After months of speculation, fierce lobbying and leaked strategy documents, the European Commission has finally and publicly come out of the legislative policy closet. The European Commission’s communication for ‘a comprehensive approach on personal data protection in the European Union’, published on 4 November 2010, sets out the essential elements for the reform of the existing EU data protection directive. The publication of the Commission’s approach for modernising the EU legal system for the protection of personal data is a crucial milestone. In fact, the potential impact of the Commission’s official communication should not be underestimated. If the Commission gets it right, this will shape the future of privacy – a must-have value for the information society. If the Commission gets it wrong, not only will legal compliance be compromised, but a fundamental right will end up being very badly damaged.
Although they are only covered at a very high level, the Commission seems to have correctly identified today’s data protection challenges. It is certainly encouraging to see a public acknowledgement of the current framework’s failure to address the issues raised by new technologies and globalisation. The big question mark is whether the EU will be able to identify what is realistically achievable and aim for that, rather than pursuing an unrealistic data protection nirvana. When dealing with a fundamental right, there is a natural tendency to avoid compromises, but in this case pragmatism should prevail. As the Commission puts it, ensuring respect for the fundamental right to data protection will be given the highest priority, while at the same time enhancing the internal market dimension and facilitating the free flow of personal data.
The devil may be in the detail (which will come in 2011 when a concrete legislative proposal is revealed), but so far the signs are positive. In practical terms, the Commission’s strategy for a future data protection regime rests on five pillars: strengthening individuals’ rights, achieving harmonisation, enhancing organisations’ responsibilities, addressing international data transfers and strengthening enforcement. Overall, the balance between tried and tested solutions and new ideas is good but, more importantly, the essential ingredients for progressive personal information protection are either specifically included in the proposed strategy or suitably implied.
The most innovative features of the Commission’s approach to 21st century data privacy seem to fall within the individuals’ rights category. Whilst transparency is far from new in European data protection law, the Commission hints at some new measures such as more specific multi-party information provision obligations, children-specific notice requirements and standard privacy notices. Following on from that, the Commission is eager to explore controversial measures such as general personal breach notification, data minimisation, the right to be forgotten and data portability. The right to be forgotten has already been singled out by Commissioner Reding as a very desirable objective and particularly relevant to personal data that is no longer needed for the purposes for which it was collected. According to Reding, this right should also apply when a storage period which the user agreed to has expired. Whether a meaningful and productive debate about all of these ideas can take place in just a few months is another matter, but the new framework could see the introduction of measures that would go head-to-head against the direction adopted by the digital economy so far.
An objective that is guaranteed to receive 100% support is the harmonisation and simplification of rules. Administrative burdens in particular, like registration and regulatory authorisation, are due for a makeover and are likely to face a radical review. However, a much more difficult question in terms of obtaining universal agreement will be the clarification of the criteria for determining the applicable law. The Commission is aware of the illogical consequences of applying the current establishment and equipment rules in an online world and, at the same time, it is keen to ensure that individuals are not deprived of protection. So will it change direction entirely and go for jurisdictional rules based on EU citizenship or residency?
The Commission provides a greater degree of certainty about its intentions when it talks about the elements of the forthcoming regime aimed at enhancing data controllers’ responsibility. The emphasis here seems to be on practicalities – hence the references to the role of privacy officers, the requirement to carry out privacy impact assessments and the implementation of the ‘Privacy by Design’ principle. Equally practical is the position on the rules for international data transfers. Whilst abandoning the restrictions affecting unsafe data flows seems out of the question, the specific references to the improvement of the current adequacy mechanisms and the development of Binding Corporate Rules evidence a recognition of the need for a fix.
In the end, the test for the future of European data protection law lies in its ability to interface with other international data privacy laws. More than ever, and for the rest of human history, privacy is a global issue. A European framework that is tolerant of other regimes and can relate to personal information protection initiatives developed in other parts of the world will be much more effective and successful than an EU-centric one. If the EU is to remain a driving force for the development and promotion of international legal and technical standards for the protection of personal data – as the Commission wishes – realism and pragmatism, as well as imagination, should guide everyone’s efforts. The consultation is open and the opportunity is ours.
Eduardo Ustaran is a Partner and the Head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP. He can be contacted at eduardo.ustaran@ffw.com
