In the midst of continuing privacy tussles, such as over Facebook’s and Google’s privacy policies, and somewhat unexpected new challenges, such as the PRISM and TEMPORA revelations, arguably the most important legislative activity in the privacy field this past year unfolded in the European Union.
Almost two decades ago, and before the Internet became popular, the European Union put in place comprehensive data protection and privacy legislation, the so-called data protection directive. It was the result of years of intense negotiations and mandated that EU member states implement a high level of privacy protection as laid out in the directive by passing appropriate national laws covering data processing of personal information in both the public and the private sector.
In the wake of the Internet’s meteoric rise to permeate almost all areas of life, and with social networking platforms and mobile smartphones turning into mass phenomena, the European Commission put forward a plan to update the EU’s privacy framework and bring it into the 21st century. To that end, in late 2011 the Commission circulated a new draft privacy regulation, to be enacted by the European Union.
This draft regulation is an evolution of the directive, but it also breaks with the past, both structurally and substantively. Structurally, as a regulation it would become directly applicable law in the European Union rather than (as the directive) needing to be implemented through national legislation. This would mean that implementation differences that to an extent have plagued the European privacy framework would disappear (although enforcement differences might continue). Substantively, the draft includes four innovations: (1) a “right to be forgotten”; (2) a right of data portability; (3) data breach notification requirements; and (4) an increased role for accountability—all paired with more stringent enforcement that includes drastically higher fines for breaches.
While touted by the Commission as a complete overhaul of the privacy framework that meets not simply present but also future privacy challenges, the draft is relatively conservative. Some of its “novel” elements already exist in some form in the existing directive and were merely expanded (and rebranded). This can be seen both as an advantage (because at its core it signals continuity) and as a disadvantage (because it may be an insufficient reaction to changing times). As was to be expected given its prominence, the draft was heavily criticized by stakeholders, who argued alternately that it went too far or not far enough.
In 2012, intense discussion over the Commission draft ensued in Brussels and throughout Europe. The European Parliament held hearings, and both the European Parliament and the European Council (which must each formally vote in favor for such a regulation to be enacted) put forward their own drafts. These clarified the “right to be forgotten” and redirected the data portability right, while data breach duties and enforcement provisions were watered down to make them more palatable to industry.
Significant differences of opinion on details persist among the Commission, Council, and Parliament, with the Commission aiming to get a regulation passed as soon as possible, the Council somewhat reluctant, and the Parliament arguing for a pragmatic yet effective measure protecting citizens. The next twelve months will likely be crucial in determining whether, and which, regulation will protect privacy in Europe in the years to come.
European Commission, Data Protection: Newsroom, http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm.