EU Commission kicks off major data law review

Topic: Privacy

Who: European Commission

When: 26 April 2010

Where: EU

Law stated as at: 26 April 2010

What happened:

Commissioner Viviane Reding – the first ever commissioner for Justice, Fundamental Rights and Citizenship – spoke to the European Policy Centre in Brussels on the 18th March 2010 and outlined her priorities for her new term as Commissioner.

She focused her priorities on, amongst other things, the reform of current EU data protection laws. This followed her speech on Data Protection Day (28 January 2010) to the European Parliament where she said that the EU needed to provide "a robust legal instrument to respond to the challenges posed by the rapid development of new technologies and by evolving security threats".

The current European law governing data protection is set out in the Data Protection Directive 1995 (95/46/EC) – it should be no surprise that reform is on the way given the number of emerging trends and new challenges posed by the information age, such as globalisation, the internet, online social networking, e-commerce, behavioural advertising, cloud computing etc. since the directive was signed off nearly 15 years ago.

Privacy by Design

Amongst other things Reding proposes to establish the principle of 'privacy by design' – a principle where businesses voluntarily 'build in' privacy safeguards such as limited data collection, consumer notice, individual consent and reasonable security. This could also witness mandatory default settings concerning personal data or insisting that technologies lend themselves to audits of data protection compliance, thus making the enforcement of data protection easier.

Action Plan

On the 20 April 2010 the European Commission unveiled an action plan for the implementation of the Stockholm Programme – a wider EU plan containing 170 initiatives for justice and security for the next 5 years that was adopted in December 2009. The action plan follows on from Commissioner Reding's speeches earlier in 2010 about her plans for data protection reform. The actions include:

• Post-Lisbon Treaty – providing a communication on the new legal framework on the protection of personal data.
• Commissioner Reding to publish a data protection legislative reform proposal by the end of 2010. This will draw on the results of an EU wide public consultation into the need for reform of the 1995 Directive, although disappointingly the massed stakeholders in 27 EU states could muster only 160 responses.
• Publish a communication on privacy and trust in digital Europe.

Why this matters:

This proposed data protection reform stems from the adoption of the Lisbon Treaty in December 2009 that has put the Charter of Fundamental Rights on a level footing with the other EU Treaties, including articles 7 and 8 on the respect for private and family life and protection of personal data. This is likely to apply to all policy areas – having a potentially wide ranging effect on both individuals as well as businesses.

Technology producers will need to be increasingly aware of the 'privacy by design' principle from the starting point of their product development and social networking sites are also likely to come under increasing scrutiny. Pressure has already been applied to social networking sites by Reding, in her previous post as telecoms commissioner, to hide internet profiles from public view.

Google is another example of the potential power of the EU, having been forced to cut the amount of time it stores images on its Street View Services from 12 to 6 months. Commissioner Reding has, however insisted that EU does not have the intention to catch out any single company and that she said that it is about "general European rules which have to be applied, and then about their enforcement at national level. Only when we see that this is not happening we intervene, we cannot go against a single company."