Ensuring stronger, more effective and more consistent protection of personal data in the EU
BRUSSELS - The key instrument of the current EU legal framework for Data Protection and Privacy - the general Data Protection Directive 95/46/EC - was without any doubt a great achievement. It has an impressive history, building on the protection of human rights. But the truth is that the Directive is now starting to show its age. It is approaching its "final consumption date" and is clearly not sustainable for a longer period. When the Directive was adopted in 1995, the Internet was still hardly visible and in any case far from its present highly dynamic reality. We now live in a world that is increasingly global, Internet-driven and dependent on the widespread use of ICT in all areas of life, including the most private and intimate ones. That means that there is not only a need for modernisation, but also an urgent need to ensure that the principles of data protection continue to be fully effective in a changing world. "Effectiveness" is not only required in a legal sense, but also, and most of all, in a practical sense: legal safeguards are only effective if they are applied in practice and provide the required protection where it is really needed. Data protection has now become such a relevant factor for other important policy fields that it can fairly be described as a critical success factor for those other policies. Data protection plays a key role as a vital source of legitimacy, trust and confidence.
It should be clear that this is not the time to reinvent data protection. It has been invented and is now recognised as a fundamental right in the Lisbon Treaty. Instead, much attention should be given to making data protection more effective in practice. This means a greater focus on implementation and enforcement of data protection principles and on the delivery of data subjects' rights. A related concern is that some existing formal requirements should be simplified or abandoned if they are no longer needed for effective data protection.
Another point in this context is the need for greater harmonisation of rules across the EU. The present diversity of national rules is not helpful for effective data protection, and even counterproductive. A strong emphasis on the "internal market" perspective is not only good for international business and cooperating governments, but also for data subjects that increasingly move around the EU, and for the effectiveness of data protection in general.
More effective data protection also requires that data subjects should be enabled to exercise their present rights more easily and should be given a few additional rights to protect their interests where needed. An interesting example is the right to require that personal data are deleted or transferred to another provider – the "right to be forgotten" or the "right to data portability" – which might be particularly useful in the context of social networks or other online services. Strengthening the rights of data subjects would also require a clarification of the situations where consent is required and the conditions that have to be met for valid consent. A lack of clarity about this often leads to a weaker position of data subjects, particularly in the online environment.
Data controllers are now responsible for compliance with data protection rules, but in practice this often only leads to formal arrangements and responsibility "at the end" if something goes wrong. Instead, they should be mandated to be more active and to take all those measures which are necessary to ensure that data protection rules are complied with. This is referred to as the principle of "accountability" that would require data controllers to be able to demonstrate that they have taken all appropriate measures to ensure compliance. The principle of "privacy by design" would fit in the same approach: controllers should be able to demonstrate that appropriate measures have been taken to ensure that privacy requirements have been met in the design of their systems.
Last but not least, supervisory authorities should be given adequate resources and stronger powers of enforcement that are equivalent in all member states. They should also be allowed to use these powers more strategically, including the possibility to be more selective, in the case of substantial risks or systematic wrongdoing. At the same time, the conditions for "complete independence" should be equivalent in all member states. This means that data protection authorities should be free from any influence in the exercise of their duties. It is clear that complete independence is not inconsistent with the principles of democracy and legality. It only requires transparent procedures for appointment and annual reporting on activities, so as to ensure a structured dialogue between independent authorities and governments or parliaments.
A legal framework that provided all of the above elements would be in a much better position to deal with the challenges of new technologies and globalisation. At this stage, it is also important to clearly define the external scope of EU data protection law. The concept that EU law should apply not only when the responsible data controller is established in Europe, but also when EU consumers are "targeted" - regardless of from where on the Internet - seems to attract more and more support. All this will be on the agenda of the European legislator following a package of proposals from the Commission expected early in 2012. The results should be available by 2014, towards the end of the current mandates of the Commission and the European Parliament.