The Guessing Game

August 25, 2011

It has been a busy year for the European Commission’s Data Protection Unit so far. Day after day, week after week, month after month, a multicultural team of officials based in an unassuming Brussels building have been brainstorming ideas, pouring over written submissions and listening patiently to the wishes, concerns and ideas of those who hope to have a say in the future European data protection framework. Despite all this hard work, it seems that we may not see a formal proposal until the end of the year. The reason for this – in addition to the massive pressure to get the first draft right – is that the Commission would like to feed into the proposal the outcomes of the current public consultations on cloud computing and data breach notification. That is understandable but in the meantime and to temper our anxiety, we can make an informed guess of what we will be presented with.

Much of the debate surrounding this process so far has been around the form that the new legislative framework will take. If, as it has been made patently clear, the primary objective of the legislative reform is to achieve the greatest possible degree of harmonisation, the Commission is likely to favour a Regulation over another Directive. The effect of this would be a single piece of legislation immediately applicable across the European Union without the need for implementation at a national level. If the extremely clumsy implementation process of the revised e-privacy directive is anything to go by, the prospect of a Regulation seems very possible indeed. However, even a Regulation would be enforced at a national level by each data protection authority, so an element of local interpretation will always exist.

A crucial building block of the new regime will be the rules determining the applicability of the law. For EU-based organisations, a Regulation would solve the problem of facing multiple national laws and the ‘country of origin’ principle seems the way forward in terms of determining the competent data protection authority. The big change in this respect will be for overseas organisations, which will find themselves subject to EU law, not when they happen to serve a humble cookie on an EU-based machine, but when they target people in Europe, for example by employing them or marketing to them.

With regard to the substantial content of the new framework, much of our beloved law will stay with some tweaks. An important objective of the new legal framework will be to give greater control to individuals. The cornerstone of this, as trumpeted by Viviane Reding, is the so-called ‘right to be forgotten’ which is meant to allow individuals to get their personal information removed from publicly available platforms like networking sites and other websites. However, the huge two-fold difficulty with extending this beyond the current right to object is how to reconcile it with the freedom of expression of others to disseminate information and the intermediary roles of those which only act as conduits for this information.

As for transparency and consent, expect clever attempts to make these two aspects truly meaningful. Once again, the emphasis will be on putting people in control, but let’s hope that the Commission’s efforts to make legal obligations clear cut do not translate into unachievable targets like the Working Party’s unqualified interpretation of consent as prior, express opt-in and nothing else. At the very least, it is reasonable to assume that the legal grounds for processing personal data will continue to include – and possibly expand – the legitimate interest condition to justify such processing.

However, for most organisations the key new ingredient will no doubt be the ‘accountability package’. Not that it will be ever called that, but it is almost certain that a whole range of practical measures – from mandatory data protection officers to privacy impact assessments, and possibly internal audit and training requirements – will make its way into the black letter of the law. An outstanding question is to what extent this will be linked to the provisions affecting international data transfers. With all probability, the Commission is likely to retain some restrictions but widen the mechanisms available to ensure that such transfers are lawful. The greatest hope of all is that at the end of the day, the EU legislative bodies manage to come up with a regime that shows the benefits of data protection for all and encourages compliance not just for the sake of it, but for the good of the future generations. Time will tell.

This article was first published in Data Protection Law & Policy in August 2011

Eduardo Ustaran is a Partner and the Head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP. He can be contacted at