16 August 2015

Data Protection Standards

'Technical standards and the draft General Data Protection Regulation' by Eleni Kosta and Kees Stuurman in Delimatsis (ed), The Law, Economics and Politics of International Standardization (Cambridge University Press, 2016) comments
Privacy issues relate to a wide range of aspects of technical operations, including availability and integrity of services and data, confidentiality, data classification mechanisms, vendor lock-in, certification, audit and testing and so forth. The application of the European legal framework on the protection of personal data in online environments, in particular the Data Protection Directive (1995/46/EC), is a highly debated issue, not only in relation to the trans-border transfers of data originating from a European Union (EU) Member State but also to the practical application of the principles contained in the Directive in data processing operations. The current statutory framework for data processing includes a number of main principles that are directly linked to the architecture of systems and applications without any explicit reference to technical standards. However, the Directive is currently under review, and the revised European data protection framework seems to have a stronger focus on the role and significance of technical standards. The European Commission proposed the replacement of the Directive with a Regulation, which not only contains updates to existing principles and provisions of the Directive but also introduces novelties with regard to the processing of personal data. One such novelty is the explicit reference to the importance of technical standardisation initiatives in relation to data protection.  
De Hert and Papakonstantinou commented that ‘despite the fact that [technical standards] focus on the effectiveness of processes rather than an adequate level of (human rights) protection, [they] are of relevance to the international data privacy field.’ The protection of personal data has traditionally been seen as part of the protection of information in computer systems. However, the proposed General Data Protection Regulation (GDPR) puts special emphasis on the need for the development of specific standards for a number of data protection issues. The enactment of the GDPR may for instance introduce a ‘right to data portability’ (i.e. the right to transfer data from one electronic processing system to and into another, without being prevented from doing so by the controller; as a precondition and to further improve access of individuals to their personal data, it provides the right to obtain from the controller a copy of those data in a commonly used electronic and structured format) and the data protection by design and by default principle. Such novelties will put even more emphasis on the key importance of technical standards in relation to privacy compliance. Therefore, the focus of this chapter is on the role of technical standards on data processing operations in view of the ongoing review of the European data protection framework.
In particular, this chapter explores the complex relation between data protection and technical standards from a legal perspective. It first describes the relationship between the technical standards and the European data protection legal framework. The chapter also reflects on the development of privacy standards in complex technological environments, such as cloud computing and radio-frequency identification (RFID) applications. It finally examines the role of technical standards in the GDPR and analyses the specific provisions of the GDPR that relate to standardisation.