New European Commission Privacy Recommendations
November 5, 2010
The EC released its new privacy recommendations on Thursday to update the 15 year old EU privacy regime. The report contains the Commission’s findings from their analysis over the past year and announces an intention to investigate a number areas in more depth with the goal of proposing legislation in 2011. The impetus as described by the Commission is that today’s challenges “require the EU to develop a comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond.”
I suspect that for some the principles may be perceived as new administrative overhead and obstacles to an “optimum user experience.” My quick take (personal opinion) is that the findings and areas of study represent a move in the right direction. Ofcourse, the devil is in the details which will evolve over the coming year, so we’ll see. As the EC develops its new framework, finding reasonable and practical ways to implement the proposals will be essential to their success.
This is even more interesting given that the US Federal Trade Commission has indicated its coming out with recommendations soon. These would also likely result in legislation next year as well. It would be great (if not just common sense) to see as much harmonization between the two frameworks as possible. We can still dream.
Welcome any thoughts or observations about the proposal. Some highlights from the report are shown below, but the report is worth the read.
- The Commission will consider how to ensure a coherent application of data protection rules, taking into account the impact of new technologies on individuals’ rights and freedoms and the objective of ensuring the free circulation of personal data within the internal market.
- The Commission will examine ways of clarifying and strengthening the rules on consent.
- The Commission will consider:
- introducing a general principle of transparent processing of personal data in the legal framework;
- introducing specific obligations for data controllers on the type of information to be provided and on the modalities for providing it, including in relation to children;
- drawing up one or more EU standard forms (‘privacy information notices’) to be used by data controllers.
- The Commission will therefore examine ways of:
- strengthening the principle of data minimisation;
- improving the modalities for the actual exercise of the rights of access, rectification, erasure or blocking of data (e.g., by introducing deadlines for responding to individuals’ requests, by allowing the exercise of rights by electronic means or by providing that right of access should be ensured free of charge as a principle);
- clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person’s consent and when he or she withdraws consent or when the storage period has expired;
- complementing the rights of data subjects by ensuring ’data portability’, i.e., providing the explicit right for an individual to withdraw his/her own data (e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers.
- The Commission will examine the following elements to enhance data controllers’
- making the appointment of an independent Data Protection Officer mandatory and harmonising the rules related to their tasks and competences31, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises;
- including in the legal framework an obligation for data controllers to carry out a data protection impact assessment in specific cases, for instance, when sensitive data are being processed, or when the type of processing otherwise involves specific risks, in particular when using specific technologies, mechanisms or procedures, including profiling or video surveillance;
- further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’.