This article is also available in:
Deutsch: EDRi Stellungnahme zum Konsultationsverfahren zur Datenschutz-Richtlin...
Building on the analysis produced for the European Commission's initial data protection consultation in 2009, European Digital Rights has submitted its second round of comments on the review of the 1995 Data Protection Directive.
One of EDRi's primary concerns with regard to the existing legal framework is the lack of predictability - due to vast differences in the way basic parts of the Directive are understood by Member States' authorities and courts as well as the powers and resources of national data protection authorities. This led EDRi to the conclusion that a directly applicable EU Regulation is needed, rather than the current situation, where 27 Member States have to implement a Directive into their national law, leading to these diverging implementations.
Another core problem to address is the plummeting costs of data processing which causes more and more data to be collected and used. Such processing will lead to ever-greater risks being taken with personal data unless legal provisions ensure that the risk-reward balance for data processors is adapted appropriately.
Processing of personal data by states comes in for particular criticism in EDRi's submission. The actions of Member States must be consistent with what they expect from private companies, and there are many examples of this not being the case. There are numerous examples of electronic patient records, e-government systems and public transport payment systems which do not respect "privacy by design", data minimization and other key principles. Worse still, the broad exception given to Council of Europe Member States in that institution's Recommendation on profiling, which accepts in principle that the most basic of privacy protections, may be set aside by European governments.
Regarding data processing by companies, EDRi welcomes many of the policies described in the Commission Communication, such as data minimization, the right to be forgotten, rights of access and erasure of data etc, but points out that many of these rights are already in the existing legislation. The task at hand, therefore, is not to re-legislate for existing rights, but to establish why these rights are not readily enforceable.
Concerning new technologies, EDRi suggests that there are three trends which need to be taken into account - the exponential growth in personal data processing capabilities, the growing disconnection between data processing and physical location and the Internet of Things.
In order to improve implementation, EDRi called for increased implementation powers for national data protection authorities (DPAs) as well as a targeted reduction in the administrative burden. The reduction of the administrative burden should (and must) lead to national DPAs having more time and resources to devote to practical improvements in privacy protection for data subjects.
Both the change of legal environment as a result of the Lisbon Treaty and the increasing trend for data collected by private companies to be used for policing purposes means that it is essential to include data collected for policing purposes in the Directive. A strong data protection framework is the minimum price that should be paid for the levels of police and security cooperation that are currently demanded and enacted within the EU and between the EU and third states.
EDRi believes that a Regulation would be a better instrument to ensure clarification and simplification of rules for international data transfers. EDRi believes that the current "safe harbour" exceptions result in an opaque and unaccountable situation for data subjects. At the same time, EDRi feels very strongly about retaining the base principle that personal data should not be exported to jurisdictions without safeguards that are materially similar to those within the European Free Trade Area.
Finally, EDRi drew attention to a separate consultation that overlaps with the Commission's work on Data Protection - the Communication on the IPR Enforcement Directive. This latter Communication seeks to undermine the fundamental right to privacy by suggesting an opaque effort to "rebalance" rights to the benefit of so-called property rights. It is entirely and obviously unacceptable that the European Commission can simultaneously be negotiating ratification of the European Convention on Human Rights and seeking to undermine its core provisions.
EDRi response to 2010 Communication on Data Protection Directive revision
(15.01.2011)
http://www.edri.org/files/20110115_EDRi_data_protection_final.pdf
European Commission 2010 Communication on Data Protection Directive
revision (4.11.2010)
http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_e...
Data Protection Reform Strategy: EDPS sets out his vision for the new
framework (18.01.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...
Communication on IPR Enforcement Directive (22.12.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0779:FI...
EDRi response to 2009 Consultation on Data Protection Directive revision
(13.01.2010)
http://www.edri.org/edrigram/number8.1/position-data-protection-review
(Contribution by Joe McNamee - EDRi)