“30 years after: the impact of the OECD Privacy Guidelines”

Joint ICCP-WPISP Roundtable
Paris, 10 March 2010
Session 3:
The Privacy Guidelines in the Current Environment
“Recent developments in the European Union”
Peter Hustinx
European Data Protection Supervisor (EDPS)
Background
The EU legal framework for data protection developed on the basis of the Council of
Europe’s Convention 108 that was elaborated in parallel with the OECD Guidelines.
The Convention is a benchmark for 41 states in Europe and offers protection to nearly
800 million people. The OECD Guidelines are mostly relevant as a global framework
for interactions with partners around the world.
The EU legal framework specifies the provisions of Convention 108 to ensure a high
level of protection and a free flow of personal data for the 27 member states or 500
million people of the European Union. It consists of three main elements: Directive
95/46/EC (general Directive), Directive 2002/58/EC (e-Privacy Directive) and
Council framework Decision 2008/977/JHA on police and judicial cooperation in
criminal matters. The requirement of ‘independent supervision’ was recently clarified
by the European Court of Justice[1].
Consultation
The implementation of the general Directive by the member states has been reviewed
twice. In July 2009, the European Commission launched a public consultation with a
view to receiving input on the questions of whether the current legal framework meets
the present challenges for personal data protection, in particular in the light of new
technologies and globalisation, and what action would be needed to address these
challenges.
The consultation closed in December 2009 and resulted in 168 contributions from
citizens, private organisations and public authorities, which are now available at the
Commission’s website. Most contributions argue that the main principles of data
protection should not be amended and that instead the focus should be on a better
implementation of the principles. The Commission is now analysing this input and is
expected to come up with its conclusions and proposals by early 2011.
Relevant context
An important element of the context is the entry into force of the Lisbon Treaty on 1
December 2009. As a result, the Charter of fundamental rights has become binding
not only for EU institutions and bodies, but also for the member states when they are
implementing EU law. One of the new features of the Charter was the introduction in
Article 8 of a separate right to the protection of personal data. Article 16 TFEU[2] now
also contains a general legal basis for legislative measures with regard to data
protection. Both elements will lead to a more horizontal approach and an increased
focus of policy makers on privacy and data protection in EU policies and legislation.

[1] Judgment of 9 March 2010 in Case C-518/07.
A second important element is that the new Commission that took office in February
2010 has a strong emphasis on citizen rights and data protection. The commissioner
responsible for Justice, Fundamental Rights and Citizenship has made data protection
her top priority. The new five year programme for Justice and Home Affairs adopted
under Swedish Presidency in December 2009 (Stockholm Programme) has a similar
focus. The increased role of the European Parliament under the Lisbon Treaty has also
led to more attention for data protection issues.
More effective protection
One of the most substantial contributions[3] to the consultation was submitted by the
Article 29 Data Protection Working Party and the Working Party on Police and
Justice, both with representatives of all national data protection authorities in the EU
and the EDPS. The central message of this contribution is that the main principles of
data protection are still valid despite new technologies and globalisation. However,
the level of data protection in the EU should benefit from a better application of the
existing principles in practice. Some key improvements would help to face most of
the current challenges.
The paper proposes the introduction of one comprehensive framework to replace the
three main instruments mentioned before. It recognises the need for specific rules
(leges speciales), provided that they fit within the notion of a comprehensive framework
and comply with the main principles. The main safeguards and principles of data
protection should apply to data processing in all sectors.
The EU and its Member States should guarantee the right to data protection for
everybody, in so far as they have jurisdiction. Individuals should be able to claim
protection even if their data are processed outside the EU. Therefore, the Commission
is called upon to take initiatives towards the further development of global standards
for the protection of personal data. Binding Corporate Rules (BCRs) are also
mentioned as important instruments for the protection of personal data outside the
EU. A provision on BCRs should be included in the new legal framework. The issues
of jurisdiction and applicable law will be looked into separately at a later stage.
The paper states that Directive 95/46/EC has stood the test of technological change
due to its sound and technologically neutral principles and concepts. These remain
equally valid and applicable in today’s networked world. However, to counterbalance
the risks for privacy and data protection, the principle of ‘Privacy by Design’ should
be introduced in the new framework: privacy and data protection should be integrated
in the design of ICT. This would require the implementation of ‘privacy enhancing
technologies’, ‘privacy by default’ settings and the necessary tools to enable users to
better protect their personal data. This principle should therefore not only be binding
for data controllers, but also for technology designers and producers.

[2] TFEU: Treaty on the Functioning of the European Union, one of the two main elements of the Lisbon
Treaty.
[3] “The Future of Privacy”, Joint contribution to the Consultation of the European Commission on the
legal framework for the fundamental right to protection of personal data, adopted on 1 December 2009
(WP 168).
Stronger roles
In addition to these general measures, the position of the main actors – data subjects,
data controllers and data protection authorities – should be reinforced.
Empowerment of data subjects requires, among other things, the improvement of redress
mechanisms: more options for the data subject to exercise and enforce his rights,
including the introduction of class action procedures, and more easily accessible,
more effective and affordable complaints procedures and alternative dispute
resolution. The new framework should also provide more transparency and specify
the requirements for ‘consent’. Finally, the role of data subjects on the internet is an
area of concern. In any case, whoever offers services to a private individual should be
required to provide certain safeguards for the security and confidentiality of information
uploaded by users, regardless of whether their client is a data controller.
The responsibility of data controllers should also be strengthened. Data protection
should be better embedded in organisations and responsibilities for it should be
expressly assigned. It would be appropriate to introduce in the comprehensive
framework an accountability principle, so that data controllers are required to carry
out the necessary measures to ensure that substantive principles and obligations are
observed when personal data are processed, and to have the necessary internal
mechanisms in place to demonstrate compliance to external stakeholders, including
data protection authorities. This shift is likely to improve the effectiveness of data
protection measures. Notifications of data processing operations to data protection
authorities should be reduced or simplified.
The paper further envisages a stronger role for data protection authorities. The new
challenges for data protection require stronger supervision, in a more uniform and
effective way. The new framework should therefore guarantee uniform standards as to
independence, effective powers, an advisory role in the legislative process
and the ability to set their own agenda, in particular by setting priorities regarding the
handling of complaints. International cooperation among data protection authorities
should likewise be reinforced.
Law enforcement
Finally, the paper discusses the data protection challenges in the field of police and
law enforcement. The general data protection principles should be equally applicable
in this area, but with some further specifications. The challenges in this area include
growing data flows, driven by the need to face threats resulting from terrorism and
organised crime and stimulated by technological developments. These data flows involve
both exchanges among law enforcement bodies and exchanges with other organisations in
the public or the private sector. A consistent framework would help to face the
challenges in this area.