Do we ever wonder what happens to the personal information that we divulge to various service providers for a variety of reasons? Whether we are opening bank accounts, joining a social network, or purchasing a product online we are requested to exchange personal data such as an address, a credit card number and other sensitive information. EU citizens can rest assured that Europe is doing its utmost to safeguard the exchange of such data by amending the current EU rules in order to offer maximum protection to its citizens.

The proposed rules are intended to affect several substantive reforms- Mariosa Vella Cardona

Personal data includes any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an e-mail address, bank details, medical information or an IP address. Current EU rules dating to 1995 provide that personal data about others can only be collected under strict conditions and for a legitimate purpose. People or organisations collecting and managing personal information must, in line with current rules, protect it from misuse and respect rights of the data owners.

However, the European Commission has noted that divergences in the way that each member state implements the current rules have led to a lack of harmonised rules in Europe and hence legal uncertainty. The current rules also need modernising as they were introduced when many of today’s online services – and the challenges which they pose for data protection – did not yet exist. We have to acknowledge that technological progress and globalisation have changed the way that our data is collected, accessed and used. To this end, almost a year ago, the Commission proposed a comprehensive reform of the current EU rules.

It proposed the adoption of a regulation setting out a general EU framework for data protection as well as of a directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Since a regulation is, by its legal nature, directly applicable in all member states, the proposed rules will not require implementation by the individual states. This will eliminate the risk of having a patchwork of applicable rules, as is currently the case while at the same time increase legal certainty for industry and citizens.

The proposed rules are intended to affect several substantive reforms. Entities will no longer be obliged to notify all data protection activities to data protection supervisors. Instead, the proposed regulation provides for increased responsibility and accountability for those processing personal data such as an obligation to notify the national supervisory authority of serious data breaches as soon as possible and if feasible within 24 hours. Entities will only have to deal with a single national data protection authority in the EU country where they have their main establishment. This ‘one-stop-shop’, as opposed to the current situation where businesses are supervised by a different data protection authority in each member state where they operate, is intended to simplify data protection matters for businesses. Likewise, EU citizens can always liaise with the data protection authority in their own country, even when their data is processed by a company based outside the EU.

The proposed rules clarify that, whenever consent is required for data to be processed, it has to be given explicitly, rather than assumed. People will also be granted easier access to their own data to facilitate the transfer of personal data from one service provider to another. The proposals make provision for a reinforced “right to be forgotten”, whereby people will be able to delete their data if there are no legitimate grounds for retaining it.

The proposed directive lays down general data protection principles and rules for police and judicial cooperation in criminal matters. These rules will apply to both domestic and cross-border transfers of data.

These proposed reforms have now received the full support of European Parliament rapporteurs. While embracing the objectives of the reform, they have proposed some amendments to the Commission’s legislative package, intended to reinforce the protection given to individuals. For example, the rapporteurs are proposing to further enhance the concept of explicit consent for data to be legally processed by obliging companies to use clear and easily comprehensible language in privacy policies.

While acknowledging that in today’s fast-paced world the exchange of personal information even online is indispensable, recent statistics show that 70 per cent of Europeans are nonetheless concerned that their personal data might be misused. Indeed, should the reform in relation to data protection ever see the light of day, there would be only winners and no losers.

A harmonised, strong and transparent data protection framework would encourage both industry and citizens alike to partake of the benefits offered by a single market economy in the full knowledge that their rights and obligations in relation to data protection are respected in the same way, irrespective of where a service is delivered or received.

mariosa@vellacardona.com

Mariosa Vella Cardona is deputy chairperson of the Malta Competition and Consumer Affairs Authority and a member of the National Commission for the Promotion of Equality.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.