Out of Brussels comes news that the European Commission has circulated a document containing a draft strategy for improving data protection, including a long-awaited set of proposals for revamping the EU Data Protection Directive. The proposals are prompted by changes in technology, and in the ways people share information, since the Directive was adopted in the 1990s. It appears that the Commission intends to pursue both legislative changes and non-legislative measures to bring about the improvements under discussion.
According to Bloomberg, "[c]hanges could be made to the document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011."
The key components of the new EU strategy appear to include:
- The establishment of EU-wide registration forms for databases;
- Specific new rules on privacy notices, including the promulgation of EU “standard form privacy information notices” and special rules with respect to minors;
- New rules that strengthen and clarify the concept of consent to the collection, use and transfer of data;
- New rules on data minimization;
- The creation of a “right to be forgotten,” giving individuals the right to demand deletion of data that is no longer needed for the purpose for which it was collected;
- The creation of a right of “data portability,” allowing individuals to take their photos, medical records or list of friends out of one application or service and transfer them to another;
- New rules on what constitutes “sensitive data”;
- New remedies for violations of privacy, including expanded criminal sanctions and giving data protection authorities the right to go to court;
- The establishment of security breach notification rules;
- Clarification on the legal rules that will attach to data stored in the cloud, regardless of the geographic location of the controller;
- The possible introduction of an “accountability” principle to ensure compliance with data protection laws;
- New rules making the appointment of corporate Data Protection Officers mandatory, along with privacy impact assessments and the application of privacy by design principles;
- The encouragement of self-regulatory schemes and privacy seals;
- Improvements in current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations;
- Clarification of the Commission’s adequacy procedure and improved specification of the criteria and standards for assessing the level of data protection in third countries;
- A re-definition of the standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments;
- Clarification and strengthening of the status and powers of the national Data Protection Authorities under the new legal framework, including the concept of "complete independence";
- Exploration of ways to improve cooperation and coordination between Data Protection Authorities and to ensure better enforcement of EU rules, particularly on issues with a cross-border dimension. This may include strengthening the role of the Article 29 Working Party and giving it additional powers so that it can provide a European response to breaches of data protection rules at EU level, or creating a European Data Protection Authority;
- Enhancement of international privacy enforcement through cooperation.
Any one of the proposed changes would be news, but taken together, they suggest a dramatic set of possible changes with respect to data protection in the EU.