Tuesday 5 October 2010

The European Commission's cunning plan

The European Commission has just unveiled its cunning plan for a new Data Protection Directive, which has been given the glorious title of "A comprehensive strategy on data protection in the European Union."

You may be reading about these proposals for the first time. It won’t be the last time, and I suspect we’ll all be thoroughly sick of them by the time the Member States get their opportunity to implement the final version of the new Data Protection Directive.

The initial explanation of the (18 page) cunning plan goes on for almost 1,000 words. Some of the proposals appear to be very useful, and are very welcome. Other proposals don’t appear to make much sense - but perhaps it’s me that simply doesn’t get it, or that I can’t see how they can possibly be implemented.

So, fellow Data Protectors, let’s all have a good read of this and mull it over until we lose the will to live!

It is understood that the proposed actions by the Commission are:

- The Commission will consider how to ensure a coherent application of data protection rules, taking into account the impact of new technologies on individuals' rights and freedoms;

- The Commission will consider introducing a general principle of transparency in the legal framework; introducing specific obligations for data controllers on the type of information to be provided and on the modalities for providing it, including in relation to minors; drawing up one or more EU standard forms ("privacy information notices") to be used by data controllers;

- The Commission will examine the possible modalities for the introduction in the general legal framework of a general personal data breach notification, including the addressees of such notifications and the threshold beyond which the obligation to notify should apply;

- The Commission will therefore examine ways of:

a) strengthening the principle of data minimisation;

b) improving the modalities for the actual exercise of the rights of access, rectification, erasure or blocking of data (e.g., by introducing deadlines to respond to individuals' requests, by allowing the exercise of rights by electronic means or by providing that right of access should be ensured free of charge as a principle);

c) strengthening the so-called "right to be forgotten", i.e. the right of individuals to have their data deleted/removed when they are no longer needed for the purposes for which they were collected or when, in particular, processing is based on the person's consent, when he or she withdraws consent or when the storage period consented to has expired;

d) guaranteeing "data portability", i.e., ensuring that an individual is able to withdraw his/her own data (e.g., his/her photos, medical records or a list of friends) from an application or service and transfer them into another one, without hindrance from the data controllers;

- The Commission will explore the possibility for co-financing awareness-raising activities on data protection via the Union budget; the need for and the opportunity of including in the legal framework an obligation to carry out awareness-raising activities in this area;

- The Commission will examine ways of ensuring a more harmonised implementation of current rules on consent; clarifying and strengthening the rules on consent;

- The Commission will consider whether other categories of data should be considered as "sensitive data", for example genetic data; certain types of data that, in specific cases, could also be considered as 'sensitive', for example, data related to minors;

- The Commission will therefore consider the possibility of extending the right to bring an action before the national courts to data protection authorities and to civil society associations, including consumer associations; assess the need for strengthening the existing provisions on sanctions, for example by explicitly including criminal sanctions in case of serious data protection violations, in order to make them more effective.

- In order to ensure a true level playing field for all data controllers who operate in different Member States, the Commission considers that further harmonisation and approximation of data protection rules need to be provided at EU level. The Commission will examine the means to achieve this;

- The Commission will explore different possibilities for the simplification and harmonisation of the current notification system, including the possible drawing up of a uniform EU-wide registration form;

- The Commission will examine how to revise and clarify the existing provisions on applicable law, including the current determining criteria, in order to improve legal certainty, clarify Member States' responsibility for applying data protection rules and ultimately provide for the same degree of protection of EU data subjects, regardless of their geographic location and of the location of the data controller;

- The Commission will examine elements to enhance data controllers' responsibility;

- The Commission will examine means of further encouraging self-regulatory initiatives, including the active promotion of codes of conduct; explore the feasibility of establishing EU certification schemes (privacy seals) for privacy-aware technologies;

- The Commission will consider the extension of the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters, including at domestic level, while providing for the necessary limitations (e.g. concerning the right of access) and derogations (e.g., to the principle of transparency); examine the need for introducing specific provisions, for example on data protection regarding the processing of genetic data for criminal law purposes or distinguishing the various categories of data subjects (witnesses; suspects etc); assess the need to align, in the long term, the existing various sector specific rules adopted at EU level for police and judicial co-operation in criminal matters in specific instruments, to the new general legal data protection framework; launch, in 2011, a consultation of all concerned stakeholders about the best way to revise the current supervision systems in the area of police cooperation and judicial cooperation in criminal matters, in order to ensure effective and consistent data protection supervision on all Union institutions, bodies, offices and agencies;

- The Commission intends to examine how to improve and streamline the current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations; to clarify the Commission’s adequacy procedure and better specify the criteria and standards for assessing the level of data protection in a third country or an international organisation; to define standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments;

- The Commission will continue to promote the development of high data protection legal and technical standards in third countries and at international level; seek to secure that the international actions of the Union are grounded on the principle of reciprocity of protection enjoyed by data subjects, and in particular ensure that data subjects whose data are exported from the EU enjoy the same rights (including judicial redress) in third countries as third country nationals enjoy within the EU (reciprocal treatment); enhance its cooperation, to this end, with third countries and international organisations, such as the OECD, the Council of Europe, the United Nations, and other regional organisations; closely follow up the development of international technical standards by standardisation organizations such as CEN and ISO, to ensure that they usefully complement the legal rules and to ensure operational and effective implementation of the key data protection requirements;

- The Commission will examine how to strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework (including art. 29 WP).

[I'll update this blog with a link to the official document when it officially exists]