The most important data protection legal instruments date from decades ago, and review processes have now been initiated for each of them. We refer to: (i) the so-called Convention 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data), adopted by the Council of Europe in 1981 as the first legally binding international instrument on data protection; (ii) the OECD "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data", also issued in 1981; and (iii) the Data Protection Directive 95/46/EC.
- An amended Convention 108: a new data protection framework?
The Council of Europe is engaged in the process of modernising its Convention 108. The process has only just started: 10 March 2011 was set as the deadline for submitting views on its list of 30 consultation questions, available at http://www.coe.int. The review is expected to take several years, so it is far too early to speculate on the changes that will be made to Convention 108. The speech given in January this year (at the 5th Data Protection Day) by the European Data Protection Supervisor (Peter Hustinx) on new European rules on data protection, regarding the modernisation of Convention 108, may shed some light on the matter: "(…) this is not the time to reinvent data protection. It has already been invented and developed in a process of decades and all energy should now be put in making its principles more effective in practice. This involves harmonization, simplification of procedures and strengthening the roles of data controllers, data subjects and supervisory authorities, in order to deal with the challenges of new technologies and globalisation."
- OECD Privacy Guidelines 30th anniversary and review
On 6 April 2011, the OECD Working Party on Information Security and Privacy issued "The evolving privacy landscape: 30 years after the OECD privacy guidelines" and laid the foundations for their review in order to address the current environment for privacy and transborder flows of personal data:
"A renewed focus in recent years on finding common approaches to privacy protection at a global level, such as the development of international standards, is a response to the borderless nature of data flows, concerns around impediments to those flows, and the different cultural and legal traditions that have shaped the implementation of the Guidelines over the past 30 years. It is also a response to the challenges posed by technological and business model changes in recent years. The Guidelines have, in many respects, faced these challenges well. It is clear, however, that global solutions are needed and that a better understanding of different cultures' views of privacy and the social and economic value of transborder data flows is required to achieve this goal. (…) Various innovations in privacy governance have appeared over the past two decades to respond to the challenges to privacy that have resulted from technological changes. They vary from technological responses to the use of privacy by design and a focus on data management, from international and regional networks and cooperation efforts to a deepening examination of the role of accountability, and the need for education and awareness. Close attention may need to be given to the role these responses can play in improving privacy protection."
- The review of Data Protection Directive 95/46/EC
The European Commission has taken the initiative to review Data Protection Directive 95/46/EC and opened an EU-wide public consultation (which ended on 15 January 2011) based on its Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions concerning a "comprehensive approach on personal data protection in the European Union", adopted on 4 November 2010.
This Communication defines the road map for the review of Data Protection Directive 95/46/EC and identifies specific challenges, including the need to: (1) clarify and specify how data protection principles apply to new technologies (e.g., cloud computing or behavioural advertising); (2) increase harmonisation between the data protection laws of EU Member States; (3) simplify cross-border data transfers and make them less burdensome; and (4) increase effective enforcement by national data protection authorities.
The "European Privacy Platform" group of the European Parliament held a meeting in Brussels on 16 March 2011, which provided some insight into the likely structure and content of the proposed reviews of the Directive that the European Commission has been working on for the last few months. In particular, Viviane Reding, Vice-President of the European Commission, called for an overhaul of the Data Protection Directive to be based on "four pillars":
- Right to be forgotten/oblivion (droit à l'oubli): this would involve a comprehensive set of new rules and a reworking of existing rules which would ensure that an individual has an effective right to withdraw consent to data processing. In addition, the burden would be put on data controllers to show that they have a legal basis for processing data.
- Transparency: individuals must be informed about what data are collected, for what purposes, and how those data might be used by third parties. They must be clear about their rights and about which authority to turn to if those rights are violated. The risks associated with the processing of their personal data must be made clear to them, so that they do not lose control over their data and their data are not misused. She specified that "greater clarity" would be required when signing up to social networks, and that children must be made aware of the risks of social networks.
- Privacy by default: privacy by default would remove the considerable operational effort often required to control one's personal information. Privacy settings are currently not a reliable indication of consumers' consent and may actually negate the consent they seek to rely on.
- Protection regardless of data location: EU law should apply regardless of the geographical location of data processing and the means used by the controller to process the data. Thus, according to Commissioner Reding, any online service targeted at EU consumers must comply with EU data protection law; in this regard, she specifically mentioned "US-based social networks."
The Commission's review should serve as the basis for further discussions of data protection rules and, ultimately, new legislation (perhaps in the form of a Regulation rather than a new Directive), which the Commission expects to propose this summer.