Private rules, private lives
To be truly effective, the proposed Data Protection Regulation needs to bring privacy rules in line with the life we’re living, says Antonio Ghio.
The right to privacy does not exist in a vacuum. Likewise, the tools available to protect such rights need to reflect today’s world in order to be mostly effective.
It is in this landscape that the EU is currently considering revising its data protection rules through a new regulation intended to update existing legal regimes.
However, the road ahead is a tricky one indeed, as the balance between the rights of individuals and corporate interests is not easy to achieve.
The proposed Data Protection Regulation was published in January 2012 and its adoption is aimed at 2014. However, there is still a long way to go in its legislative process, especially when the European Parliament still needs to take a vote in plenary session. It is expected that there shall be at least a two-year transition period from its adoption, if at all, before the regulation becomes effective.
While the EU Commission believes that the proposed regulations will be beneficial to the European economy, the industry has been vociferous in its criticism of various prescriptive aspects introduced by the regulation, which will mean huge costs to get their organisations in line with the new rules.
The ongoing discussions on the proposed regulations have been marred by controversy following a vote by the Industry, Research and Energy Committee of the European Parliament, which proposed some changes to the original draft. These changes led to accusations that some MEPs copied and pasted a number of amendments to the draft which are identical to a number of proposals by various international companies on the initial draft, in the process weakening the scope of the regulation through a watered down version of the proposed regime. The draft will now be considered by the Civil Liberties, Justice and Home Affairs Committee of the European Parliament.
The main aim of the proposed EU Data Protection Regulation is to update current legislation, which is mainly regulated by means of the EU Directive 46/95/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The proposed regulation is aimed towards ensuring that applicable data protection rules reflect the technological state of play, such as social networks and cloud computing, and the reality of data globalisation, as well as ensuring that the new rules can cater for future innovation.
Another key aspect is that under the proposed scheme, harmonisation of data protection requirements across member states will be significantly facilitated due to the fact that, as opposed to a directive which member states have to individually transpose and implement within their own national regimes, a regulation is directly enforceable – this helps avoid situations where national rules are not completely identical or give rise to ambiguities.
Of special importance is the proposed Article 23 which introduces the concepts of privacy by design and privacy by default. Data protection should be designed into the business processes for services and products and not simply considered as an afterthought.
Also, default privacy settings on services and applications should be high. This reflects and responds to the various criticisms which were levelled towards social networks, most notably Facebook, which had changed their privacy settings in the past and set the default to low.
The rise of social networking applications and the risks that such tools pose to our privacy have also been addressed in the new regulations by means of the introduction of a right to be forgotten.
Even though such a right is already present in current rules, the wording used in the proposed regulation is much stronger. Data portability is also explicitly addressed in the new regulation, whereby data subjects will have a right to request a copy of the personal data being processed about them in a format they can use and also be able to transmit such data to another processing system such as a competing social network or data processor.
The new proposed regime would extend the applicability of data protection rules not only to EU companies processing personal data but also to foreign companies processing data of EU citizens.
It also introduces a much tougher compliance regime whereby companies can face penalties of up to two per cent of their worldwide turnover, even though this mandatory fine regime has been rejected by ITRE.
Some quarters have even gone as far as claiming that the position taken by ITRE was the result of pressures from various lobbying groups representing multinational companies who do not want data privacy rules to affect their bottom line through the high costs of compliance that the new framework might introduce.
It is still very early to gauge what the final text of the regulation will look like. As in other situations, conspiracy theories will mushroom. At least the impetus by the Commission to ensure that the revised rules come to port is still strong. Let us hope that the final version of the regulation will not be too watered down in the end.
Dr Ghio is a partner at Fenech & Fenech Advocates specialising in ICT Law (www.fenechlaw.com). He also lectures ICT Law and Cybercrime at the University of Malta.