Reform of EU Data Protection law: EDPS calls on the European Commission to be ambitious in its approach
Today, in a speech at the European Privacy and Data Protection Commissioners' Conference in Prague, the European Data Protection Supervisor (EDPS), Peter Hustinx, spoke strongly about the need to be proactive in the context of the unfolding debate on the future of the EU legal framework for data protection. The EDPS called on the European Commission to remain ambitious in updating the existing framework to avoid the risk of an increasing loss of relevance and effectiveness of data protection in a society that is ever more driven by technological change and globalisation.
"The stakes are not more and not less than how to ensure privacy and data protection in a highly developed Information Society of 2015, 2020 or beyond" said Peter Hustinx. "An ambitious approach is the only way in which we can ensure that our privacy and personal data are well protected, also in the future. It is essential that the Commission comes up with proposals that take into account what is really needed and does not settle for less ambitious results".
In his speech, Peter Hustinx insisted on the key conditions for an effective legal framework to protect the individual's personal data in the EU. This includes the need for a comprehensive legal framework to ensure more effectiveness, as well as the following main elements:
- integration of "privacy by design"(*) and "privacy by default"(**) in information and communication technologies;
- more accountability for controllers: data controllers should be made more accountable to ensure compliance with data protection rules in practice. This would bring significant added value for an effective implementation of data protection and would considerably help data protection authorities in supervision and enforcement;
- stronger enforcement powers for data protection authorities: it is essential that data protection authorities have sufficient resources to exercise their monitoring tasks and, if necessary, enforce compliance with data protection rules.
(*) Application of data protection requirements from the very inception of new information and communication technologies and at all stages of their development
(**) Parameters controlled by users, for instance in Internet browsers, that should be set by default to the most privacy compliant option.
Background information
In July 2009, the European Commission launched a consultation on the future of the present legal framework for data protection to seek views on how to respond to new challenges for data protection presented by new technologies and globalization. The consultation was also motivated by the adoption of the Lisbon Treaty, which will require a reworking of the structure of the EU legal framework for data protection.
One of the most substantial contributions to the consultation was submitted by the Article 29 Data Protection Working Party and the Working Party on Police and Justice, both with representatives of all national data protection authorities in the EU and the EDPS. The central message of this contribution (pdf) is that the main principles of data protection are still valid despite new technologies and globalisation. However, the level of data protection in the EU should benefit from a better application of the existing principles.
The Commission is expected to come up with its conclusions and proposals by the end of the year. They are likely to include a review of the EU Data Protection Directive (Directive 95/46/EC), which is the reference text, at European level, on the protection of personal data.