13 Data protection in the European Union
(32163) 15949/10 COM(10) 609 | Commission Communication: A comprehensive approach to personal data protection in the European Union
Legal base |
Document originated | 4 November 2010
Deposited in Parliament | 11 November 2010
Department | Justice
Basis of consideration | EM of 24 November 2010
Previous Committee Report | None
To be discussed in Council | No date set
Committee's assessment | Legally important
Committee's decision | Not cleared; further information requested
Background
13.1 The European Commission published this Communication
on 4 November 2010. The Communication outlines the challenges
facing the existing EU data protection legislative framework and
the Commission's key objectives for a comprehensive approach to
personal data protection. According to the Commission, the Data
Protection Directive (which the Data Protection Act 1998[105]
transposes into UK law) faces challenges from rapid technological
developments and globalisation. Article 16 of the Treaty on the
Functioning of the European Union gives the Commission power to
propose legislation to regulate the protection of personal data
when it is processed by EU institutions, bodies and agencies and
by Member States when carrying out activities "which fall within
the scope of EU law"; and to regulate the free movement of
personal data in the EU.
13.2 The Communication is intended to serve as a
basis for further discussions between the Commission, other European
institutions and interested parties with a view to developing
a new data protection legislative framework.
The document
13.3 The Commission has identified
several issues which it describes as being problematic and posing
specific challenges. These include: addressing the impact of technological
advances; enhancing the internal market dimension of data protection;
addressing globalisation and improving international data transfers;
providing a stronger institutional arrangement for the effective
enforcement of data protection rules; and improving the coherence
of the data protection legal framework.
13.4 The proposals put forward in the Communication
can be placed into five broad categories.
(A) STRENGTHENING INDIVIDUALS' RIGHTS
13.5 The Commission proposes
to clarify sections of the existing legislation to ensure a more
coherent application of data protection rules, taking into account
the impact of new technologies and the objective of ensuring the
free flow of personal data within the internal market. For example,
it proposes clarifying the definition of personal data and the right
of individuals to stop their data being processed or to have it
deleted when no longer needed for legitimate purposes. It also proposes to
introduce a general principle of transparent processing of personal
data to ensure that individuals are clearly informed about how
and why their data is being processed as well as how to exercise
their rights to access, rectify or delete their data. The Communication
proposes drawing up standard privacy information notices to be
used by data controllers as well as introducing specific obligations
for data controllers about the type of information they need to
provide to data subjects, including children.
13.6 The Commission proposes to examine mechanisms
for introducing a mandatory notification when rules on personal
data have been breached and for improving the ways in which data
subjects can exercise their rights of access, rectification, erasure
or blocking of data. The Commission also proposes to strengthen
the principle of data minimisation and the concept of 'data portability',
which would provide an individual with the explicit right to withdraw
his or her own data from a service without hindrance from data
controllers.
13.7 The Commission also proposes to raise public
awareness of the risks related to the processing of personal data
through measures such as awareness campaigns so that data subjects,
and in particular young people, are more aware of their rights
concerning data protection and the associated risks. The Commission
also sees value in clarifying and strengthening the rules on consent
as well as clarifying and harmonising the conditions for the processing
of 'sensitive data'. The Commission will also consider whether
new categories of data should be treated as 'sensitive data',
for example, genetic data.
13.8 In relation to the enforcement of data subjects'
rights, the Commission proposes to strengthen the existing provisions
on remedies and sanctions by, for example, allowing the possibility
of class actions and explicitly requiring that Member States provide
criminal sanctions in the case of serious data protection violations.
(B) ENHANCING THE INTERNAL MARKET DIMENSION
13.9 The Communication describes
how the divergence in Member States' implementation of the Data
Protection Directive can create legal uncertainty and increase
costs for data controllers operating in more than one Member State.
The Commission will propose further harmonised legislation to
reduce the divergences between the national laws implementing
the Directive. It will also seek to reduce the administrative
burden on data processors by simplifying the current notification
system, for example, by considering drawing up a uniform EU-wide
registration form.
13.10 The Commission also proposes to clarify Member
States' responsibility for providing the same degree of protection
to EU data subjects, regardless of the geographic location of
the data controller, including data controllers outside the EEA.
