This post was written by Nick Tyler.
In a recent speech, Viviane Reding, the EU Commissioner with responsibility for European Union data protection policy, identified ‘four pillars’ upon which the privacy rights of EU citizens “need to be built” so that individuals have more control over their personal data in today’s online world.
Reforming EU data protection is Commissioner Reding’s “top legislative priority” and the new proposals are expected this summer.
The ‘four pillars’ are:
- The right to be forgotten,
- Transparency,
- Privacy by default, and
- Protection regardless of geographic location.
The “right to be forgotten” (also alarmingly termed the “right to oblivion”) will comprise “a comprehensive set of existing and new rules to better cope with privacy risks online”. This new “right” will require the data controller to demonstrate the need for collecting personal data and to delete data held if consent to processing is withdrawn.
While transparency has always been a fundamental principle, Commissioner Reding is advocating transparency as a new right. This would fundamentally shift transparency from being an obligation on data controllers to a right giving individuals more control over their data. The shift seeks to address the risk, as perceived by regulators and policy makers (particularly in the context of social networks), that personal data is misused, especially the personal data of young people. These paternalistic concerns appear to be driving Commissioner Reding’s call for “privacy by default”.
There is potential for confusion with this new term in that “privacy by default” could easily be mistaken for the concept of “Privacy by Design”, which was recently adopted as a guiding principle by the global data protection community. In fact, “privacy by default” is a much more basic idea and signals a policy shift towards more explicit consent from individuals. Its implementation would challenge existing data collection practices currently relied on through available software applications. While the focus on “explicit consent” is initially concerning, Ms Reding does appear to recognise other lawful reasons for collection and use, apart from consent. We can only hope that the “legitimate interests” of the controller continue to provide a lawful basis to rely upon in practice, subject, of course, to any overriding interest of an individual.
Commissioner Reding has taken a particularly robust stance on the extra-territorial application of EU data protection laws to ensure protection of EU citizens’ data irrespective of geographic location:
“Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.”
To make this commitment more realistic in practice, the Commissioner recognises the need to “reinforce the independence and harmonise the powers” of Member States’ privacy regulators through a more coordinated approach to EU-wide enforcement and regulation.
That’s a mighty challenge in itself, since the existing European data protection landscape remains notoriously inconsistent and unpredictable, with many regulators anxious to address criticism of ineffectual regulation by exercising enforcement powers. This is all likely to increase the heat on the compliance and legal functions, as well as the boardrooms, of many enterprises with EU operations. It looks like we can all look forward to a long, hot summer!