EU Justice Commissioner Viviane Reding’s recent address at an EPP Group Public Hearing to European Parliamentarians on the cost of data protection compliance rightly raised a number of interesting
EU Justice Commissioner Viviane Reding’s recent address at an EPP Group Public Hearing to European Parliamentarians on the cost of data protection compliance rightly raised a number of interesting points, not least on the issue of current data protection notification obligations, which look set to be abolished in a bid to eliminate those administrative obligations that are “unnecessary and ineffective”.
However, her address also raised a number of other interesting points:
First, we again have an instance of a senior member of the European Commission talking candidly about weaknesses in the current Data Protection Directive, the importance of change and the need to make such change a “top legislative priority”. Ms. Reding’s address rightly highlights that the effective regulation of personal data (a significant “economic asset” to many businesses) affects us all, whether individuals, businesses or regulators, and that a fresh solution is required: major changes in technology and business practices have occurred since the heady days of 1995 when the Directive was adopted, and this address is a tacit acknowledgement that the current data protection regime is showing its age.
Secondly, her address highlights that the Commission is alive to the “legal uncertainty and costs” associated with the principle of ‘establishment’ – the concept that businesses must comply with the data protection laws of those member states in which they have an office or equipment for data processing activities - and the legal and practical limitations of this concept in today’s world of cloud-computing, social networking and multi-national processing operations. Her comments further support the view that the future data protection regime is likely to account for the location of data subjects and not just the location of businesses or their IT, in determining where and when EU data protection rules apply.
Finally, her address talks about introducing “intra-company standards rules officially in the new legislation”, simplifying their procedure and introducing the ‘mutual recognition’ principle – hinting at further streamlining of the BCR process and a desire to put it on an official, legislative footing in a bid to improve harmonisation. Interestingly, her address refers to the possible expansion of such “intra-company standard rules” to “groups of companies” – whilst it is difficult to interpret exactly what she meant by this, one possibility is that the Commission may be considering the introduction of sector - or industry-specific rules for companies that process data, such as sector-specific rules for the pharma, finance and telco sectors.
While the questions and speculation will continue, the potential form of the new framework is slowly starting to become clearer.
The full text of Ms. Reding’s speech is available online here.
However, her address also raised a number of other interesting points:
First, we again have an instance of a senior member of the European Commission talking candidly about weaknesses in the current Data Protection Directive, the importance of change and the need to make such change a “top legislative priority”. Ms. Reding’s address rightly highlights that the effective regulation of personal data (a significant “economic asset” to many businesses) affects us all, whether individuals, businesses or regulators, and that a fresh solution is required: major changes in technology and business practices have occurred since the heady days of 1995 when the Directive was adopted, and this address is a tacit acknowledgement that the current data protection regime is showing its age.
Secondly, her address highlights that the Commission is alive to the “legal uncertainty and costs” associated with the principle of ‘establishment’ – the concept that businesses must comply with the data protection laws of those member states in which they have an office or equipment for data processing activities - and the legal and practical limitations of this concept in today’s world of cloud-computing, social networking and multi-national processing operations. Her comments further support the view that the future data protection regime is likely to account for the location of data subjects and not just the location of businesses or their IT, in determining where and when EU data protection rules apply.
Finally, her address talks about introducing “intra-company standards rules officially in the new legislation”, simplifying their procedure and introducing the ‘mutual recognition’ principle – hinting at further streamlining of the BCR process and a desire to put it on an official, legislative footing in a bid to improve harmonisation. Interestingly, her address refers to the possible expansion of such “intra-company standard rules” to “groups of companies” – whilst it is difficult to interpret exactly what she meant by this, one possibility is that the Commission may be considering the introduction of sector - or industry-specific rules for companies that process data, such as sector-specific rules for the pharma, finance and telco sectors.
While the questions and speculation will continue, the potential form of the new framework is slowly starting to become clearer.
The full text of Ms. Reding’s speech is available online here.