How might the EU data protection framework change

Waltraut Kotschy
Expert Workshop on Data Protection
Podgorica, Febr. 7 2011
Why should it change? (1)
• Enormous changes since 1995
  – Technological developments
    • Internet as a predominant way of communication
    • Data mining
    • Cloud computing
    • etc.
  – Globalisation:
    • Due to the internet, „doing things“ is less than ever bound to being present at a specific location
    • Due to the internet, information can be spread easily to the whole world
  – Abolition of the „pillar“ structure of the EU by the Lisbon Treaty
    • Coherence throughout all matters subject to EU legislation, beyond common market matters
Why should it change? (2)
• New technologies do not always meet with effective data protection tools:
  – How to get rid of personal information on the Internet?
  – How to find the responsible controller on the internet?
  – Who can guarantee data protection in a cloud computing environment?
• For the data subject, globalisation may lead to
  – a lack of transparency as to the use of data and
  – difficulties in enforcing data protection
• The new structure of the EU makes it possible to fully extend data protection rules to the areas of police and justice
  – The reason for the lack of full protection by EU legislation no longer exists
How should it change?
• The Commission Paper COM(2010) 699 final, from Nov. 2010, makes several proposals for intensive discussion in public during the next months
One comprehensive DP framework
• The applicability of a revised Data Protection Directive should be extended to matters of the former „third pillar“ (police and justice)
• It should be fully applicable, that is: not only pertain to matters of transborder cooperation, but to all activities, national and transnational, of police or judicial authorities
Enhancing rights of data subjects
– Applicability to the former „third pillar“ matters would automatically be favourable to the rights of data subjects; moreover
– the rights of data subjects need to be enhanced vis-à-vis new technologies, e.g.
  • „right to be forgotten“ on the internet
  • Mandatory data breach notifications
  • Right to data portability
  • Introducing „class action“ to make enforcing rights easier for the data subject
Additional „Internet-rules“?
• The internet empowers the individual by completely new possibilities to make information public, even globally public.
  – Such power needs balancing
• The Directive does not apply to processing for „personal and household activities“
  – Social networks have become a phenomenon with serious data protection implications
  – The Directive is, however, not applicable
Introducing some new principles
• The Commission paper proposes to introduce several new mandatory principles:
  – data minimisation
  – building data protection into new processing systems: „privacy by design“
  – internal data protection officers
  – „Accountability principle“: stressing responsibility of controllers
Globalising data protection
• Goal: minimum standard of protection for personal data wherever they are processed
• Means:
  – Working together with the international community to establish universal principles for data protection
  – Follow the principle of reciprocity more often
  – Within the EU:
    • Further harmonization of the interpretation and implementation of EU rules
    • Revise the rules on international data transfer
    • Develop procedures with effect in all 27 member states
Strengthening enforcement
• Revision of
  – Powers of data protection authorities
  – Nature of sanctions
  – Procedures of sanctioning:
    • Introduce criminal sanctions
    • Stress joint enforcement actions beyond national borders or even continental outlines