Shaping the future of privacy
10 November 2010
This article was first published in Data Protection Law
& Policy in November 2010
After months of anticipation, weeks of gossip and leaked
strategy documents, the European Commission has finally and
publicly come out of the legislative policy closet. The publication
of the Commission’s approach for modernising the EU legal system
for the protection of personal data is a crucial milestone. In
fact, the potential impact of the Commission’s official
communication should not be underestimated. If it gets it right,
this will shape the future of privacy - a must-have value for
the information society. If it gets it wrong, not only will legal
compliance be compromised, but a fundamental right will end up
being very badly damaged.
Although they are only covered at a very high level, the
Commission seems to have correctly identified today’s data privacy
challenges. It is certainly encouraging to see a public
acknowledgement of the current framework’s failure to address the
issues raised by new technologies and globalisation. The big
question mark is whether the EU will be able to identify what is
realistically achievable and aim for that, rather than pursuing an
unrealistic data protection nirvana. When dealing with a
fundamental right there is a natural tendency to avoid compromises,
but in this case pragmatism should prevail.
The devil may be in the detail (which will come later in 2011
when a concrete legislative proposal is revealed), but so far the
signs are positive. In practical terms, the Commission’s strategy
for a future data protection regime rests on five pillars:
strengthening individuals’ rights, achieving harmonisation,
enhancing organisations’ responsibilities, addressing international
data transfers and strengthening enforcement. Overall, the balance
between tried and tested solutions and new ideas is good, but more
importantly, the essential ingredients for progressive personal
information protection are either specifically included in the
proposed strategy or suitably implied.
The most innovative features of the Commission’s approach to
21st century data privacy seem to fall within the individuals’
rights category. Whilst transparency is far from new in European
data protection law, the Commission hints at some new measures such
as more specific multi-party information provision obligations and
standard privacy notices. Following from that, the Commission is
eager to explore controversial measures such as general personal
breach notification, data minimisation, the right to be forgotten
and data portability. Whether a meaningful and productive debate
about all of these ideas can take place in just a few months is
another matter, but the new framework could see the introduction of
measures that would go head to head against the direction adopted
by the digital economy so far.
An objective that is guaranteed to receive 100% support is the
harmonisation and simplification of rules. Administrative burdens
in particular, like registration and regulatory authorisation, are
due for a makeover and are likely to face a radical review.
However, a much more difficult question on which to obtain
universal agreement will be the clarification of the criteria
for determining the applicable law. The Commission is aware of the
illogical consequences of applying the current establishment and
equipment rules in an online world and, at the same time, it is
keen to ensure that individuals are not deprived of protection. So
will it change direction entirely and go for jurisdictional rules
based on EU citizenship or residency?
The Commission provides a greater degree of certainty about its
intentions when it talks about the elements of the forthcoming
regime aimed at enhancing data controllers’ responsibility. The
emphasis here seems to be on practicalities - hence the
references to the role of privacy officers, the requirement to
carry out privacy impact assessments and the implementation of the
‘Privacy by Design’ principle. Equally practical is the position on
the rules for international data transfers. Whilst abandoning the
restrictions affecting unsafe data flows seems out of the question,
the specific references to the improvement of the current adequacy
mechanisms and the development of Binding Corporate Rules evidence
a recognition of the need for a fix.
In the end, the test for the future of European data protection
law lies in its ability to interface with other international data
privacy laws. More than ever and for the rest of human history,
privacy is a global issue. A European framework that is tolerant of
other regimes and can relate to personal information protection
initiatives developed in other parts of the world will be much more
effective and successful than an EU-centric one. If the EU is to
remain a driving force for the development and promotion of
international legal and technical standards for the protection of
personal data – as the Commission wishes – realism and
pragmatism, as well as imagination, should guide everyone’s
efforts. The opportunity is ours.