Comprehensive approach on personal data protection in the European Union  
2011/2025(INI) - 06/07/2011  

The European Parliament adopted a resolution on a comprehensive approach on personal data protection in the European Union in response to a European Commission communication on the same subject.

Members consider that, while the core principles of the 1995/46/EC Data Protection Directive remain valid, different approaches in Member States' implementation and enforcement thereof have been observed. The EU must equip itself – after a thorough impact assessment – with a comprehensive, coherent, modern, high-level framework in order to face the numerous challenges facing data protection, such as those caused by globalisation, technological development, enhanced online activity, uses related to more and more activities, and security concerns (e.g. the fight against terrorism).

Parliament supports the Commission’s communication and its focus on strengthening existing arrangements, putting forward new principles and mechanisms and ensuring coherence and high standards of data protection in the new setting offered by the entry into force of the Lisbon Treaty and the now binding Charter of Fundamental Rights.

1) Fully engaging with a comprehensive approach: Parliament emphasises that the standards and principles set out in Directive 95/46/EC represent an ideal starting point and should be further elaborated, extended and enforced, as part of a modern data protection law.

The resolution underlines the importance of Article 9 of Directive 95/46/EC, which obliges Member States to provide for exemptions from data protection rules when personal data are used solely for journalistic purposes or the purpose of artistic or literary expression. It calls on the Commission to ensure that these exemptions are maintained and that every effort is made to evaluate the need for developing these exceptions further in the light of any new provisions in order to protect freedom of the press.

Recognising that technological developments have created new threats to the protection of personal data, Members consider that a thorough evaluation of the current data protection rules is required in order to ensure that (i) the rules still provide a high level of protection, (ii) the rules still strike a fair balance between the right to protection of personal data and the right to freedom of speech and information, and (iii) the rules do not unnecessarily hinder everyday processing of personal data, which is typically harmless.

Members also consider it imperative to extend the application of the general data protection rules to the areas of police and judicial cooperation.

The Commission is called upon to ensure that the current revision of EU data protection legislation will provide for:

  • full harmonisation at the highest level providing legal certainty and a uniform high level standard of protection of individuals in all circumstances,
  • further clarification of the rules on applicable law with a view to delivering a uniform degree of protection for individuals irrespective of the geographical location of the data controller, also covering enforcement of data protection rules by authorities or in courts.

2) Strengthening individuals’ rights: the resolution calls on the Commission to reinforce existing principles and elements such as transparency, data minimisation and purpose limitation, informed, prior and explicit consent, data breach notification and the data subjects’ rights, as set out in Directive 95/46/EC, improving their implementation in Member States, particularly as regards the ‘global online environment’.

The resolution underlines the importance of:

  • improving the means of exercising, and awareness of, the rights of access, of rectification, of erasure and blocking of data, of clarifying in detail and codifying the ‘right to be forgotten’ and of enabling data portability;
  • enabling individuals to sufficiently control their online data to enable them to use the internet responsibly;
  • including provisions on profiling, while clearly defining the terms ‘profile’ and ‘profiling’;
  • enhancing obligations of data controllers with regard to provision of information to data subjects;
  • specifically protecting children and minors – in the light, inter alia, of increased access for children to the internet and digital content.

3) Strengthening the global dimension of data protection: Parliament considers it of utmost importance that data subjects’ rights are enforceable. It highlights the need for proper harmonised enforcement across the EU. It calls on the Commission to provide in its legislative proposal for severe and dissuasive sanctions, including criminal sanctions, for misuse and abuse of personal data. The Commission is encouraged to introduce a system of mandatory general personal data breach notifications by extending it to sectors other than the telecommunications sector.

The resolution welcomes the possibility of making the appointment of organisation data protection officers mandatory, as the experience of EU Member States which already have data protection officers shows that the concept has proved successful.

Members see in the concepts of ‘privacy by design’ and ‘privacy by default’ a strengthening of data protection, and support examination of possibilities for their concrete application and further development, as well as recognising the need to promote the use of Privacy Enhancing Technologies.

Parliament supports the efforts to further advance self-regulatory initiatives – such as codes of conduct – and the reflection on setting up voluntary EU certification schemes, as complementary steps to legislative measures, while maintaining that the EU data protection regime is based on legislation setting high-level guarantees.

Lastly, the resolution stresses that any certification or seal scheme must be of guaranteed integrity and trustworthiness, technology-neutral, globally recognisable and affordable, so as not to create barriers to entry.