New EU Data Protection Strategy

November 4, 2010

The European Commission has published a new strategy document which sets out its plans to ‘strengthen data protection rules’. The Commission press release is set out below. The Commission has also published answers to frequently asked questions on data protection reform here. Comments can be made on the proposals up to 15 January 2011 here. In 2011, the Commission will propose a new general legal framework for the protection of personal data in the EU covering data processing operations in all sectors and policies of the EU.

You can download the full document from the panel opposite.

Eduardo Ustaran, head of the Privacy and Information Law Group at Field Fisher Waterhouse said:  

‘After nearly two years of considering the right approach to the future of EU data protection law, it is now clear which direction this is likely to take. The strategy document reveals some clear priorities for the European Commission, namely: true harmonisation, stronger and more meaningful individual rights, and more modern and standardised obligations for data users.

True harmonisation is long overdue. Anyone practising in this area is aware of the existing differences between member states. Some of these differences are bureaucratic and should be easily resolved by issuing consistent documentation and administrative protocols that work across the whole of the EU. Other differences will need to be addressed by local legislative changes and unfortunately will not be ironed out overnight.

Despite the calls for a more flexible framework, the Commission is adamant that this should not happen at the expense of individuals’ rights. In fact, in order to compensate for the increasing lack of control over our own information – particularly on the internet – the future framework is likely to include much stronger and specific rights than what we have today.

For organisations, the key changes will be about embedding data protection into their day to day operations and business development activities. This is partly technological but mainly a managerial issue. Privacy and information management is set to become a strategic priority for businesses and public bodies – that’s what the Commission is aiming for anyway.’


Text of EU Commission Press Release 

What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom? How do you permanently delete profile information on social networking websites? Can you transfer your contacts and photos to another service? Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today’s digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals’ data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011.

“The protection of personal data is a fundamental right,” said Vice-President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship. “To guarantee this right, we need clear and consistent data protection rules. We also need to bring our laws up to date with the challenges raised by new technologies and globalisation. The Commission will put forward legislation next year to strengthen individuals’ rights while also removing red tape to ensure the free flow of data within the EU’s Single Market.”

Today’s strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:

Strengthening individuals’ rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the “right to be forgotten” when their data is no longer needed or they want their data to be deleted.

Enhancing the Single Market dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country’s rules apply harm the free flow of personal data within the EU and raise costs.

Revising data protection rules in the area of police and criminal justice so that individuals’ personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.

Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.

More effective enforcement of the rules, by strengthening and further harmonising the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.

The way forward

The Commission’s policy review will serve as a basis for further discussion and assessment. The Commission is calling on all stakeholders and the public to comment on the review’s proposals until 15 January 2011. Submissions can be made on the Commission’s public consultation web site

Building on this, the Commission will present proposals for a new general data protection legal framework in 2011, which will then need to be negotiated and adopted by the European Parliament and the Council.

In addition, the Commission will examine other measures, such as encouraging awareness-raising campaigns on data protection rights and possible self-regulation initiatives by industry.