13 November 2010

playing catch-up

In a presentation last month I argued that the European Union would continue to drive Australian privacy development and that the EU privacy benchmarks would continue to move ahead, so that Australia will still be playing catch-up rather than having an opportunity to engage in protracted self-congratulation.

The European Commission has now announced that it
will propose in 2011 a new general legal framework for the protection of personal data in the EU covering data processing operations in all sectors and policies of the EU. This comprehensive new legal framework will ensure an integrated approach as well as seamless, consistent and effective protection. The European Parliament and the Council of Ministers will then negotiate and adopt the Commission’s proposal.
The Commission comments that -
The principles enshrined in the Data Protection Directive are still sound. However, the rules need to be revised and modernised in order to respond to new challenges and situations.

In any case, until new rules are adopted and enter into force, the current rules remain entirely valid and still have to be correctly implemented by Member States and applied by all those concerned.
The Commission has launched a public consultation regarding revision of the Directive.

It will also consider and pursue non-legislative measures such as awareness-raising campaigns on data protection, encouraging self-regulation and the possibility of EU certification schemes in the field of privacy and data protection.
In addition, the Commission will continue to promote high standards of data protection in third countries and at international level. Consequently, it will step up its cooperation with third countries and international organisations, such as the Organisation for Economic Co-operation and Development (OECD), the Council of Europe and the United Nations.
The Commission is also reviewing the 2006 Data Retention Directive (2006/24/EC), which was adopted to harmonise the differing laws of EU member states regarding data retention. Under that Directive, communications providers are required to store communication traffic data for a period of between six months and two years.
The Commission’s current review focuses on whether the type and amount of data retained are necessary for security reasons and whether the length of time that authorities can hold the data is appropriate.
In its consultation paper [PDF] the Commission comments that -
The 1995 Data Protection Directive set a milestone in the history of the protection of personal data in the European Union. The Directive enshrines two of the oldest and equally important ambitions of the European integration process: the protection of fundamental rights and freedoms of individuals and in particular the fundamental right to data protection, on the one hand, and the achievement of the internal market – the free flow of personal data in this case – on the other.

Fifteen years later, this twofold objective is still valid and the principles enshrined in the Directive remain sound. However, rapid technological developments and globalisation have profoundly changed the world around us, and brought new challenges for the protection of personal data. Today technology allows individuals to share information about their behaviour and preferences easily and make it publicly and globally available on an unprecedented scale.

Social networking sites, with hundreds of millions of members spread across the globe, are perhaps the most obvious, but not the only, example of this phenomenon. 'Cloud computing' - ie internet-based computing whereby software, shared resources and information are on remote servers ('in the cloud') could also pose challenges to data protection, as it may involve the loss of individuals' control over their potentially sensitive information when they store their data with programs hosted on someone else's hardware. A recent study confirmed that there seems to be a convergence of views – of Data Protection Authorities, business associations and consumers' organisations – that risks to privacy and the protection of personal data associated with online activity are increasing.

At the same time, ways of collecting personal data have become increasingly elaborated and less easily detectable. For example, the use of sophisticated tools allows economic operators to better target individuals thanks to the monitoring of their behaviour. And the growing use of procedures allowing automatic data collection, such as electronic transport ticketing, road toll collecting, or of geo-location devices make it easier to determine the location of individuals simply because they use a mobile device. Public authorities also use more and more personal data for various purposes, such as tracing individuals in the event of an outbreak of a communicable disease, for preventing and fighting terrorism and crime more effectively, to administer social security schemes or for taxation purposes, as part of their e-government applications etc.

All this inevitably raises the question whether existing EU data protection legislation can still fully and effectively cope with these challenges. To address this question, the Commission launched a review of the current legal framework, with a high level conference in May 2009, followed by a public consultation until the end of 2009. A number of studies were also launched.

The findings confirmed that the core principles of the Directive are still valid and that its technologically neutral character should be preserved. However, several issues were identified as being problematic and posing specific challenges. These include:
Addressing the impact of new technologies
Responses to the consultations, both from private individuals and organisations, have confirmed the need to clarify and specify the application of data protection principles to new technologies, in order to ensure that individuals' personal data are actually effectively protected, whatever the technology used to process their data, and that data controllers are fully aware of the implications of new technologies on data protection. This has been partially addressed by Directive 2002/58/EC (the so-called ‘e-Privacy’ Directive), which particularises and complements the general Data Protection Directive in the electronic communications sector.

Enhancing the internal market dimension of data protection
One of the main recurrent concerns of stakeholders, particularly multinational companies, is the lack of sufficient harmonisation between Member States' legislation on data protection, in spite of a common EU legal framework. They stressed the need to increase legal certainty, lessen the administrative burden and ensure a level playing field for economic operators and other data controllers.

Addressing globalisation and improving international data transfers
Several stakeholders highlighted that the increased outsourcing of processing, very often outside the EU, raises several problems in relation to the law applicable to the processing and the allocation of associated responsibility. As to international data transfers, many organisations considered that the current schemes are not entirely satisfactory and need to be reviewed and streamlined so as to make transfers simpler and less burdensome.

Providing a stronger institutional arrangement for the effective enforcement of data protection rules
There is consensus among stakeholders that the role of Data Protection Authorities needs to be strengthened so as to ensure better enforcement of data protection rules. Some organisations also asked for increased transparency in the work of the Article 29 Working Party and clarification of its tasks and powers.

Improving the coherence of the data protection legal framework
In the public consultation, all stakeholders stressed the need for an overarching instrument applying to data processing operations in all sectors and policies of the Union, ensuring an integrated approach as well as seamless, consistent and effective protection.
The above challenges require the EU to develop a comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond.