Deconstructing the privacy macaron
08 December 2011
This article was first published in Data Protection Law & Policy in November 2011.
Compact. Self-contained. Multi-layered. Hard to penetrate and rich inside with a mix of flavours and tones. Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law. But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?
- A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.
- Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.
- Applicability based on establishment and targeting of European residents – The novelty is that the "use of equipment in the EU" test will be replaced by a test based on data processing directed at individuals who live in the EU.
- Privacy principles – Transparency, finality, proportionality and data quality are all likely to be there, but for added flavour expect some new ones like data minimisation and accountability.
- Consent – Individuals' consent will remain a cornerstone of European data protection law, but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual's freedom of choice.
- Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals' rights. Top of the list will be the much publicised right to be forgotten, followed closely by data portability rights. No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.
- Controller's responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities, ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.
- Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.
- International data transfers – Greater flexibility is expected on this issue, alongside an express recognition of binding corporate rules, which will be available to both controllers and processors. An area of concern, however, is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflicts.
- Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence. In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU. We can also assume that greater international coordination mechanisms will be in place.
- Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.
All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today's and tomorrow's data protection. Whether the result will suit everyone's taste is a different matter.
Eduardo Ustaran, Partner in the Technology & Outsourcing Law Group at Field Fisher Waterhouse.