The right to privacy does not exist in a vacuum. Likewise, the tools available to protect such rights need to reflect today’s world in order to be mostly effective.
It is in this landscape that the European Union is presently considering revising its data protection rules through a new Regulation intended to update existing legal regimes but the road ahead is a tricky one indeed as the balance between the rights of individuals and corporate interests is not easy to achieve.
The proposed Data Protection Regulation was published in January 2012 and its adoption is aimed at 2014 but there is still a long way to go in its legislative process especially when the European Parliament still needs to take a vote in plenary session. It is expected that there shall be at least a two year transition period from its adoption, if at all, before the Regulation becomes effective.
Whilst the EU Commission believes that the proposed Regulations will be beneficial to European economy, the industry has been vociferous in its criticism on various prescriptive aspects introduced by the Regulation and which will mean huge costs to get their organisations in line with the new rules.
The on-going discussions on the proposed Regulations have been marred by controversy following a vote by the Industry, Research and Energy Committee (ITRE) of the European Parliament which proposed some changes to the original draft which led to accusations that some MEPs copied and pasted a number of amendments to the draft which are identical to a number of proposals by various international companies on the initial draft and thus weakening the scope of the Regulation through a watered down version of the proposed regime. The draft will now be considered by the Civil Liberties, Justice and Home Affairs Committee (LIBE) of the European Parliament.
The main scope behind the proposed EU Data Protection Regulation is to update current legislation which is presently mainly regulated by means of the EU Directive 46/95/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The proposed Regulation is aimed towards ensuring that applicable data protection rules reflect technological state of play such as social networks and cloud computing, the reality of data globalization as well as ensuring that the new rules can cater for future innovation. Another key aspect is that under the proposed scheme, harmonisation of data protection requirements across Member States will be significantly facilitated due to the fact that, as opposed to a Directive which Member states have to individually transpose and implement within their own national regimes, a Regulation is directly enforceable thereby avoiding situations where national rules are not completely identical or give rise to ambiguities.
Of special importance is the proposed Article 23 which introduced the concepts of privacy by design and privacy by default. Data protection should be designed into the business processes for services and products and not simply considered as an afterthought. Also, default privacy settings on services and applications should be high. This reflects and responds to the various criticisms which were levelled towards social networks, most notably Facebook, which had changed their privacy settings in the past and set the default to low.
The rise of social networking applications and the risks that such tools pose to our privacy has also been addressed in the new Regulations by means of the introduction of a right to be forgotten. Even though such right is already present in current rules, the wording used in the proposed Regulation is much stronger. Data portability is also explicitly addressed in the new Regulation whereby data subjects will have a right to request a copy of the personal data being processed about them in a format they can use and also be able to transmit such data to another processing system such as a competing social network or data processor.
The new proposed regime would extend the applicability of data protection rules not only to EU companies processing personal data but also to foreign companies processing data of EU citizens and introduces a much tougher compliance regime whereby companies can face penalties of up to 2% of their worldwide turnover even though this mandatory fine regime has been rejected by ITRE. Some quarters have even gone as far as claiming that the position taken by ITRA was the result of pressures from various lobbying groups representing multi-national companies who do not want data privacy rules effect their bottom line through the high costs of compliance that the new framework might introduce.
It is still very early to gauge what will the final text of the Regulation look like. As in other situations, conspiracy theories will mushroom. At least the impetus by the Commission to ensure that the revised rules come to port is still strong. Let us hope that the final version of the Regulation will not be too watered down in the end.
No comments:
Post a Comment