Stricter data protection
At the heart of the EU lies a fondness towards the protection of privacy and its concomitant data protection. So much so that the EU has enshrined the principle of personal data protection in the Charter of Fundamental Rights of the European Union, elevated its remembrance by dedicating a day in celebration of privacy in order to increase awareness amongst individuals on data protection and keeps working intensely towards more legislative proposals to address privacy concerns.
Indeed data protection issues, including their cross-border dimension augmented by the ever-increasing use of the internet, take place in a variety of contexts, whether at work, in the health sector, in the purchase of goods and services, in travel or surfing the web.
In a sign of growing concern about privacy, European Justice Commissioner Viviane Reding recently confirmed that a draft of the eagerly awaited new Data Privacy Directive is to be published early next year. Understandably, the draft is expected to be a departure from the original directive as it was laid down almost a decade and a half ago and pre-dated the internet age.
The new rules are likely to significantly strengthen the rights of individuals. According to a press release issued jointly earlier this month by Ms Reding and Germany’s Federal Minister for Consumer Protection, consumers in Europe will see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established.
Although it still remains to be seen as to what the new directive contains, the press release indicates two key changes to the current rules. The first is that the new laws will apply to any online business that directs its services at EU consumers, irrespective of where the business or data is located. Companies, including social networks, that provide or market their services to EU consumers are to be subject to EU data protection laws. Currently, businesses without offices or equipment in the EU can avoid the application of EU data protection laws as the original directive created in 1995 does not include provisions that could have foreseen the growth of the internet. Although this change is a move ahead in the right direction, it may pose difficulty in effective enforcement, particularly if the online businesses are located in a country which is not an EU member state.
The second important change is the requirement of the explicit consent of consumers before their data is used, thus allowing them to remain in control of their data. Users of internet services will have the right to withdraw or delete their data at any time, especially data that is posted by them on the internet, in support of the so-called “right to be forgotten”. This may entail that online businesses require of consumers their consent while browsing; how technically achievable this is will depend on the implementation provisions of the directive.
The “right to be forgotten”, for instance, will apply to social networking sites on which photographs and information about personal preferences and hobbies are posted. In the implementation of the right to be forgotten in the world of media, it is expected that regardless of this right, publishers will still be allowed to store personal data about individuals within news stories, if those stories are in the public interest. This caveat is important in upholding freedom of the press, freedom of expression and freedom of information.
The Commissioner has indicated that the draft of the new directive will be published in January 2012. It would be a further cause for celebration if the draft of the new directive is unveiled on Data Protection Day that falls on January 28.
Dr Grech is an associate with Guido de Marco & Associates and heads its European law division.