An overhaul of European Privacy Standards may be afoot

30 Mar 2010

In her recent speech ‘Next Steps for Justice, Fundamental Rights and Citizenship in the EU’, on March 18, the newly appointed Commissioner for Justice, Fundamental Rights and Citizenship, Viviane Reding emphasised the need, amongst other things, to (a) substantively overhaul European privacy legislation, particularly the Data Protection Directive; and (b) foster more effective e-commerce by harmonising European contract law.

Reding said a legislative draft of a new Directive will be published in the autumn of this year. This announcement of legislative reform is timely – the Data Protection Directive has governed our privacy for a decade and a half now, and while it is a forward-looking piece of legislation, it has attracted increasing attention from some quarters for being unwieldy, complex, bureaucratic, too broad in scope and costly.

Areas for consideration will include: (I) the changes brought about to the Directive as a result of the Lisbon Treaty; (II) the fact that there have been major advances in technology since the introduction of the Directive in 1995, and its accompanying implementing legislation; and (III) issues of enforcement and resources. Other areas for consideration could potentially include the exemptions currently provided for under the Directive, as well as the definitions of some important terms. For example, one of the most important, yet misunderstood, definitions of the Directive is that of ‘personal data’.

Data Protection and the Lisbon Treaty

As noted in her speech, the entry into force of the Lisbon Treaty significantly affects the data protection framework in a number of ways. First, under Lisbon, the protection of personal data is recognised as a fundamental right.  

As stated in Article 16 of the Treaty:

    (1) Everyone has the right to the protection of personal data concerning them. (2) The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

Second, the European Charter of Fundamental Rights affords every EU citizen the right to personal data protection. It states that personal data should be processed fairly, with the individual’s consent and for relatively specific purposes. With the coming into force of the Lisbon Treaty, the Charter of Fundamental Rights is now a legally enforceable document not only on the EU institutions, but also on the member states as regards the implementation of European law.  

Third, an additional change brought about by the Lisbon Treaty is the elimination of the three pillar structure. In practical terms, the abolition of the third pillar introduces qualified majority voting and co-decision with the European Parliament. This has positive implications for the enforcement of privacy and data protection legislation, although the legislative process becomes more complex.

Reding Reforms – European Privacy Legislation

In her speech, Commissioner Reding made reference to the public consultation on data protection already in operation. Some 160 submissions have already been received. Significantly, the Commissioner has voiced her own preference for the introduction of a ‘Privacy by Design’ (PbD) model.

Privacy by design (PbD) was developed in Canada by Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, in the 1990s. PbD is an approach where privacy and data protection compliance is designed from the outset into systems holding information, rather than being subsequently added on or ignored. At the heart of the PbD model are seven core privacy principles. These include:

  1. Proactive not reactive; preventative not remedial
  2. Privacy as the default model of protection
  3. Privacy embedded into the design
  4. Full functionality – positive sum, not zero-sum
  5. End-to-End lifecycle protection
  6. Visibility and transparency
  7. Respect for user privacy

PbD is something that is already gaining significant traction within the EU. A prime example is that of the UK, and the Information Commissioner’s Office, which has already published literature on privacy impact assessment (PIA), and briefing notes on privacy enhancing technologies (PETs).

(b) More effective E-Commerce by Harmonising European Contract Law

In addition to the measures proposed above, Commissioner Reding has proposed a second area of reform that impacts on the digital future, specifically e-commerce and the introduction of a harmonised European contract law. If such a European contract law were to be introduced, it could significantly boost trade and commerce, reduce litigation and relieve many of the trans-border disputes that inevitably accrue through member state trade.

While the Reding reforms appear to be very ambitious, they will be contentious. Eyes will be firmly fixed on the legislative proposals due for publication at the end of this year. 


As an Independent forum, the Institute does not express any opinions of its own. The views expressed in the article are the sole responsibility of the author.


Adrian Bannon says: 12 Apr 2010 10:38

On Friday April 9, Commissioner Reding and the European Commission announced the publishing of a negotiating mandate in June 2010 for an overarching agreement with the United States on data protection. It is expected that this agreement will cover all information exchange deals between the EU and the United States.