The rapid pace of technology changes, coupled with the notion of globalisation, is prompting new questions and bold challenges. Challenges in the privacy arena are mushrooming. Nowadays, clearer and more consistent data protection rules have become the order of the day for privacy experts and these are imperative to guarantee each citizen the right to privacy.

With the entry into force of the Lisbon Treaty last year, the European Commission was mandated to devise a comprehensive strategy to strengthen data protection rules and to protect the right to privacy, a fundamental right within the European Union.

In a bid to address the new challenges and commence the implementation of the new strategy, the Commission is currently revising the Data Protection Directive. Revamping the fifteen-year-old privacy rules is no walk in the park for legislators, given that the challenges created by social networking sites and search engines, in particular, are pressing.

However, a fellow reader might feel compelled to ask: isn’t the current privacy framework a solid legislation for the protection of the individuals’ right to privacy given its technology neutrality and given that it has worked exceptionally well for the last fifteen years? So, why do we need to change?

This question has been posed to the Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, Viviane Reding, who has firmly declared that, notwithstanding the fact that Europe has the best data protection law in the world, privacy has become a moving target and consequently the new risks require to be better addressed whilst providing enhanced legal remedies.

The strategy embarked upon by the Commission ascertains that citizens’ rights are further protected both offline and online, both in their private and business relations, both in the context of civil and criminal law and also, both within the European Union, and in the relations with third countries. These notions have been clearly expressed in a recent Commission communication concerning “a comprehensive approach on personal data in the European Union.” The main proposals set out in the communication address the ways on how to modernise the EU framework for data protection rules.

A first proposal contained in the communication, reinforces the belief that individuals need to be able to maintain control over their personal data. This is particularly important in the online world, where data protection practices are often unclear, non-transparent and not always in full compliance with existing rules. The process of collecting personal data has become increasingly elaborate and less easily detectable, for instance, by the use of geo-location devices which make it easier to determine the location of individuals who use a mobile phone.

Individuals need to be clearly and adequately informed, in a transparent manner, about how and by whom their personal information is processed. They need to know what their rights are, if they require to access, change or delete their data. The Commission is introducing the new concept of “the right to be forgotten” which provides that where personal data is no longer needed for the purpose for which it has been collected, it should be deleted. For instance, social network sites are a great way to stay in touch with friends and share information, however if users no longer want to avail of this service, they should have the possibility to completely and permanently wipe out their profiles. A second proposed reform aims to strengthen the single market dimension by reducing the administrative burden on companies and assuring a true level-playing field. This target will be achieved by the harmonisation of data protection rules to reduce and simplify administrative formalities, such as notifications to data protection authorities. Current differences in implementing such rules, coupled with the lack of clarity about which country’s rules apply, tend to harm the free flow of personal data within the European Union.

The proposed privacy framework will impose additional obligations on data controllers which are the principal processing hubs of the individuals’ personal data. Such obligations will require controllers to better assume their responsibilities by putting in place effective data protection mechanisms. These mechanisms will include the establishment of data protection officers, the carrying out of privacy impact assessments based on EU data protection rules, and the application of a “Privacy by Design” approach in the development of business processes.

A revision of the data protection rules in the area of police and criminal justice is also envisaged as part of the reform. Under the Lisbon Treaty, which led to the abolishment of the pillar structure, the European Union now has the possibility to lay down comprehensive and coherent rules in this sector.

The last area of review will tackle the role of national data protection authorities which will see the strengthening of such authorities by them being granted the necessary powers and resources to properly exercise their functions. Improved cooperation and coordination is also on the cards to ensure a more consistent application of data protection rules across the Single Market.

The European Commission has publicly stressed that such proposals can only be put in place if further harmonisation and approximation of data protection rules are taken on board by all member states.

The Commission’s policy review will serve as a basis for further discussion and assessment. In fact, it called on all stakeholders, including the public, to enter the pertinent comments on the review’s proposals by mid January. Building on this, the Commission will present the proposals for a new general data protection legal framework in 2011, which will then be negotiated and adopted by the European Parliament and the Council.

Mr Deguara is the head of the technical unit in the Office of the Data Protection Commissioner.