The Article 29 working party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU. Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight in to areas of likely reform of European privacy law in the coming years. After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:
1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.
2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites. WP29 says it is currently preparing a detailed opinion on the applicability of EU law.
3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.
4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector. Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.
5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”
6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.
7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy. Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.
8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.
9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.
Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP 29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, consultation which closed on December 31, 2009. Other contributions can be viewed here.