
Overhaul of European Data Protection Framework Becomes Reality
November 2010
Jan Dhont, Partner, Lorenz
Just as Privacy: Generations, the 32nd International Conference of Data Protection and Privacy Commissioners, came to an end, the European Commission published its draft version of a Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions - "A comprehensive approach on personal data protection in the European Union".
Jan Dhont of Lorenz shares his observations of the way forward and what can be done to influence the outcome.
Jan is a partner in the Brussels office of Lorenz. He specializes in data protection and privacy, telecommunications, media and technology law. He also has expertise in EU regulatory matters including product regulation and product liability.
Jan counsels private corporations and public institutions on various technology and privacy law issues associated with the development and deployment of information technology. He has expertise in providing privacy compliance solutions for the pharmaceutical, insurance, banking, direct marketing and telecom industries. He assists international corporations on a daily basis with data protection issues such as international data transfers, human resources privacy, outsourcing of data processing, information security, etc.
Nymity: What has occurred?
Dhont: The European Commission adopted a draft version of a Communication on “a comprehensive approach on personal data protection in the European Union” (COM (2010) 609, hereinafter: “Communication”).
The released Communication is a clear indication that the European Commission intends to move forward with the revision of the European data protection framework (i.e., Directive 95/46/EC). The Commission initiative aims at addressing new challenges for the protection of personal data such as the impact of new technologies and globalization.
The aim of the European Commission is to propose legislation in 2011 amending the current European data protection framework. The Commission has opened a public consultation and interested stakeholders may submit their comments to the proposed framework by January 15, 2011 via the following link:
http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm
The text of the draft Communication is available here:
http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
Furthermore, the European Data Protection Supervisor (hereinafter: “EDPS”) has in a Press Release of November 15, 2010 commented on the Commission Communication. The text of the press release can be consulted here:
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2010/EDPS-2010-15_Data%20protection%20reform%20strategy_EN.pdf
Nymity: What are the key recommendations and what would be the effect of these key recommendations for companies as written?
Dhont: The key provisions for companies and businesses relate to increased harmonization of data protection legislation within the EU and additional data privacy requirements. The Commission is contemplating standard EU privacy (information) notices and a simplification of the current system of notification with national data protection authorities (including a uniform EU-wide registration form). Additionally, there will likely be a new data breach notification requirement both for the public and private sector similar to the requirements in the e-Privacy Directive (which applies to the telecommunications sector). The responsibility of data controllers will also be enhanced by broader obligations (i) to assign data protection officers and (ii) to carry out data privacy impact assessments (i.e. internal and external audits). The Commission promotes the use of Privacy Enhancing Technologies (PETs) and the ‘privacy by design’ principle, which will require companies to roll out products and services with privacy-embedded functions.
The further harmonization within the EU will allow for simplification in notification procedures and data privacy notices and the possibility to enhance the role of DPOs, lessening the administrative burdens for companies. However, data breach notifications and audit requirements will be additional data protection measures that companies will have to take into account in their compliance. Not unimportantly, the EDPS calls for stronger means for national Data Protection Authorities to enforce data protection legislation, and the introduction of collective actions for individuals to “facilitate redress and reinforce compliance by data controllers”.
Nymity: What will the process likely be through January and then after? Given your experience with similar regulatory processes what is the most effective way for those that wish to change the outcome to do so?
Dhont: The Communication contemplates the Commission issuing proposed legislation in 2011. Various studies and public consultations will be taken into account in the drafting of such language. I would definitely encourage companies and businesses to get involved in the public consultations. Based on the stakeholders’ feedback to the public consultations on the Commission’s approach as well as based on the issues raised by the Communication itself, the Commission will propose legislation to enforce the protection of personal data in the context of all EU policies including law enforcement and crime prevention.
Nymity: The relationships between the European Commission, Parliament, Council, Committees, Commissioners and so on are not so familiar to all globally. What is the relationship between these various organizational entities and others that will be involved in the process and what role will they play?
Dhont: The European Parliament and Council enact framework laws and the Commission is an executive body that sees to it that such legislation is duly executed. Once the Commission presents proposals for a new general data protection legal framework, it will be negotiated and adopted by the European Parliament and the Council. The EDPS is expected to also formally advise on the proposed text that will circulate.
Nymity: Is there a likely timeline?
Dhont: Again, draft language is expected in 2011, but as with all legislative procedures, in actuality it could be later.
Nymity: In closing, what have we not asked you that our readers would like to know about?
Dhont: One interesting suggestion is the right to data portability, which will provide an explicit right for data subjects to withdraw their data from a service so that the withdrawn data can be transferred into another service (or application). This contemplates online content such as online photos or ‘friends’ from social networking sites, but one can see the commercial advantages for companies in the private sector.
Another point concerns the applicability of the national data protection laws where several member states are concerned, for instance in a case where a multinational is located in different member states or if the data controller is located outside the EU but provides services to EU residents. In such cases legal certainty may be served by clear answers provided by the legislator.