Reed Smith Client Alerts

Introduction

The European Commission has set out a strategy to modernise its approach to personal data protection in a communication issued on 4 November 2010 ('Communication'). The Commission plans to propose legislation in 2011 revising the legal framework for data protection, including the European Data Protection Directive 95/46/EC. Technological advancements such as social media and cloud computing have highlighted the need to strengthen individuals' rights. The strategy therefore stresses the need for greater transparency from data controllers about what is done with personal data, and for individuals to be able to exercise effective control over their own data.

Harmonisation and Certainty: Top of Everyone's Wish List

The Commission seeks a more unified, consistent approach to data protection regulation across Member States, recognising that the different approaches currently adopted at national level present significant challenges to multi-national companies operating within and across Europe. For example, the Commission is looking to reduce the cost and administrative burden of complying with multiple national regimes by potentially introducing EU-wide registration forms for notification purposes (data protection regulatory filings). This is complemented by a recognition that EU regulatory measures for international data transfers are "not entirely satisfactory and need to be reviewed and streamlined so as to make transfers simpler and less burdensome." In future, therefore, multi-national companies acting as data controllers may benefit from a streamlined notification process, freeing up resources currently spent complying with multiple regimes at once in respect of both data notification and international data transfers.

The Emergence of the Accountability Principle and 'Privacy by Design'

The Commission is supportive of the 'accountability principle' and will explore ways to enhance data controllers' responsibility for personal data (see Client Alert, Article 29 Working Party Opinion 3/2010 on the Principle of Accountability). The Commission wants data controllers to take more responsibility for compliance and to put in place more effective policies and mechanisms to ensure fulfilment of data protection obligations.

One favoured method for achieving increased accountability is to introduce a mandatory requirement to appoint an independent Data Protection Officer, harmonising across Member States the rules relating to their tasks and competencies. This could simplify the management of data protection within organisations. In addition, the Commission is looking at including in the legal framework an obligation for data controllers to carry out a data protection/privacy impact assessment, particularly where the processing of sensitive personal data is involved or in other areas involving specific risks, such as the use of emerging technologies and practices like profiling and video surveillance. Even though this would involve additional work in the short term, it should assist data controllers in complying with their obligations in the long term.

The Commission will also examine promoting the use of privacy enhancing technologies (see Blog Post, What kind of animal is your PET?) as well as the concrete implementation of 'Privacy by Design'. This is the concept[1] of incorporating privacy considerations into the development and design of new technologies and business practices from the outset, rather than imposing remedial measures retrospectively: 'build personal data protection in rather than bolt it on'.

'Privacy by Design' is likely to become an increasingly important theme in future global data protection best practice. At the end of October, the International Conference of Data Protection and Privacy Commissioners (held this year in Jerusalem) passed a resolution recognising and endorsing the adoption of 'Privacy by Design' as a guiding legal principle of data protection worldwide. The resolution reflects a notable paradigm shift towards increased convergence in the global approach to data protection and privacy compliance and best practice.

For data controllers, this will mean a significant shift in the way they approach data protection within their organisations. New data protection frameworks may need to be implemented where existing protections are not sufficiently robust to satisfy the requirements of 'Privacy by Design'. It may in some cases be prudent to begin reassessing data protection compliance in light of this potential change in advance of any definitive legislation being passed, as the process may be time-consuming, particularly for multi-national organisations lacking a harmonised approach to data protection across different jurisdictions. Reed Smith is on hand to assist, should such reworking be necessary.

Conclusion

The Communication represents the clearest indication yet that the European Commission is taking on board the views of citizens, businesses and regulators to revise its approach to personal data protection. This will help to meet the challenges and changes wrought by rapid technological developments and globalisation over the last fifteen years. In this context, the Commission will consider introducing a general data breach notification obligation and may also consider a legal framework for a 'right to be forgotten', in particular in the online world.

The Commission will now carry out an impact assessment based on the strategy laid out in the Communication and is looking to propose new data protection legislation in 2011. Unfortunately, the implementation of such legislation is a long way away in practice and, in the meantime, data controllers are required to negotiate compliance with the complex and inconsistent requirements of the different data protection regimes currently prevailing across Europe.

How might we help?

Reed Smith's Data Privacy, Security and Management Team has the level of experience and "hands-on" knowledge required to assist you in negotiating the complex legal framework in and across Europe, and globally. We can support you in designing, developing and implementing an effective global data protection compliance programme across your organisation, with appropriate data protection policies, practices and controls. We can advise you in greater depth about the implications of the proposed changes and discuss with you how to ensure your business can incorporate best practices in personal data protection and so gain competitive advantage.


[1] Originally conceived and developed by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian.