European Data Protection Supervisor
European Data Protection Supervisor

Data Protection Reform Strategy: EDPS sets out his vision for the new framework

Data Protection Reform Strategy: EDPS sets out his vision for the new framework


Data Protection Reform Strategy: EDPS sets out his vision for the new framework

On 14 January 2011, the European Data Protection Supervisor (EDPS) issued an opinion on the Commission's Communication on the review of the EU legal framework for data protection (*). The Communication is an essential landmark on the way towards a new legal framework that will represent the most important development in the area of EU data protection since the adoption of the EU Data Protection Directive 16 years ago.

The EDPS welcomes the Commission's intention to reform the legal framework, as he is convinced that the current legislative arrangements for data protection will not provide for sufficient effective protection in the longer term in a further developing information society and globalised world. He shares the Commission's view that in the future a strong system of data protection is absolutely necessary, based on the notion that the existing general principles of privacy and data protection still remain valid (**). The perspective of a future without effective privacy and data protection can not be accepted.

The opinion sets out the EDPS vision for the future framework and proposes a set of recommendations. The EDPS supports the main issues and challenges identified by the Commission, but asks for more ambitious solutions to make the system more effective and give citizens better control over their personal data.

Peter Hustinx, EDPS, says: "In an information society where huge amounts of personal information are constantly being processed, citizens need and expect to stay in control of their personal data. If we want to strengthen citizens' rights over their personal data, we need to ensure that individuals remain in control and that data controllers pro-actively include data protection in their business processes. There is also a crucial need for a comprehensive framework that includes the area of police and justice."

In the EDPS' view, the major driving forces of the review process should be as follows:

  • the rights of individuals should be strengthened: data protection is a fundamental right and individuals should be protected under all circumstances. The EDPS suggests introducing a mandatory security breach notification covering all relevant sectors, as well as new rights, especially in the online environment, such as the right to be forgotten and data portability (***). Children's data should also be better protected;
  • the responsibility of organisations needs to be reinforced: the new framework must contain incentives for data controllers in the public or private sector to pro-actively include new tools in their business processes to ensure compliance with data protection (accountability principle). The EDPS proposes the introduction of general provisions on accountability and "privacy by design";
  • the inclusion of police and justice cooperation in the legal framework is a conditio sine qua non for effective data protection in future;
  • further harmonisation should be one of the key objectives of the review. The Data Protection Directive should be replaced by a directly applicable regulation;
  • the new legal framework must be formulated in a technologically neutral way and must have the ambition to create legal certainty for a longer period;
  • the enforcement powers of data protection authorities should be strengthened and their independence should be better guaranteed across the EU.

(*) Communication from the Commission of 4 November 2010, on "A comprehensive approach on personal data protection in the European Union (COM(2010) 609 final)

(**) These principles are laid down in Council of Europe Convention 108 and Article 8 of the Charter of the Fundamental rights of the Union.

(***) The right to be forgotten refers to the right to have one's data deleted or not further disseminated after a fixed period of time. Data portability is the ability to shift data from one place to another and not be tied to a particular system.