Thursday 4 November 2010

The Commission’s cunning plan officially unveiled


On 5th October I blogged about the European Commission’s cunning plan, as it was in its (then) draft form, to revise the Data Protection Directive. On 26th October I blogged that Statewatch had published this draft on their website, and mentioned that it was out of date as the actual plan had just been tweaked.

The latest draft version has been officially published, for comment, today.

So, what are the significant changes that have been made to the version that we’ve obviously been poring over since 26th October (or before)?

Well, not many, but there are a couple of reasonably significant tweaks, which indicate the general direction of travel that the Commission is taking. It looks as though a new translator has run their finger through the text, as some passages have simply been reworded without there being any material changes to the original meaning. Some of the language is easier to understand though. It must be a more experienced translator!

Here are the principal changes to the version that Statewatch kindly published:

1. The Commission has added a new, more business friendly, objective to the review of the rules. As well as taking into account the impact of new technologies on individuals' rights and freedoms, it will also take account of the objective of ensuring the free circulation of personal data within the internal market.

2. References to minors have been replaced by references to children.

3. Strengthened rules on data deletion will take account of the legitimate purposes for which they are needed rather than the purposes for which they were collected. This recognises the problems some organisations find themselves in when they are required to keep information for, say, surveillance purposes, even though there is no business need for its retention.

4. The concept of data portability (being able to transfer, say, pictures of friends from one social networking site to another without hindrance) is now to be permitted subject to restrictions based on technical feasibility.

5. On consent, the Commission has abandoned references to ensuring a more harmonised implementation of current rules but it has retained its task of clarifying and strengthening the rules.

6. The previous reference to minors has been dropped as an example of another type of data that could be considered as sensitive data.

7. The latest text explains that "The Commission will examine the means to achieve further harmonisation of data protection rules at EU level." And it drops its earlier reason, which was "In order to ensure a true level playing field for all data controllers who operate in different Member States." Presumably this is because it now realises that harmonisation of rules is in the interests of individuals, as well as data controllers.

8. The latest text includes a greatly expanded section on how data controllers’ responsibility could be enhanced. It refers to
a. making the appointment of an independent Data Protection Officer mandatory and harmonising the rules related to their tasks and competences, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises;
b. including in the legal framework an obligation for data controllers to carry out a data protection impact assessment in specific cases, for instance, when sensitive data are being processed, or when the type of processing otherwise involves specific risks, in particular when using specific technologies, mechanisms or procedures, including profiling or video surveillance;
c. further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’.


9. New text is added on the application of the new rules to the area of law enforcement, including an undertaking to assess the need to align, in the long term, the existing various sector specific rules adopted at EU level for police and judicial co-operation in criminal matters in specific instruments, with the new general legal data protection framework. While this is a welcome step in the right direction, we have to take account of the fact that some elements of policing in Member States have been "privatised", so it would not be fair to provide special dispensations only to people who wear police uniforms. And I am still not sure how we square the competing demands of information that is required for national security and serious crime purposes with the natural desire that some others will have to use that same information to deal with law enforcement breaches (and other misdeeds) of a much less significant nature.

10. Finally, the new text expands the previous commitment to review the role of the National Data Protection authorities. The Commission will examine:
a. how to strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework, including the full implementation of the concept of ‘complete independence’;
b. ways to improve the cooperation and coordination between Data Protection Authorities;
c. how to ensure a more consistent application of EU data protection rules across the internal market. This may include strengthening the role of national data protection supervisors, better coordinating their work via the Article 29 Working Party (which should become a more transparent body), and/or creating a mechanism for ensuring consistency in the internal market under the authority of the European Commission.

I'm sure we would support any measure that helps these authorities become more credible institutions.

So, we now have a couple of months to review these proposals and send comments back to the European Commission. It’s not quite a 3 month consultation period (which is what we are used to in the UK when a Government Department asks us for our views). Instead it’s a 2 ½ month period with the Christmas holidays thrown in for good measure. Still, we Brits should be on a roll. After being all fired up to respond to the Ministry of Justice’s recent questionnaire on this subject, we ought to know what to say about this lot!


sources:
http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
http://www.statewatch.org/news/2010/oct/eu-com-draft-communication-data-protection.pdf
