Towards a new regulation on data protection in Europe
By José-Luis Piñar Mañas
The European Commission (EC) has opened a public consultation period (from November 4, 2010, to January 15,2011) to obtain views on its ideas for addressing new challenges to personal data protection in order to ensure an effective and comprehensive protection to individuals’ personal data within the EU. The document “Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions informs the consultation.”
After the Lisbon Treaty, and since the EU Charter of Fundamental Rights has become legally binding (Art. 8 recognizes an autonomous right to the protection of personal data), the European Commission is considering proposing new legislation in 2011. The legislation would be “aimed at revising the legal framework for data protection with the objective of strengthening the EU's stance in protecting the personal data of the individual in the context of all EU policies, including law enforcement and crime prevention, taking into account the specificities of these areas.”
The document begins by stressing that the Directive 95/46/CE “set a milestone in the history of the protection of personal data in the European Union,” and its core principles “are still valid.” But the document immediately notes that “rapid technological developments and globalization have profoundly changed the world around us and have brought new challenges for the protection of personal data.”
Like technology, the document says, “the way our personal data is used and shared in our society is changing all the time.” The challenges posed include addressing the impact of new technologies, enhancing the internal market dimension of data protection, addressing globalization and improving international data transfers, providing a stronger institutional arrangement for the effective enforcement of data protection rules and improving the coherence of the data protection legal framework.
The key objectives of the comprehensive approach on data protection are grouped under five headings. The first one is to strengthen individuals’ rights. In this sense, among others, the following objectives of the European Commission can be highlighted:
- introducing a general principle of transparent processing of personal data in the legal framework
- introducing specific obligations for data controllers on the type of information to be provided and on the modalities for providing it, including in relation to children
- drawing up one or more EU standard forms (“privacy information notices”) to be used by data controllers
- to examine the modalities for the introduction in the general legal framework of a general personal data breach notification
- strengthening the principle of data minimization
- clarifying the so-called “right to be forgotten,” i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes; to make remedies and sanctions more effective.
The second objective is to enhance the internal market dimension. To this end, the EC will:
- examine the means to achieve further harmonization of data protection rules at the EU level
- explore different possibilities for the simplification and harmonization of the current notification system
- examine how to revise and clarify the existing provisions on applicable law, including the current determining criteria, in order to improve legal certainty
- examine some elements to enhance data controllers' responsibilities (making the appointment of an independent data protection officer mandatory, including in the legal framework an obligation for data controllers to carry out a data protection impact assessment in specific cases, promoting the use of PETs and the possibilities for the concrete implementation of the concept of “Privacy by Design”
- encourage self-regulatory initiatives and explore EU certification schemes.
Third, the commission considers it advisable to revise the data protection rules in the area of police and judicial cooperation in criminal matters. To this end, it will consider the extension of the application of those rules to such areas.
On the other hand, the commission makes reference to the global dimension of data protection. In this context, the commission intends to examine how to improve and streamline the current procedures for international data transfers, including legally binding instruments and “Binding Corporate Rules” in order to ensure a more uniform and coherent EU approach; how to clarify the commission’s adequacy procedure, and how to define core EU data protection elements, which could be used for all types of international agreements.
Also, it will promote universal principles by promoting the development of high legal and technical standards of data protection in third countries and at an international level; striving for the principle of reciprocity of protection in the international actions of the EU; enhancing its cooperation with third countries and international organizations, and following up the development of international technical standards by standardization organizations.
Finally, the document stresses that the implementation and enforcement of data protection principles and rules is a key element in guaranteeing respect for individuals' rights. In this context, the commission will examine how to strengthen, clarify and harmonize the status and the powers of the national data protection authorities, including the full implementation of the concept of complete independence; ways to improve the cooperation and coordination between data protection authorities, and how to ensure a more consistent application of EU data protection rules across the internal market.
In conclusion, it appears that the European Commission is committed to revising the legal framework of data protection in Europe. Always starting from the basis of considering data protection as a fundamental right, that has very significant economic implications whose clarification is essential in the field of international transactions.
Jose-Luis Piñar Mañas, Ph.D. is an attorney at Piñar Mañas & Asociados Law Firm, and a professor of administrative law. He also is the former director of the Spanish Agency for Data Protection and former Vice-Chairman of the Article 29 Working Party and Honorific President of the Ibero-American Network of Data Protection. He can be reached at firstname.lastname@example.org.