Comprehensive approach on personal data protection in the European Union  
2011/2025(INI) - 04/11/2010  

PURPOSE: to define an overall approach permitting the modernisation of the Union’s legal framework governing personal data protection in response to the challenges posed by globalisation and the rapid development of new technologies.

BACKGROUND: the 1995 Data Protection Directive enshrines two important ambitions of the European integration process: the protection of fundamental rights and freedoms of individuals and in particular the fundamental right to data protection, and the achievement of the internal market – the free flow of personal data in this case.

Fifteen years later, this twofold objective is still valid and the principles enshrined in the Directive remain sound. However, rapid technological developments and globalisation have profoundly changed the world around us, and brought new challenges for the protection of personal data. At the same time, ways of collecting personal data have become increasingly elaborate and less easily detectable.

The Commission launched a review of the current legal framework in May 2009. The findings confirmed that the core principles of the Directive are still valid and that its technologically neutral character should be preserved. However, several issues were identified as being problematic and posing specific challenges. These include:

  • addressing the impact of new technologies;
  • enhancing the internal market dimension of data protection;
  • addressing globalisation and improving international data transfers;
  • providing a stronger institutional arrangement for the effective enforcement of data protection rules;
  • improving the coherence of the data protection legal framework.

The above challenges require the EU to develop a comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond.

The Lisbon Treaty provided the EU with additional means to achieve this: the EU Charter of Fundamental Rights - with Article 8 recognising an autonomous right to the protection of personal data - has become legally binding, and a new legal basis, Article 16 of the Treaty on the Functioning of the EU (TFEU), has been introduced allowing for the establishment of comprehensive and coherent Union legislation on the protection of individuals with regard to the processing of their personal data.

CONTENT: this communication seeks to lay down the Commission's approach for modernising the EU legal system for the protection of personal data in all areas of the Union’s activities, taking account, in particular, of the challenges resulting from globalisation and new technologies.

1) Strengthening individuals' rights: it is essential that individuals are well and clearly informed, in a transparent way, by data controllers about how and by whom their data are collected and processed, for what reasons, for how long and what their rights are if they want to access, rectify or delete their data. Basic elements of transparency are the requirements that the information must be easily accessible and easy to understand, and that clear and plain language is used. In this context, children deserve specific protection.

The processing of data must be limited in relation to its specific purposes (principle of data minimisation) and individuals must retain the possibility of an effective control over their own data. In particular, they should be able to give their informed consent to the processing of their data and benefit from the ‘right to be forgotten’ when these data are no longer needed for legitimate purposes or they wish them to be deleted.

There is also a need to make the general public, and particularly young people, more aware of the risks related to the processing of personal data and of their rights, as well as to ensure that there are effective provisions on remedies and sanctions.

2) Enhancing the internal market dimension: the divergences that currently characterise the implementation of European data protection rules run counter to the free flow of data within the Union and increase costs. The Commission recommends:

  • increasing legal certainty and providing a level playing field for data controllers by reducing the administrative burden they have to bear;
  • clarifying the rules on applicable law and Member States' responsibility for the application of data protection rules;
  • encouraging self-regulatory initiatives and exploring EU certification schemes, such as, for example, privacy seals.

3) Revising the data protection rules in the area of police and judicial cooperation in criminal matters: the Lisbon Treaty introduced a new and comprehensive legal basis for the protection of personal data across Union policies. Against this background, and in view of the EU Charter of Fundamental Rights, the Commission plans to examine the opportunity to:

  • extend the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters, including for processing at domestic level;
  • introduce specific and harmonised provisions in the new general data protection framework, for example on data protection regarding the processing of genetic data for criminal law purposes or distinguishing the various categories of data subjects (witnesses; suspects etc) in the area of police cooperation and judicial cooperation in criminal matters.

4) Ensure a high level of protection of data transferred outside the EU: this would involve the improvement and streamlining of procedures for international data transfers while guaranteeing an adequate level of protection of these data in the event of their transfer outside the EU or the EEA. The Commission also proposes to clarify its adequacy procedure and better specify the criteria and requirements for assessing the level of data protection in a third country or an international organisation.

5) A stronger institutional arrangement for better enforcement of data protection rules: the Commission will examine how to i) strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework; ii) improve the cooperation and coordination between Data Protection Authorities; iii) strengthen the role of national data protection supervisors, better coordinating their work via the Article 29 Working Party (which should become a more transparent body).

The Commission's comprehensive approach will serve as a basis for further discussions with the other European institutions and other interested parties. For this purpose, the Commission welcomes feedback on the issues raised in this Communication.

On this basis, the Commission will propose legislation in 2011 aimed at revising the legal framework for data protection. As a second step, the Commission will assess the need to adapt other legal instruments to the new general data protection framework.