“30 years after: the impact of the OECD Privacy Guidelines”
Joint ICCP-WPISP Roundtable, Paris, 10 March 2010
Session 3: The Privacy Guidelines in the Current Environment

“Recent developments in the European Union”
Peter Hustinx, European Data Protection Supervisor (EDPS)

Background

The EU legal framework for data protection developed on the basis of the Council of Europe’s Convention 108, which was elaborated in parallel with the OECD Guidelines. The Convention is a benchmark for 41 states in Europe and offers protection to nearly 800 million people. The OECD Guidelines are mostly relevant as a global framework for interactions with partners around the world.

The EU legal framework specifies the provisions of Convention 108 to ensure a high level of protection and a free flow of personal data for the 27 member states, or 500 million people, of the European Union. It consists of three main elements: Directive 95/46/EC (general Directive), Directive 2002/58/EC (e-Privacy Directive) and Council Framework Decision 2008/977/JHA on police and judicial cooperation in criminal matters. The requirement of ‘independent supervision’ was recently clarified by the European Court of Justice [1].

Consultation

The implementation of the general Directive by the member states has been reviewed twice. In July 2009, the European Commission launched a public consultation with a view to receiving input on the questions of whether the current legal framework meets the present challenges for personal data protection, in particular in the light of new technologies and globalisation, and what action would be needed to address these challenges. The consultation closed in December 2009 and resulted in 168 contributions from citizens, private organisations and public authorities, which are now available on the Commission’s website. Most contributions argue that the main principles of data protection should not be amended and that the focus should instead be on a better implementation of the principles.

The Commission is now analysing this input and is expected to come up with its conclusions and proposals by early 2011.

Relevant context

An important element of the context is the entry into force of the Lisbon Treaty on 1 December 2009. As a result, the Charter of Fundamental Rights has become binding not only for EU institutions and bodies, but also for the member states when they are implementing EU law. One of the new features of the Charter was the introduction in Article 8 of a separate right to the protection of personal data. Article 16 TFEU [2] now also contains a general legal basis for legislative measures with regard to data protection. Both elements will lead to a more horizontal approach and an increased focus of policy makers on privacy and data protection in EU policies and legislation.

A second important element is that the new Commission that took office in February 2010 places a strong emphasis on citizen rights and data protection. The commissioner responsible for Justice, Fundamental Rights and Citizenship has made data protection her top priority. The new five-year programme for Justice and Home Affairs adopted under the Swedish Presidency in December 2009 (Stockholm Programme) has a similar focus. The increased role of the European Parliament under the Lisbon Treaty has also led to more attention to data protection issues.

More effective protection

One of the most substantial contributions [3] to the consultation was submitted by the Article 29 Data Protection Working Party and the Working Party on Police and Justice, both with representatives of all national data protection authorities in the EU and the EDPS. The central message of this contribution is that the main principles of data protection are still valid despite new technologies and globalisation. However, the level of data protection in the EU should benefit from a better application of the existing principles in practice. Some key improvements would help to face most of the current challenges.

The paper proposes the introduction of one comprehensive framework to replace the three main instruments mentioned before. It recognises the need for specific rules (leges speciales), provided that they fit in the notion of a comprehensive framework and comply with the main principles. The main safeguards and principles of data protection should apply to data processing in all sectors.

The EU and its Member States should guarantee the right to data protection for everybody, in so far as they have jurisdiction. Individuals should be able to claim protection also if their data are processed outside the EU. Therefore, the Commission is called upon to take initiatives towards the further development of international global standards for the protection of personal data. Binding Corporate Rules are also mentioned as important instruments for the protection of personal data outside the EU. A provision on BCR should be included in the new legal framework. The issues of jurisdiction and applicable law will be looked into separately at a later stage.

The paper states that Directive 95/46/EC has stood the test of technological change due to its sound and technologically neutral principles and concepts. These remain equally valid and applicable in today’s networked world. However, to counterbalance the risks for privacy and data protection, the principle of ‘Privacy by Design’ should be introduced in the new framework: privacy and data protection should be integrated in the design of ICT. This would require the implementation of ‘privacy enhancing technologies’, ‘privacy by default’ settings and the necessary tools to enable users to better protect their personal data. This principle should therefore be binding not only for data controllers, but also for technology designers and producers.

Stronger roles

In addition to these general measures, the position of the main actors – data subjects, data controllers and data protection authorities – should be reinforced.

Empowerment of data subjects requires, among other things, the improvement of redress mechanisms: more options for the data subject to exercise and enforce his rights, including the introduction of class action procedures, and more easily accessible, more effective and affordable complaints procedures and alternative dispute resolution. The new framework should also provide more transparency and specify the requirements for ‘consent’. Finally, the role of data subjects on the internet is an area of concern. In any case, whoever offers services to a private individual should be required to provide certain safeguards for the security and confidentiality of information uploaded by users, regardless of whether their client is a data controller.

The responsibility of data controllers should also be strengthened. Data protection should be better embedded in organisations and responsibilities for it should be expressly assigned. It would be appropriate to introduce in the comprehensive framework an accountability principle, so that data controllers are required to carry out the necessary measures to ensure that substantive principles and obligations are observed when personal data are processed, and to have the necessary internal mechanisms in place to demonstrate compliance to external stakeholders, including data protection authorities. This shift is likely to improve the effectiveness of data protection measures. Notifications of data processing operations to data protection authorities should be reduced or simplified.

The paper further envisages a stronger role for data protection authorities. The new challenges for data protection require stronger supervision, in a more uniform and effective way. The new framework should therefore guarantee uniform standards as to independence, effective powers, an advisory role in the law-making process and the ability to set their own agenda, in particular by setting priorities regarding the handling of complaints. International cooperation among data protection authorities should likewise be reinforced.

Law enforcement

Finally, the paper discusses the data protection challenges in the field of police and law enforcement. The general data protection principles should be equally applicable in this area, but with some further specifications. The challenges in this area include increasing data flows in order to face threats resulting from terrorism and organised crime, stimulated by technological developments. These data flows involve both exchanges among law enforcement bodies and exchanges with other organisations in the public or the private sector. A consistent framework would help to face the challenges in this area.

Notes

[1] Judgment of 9 March 2010 in Case C-518/07.
[2] TFEU: Treaty on the Functioning of the European Union, one of the two main elements of the Lisbon Treaty.
[3] “The Future of Privacy”, Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, adopted on 1 December 2009 (WP 168).