Privacy and Security TidBits

The European Data Protection Supervisor recommends a Regulation, not a Directive!

The European Data Protection Supervisor, Peter Hustinx, has issued an opinion in response to the Commission’s Communication of November 4, 2010 regarding the Review of the Data Protection Legal Framework.

The EDPS agrees with the Commission that a review of the present legal framework for data protection in the EU is necessary in order to ensure effective protection in a further developing information society.

On the other hand, the EDPS believes that a more ambitious approach than the one proposed by the Commission would lead to a more effective system.

The EDPS identifies four main drivers determining the environment in which the review process takes place:

  • Technological development: the technological developments, like cloud computing, behavioural advertising, social networks etc., that have taken place since Directive 95/46 was adopted.
  • Globalisation: the abolition of trade barriers has given rise to an increase in international and cross-border data transfers, and the development of the internet and cloud computing has allowed processing of data on a worldwide scale. The increase of terrorism and other forms of international organised crime has caused an increase in international judicial activities, supported by an enormous exchange of information for law enforcement purposes.
  • The Lisbon Treaty: The abolition of the pillar structure obliges the European Parliament and Council to provide for data protection in all areas of EU law, and in the public sector as well as in the private sector. Article 16 TFEU also contains an individual right of the data subject.
  • The parallel developments in international organisations, like the OECD, and the adoption of international standards.

The EDPS then states the importance of data protection: it fosters trust and must support other (public) interests, such as a strong European economy, the security of individuals, as well as the accountability of governments.

It sees a comprehensive legal instrument for data protection including police and judicial cooperation in criminal matters as one of the main improvements a new legal framework can bring.

According to the EDPS, a general legal instrument for data protection must be formulated in a technologically neutral way. This implies that the rights and obligations of the various actors are to be formulated in a general and neutral way so as to remain, in principle, valid and enforceable irrespective of the technology chosen for processing personal data. The EDPS suggests introducing new ‘technologically neutral’ rights on top of the existing principles of data protection, which could have a specific importance in the rapidly changing electronic environment.

The EDPS then proceeds to make the following recommendations in order to achieve the above-mentioned goals:

1. Comprehensive approach:

The EDPS fully supports the comprehensive approach on data protection which is not only the title but also the point of departure of the Communication and necessarily includes the extension of the general rules on data protection to police and judicial cooperation in criminal matters. But, contrary to the suggestion of the Commission, the EDPS believes that data processing by EU institutions should also be included in the framework. He also reminds the Commission to include data protection in the Common Foreign and Security Policy, sector specific data protection regimes for EU bodies such as Europol and Eurojust, and the ePrivacy Directive 2002/58.

2. Harmonisation:

The EDPS believes that further and better harmonisation of the implementation of the Directive by the Member States is one of the principal objectives of the review process. He specifies the following areas that need more harmonisation: definitions; lawfulness of processing; grounds for data processing; data subject rights; international transfers (BCR); and national Data Protection Authorities. The EDPS also agrees with the Commission that a harmonised system of notification requirements would reduce costs as well as the administrative burden for data controllers, and suggests a standard pan-European notification form.

Finally, the EDPS believes that the review process is also an opportunity to reconsider the type of legal instrument for data protection.

The EDPS recommends a Regulation, not a Directive! “A Regulation, a single instrument which is directly applicable in the Member States, is the most effective means to protect the fundamental right to data protection and to create a real internal market where personal data can move freely and where the level of protection is equal independently of the country or the sector where the data are processed … The choice for a Regulation as a general instrument allows, where necessary, provisions directly addressed to Member States where flexibility is needed. It also does not influence the competence of Member States to adopt additional rules for data protection, where needed, in conformity with EU law.”

3. Strengthening the rights of individuals:

In light of the increasing encroachment on individuals’ privacy by third parties online for the purpose of targeting advertisements, e.g. through data mining and web tracking, the EDPS advocates including an explicit principle of transparency, as well as strengthening existing provisions. For example, a provision could render illegal privacy policies which are opaque or difficult to understand.

The EDPS also supports the obligation to report security breaches, and suggests additional rules to clarify the concept of informed, unambiguous consent, data portability and the right to be forgotten. The right to be forgotten could be implemented by attaching an obligatory expiration date to the data, a concept that is already applied to, e.g., criminal records.

The EDPS suggests the adoption of specific provisions pertaining to the processing of personal data relating to children, e.g. a specific provision protecting children against behavioural advertising, as well as the introduction of consumer collective redress mechanisms (class actions).

4. Strengthening the role of organisations/controllers:

The EDPS favors inserting a general provision on accountability of controllers. This would stimulate controllers to put into place proactive measures, such as internal control mechanisms, in order to be able to comply with all the elements of data protection law.

The EDPS is of the opinion that demonstrating compliance to the public at large should, in certain cases, also be made mandatory. This could be done for instance, by requiring controllers to include data protection in public (annual) reports.

The EDPS suggests codification of the Privacy by Design principle, and considers it to be an accountability issue. “Privacy by design refers to the integration of data protection and privacy from the very inception of new products, services and procedures that entail the processing of personal data… More specifically, the provision would explicitly require data controllers to implement technical and organization measures, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to ensure the protection of personal data and prevent any unauthorized processing.” The EDPS considers, on top of that, creating a separate obligation addressed to designers and manufacturers of new products and services with a likely impact on privacy and data protection. The EDPS supports the Commission’s idea of EU certification schemes for privacy-compliant products and services.

5. Globalisation and applicable law:

In order to find a solution to the conundrum of applicable law (see this previous post), the EDPS favors the development of international rules, such as the “Madrid Standards”. Meanwhile, until such standards are adopted, the EDPS suggests clarification of the criteria determining applicable law. The EDPS proposes that EU law is applicable when personal data are processed outside the borders of the EU but there is a justified claim for applying EU law. “The example of non European cloud computing services targeted to EU residents is an illustration why this is needed. In an environment where data are not physically stored and processed in a fixed location, where service providers and users located in different countries have interfering influence on data, it is very difficult to identify who is responsible for complying with which data protection principles.” But if the legal instrument is a Regulation, applicable uniformly to all Member States, the need for complicated applicable-law rules becomes less urgent. This is one of the reasons why the EDPS strongly favours the adoption of a Regulation.

The EDPS also fully supports the objective of the Commission to streamline current procedures for international data transfer, especially for Binding Corporate Rules (BCR).

6. The area of Police and Justice:

As mentioned above, the EDPS believes that the area of police and judicial cooperation should be included in the general instrument. For example, DPAs will have the same extensive and harmonised powers vis-à-vis police and judicial authorities as they have vis-à-vis other data controllers. This would not exclude necessary and proportionate special rules. Special safeguards for the protection of the individual should be introduced, such as in relation to the processing of biometric and genetic data in the field of law enforcement.

7. DPAs and the cooperation between DPAs:

The EDPS supports the Commission’s suggestion to strengthen the independence, resources and enforcement powers of DPAs. In addition, the EDPS suggests codifying a definition of independence into the new law, as well as a requirement that they be given sufficient human and financial resources in order to make this independence possible. The EDPS encourages more cooperation between the DPAs in enforcement actions, with the help of the Article 29 Working Party. The EDPS also aims for more independence and more authoritative powers for the Working Party.