Deconstructing the privacy macaron
This article was first published in Data Protection Law & Policy in November 2011.
Compact. Self-contained. Multi-layered. Hard to penetrate and rich inside with a mix of flavours and tones. Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law. But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.
So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?
- A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.
- Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.
- Applicability based on establishment and targeting of European residents – The novelty is that the current "use of equipment in the EU" criterion will be replaced by a test based on data processing directed at individuals who live in the EU.
- Privacy principles – Transparency, finality, proportionality and data quality are all likely to be there, but for added flavour expect some new ones, such as data minimisation and accountability.
- Consent – Individuals' consent will remain a cornerstone of European data protection law, but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual's freedom of choice.
- Big rights – Some rather radical changes are likely to come in the shape of new or strengthened rights for individuals. Top of the list will be the much publicised right to be forgotten, followed closely by data portability rights. No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.
- Controller's responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.
- Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.
- International data transfers – Greater flexibility is expected on this issue, alongside express recognition of binding corporate rules, which will be available to both controllers and processors. An area of concern, however, is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflicts.
- Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence. In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU. We can also assume that greater international coordination mechanisms will be in place.
- Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.
All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today's and tomorrow's data protection. Whether the result will suit everyone's taste is a different matter.