This article is also available in:
Deutsch: Europäische Kommission setzt den nächsten Schritt zur Überprüfung ...

The European Commission has published a Communication on "a comprehensive approach to personal data protection in the European Union", as the final stage in the consultation process leading to a review of the 1995 Data Protection Directive.

Based on its work on this dossier to date, the Commission has identified the need to address several key priorities, the first of these being to adapt to the impact of new technologies. Three further priorities (enhancing the single market, providing stronger institutional arrangements and improving coherence) address a core problem that unites pretty much everybody concerned with the current framework - the lack of consistency and predictability in the implementation of the Directive. This consistency will be tested by the broader applicability of the Directive as a result of the Lisbon Treaty. A further priority will be to strengthen international measures, to ensure protection of personal data on a global level, particularly as a result of developments such as outsourcing.

These priorities are honed down it the Commission's Communication into several specific objectives.

The first objective is the strengthening of individuals' rights. The Commission raises the issue of the definition of personally identifiable data in this context and says that additional measures are needed. The aim is to ensure a coherent application of data protection rules, taking into account the impact of new technologies on individuals' rights and freedoms and the objective of ensuring the free circulation of personal data within the internal market.

The second objective is more difficult still - to increase transparency for data subjects. The Commission proposes three different strands of action on this point. It suggests a general principle of transparent processing, bolstered by specific obligations on what information to provide and how to provide it and with standard EU forms for data controllers. Finally, as it was almost unavoidable after the introduction of a sector-specific breach notification obligation in the e-privacy Directive, the Commission suggests a general breach notification obligation.

The third objective is a clearer power of citizens to have control over their own data, where theoretical rights granted by the existing Directive are currently very difficult to enforce in practice. The aim of the Commission is to improve the procedures for exercising the rights of access, rectification, erasure and blocking of data - including the "right to be forgotten" - and "data portability" ("as far as technically feasible" - which will obviously need to be carefully worded to avoid businesses devising systems to make this technically unfeasible).

The fourth objective is to increase the level of awareness of data protection rights in Europe, including funding for this via the EU budget and through an obligation on Member States to raise awareness.

Fifth, the Commission sets an objective of ensuring free and informed consent but, unsurprisingly, as this is a particularly difficult issue, it makes few proposals at the moment, beyond suggesting that self-regulatory initiatives designed to develop solutions consistent with EU law may be a way of making progress.

The sixth objective is updating the protection for sensitive data, in particular with regard to the extension of the definition of sensitive data and harmonizing the conditions for processing such data.

Finally, and importantly, the Commission wishes to prioritise the issue of making remedies and sanctions more effective. It suggests that this could be done via group actions and strengthening existing provisions on sanctions.

With regard to the single market, the Commission recognizes the failures of the existing framework and undertakes to "examine the means to achieve further harmonisation of data protection rules at EU level." The Commission aims to achieve this in part through a simplification of the current notification system. Following from this, it will seek to solve the issue of applicable law, which is causing problems for companies established in several EU Member States. The Commission undertakes to examine how to revise and clarify the existing provisions on applicable law.

The Commission is keen to ensure that simplification of procedures will not lead to a weakening of rights and therefore aims to create specific obligations including data protection impact assessments and the use of privacy enhancing technologies. This approach would be bolstered by self-regulatory initiatives such as codes of conduct.

The Commission ambitiously aims to address the problems of data protection in the field of police and judicial cooperation. While there is a Framework Decision on this subject, it does not cover domestic processing of data and also is too weak with regard to purpose limitation. To overcome these and other problems, the Commission suggests considering the extension of the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters and considers the possibility of specific and harmonised provisions in the new general Data Protection Framework, for example on data protection regarding the processing of genetic data for criminal law purposes or distinguishing the various categories of data subjects (witnesses, suspects etc.) in the area of police cooperation and judicial cooperation in criminal matters. In addition, it is contemplating a specific consultation on the revision of current supervision systems in this area and the alignment of existing sector-specific rules to the general data protection framework.

With regard to the many and varied problems related to international data transfer, the Commission says that it intends to examine how to improve and streamline the current procedures for international data transfers, to clarify the Commission's adequacy procedure and better specify the criteria and requirements for assessing the level of data protection in a third country or an international organisation. It will also look at defining core EU data protection elements, which could be used for all types of international agreements.

Consultation - A comprehensive approach on personal data protection in the European Union (4.11.2010)
http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_e...

Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (27.11.2008)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32008F0977...

(Contribution by Joe McNamee - EDRi)