The European Union has unveiled proposals for its long-awaited revision to the Data Protection Directive, the framework that informs laws such as the UK’s Data Protection Act.
One of the aims of the proposed revision is to “strengthen the individuals’ rights so that the collection and use of personal data is limited to the minimum necessary”. For example, it introduces the concept of the “right to be forgotten”, allowing individuals to demand that companies delete data about them.
Interesting Links
European Commission sets out strategy to strengthen EU data protection rules – EU press release
Exposed on the Internet An online attack on a UK law firm has revealed yet more inadequacies in data protection regulation and in businesses’ data-handling practices
According to Bridget Treacy, a privacy lawyer at Hunton & Williams, this is inspired by the difficulty individuals often experience when trying to quit social networking sites. But it will have consequences for other businesses too, she says, and they will be obliged to develop processes for removing customer data on request.
Another aim is to “increase transparency for data subjects”. It proposes “general principle of transparent processing” and “specific obligations for data controllers” to be more transparent about their data handling processes.
Treacy says that this chimes with best practice in data handling. “It is when companies are not transparent about the way they handle data that people complain,” she explains.
The EU proposes that the way in which data protection law is enforced within member states should be standardised. At the moment, Treacy explains, there is significant variation in the bureaucratic processes associated with privacy and data protection across member states. Greater standardisation would reduce the burden on companies that operate in multiple European countries, she says.
Cloud computing companies, many of which are based in the US, and their European customers have eagerly awaited an update to the directive that makes it easier to transfer data in and out of the EU. The proposed revisions do include improving the current procedures for international data transfers, but Treacy remarks that it remains unclear what this will mean in practice.
She says that there is nothing controversial in the EU’s proposed reforms and that the EU has already consulted extensively with various stakeholders. This means it is likely that they are implemented into the directive in their current state.
However, the degree to which member states implement the reforms when the EU does update the directive is a separate and complicated matter.