Reform of EU Privacy Laws a Step Closer
Last November the European Commission published proposals for reform of the EU Data Protection Directive. Its Communication, “A comprehensive approach on personal data protection in the European Union” (COM(2010) 609), gives some fairly clear signals about how the EU privacy framework will look in a couple of years’ time.
You’d be forgiven for asking why the Commission is looking to change the rules now when many organisations have only just got to grips with the existing regime. The first reason is simple: The Lisbon Treaty.
The Treaty, which was drawn up when French and Dutch voters rejected a full European constitution back in 2005, attempts to streamline EU institutions to make the enlarged bloc of 27 Member States function more effectively. To this end, Article 16(2) gives the European Parliament and Council the ability to re-cast data protection legislation, and the Commission firmly believes the time to do so is now.
The reasons for this are set out in the Communication and were recently outlined by Viviane Reding, the EU Justice Commissioner, in an article in the journal International Data Privacy Law (you can read the full article here). In essence, the Commission has acknowledged that the current Directive isn’t fit for purpose. In particular, it doesn’t meet the challenges posed by technological change and globalisation. Since the Directive was adopted in 1995, information sharing has become much easier and much faster (e.g. through social networking sites) and data collection has become more elaborate and harder to detect. As a result, there is a good deal of uncertainty about how to apply the data protection principles. This in turn has led to divergent application of the rules by different Member States.
The Article 29 Working Party, an influential body of representatives from regulators across the EU, has tried to keep pace with developments by issuing opinions on everything from search engines to behavioural advertising, but the Commission believes it is time for a complete re-think. In particular, it wants more effective and harmonised enforcement, having learnt from the wildly differing (and in some cases flatly contradictory) approaches taken by regulators last year to Google Street View.
To this end, the Communication identifies six key objectives for reform:
• strengthening individuals’ rights;
• ensuring a level playing field for data controllers across all Member States;
• reinforcing data controllers’ responsibilities;
• strengthening but also streamlining the procedures for international transfers;
• more effective enforcement; and
• specifically revising the rules for police and judicial cooperation in criminal matters.
In broad terms the Commission appears unlikely to tamper with many of the basic principles of the current regime: purpose limitation, proportionality, legitimacy of processing and respect for data subjects’ rights are all seen as fundamental. But (and this is a big ‘but’) there are a number of other areas where significant changes are on the cards.
First off is clarification of some key concepts such as the definition of personal data and the rules for consent, both of which are in dire need of proper harmonisation across the EU.
Secondly, we’re likely to see the introduction of breach notification rules. The Commission believes this will increase transparency by building on existing obligations applying to ISPs and telecoms operators under the ePrivacy Directive, and on the approach being taken by some national regulators (including the UK’s ICO) who already recommend the reporting of breaches.
Thirdly, in an attempt to simplify procedures for international transfers, the Commission intends to promote the development of what it calls ‘universal’ principles, international legal standards and other standardising codes (e.g. through organisations like the ISO and CEN).
Fourthly, the Commission is considering a new ‘accountability principle’ which would require data controllers to implement ‘appropriate and effective’ measures not just for complying with data protection rules but also to ensure they can demonstrate their compliance on request. This will probably translate into the mandatory appointment of a data protection officer and an obligation to carry out privacy impact assessments in specific cases which are considered high risk. There is also much talk about ‘privacy by design’ whereby data protection is embedded throughout the technology life cycle, from the early stages of development, through deployment, use and ultimate disposal.
A fifth limb of the proposed reforms is the so-called ‘right to be forgotten’. This would give individuals the right to be removed from the databases of social networks, companies and public organisations unless the data controller can prove that it needs to retain the information. The issue is controversial, in part because it will impact large internet companies based outside the EU who have millions of EU-based members.
Finally, the Commission proposes to improve the enforcement regime through a combination of tougher sanctions, harmonisation of the role of national regulators and improved cooperation over cross-border matters.
There has been much debate over the last 18 months about all these proposals. Whatever the detailed outcome, one thing is clear: a more muscular data protection framework is on its way.
19/02/2011
European Commission publishes a ‘Communication’ on new approach to data protection