The annual conference Computers, Privacy & Data Protection was held in Brussels last week. The purpose of the conference is to create a forum where various individuals can exchange ideas about key issues in the fields of privacy, data protection, technology and society. This year, of course, the biggest topic of discussion was the European Commission’s proposal for a comprehensive reform of EU data protection rules, which was announced on the first day of the meeting.
On January 25, Ms. Francoise Le Bail, Director-General for DG Justice, gave a keynote speech in which she highlighted some of the major goals in the Commission’s proposal. First, she emphasized that the proposal is unequivocally designed to modernize the EU’s data protection regime and to strengthen the rights of individuals. She explained that one way to achieve these goals is to require “explicit” consent in order to process data, despite the fact that this may be burdensome for data processors (how many pop-up boxes requiring consent constitute “explicit” consent?). Second, she emphasized that the use of a “single rule” (i.e. the use of a regulation rather than a directive) would help to reinforce the rights of individuals, save companies money and reduce “red tape” insofar as it would create a “one stop shop” for data protection regulation and enforcement. Third, she highlighted the proposal’s goal of strengthening the powers of national data protection authorities who, pursuant to the draft document, would be empowered to fine companies that violate EU data protection rules up to €1 million or up to 2% of the company’s global annual turnover. Finally, Ms. Le Bail stated that the proposal seeks to facilitate the free flow of data among the member states and to third countries to the extent that it is designed to reduce authorizations, facilitate binding corporate rules and clarify adequacy decisions. For more, see the Commission’s press release.
Privacy and data protection advocates at the conference, at least generally, seemed to applaud the Commission’s sweeping reform and viewed it as an excellent starting point for a modern EU data protection regime. These individuals seemed particularly pleased with the application of a regulation which would allow all EU citizens to receive the same high level of data protection regardless of their country of residence. Privacy advocates also welcomed the proposal’s call for increased accountability on behalf of data controllers and its ambition to strengthen enforcement powers of national data protection authorities. For more, see the European Data Protection Supervisor’s press release.
The business reaction at the conference was mixed. Businesses seemed pleased with the prospect of reduced administrative burdens facilitated by the “one stop shop” approach. On the other hand, there was a feeling that the proposal creates a gulf between the theory and practice of data processing. Christopher Kuner noted that while Privacy Impact Assessments (PIAs) can be useful and necessary in many instances, the provisions on PIAs in the proposal might overly burden small and medium-sized businesses. He also stated that many EU companies might have to renegotiate their contracts in order to adapt to the reallocation of duties between data controllers and processors. He further stated that provisions concerning “the right to be forgotten” and the security breach notifications appeared to be problematic (at least from his cursory view of the proposal, which was announced just hours before his speech). Finally, he noted that the data transfer issues posed by cloud computing did not appear to be adequately addressed by the regulation.
Ultimately, it will probably be another year or two before the Commission’s proposal is adopted, so we will have to stay tuned to see what happens.