02 June 2012

Data Protection Agencies

The European Data Protection Commissioners (130 delegates from 38 countries) in their Spring Conference last month issued a broad 'Resolution on the European data protection reform' regarding the data protection frameworks of the EU, the Council of Europe and the OECD.

The Commissioners welcomed the following key aims in "modernisation" of those frameworks -
- strengthening and clarification of the rights of individuals; 
- the emphasis put on accountability of data controllers and processors; 
- the reduction of some administrative burdens and the search for consistency; 
- the key role devoted to independent data protection authorities; 
- the move to develop a more comprehensive framework ensuring the application of the fundamental data protection principles across all areas; 
- the initiative of the Council of Europe to revise Convention 108, which has been leading the way since 1981, including the objective to assure consistency and compatibility with the legal framework of the EU and supporting firmly the intention to follow more closely the implementation of the Convention by States Parties; 
- the ongoing reflection process at the level of OECD on the evolving international privacy landscape. 
The Conference also analysed the proposed improvement of the European legal texts against the background of the international developments in the field of data processing and privacy, including in the transatlantic relations, in particular in light of the white paper of the U.S. Administration released on 23 February 2012 and the FTC Report published in March 2012. Taking into account the previously adopted resolutions, the Conference studied in more detail the recent legislative package of the European Commission aimed at modernizing EU data protection rules.

The Commissioners indicated that -
The Conference welcomes that the proposals address the new challenges resulting from the pervasive collection and use of personal data in a connected and globalised world. The Data Protection Commissioners are especially pleased with: 
- the rules providing for more transparency and greater control over the data processing; 
- the codification of the principle of data minimization; 
- greater redress possibilities for data subjects; 
- the strengthening of rules concerning the rights to access and to object; 
- the inclusion of rights in order to address the challenges arising out of the online environment (a specific protection of children, the “right to be forgotten” and the new right to data portability); 
- the attempt to introduce simplified and consistent rules for data controllers; 
- the introduction of the principle of accountability; 
- the introduction of mechanisms and tools serving as incentives to demonstrate accountability such as data protection by design and by default, privacy impact assessments, the appointment of DPOs and data breach notification duties; 
- the introduction of a one-stop shop solution both for controllers by creating the concept of a lead authority cooperating with other concerned DPAs and also for individuals (subject to the latter being improved further); 
- the requirement of an active cooperation between DPAs and the strengthening of their independence and powers, including the introduction of administrative fines.
The Commissioners, unsurprisingly, also stated that they are "convinced that the expertise and practical experience of DPAs can play an important role in the practical application of data protection rights also in the future". That includes -
1. the mandatory consultation of DPAs on legislative measures at EU as well as at national level; 
2. the development of guidelines and recommendations for the practical implementation, considering national and sectoral specificities; 
3. the possibility to carry out ex officio investigations and audits.
They warned that too many exemptions and derogations hinder the effective application of core data protection principles.
Exemptions provided for public authorities, law enforcement activities or the use of data for governmental purposes, including fiscal purposes, must comply with the core aspects of data protection law. Essential data protection rules should be applied in a consistent way and independent of the respective sector. The conference therefore notes that further improvements to the current proposals are needed, especially to bring the proposed Directive regarding the area of police and justice more in line with the core principles of the General Data Protection Regulation. Rules on the transfer of data between private parties and law enforcement bodies are, for instance, still missing. Having this in mind, the Data Protection Commissioners are prepared to contribute actively to the success of a modernised and effective data protection framework for Europe. The strengthening and simplification of data protection is more important than ever.