This is to ensure effective policies and mechanisms are in place
to ensure compliance with data protection rules. In furtherance
of this, it proposes to introduce an obligation for data controllers
to carry out a data protection impact assessment in specific cases
and further promote the use of Privacy Enhancing Technologies
and the concept of Privacy by Design.[106]
13.11 The Commission also sees value in further encouraging
self-regulatory initiatives by data controllers which the Commission
considers will contribute to a better enforcement of data protection
rules. It also wishes to explore the possible creation of EU certification
schemes for privacy compliant processes, technologies, products
and services so data controllers can show they have fulfilled
their obligations and to provide individuals with more information
when choosing such products.
(C) REVISING THE DATA PROTECTION RULES IN THE AREA
OF POLICE AND JUDICIAL COOPERATION IN CRIMINAL MATTERS
13.12 The Data Protection Directive
applies to all personal data processing activities in Member States
in both the public and the private sectors. However, it does not
apply to the processing of personal data 'in the course of an
activity which falls outside the scope of Community law', such
as activities in the areas of police and judicial cooperation
in criminal matters. The Lisbon Treaty has however abolished the
pillar structure of the EU and introduced a new and comprehensive
legal basis for the protection of personal data across Union policies.[107]
Against this background, and in the light of the EU Charter of
Fundamental Rights, the Commission Communications on the Stockholm
Programme and the Stockholm Action Plan highlighted the need to
have a 'comprehensive protection scheme' and to 'strengthen the
EU's stance in protecting the personal data of the individual
in the context of all EU policies, including law enforcement and
crime prevention'.
13.13 The Communication outlines[108]
a number of concerns in relation to the current Data Protection
Framework Decision.[109]
"The Framework Decision only applies to
the cross-border exchange of personal data within the EU and not
to domestic processing operations in the Member States. This distinction
is difficult to make in practice and can complicate the actual
implementation and application of the Framework Decision.
"Also, the Framework Decision contains too
wide an exception to the purpose limitation principle. Another
shortcoming is the lack of provisions that different categories
of data should be distinguished in accordance with their degree
of accuracy and reliability, that data based on facts should be
distinguished from data based on opinions or personal assessments,
and that a distinction should be made between different categories
of data subjects (criminals, suspects, victims, witnesses, etc.),
with specific guarantees laid down for data relating to non-suspects.
"In addition the Framework Decision does
not replace the various sector-specific legislative instruments
for police and judicial co-operation in criminal matters adopted
at EU level, in particular those governing the functioning of
Europol, Eurojust, the Schengen Information System (SIS) and the
Customs Information System (CIS), which either contain particular
data protection regimes, and/or which usually refer to the data
protection instruments of the Council of Europe. For activities
within the area of police and judicial cooperation all Member
States have subscribed to the Council of Europe Recommendation
No R (87) 15, which sets out the principles of Convention 108
for the police sector. This is not, however, a legally binding
instrument.
"This situation may directly affect the
possibilities for individuals to exercise their data protection
rights in this area (e.g. to know what personal data are processed
and exchanged about them, by whom and for what purpose, and on
how to exercise their rights, such as the right to access their
data).
"The objective of establishing a comprehensive
and coherent system in the EU and vis-à-vis third countries
entails the need to consider a revision of the current rules on
data protection in the area of police cooperation and judicial
cooperation in criminal matters. The Commission stresses that
the notion of a comprehensive data protection scheme does not
exclude specific rules for data protection for the police and
the judicial sector within the general framework, taking due account
of the specific nature of these fields, as indicated by Declaration
21 attached to the Lisbon Treaty. This implies, for example, a
need to consider the extent to which the exercise of certain data
protection rights by an individual would jeopardise the prevention,
investigation, detection or prosecution of criminal offences or
the execution of criminal penalties in a specific case."
13.14 The Commission plans to
launch a consultation of all concerned stakeholders in 2011 about
the best way to revise the current supervision of the data protection
rules in the area of police and judicial cooperation in criminal
matters.
(D) THE GLOBAL DIMENSION OF DATA PROTECTION
13.15 The Commission proposes
to improve and streamline the current procedures for international
data transfers to ensure a more uniform and coherent approach
toward third countries and international organisations. The Commission
considers that the exact requirements for recognition of adequacy
of the data protection regime in a third country are not currently
specified in satisfactory detail and this may lead to different
approaches to third countries or organisations. The Commission
will seek to clarify the adequacy assessment and define core elements
of EU data protection which could be used in international agreements.
