On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”). The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization. The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of the structure of the EU legal framework for data protection. The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.
The Contribution maintains that the fundamental principles of European data protection law remain valid. However, it also notes that both improvements in implementation of the existing data protection framework and changes to it should be considered, in particular regarding the following points:
- implementation of the legal framework for data protection in the EU Member States should be improved;
- the system for issuing “adequacy decisions” by the European Commission regarding the level of data protection in third countries should be made more efficient;
- a provision on binding corporate rules should be introduced;
- the position of “privacy by design” in the legal framework should be strengthened;
- a general security breach notification regime (i.e., one not limited to telecom service providers and ISPs as is now the case) should be introduced;
- requirements to notify data processing to national data protection authorities should be simplified or even eliminated in some cases;
- the responsibilities of data controllers should be increased by introducing an accountability principle into the new legal framework (in this regard, the Contribution explicitly mentions the work of the Centre for Information Policy Leadership at Hunton & Williams);
- the use of consent as a legal basis for data processing should be made more restrictive;
- the role of the data protection authorities should be strengthened and clarified, and cooperation between the DPAs should be reinforced, particularly through improvements to the Article 29 Working Party’s working methods.
The European Commission will now evaluate all the contributions received under the Consultation and consider whether changes to the EU legal framework should be proposed. It should be noted that any changes to the framework would likely take a minimum of five years to be enacted.