a more uniform EU approach and by defining the core EU data protection elements which could be used for all types of international agreements. With the aim of promoting the development of high legal and technical standards of data protection in third countries, the Commission will enhance its cooperation with third countries and international organisations, such as the OECD, the Council of Europe and the the United Nations, and will closely follow the development of international technical standards by standardisation organisations.
The Commission will also examine ways of implementing a stronger institutional arrangement for better enforcement of data protection rules, in particular how to to strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities and how to how to ensure a more consistent application of EU data protection rules across the internal market.
Legislation in 2011
On this basis the Commission will propose legislation in 2011 aimed at revising the legal framework for data protection with the objective of strengthening the protection of personal data in the EU, and will assess the need to adapt other legal instruments to the new data protection framework.
You can read more about the Commission’s re-examining of personal data protection in Aphaia’s White Paper.