13.16 Under the rubric 'Promoting universal principles',
the Commission says it will enhance its cooperation with third
countries and international organisations by continuing to promote
the development of high legal and technical standards of data
protection and closely follow up the development of international
technical standards by standardisation organisations.
(E) A STRONGER INSTITUTIONAL ARRANGEMENT FOR BETTER
ENFORCEMENT OF DATA PROTECTION RULES
13.17 The Commission proposes
to examine how to strengthen, clarify and harmonise the status
and powers of the national Data Protection Authorities. They are
described as "independent guardians of fundamental rights
and freedoms with respect to the protection of personal data,
upon which individuals rely to ensure the protection of their
personal data and the lawfulness of processing operations."
For this reason, the Commission believes that their role should
be strengthened, especially having regard to the recent case law
of the Court of Justice on their independence,[110]
and that they should be provided with the necessary powers and
resources to properly exercise their tasks both at national level
and when co-operating with each other.
13.18 The Commission will also examine ways to improve
cooperation and coordination between supervisory authorities and
strengthen the role of the Article 29 Working Party in this regard.
Better cooperation and coordination is particularly important
where multinational enterprises are based in several Member States.
13.19 The Commission has invited comments on the
Communication by 15 January 2011. It will then produce an impact
assessment in spring 2011 and publish legislative and non-legislative
proposals in mid-2011.
The Government's view
13.20 In his Explanatory Memorandum
of 24 November 2010, the Minister for State at the Ministry of
Justice (Lord McNally) says that the Commission's Communication
helpfully indicates the areas the Commission is looking at before
bringing forward a new legislative proposal on data protection.
In preparation for this, the Government launched a call for evidence
on 6 July 2010 to seek views on how the Data Protection Act 1998
is working. The call for evidence sought information from individuals,
businesses, the public sector, charities and other interested
parties about the current law on data protection. Ten workshops
were held for stakeholders so that matters arising could be discussed
in detail. These included representatives from the private and
public sectors, as well as civil society groups. Respondents were
asked for their views on how the current legislative framework
is working and suggestions to improve it.
13.21 The Minister tells us that the call for evidence
closed on 6 October 2010. The Government received a total of 161
responses and those responses are currently being analysed. The
Government expects to publish its response to the call for evidence
in early 2011. At the same time as conducting the call for evidence,
the Government published a provisional Post-Implementation Review
(PIR) of the Data Protection Act, which aimed to assess its costs
and benefits. The PIR is being updated to take account of evidence
provided during the call for evidence process. The Government
will take account of the responses to the call for evidence and
the findings from the PIR to inform its approach to future discussions
about the data protection legislative framework.
13.22 The Minister says that the Government's approach
to legislative changes in the area of data protection will be
informed by several factors including:
a proper evidence base for the proposed legislative change;
the resource implications for data controllers balanced against safer, more transparent data processing;
the impact on the Information Commissioner's Office;
the need to cater for the specific needs of law enforcement bodies because of the very different nature of law enforcement work; and
the benefits to data subjects.
Conclusion
13.23 We thank the Minister
for his Explanatory Memorandum.
13.24 We would be grateful to the Minister for
providing us, in due course, with:
a summary of the responses received from the call for evidence;
the final Post-Implementation Review of the Data Protection Act 1998; and
a summary of the response to this Communication, which the Government sends to the Commission.
13.25 In the meantime the
Communication remains under scrutiny.
105 95/46/EC.
106 On PETs see: Communication from the Commission to the European
Parliament and the Council on Promoting Data Protection by Privacy
Enhancing Technology (PETs) - COM(2007) 228. The principle of
'Privacy by Design' means that privacy and data protection are
embedded throughout the entire life cycle of technologies, from
the early design stage to their deployment, use and ultimate disposal.
This principle features inter alia in the Commission Communication
on 'A Digital Agenda for Europe' - COM(2010) 245.
107 Article 16 TFEU.
108 Paragraph 2.3, p 13.
109 2008/977/JHA.
110 Commission v Germany C-518/07.