Personal data protection: a new strategy
The European Commission examines the modalities for revising the current legal framework relating to personal data protection. The aim is to modernise the legislation by adapting it to the challenges of globalisation and the use of new technologies, whilst protecting the rights of individuals.
Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions of 4 November 2010 - A comprehensive approach on personal data protection in the European Union [COM(2010) 609 final – Not published in the Official Journal].
Personal data comprises all information relating to an identified or identifiable person, either directly or indirectly.
This Communication proposes a new strategy for protecting personal data. It aims to revise the current legislative framework, specifically the Directive relating to the protection of personal data and the Directive relating to data protection in the electronic communications sector. As part of this revision, the Communication sets several objectives.
Objective 1: strengthening individuals’ rights
The right to personal data protection is a principle that follows from the Charter of Fundamental Rights of the European Union (EU). In order to protect this right, the European Commission wishes to develop a legal framework which takes into account the rapid growth of new technologies and social networks, in particular.
The Commission is considering introducing a general principle of transparent processing of personal data. To this end, it plans to draw up one or more EU standard forms of privacy information notices, and to implement a general obligation to notify personal data breaches.
It is also essential that individuals can exercise better control over their data, particularly when sending them online. To this end, the Commission wishes to improve the modalities for:
- the right of access;
- erasure or blocking of data;
- the ‘right to be forgotten’.
Objective 2: enhancing the internal market
There are currently divergences in how the Member States apply the Directive on the protection of personal data. The Commission therefore wishes to enhance the harmonisation of data protection rules at EU level.
Furthermore, still within the context of enhancing the internal market, the Commission also intends to reduce the administrative burden that data protection represents for enterprises. It therefore plans to harmonise the current notification system and to draw up a uniform EU-wide registration form. At the same time, certain modalities related to data processing must be more clearly defined through:
- the appointment of an independent Data Protection Officer;
- a data protection impact assessment;
- promoting the use of Privacy Enhancing Technologies (PETs).
Objective 3: revising the data protection rules in the area of police and judicial cooperation
In the Stockholm Programme the Commission highlighted the need to have a comprehensive protection scheme. Currently, Framework Decision 2008/977/JHA establishes cooperation in criminal matters relating to personal data protection which applies only to the exchange of data between EU countries. The Commission is considering extending, in the future, the application of these rules to data exchanged at national level.
Objective 4: developing international data protection
Personal data from third countries can circulate through Member States if the Commission considers that the level of data protection guaranteed by a third country is adequate. However, the criteria which enable the level of protection to be determined have not yet been clearly defined. The current procedures for international data transfers therefore need to be defined, as do the legal instruments applicable in this field.
Furthermore, the Commission wishes to harmonise the clauses relating to personal data protection contained in the international agreements concluded by the EU with third countries. In this regard, the Commission plans to enhance its cooperation with third countries and follow up the development of international technical standards.
Objective 5: strengthening the institutional arrangement
The Commission wishes to strengthen the role and powers of the authorities responsible for data protection. They should benefit from the status of ‘complete independence’. It is also crucial that they improve their cooperation and coordination.
Furthermore, the Article 29 Working Party shall also contribute towards improving the activities of the national authorities by ensuring a more consistent application of the European data protection rules.
A review of the current legal framework for data protection was launched during a conference in May 2009, followed by a public consultation. Following the consultation, the Commission shall present new legislative proposals in 2011.
This summary is for information only. It is not designed to interpret or replace the reference document, which remains the only binding legal text.