Last week I had the privilege of attending a seminar at which Peter Hustinx, the EU Privacy Commissioner, outlined the future approach to personal data protection in the European Union. This approach includes a "right to be forgotten" as well as mandatory data breach reporting.

Given that the WikiLeaks website has recently released 2.5 million documents that were supposedly "private" reports by US embassies, you might ask "what does privacy mean?" Well, privacy in this context is more narrowly defined as the privacy of personal information.

In the EU, privacy is based on the European Convention on Human Rights; Article 8 of this convention guarantees a right to privacy:

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

So the correspondence leaked by WikiLeaks is only covered by this insofar as it reveals information about individuals in a way that they did not consent to. But the WikiLeaks case is still very relevant because it demonstrates the challenges posed by the ability of IT systems to store massive amounts of data and for this data to be widely disseminated through the internet. The challenge for organizations is to be able to share information for legitimate purposes while preventing that information from leaking out or being used for illegitimate purposes.

15 years ago the EU led the world in the area of privacy legislation; however, rapid technological developments and globalisation have profoundly changed the world around us and brought new challenges for the protection of personal data. To meet these challenges, in early November the EU published a document describing the direction for privacy and data protection. This document contains the following introductory paragraph:

“Today technology allows individuals to share information about their behaviour and preferences easily and make it publicly and globally available on an unprecedented scale.  Social networking sites, with hundreds of millions of members spread across the globe, are perhaps the most obvious, but not the only, example of this phenomenon. ‘Cloud computing’ - i.e., Internet-based computing whereby software, shared resources and information are on remote servers (‘in the cloud’) could also pose challenges to data protection, as it may involve the loss of individuals' control over their potentially sensitive information when they store their data with programs hosted on someone else's hardware. A recent study confirmed that there seems to be a convergence of views – of Data Protection Authorities, business associations and consumers' organisations – that risks to privacy and the protection of personal data associated with online activity are increasing.”

The strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:

  • Strengthening individuals' rights (Directive 95/46/EC) so that the collection and use of personal data is limited to the minimum necessary; improving the notion of informed consent; considering mandatory breach notification (as already required by the e-Privacy Directive 2002/58/EC, amended by Directive 2009/136/EC, which applies to telecommunication providers); and providing a "right to be forgotten" when individuals' data is no longer needed or they want it to be deleted.
  • Enhancing the internal market dimension. Data protection in the EU has a strong internal market dimension, i.e., the need to ensure the free flow of personal data between Member States within the internal market. As a consequence, the Directive's harmonisation of national data protection laws is not limited to minimal harmonisation but amounts to harmonisation that is generally complete.
  • Revising the data protection rules in the area of police and judicial cooperation in criminal matters. There is a need for a "comprehensive protection scheme" and to strengthen the EU's stance in protecting the personal data of the individual in the context of all EU policies, including law enforcement and crime prevention.
  • The global dimension of data protection: clarifying and simplifying the rules for international data transfers. Data processing is globalised and calls for the development of universal principles for the protection of individuals with regard to the processing of personal data.

In conclusion, the Commission will propose legislation in 2011 aimed at revising the legal framework for data protection, with the objective of strengthening the EU's stance in protecting the personal data of the individual in the context of all EU policies, including law enforcement and crime prevention, taking into account the specificities of these areas. Non-legislative measures, such as encouraging self-regulation and exploring the feasibility of EU privacy seals, will be pursued in parallel.

So what does this all mean for organizations and individuals? There is no doubt that mandatory data breach notification will focus the minds of organizations on the security of their IT systems. Much has been made of the theft of data by cyber criminals; while this is important, misuse of data by insiders is also a significant problem. I would expect to see increased interest in "Data Leak Prevention" technology, which can control the transmission of data based on its content, and in encryption, which controls access to data that gets "lost".

From the perspective of individuals, the direction does little to protect people from themselves. The person using a social networking site remains at liberty to give away personal information about themselves, even to their own detriment, as has been illustrated by many recent news stories. They can also send ill-judged messages that are publicly visible using Twitter, which have on occasion led to criminal convictions. Perhaps the "right to be forgotten" could include these classes of data?