The Council of the European Union (the “Council”) released its conclusions following meetings held on February 24 and 25, 2011, regarding the European Commission’s November 4, 2010 Communication proposing “a comprehensive approach on personal data protection in the European Union” which we reported on last November.
The Council’s six-page report contains various observations and recommendations directed to the European Commission (the “Commission”) and concludes that the revised data protection framework should facilitate a higher level of harmonization among the EU Member States than the current framework. In that context, the Council observes that a readjustment of the roles of the national data protection authorities is needed, especially for cross-border cases, and that the role of the EU Article 29 Data Protection Working Party should be reviewed. In light of globalization and technological developments, the Council also recommends revisiting rules on applicable law to enable data subjects to effectively exercise their rights while providing legal certainty to data controllers.
According to the report, the Council welcomes the work done on developing a principle of accountability and invites the Commission to investigate the use of the accountability principle and instruments of self-regulation to promote “a smoother functioning of the internal market in order to achieve a higher level of data protection compliance.” In addition, the Council encourages the Commission to further explore the possible introduction of a “right to be forgotten” and the inclusion of a “privacy by design” principle provision in the new legal framework. The report addresses additional topics including increased protection for minors, expanded data breach notification requirements, a revised framework for international data transfers, standardized EU privacy notices and decreased administrative burdens for registrations with national data protection authorities.