'Technical standards and the draft General Data Protection Regulation' by Eleni Kosta and Kees Stuurman in Delimatsis (ed),
The Law, Economics and Politics of International Standardization (Cambridge University Press, 2016) comments:
Privacy issues relate to a wide range of aspects of technical operations, including
availability and integrity of services and data, confidentiality, data classification
mechanisms, vendor lock-in, certification, audit and testing and so forth. The application of
the European legal framework on the protection of personal data in online environments,
in particular the Data Protection Directive (1995/46/EC), is a highly debated issue, not
only in relation to the trans-border transfers of data originating from a European Union
(EU) Member State but also to the practical application of the principles contained in the
Directive in data processing operations. The current statutory framework for data
processing includes a number of main principles that are directly linked to the architecture
of systems and applications without any explicit reference to technical standards. However,
the Directive is currently under review, and the revised European data protection
framework seems to have a stronger focus on the role and significance of technical
standards. The European Commission proposed the replacement of the Directive with a
Regulation, which not only contains updates to existing principles and provisions of the
Directive but also introduces novelties with regard to the processing of personal data. One
such novelty is the explicit reference to the importance of technical standardisation
initiatives in relation to data protection.
De Hert and Papakonstantinou commented that
‘despite the fact that [technical standards] focus on the effectiveness of processes rather
than an adequate level of (human rights) protection, [they] are of relevance to the international data privacy field.’
The protection of personal data has traditionally been
seen as part of the protection of information in computer systems. However, the proposed
General Data Protection Regulation (GDPR) puts special emphasis on the need for the
development of specific standards for a number of data protection issues. The enactment of
the GDPR may for instance introduce a ‘right to data portability’ (i.e. the right to transfer
data from one electronic processing system to and into another, without being prevented
from doing so by the controller. As a precondition and to further improve access of
individuals to their personal data, it provides the right to obtain from the controller a copy
of those data in a commonly used electronic and structured format) and the data protection
by design and by default principle. Such novelties will put even more emphasis on the key
importance of technical standards in relation to privacy compliance. Therefore, the focus of
this chapter is on the role of technical standards on data processing operations in view of
the ongoing review of the European data protection framework.
In particular, this chapter explores the complex relation between data protection
and technical standards from a legal perspective. It first describes the relationship between
the technical standards and the European data protection legal framework. The chapter
also reflects on the development of privacy standards in complex technological
environments, such as cloud computing and radio-frequency identification (RFID)
applications. It finally examines the role of technical standards in the GDPR and analyses
the specific provisions of the GDPR that relate to standardisation.