Enhanced protection of personal data
EU data protection rules are bound to become more stringent. The European Commission is gearing up to review the current law in 2010 with the precise objective of increasing data protection for internet services such as webmail, social networks and online banking as well as in a number of other sectors such as finance and health care.
The current EU directive which regulates the processing of personal data already sets strict limits on the collection and use of personal data and obliges each member state to set up an independent national body responsible for the protection of such data. It lays down guidelines which determine when the processing of personal data can be considered to be lawful. In particular it provides that any personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes.
Furthermore, personal data may be processed only if the data subject has unambiguously given his/her consent or if processing is necessary in certain specified circumstances. All these regulations have already been transposed into Maltese law and operators in various industries have sought to adapt themselves to the various obligations emanating from data protection law.
Now it seems that industry will shortly have to adjust itself to even stricter rules than the ones currently in place. Taking into consideration the substantial increase in the exchange of personal data as consumers make use of available services in their daily lives, together with the increase in misuse of such data, the European Commission is set to ensure that the current rules are reviewed in a way that increases data protection.
The new telecoms package, which is bound to come into force shortly, already contains new rules to tackle data breaches. However, the Commission has deemed these new rules insufficient and is insisting that legislative improvements to tackle data breaches are also necessary in other sectors, particularly insofar as online services are concerned. Online services comprise a wide range of services, including social networks, e-commerce services such as eBay, online banking and webmail services such as Gmail or Hotmail.
However, it is not only online services that are a cause for concern for the Commission. Certain sectors such as transport, finance and health care rely extensively on private information, and therefore tougher rules to prevent data breaches and to inform users about them could possibly be introduced in these sectors as well.
What the Commission seems to have in mind so far is to introduce an obligation to notify breaches. Another option seems to be to offer operators within the industry an exemption from liability if they can show that they have put in place certain minimum security standards. Both measures have attracted criticism from industry. Operators fear that a notification obligation could well increase the perception of risk amongst users of services, resulting in less use of the available services. On the other hand, the other measure could well imply extra costs for industry, as it would necessitate updated security infrastructure and increased use of measures such as encryption and secured access.
The final decision as to which provisions will actually be introduced will be taken next year, when the current rules are reviewed. Obviously, any such amendment of EU rules will have to be transposed into national law, resulting in an amendment of the national data protection rules as they stand today.
Dr Vella Cardona is a practising lawyer and a freelance consultant in EU, intellectual property, consumer protection and competition law. She is also a visiting lecturer at the University of Malta.
mariosa@vellacardona.com