Rewinding the clock 35 years recalls the day when the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, commonly known as Convention 108, was opened for signature in Strasbourg. Malta signed the convention on January 15, 2003 and ratified it the following February 28.

This day marks the European Data Protection Day, first commemorated in 2007, which is the fruit of an initiative spearheaded by the Council of Europe with the full support of the European Commission. It calls on European authorities to raise awareness of data protection by informing citizens of their privacy rights and the value of their personal data.

Back in the 1960s and 1970s, in the face of the emerging trend involving the mass electronic storage of information by large companies and public administrations, the Council of Europe had decided to establish a framework, with specific principles and requirements, to safeguard the processing of personal data and impose restrictions on trans-border data flows to legal systems which did not provide for equivalent protection.

The resulting treaty was the first binding international instrument with worldwide significance for data protection. It was inspired by Article 8 of the European Convention on Human Rights and Fundamental Freedoms which provides that “Everyone has the right to respect for his private and family life, his home and his correspondence”. In 1987, Malta enacted the European Convention Act by adopting the convention in toto.

The right to privacy is a fundamental human right, albeit not absolute, and is entrenched in the Constitution of Malta. It is safeguarded by the Data Protection Act which transposes European Directive 95/46 on the protection of individuals against the violation of their privacy in the processing of personal data. It is a known fact that the data protection directive is implemented in a fragmented manner across the EU, with the risk of creating legal uncertainty and significant risks for the protection of privacy, especially when it comes to online activity.

Technological developments over the past two decades have significantly changed the way personal data is processed. The new trends of information processing, such as cloud services, social networking, location-based marketing, profiling and web tracking, are increasingly exposing the data, leading to risks of security breaches, hacking and other forms of illegal online activity.

Recognising these developments, the European Commission proposed, in January 2012, a reform of the data protection legislative framework to address the challenges arising out of the rapidly changing environment, primarily to ensure that citizens get control over their personal data and to allow them and businesses to reap the full benefit of the digital economy.

The Commission selected a regulation as the new legal act, given that regulations are binding in their entirety and directly applicable in all Member States. The principal objectives are to ensure a harmonised data protection legal framework and more legal certainty.

Following lengthy discussions and negotiations on the draft General Data Protection Regulation, political agreement was reached between the co-legislators and the official text is expected to be published shortly.

Whereas this legal instrument retains the main principles inherent in the current Directive 95/46, it introduces new rights for data subjects, namely the right to data portability and to be forgotten. It also imposes new obligations on data controllers, including the mandatory notification of data breaches, the carrying out of privacy impact assessments and the development of systems using privacy-by-design architecture.

The regulation also establishes a new system of supervision for organisations processing personal data in more than one EU Member State or with a pan-European impact. This consistency mechanism is at the heart of the new framework and involves the concept of a one-stop-shop: only one data protection authority, the one where the company has its main establishment, will issue a decision, and it will do so following mandatory cooperation between other authorities.

The regulation also introduces hefty fines for data controllers who violate the law.

A final reflection must be made on the recent judgments delivered by the EU’s Court of Justice which have shaken the data protection environment. In the Digital Rights Ireland case, the court declared the Data Retention Directive null in view of the absence of limits for necessary processing and the absence of judicial oversight in accessing such data.

Another equally important judgment was delivered on October 6, 2015, in the Max Schrems case, where the court invalidated the European Commission’s decision on the Safe Harbour Agreement, adopted in 2000, because it did not provide for the guarantees necessary in a democratic society to safeguard citizens’ data when exported by European data controllers to the US.

These rulings show how far expectations towards the right to privacy have soared in Europe. Undoubtedly, this involves additional work for data protection regulators, who are empowered to promote and safeguard data protection rights by ensuring that data controllers process data fairly and lawfully.

The next step to continue building on the principles and requirements of Convention 108 is therefore the implementation of this regulation. This presents a challenge to the EU at large. Cultures have to change both in public and private sectors.

The question remains how to achieve the necessary proportionality between the needs of processing and the fundamental right to data protection. Can we walk the mile?

Saviour Cachia is the Information and Data Protection Commissioner.
