Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

European Commission outlines data protection law overhaul

The European Commission will overhaul data protection laws, enforcing them more strictly; demanding that organisations that lose data go public; and proposing that they be extended to cover criminal matters.05 Nov 2010

The reforms are the result of a process dating back to 2002 and including reviews conducted in 2007 and 2009, according to privacy law expert Rosemary Jay of Pinsent Masons, the law firm behind OUT-LAW.COM.

"Many of the themes in the Commission document have been rehearsed over the previous 18 months, so there is nothing unexpected in either the review or the content of the Commission document," she said. "The 2007 report flagged many of the areas which are now going to be addressed."

The Commission will clear up what online operators such as social networking and behavioural advertising companies need to tell users before collecting personal data and what their obligations to provide and delete data on request are; and will propose a law that will force organisations that have lost data to go public with the loss.

The Commission has published a formal Communication to the European Parliament (20-page / 215KB PDF) outlining its proposals for reforming data protection law. It said that the move was necessary because since the Data Protection Directive came into force in 1995 the way that information is collected, and the amount collected, has changed radically.

"Social networking sites, with hundreds of millions of members spread across the globe, are perhaps the most obvious, but not the only, example of this phenomenon," said the Communication. "Cloud computing ... could also pose challenges to data protection, as it may involve the loss of individuals' control over their potentially sensitive information when they store their data with programs hosted on someone else's hardware. A recent study confirmed that there seems to be a convergence of views – of Data Protection Authorities, business associations and consumers' organisations – that risks to privacy and the protection of personal data associated with online activity are increasing."

"At the same time, ways of collecting personal data have become increasingly elaborated and less easily detectable. For example, the use of sophisticated tools allows economic operators to better target individuals thanks to the monitoring of their behaviour," it said. "And the growing use of procedures allowing automatic data collection, such as electronic transport ticketing, road toll collecting, or of geo-location devices make it easier to determine the location of individuals simply because they use a mobile device."

"All this inevitably raises the question whether existing EU data protection legislation can still fully and effectively cope with these challenges," it said.

Though the Commission said that a consultation it operated found that "the core principles of the Directive are still valid and that its technologically neutral character should be preserved", it still needed updating.

The Commission's planned changes will extend the scope of data protection law, it said.

"The Lisbon Treaty provided the EU with additional means to achieve [the reform]: the EU Charter of Fundamental Rights – with Article 8 recognising an autonomous right to the protection of personal data – has become legally binding, and a new legal basis has been introduced allowing for the establishment of comprehensive and coherent Union legislation on the protection of individuals with regard to the processing of their personal data and on the free movement of such data," it said. "In particular, the new legal basis allows the EU to have a single legal instrument for regulating data protection, including the areas of police cooperation and judicial cooperation in criminal matters."

The Commission has proposed giving individuals greater rights to control and even delete the personal data held on them by organisations.

"The Commission will examine ways of clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes," it said. "This is the case, for example, when processing is based on the person's consent and when he or she withdraws consent or when the storage period has expired."

The changes will also give users of a service 'data portability', meaning the right of a person to take their information elsewhere, such as to a competing service.

"The example of online social networking is particularly relevant here, as it presents significant
challenges to the individual's effective control over his/her personal data," said the Commission's proposal. "The Commission has received various queries from individuals who have not always been able to retrieve personal data from online service providers, such as their pictures, and who have therefore been impeded in exercising their rights of access, rectification and deletion."

Social networking giant Facebook recently added a function that allows users to download a single file containing all of their profile information, including photos, wall posts, messages and a list of friends.

The Commission has said that there should be a general personal data security breach notification law, meaning that organisations must inform the authorities if they lose or reveal personal data. It said it would investigate options for "the addressees of such notifications and the criteria for triggering the obligation to notify".

The Commission hopes to make the law clearer on what exactly constitutes the kind of consent to data gathering and processing that the Directive demands.

"In the online environment – given the opacity of privacy policies – it is often more difficult for individuals to be aware of their rights and give informed consent," it said. "This is even more complicated by the fact that, in some cases, it is not even clear what would constitute freely given, specific and informed consent to data processing, such as in the case of behavioural advertising, where internet browser settings are considered by some, but not by others, to deliver the user's consent."

"Clarification concerning the conditions for the data subject's consent should therefore be provided, in order to always guarantee informed consent and ensure that the individual is fully aware that he or she is consenting, and to what data processing," it said. "Clarity on key concepts can also favour the development of self-regulatory initiatives to develop practical solutions consistent with EU law."

The proposal also suggests strengthening the sanctions available so that criminal penalties could be used for serious law breaches, and extending to 'civil society associations' the ability to bring data protection actions to the courts.

It also envisages an expanded role for the EU's Article 29 Working Party, the committee made up of the data protection authorities of the EU's 27 member states. It should do more to ensure the consistency of the application of EU law across the countries, the Communication said.

The proposals also suggest that the process of transferring data out of the EU should be simplified.

"There are a few of these proposals that will raise concerns among businesses, such as the possible obligation to appoint a data protection officer, for example," said Jay of Pinsent Masons. "Others that will be welcome – for example removing the burdens of notification."

"One of the issues that comes up again and again for global business is the lack of harmonisation between EU countries – the communication proposes to address that – but of course it might address it by harmonising to the toughest level which will not necessarily appeal to business," said Jay. "The proposals which are likely to ring the biggest alarm bells because of the potential cost and impact are the possibility of breach notification and stronger requirements on transparency around complex data uses."

"The Government will probably not be keen on the suggestion that the Article 29 Group should have a bigger role, that there should be more scope for EU wide enforcement or a stricter level of harmonisation leaving us less 'wriggle room' where we want to be able to take a UK approach," she said. "On the other hand it has not gone as far as suggesting the use of a regulation and overall the proposal is probably evolution rather than revolution."