In today’s digital environment, the increasingly widespread use of social networking sites and location-based services and the constant collection of data for advertising purposes make the protection of privacy online a fundamental issue.
According to a recent Eurobarometer, 70% of Europeans are concerned that their personal data may be misused[i]. European citizens place a high value on privacy, explicitly guaranteed by Article 8 of the EU’s Charter of Fundamental Rights. The centerpiece of the present EU data protection framework was adopted 17 years ago, at a time when the Internet had not yet revolutionised our everyday life and cybersecurity was not yet an imperative[ii].
The series of hacks recorded in 2011, affecting the PlayStation Network[iii] as well as Citigroup[iv], increased demand for a modernised and strengthened data protection framework. Additionally, the lack of uniform transposition into national legislation resulted in a patchwork of different obligations for enterprises and varying levels of protection.
The European Commission finally proposed a comprehensive reform on 25 January: a Communication and two legislative proposals, a Regulation setting out a common EU framework for data protection and a Directive on data processed for criminal offences and related judicial activities. The draft reform aims to build a single, stronger and more coherent data protection framework, allowing the development of the digital economy while guaranteeing greater control over personal data and reinforced legal certainty. Yet several points have been the object of heavy criticism from both national authorities and enterprises.
Key changes include a right for individuals to access their own data and to have it erased (what has been called “a right to be forgotten”) if there are no legitimate grounds for retaining it. Enterprises are required to establish data protection structures with numerous prescribed obligations, while independent national data protection authorities will be allowed to sanction violations of EU data protection rules with fines of up to €1 million or up to 2% of a company’s global annual turnover. This pushed enterprises like Microsoft Europe to express concern that the regulation might be “too restrictive”[v].
Additionally, companies based outside the EU, but which target their services to EU consumers, will be subject to EU data protection law as well.
The German Minister of the Interior and a Federal Constitutional Court Judge already criticized the choice of a regulation in early December. Since in Germany not only courts but also individual citizens can appeal to the Constitutional Court when they feel their fundamental rights have been violated, the new regulatory framework could ironically reduce German citizens’ rights. German courts would no longer decide on the interpretation of data protection law, but would need to refer critical cases to the European Court of Justice[vi]. The French CNIL agreed that national authorities risk being reduced to the role of a mailbox, amounting to a “real regression towards the citizens’ rights”[vii].
So, do we really need a new regulation? The fact that the 1995 directive failed to impose a common level of protection in all EU member states means that an Internet company cannot operate across the 27 member states under the same rules. These enterprises have therefore urged EU lawmakers to simplify the existing practice[viii]. The lack of uniformity has to be addressed: although national authorities complain that a European regulation would essentially deprive them of their supervisory powers, in some member states the existing system does not ensure effective protection. While the global dimension of data exchange calls for harmonisation of rules outside Europe as well, fixing a common level of protection should allow national authorities to continue to play their essential role of inspection, investigation and regulation.
However, as the Commission’s proposals are now to be passed on to the European Parliament and the EU Council of Ministers for discussion, they are likely to undergo a lively debate and some points might be significantly changed.
[i] “Data Protection: Europeans Share Data Online, But Privacy Concerns Remain – New Survey”, European Commission, Brussels, 16 June 2011. http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/742&format=HTML&aged=0&language=EN&guiLanguage=en
[ii] “Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st Century”, COM(2012) 9 final.
[iv] Smith R., “Citigroup Says Hacking Affected 360,000 Cards”, The Wall Street Journal, 26 June 2011. http://online.wsj.com/article/SB10001424052702304319804576388643469171586.html
[vii] “Draft EU Regulation on Data Protection: The Defense of Data Protection Driven Apart From Citizens”, ibidem.
[viii] Pfanner E., “A Proposal for EU Wide Data Protection Regulation”, The New York Times, 29 November 2011. http://www.nytimes.com/2011/11/30/technology/a-proposal-for-eu-wide-data-protection-regulation.html