This post was also written by Nick Tyler.
On July 13, 2010, the influential Article 29 Working Party (“Working Party”), consisting of all the European Union’s national data privacy regulators, adopted Opinion 3/2010 on the principle of accountability (the “Opinion”).
This is an important contribution to the European Commission’s review of the European Data Protection Directive 95/46/EC (Data Protection Directive), a draft of which had been expected later this year, but is now expected some time in late 2011. In essence, the Opinion builds on good practice in the area of global regulatory compliance, advocating the introduction of a “principle of accountability” in the revised Data Protection Directive that “would explicitly require data controllers to implement appropriate and effective measures to put into effect the principles and obligations of the [Data Protection] Directive and demonstrate this on request.” The Working Party objective is to “encourage data protection in practice” by requiring data controllers to take a strategic, risk-based approach when determining effective and appropriate measures based on the nature of the personal information being processed and the risks represented by such processing.
It is going to be several years before any revised Data Protection Directive is agreed and in force throughout Europe. In the meantime, organisations are encouraged to follow the lead of an increasing number of data controllers who are taking responsibility for their data privacy obligations through the adoption of robust data privacy compliance programs. In so doing, they are holding themselves accountable to their stakeholders, including data protection authorities and data subjects, for that commitment to good practice.
The Working Party suggests that not only are such organisations more likely to be in compliance with the law, but, in the event of a data protection violation, data protection authorities also “could give weight to the implementation (or lack of it) of measures and their verification in considering sanctions.”
The Opinion is an important output of the Working Party and provides a clear indication of how the European data protection authorities view the real-world challenges facing data controllers.
To view the entire alert please click here. For additional information please contact one of the authors.