How might the EU data protection framework change ?

Waltraut Kotschy

Expert Workshop onData Protection

Podgorica, Febr. 7 2011

Why should it change? (1)

• Ernormous changes since 1995– Technological developments

• Internet as a predominant way of communication• Data mining• Cloud computing• etc

– Globalisation:• Due to the internet, „doing things“ is less than ever bound to being

present at a specific location • Due to the internet, information can be spread easily to the whole world

– Abolition of „pillar“-structure of the EU by the Lisbon Treaty• Coherence throughout all matters subject to EU legislation - beyond

common market matters

Why should it change? (2)

• New technologies do not always meet with effective data protection tools:– How to get rid of personal information in the Internet ?– How to find the responsible controller on the internet ?– Who can guarantee data protection in a cloud computing environment?

• Globalisation may for the data subject lead to a – lack of transparency as to the use of data and – difficulties to enforce data protection

• New structure of the EU makes it possible to fully extend data protection rules to areas of police and justice– Reason for lack of full protection by EU-legislation is no longer existent

How should it change ?

• The Commission Paper COM(2010) 699 final, from Nov. 2010, makes several proposals for intensive discussion in public during the next months

One comprehensive DP- framework

• The applicability of a revised Data Protection Directive should be extended to matters of the former „third pillar“ (police and justice)

• It should be fully applicable, that is: not only pertain to matters of transborder-cooperation, but to all activities, national and transnational, of police or judicial authorities

Enhancing rights of data subjects

– Applicability to the former „third pillar“- matters would automatically be favourable to the rights of data subjects; moreover

– the rights of data subjects need to be enhanced vis à vis new technologies, e.g.• „right to be forgotten“ in the internet• Mandatory data breach notifications• Right to data portability• Introducing „class action“ to make enforcing rights

easier for the data subject

Additional „Internet-rules“?

• The internet empowers the individual by completely new possibilities to make information public, even globally public.

Such power needs balancing• The Directive does not apply to processing for

„personal and household activities“Social networks have become a phenomenon with serious data protection implicationsthe Directive is, however, not applicable

Introducing some new principles

• The Commission paper proposes to introduce several new mandatory principles:– data minimisation– built in data protection into new processing

systems: „privacy by design“– internal data protection officers– „Accountability principle“: stressing

responsibility of controllers

Globalising data protection

• Goal: minimum standard of protection for personal data wherever they are processed

• Means:– Working together with international community to

establish universal principles for data protection– Follow more often the principle of reciprocity– Within the EU:

• Further harmonization of the interpretation and implementation of EU rules

• Revise the rules on international data transfer• Develop procedures with effect in all 27 member states

Strengthening enforcement

• Revision of – Powers of data protection authorities– Nature of sanctions– Procedures of sanctioning:• Introduce criminal sanctions• Stress joined enforcement actions beyond national

borders or even continental outlines