Internet users all over the world and Europeans in particular have adjusted the new ways of sharing their information using various social networks. Therefore, the remote data storing has become a significant part of people’s lives. It is also important to note the importance of personal data to many businesses as it has become their asset as collecting and analyzing the data of their potential customers is a very beneficial part of the certain businesses economic activities.
Considering Europe in particular, data security is a basic law that aims at protecting people’s right to take control over their personal data in an effective manner. Thus, those rights are ensured by the Article 8 of the Charter of Fundamental Rights of the European Union and the Article 16(1) of the Treaty on the Functioning of the European Union (COM 2012).
Since most of the consumers are characterized by being less confident, they often hesitate to accept new services or make purchases online. For that reason, a high level of data security will enhance trust in online services by encouraging economic competitiveness and growth of the industries among EU countries.
European Union countries need the data to flow freely within the Member States and businesses need to have clear rules in order to provide their services with the minimal administrative burden. All of that are the prerequisites of the economic growth stimulation, fostering innovations and, as a result, creating new jobs.
The EU’s data protection rules as well as their modernization will not only strengthen the dimension of the internal market ensuring a high level of individuals’ data protection, they will also promote legal clarity and consistency, which are predominant in the Digital Agenda for Europe, the European Commission's Stockholm Action Plan, and the EU’s Growth Strategy - Europe 2020.
According to COM (2012), the objectives of the EU’s 1995 Directive, which is the central legislative instrument for the protection of personal data in Europe, are to “ensure a functioning Single Market and effective protection of the fundamental rights and freedoms of individuals, and remain valid”. This Directive was adopted two decades ago when the Internet was no as developed as it is nowadays.
At the present time the existing rules are challenging digital environment providing neither the harmonization degree required, nor the efficiency, which is necessary to ensure the personal data protection right. For that reason a fundamental reform of the EU’s Data Protection Framework is being proposed by the European Commission.
The reform aims at building a strong, consistent and comprehensive data protection backbone for the modern European Union. It will reinforce individuals’ fundamental right to data protection. However, it does not mean that the other rights will not be followed. By those rights freedom of information and expression, the right of the child, the right to a fair trial and professional secrecy, the right to conduct a business and many others are meant.
On the contrary, as a new reform, it meets some critique.
Summary of Proposed Rules
Since 2009, the EU Commission, in order to prepare the reform on data protection in a transparent manner, has been engaged in an intensive dialogue with stakeholders launching various public consultations on data security. In 2010, the Commission issued a Communication on “A comprehensive approach on personal data protection in the European Union”. It helped to set out the main themes of the reform.
In 2011, the Commission was further involved in a dialogue with the European Data Protection Supervisor (EDPS 2011) and later with Europe’s National Data Protection Authorities (EDPS 2012). The main aim was to explore the options for more consistent implementation of the EU data protection rules taking into the consideration all of the EU Member States.
The above mentioned discussions revealed the needs of citizens and businesses: they wanted the Commission to reform EU data protection rules and do it in a comprehensive manner. After the impact assessment of various policy options, the European Commission proposes a consistent legislative framework across EU policies taking into the consideration all individuals’ rights and businesses interests within the frames of the dimension of Single Market.
The new framework proposed by the Commission ought to consist of the Regulation (Directive 95/46/EC replacing), which would set out the general framework of EU for data security and the Directive (Framework Decision 2008/977/JHA16 replacing) which would establish “the rules on the protection of personal data processed for the purposes of prevention, prosecution, investigation or detection of criminal cases and related judicial activities” (COM 2012). Basically the major reform elements are being set out by this Communication.
The Commission, in order to strengthen the individuals’ rights to data protection, proposes the following new rules, which aim to improve the individuals ability to control the data upon the following circumstances:
- when the individuals’ consent is required, the new rules ensure that the data is freely given, which is grounded on either the affirmative actions or the statement of the concerned person;
- when the Internet users possess the effective right of their data to be deleted upon their consent, withdrawal and when other grounds for the data retaining are absent;
- when an easy access is guaranteed through the right to have a copy of the data saved from a controller and through the free possibility to move the data from one provider to another;
- when the individuals fully realize the way their personal information is used, especially when we take into the consideration the activities of processing concerning children.
In order to strengthen individuals’ rights to data protection, which aims to better the means for them to apply their rights, the Commission proposes both making stronger the protection of national data, authorities’ power and independence, and enhancing judicial and administrative remedies when the rights to data security are being violated.
Qualified associations are meant to advance a claim to the court on individuals’ behalf. That will help them to be properly equipped when dealing with complaints effectively, carrying out the investigations efficiently, and imposing effective sanctions if needed.
The European Commission, in order to strengthen the individuals’ rights to data protection, also proposes the rules, which aim to improve the data security upon:
1. The encouragement of the usage of privacy certification schemes, privacy- enhancing technologies and privacy-friendly default setting.
2. The introduction of general obligations for the controllers of data with the aim to inform the breaches of data without any delay. In this case, both the authorities of data security as well as individuals are meant to be concerned.
In order to strengthen the rights of individuals to data protection, which targets at improving the responsibility of the processing data, the European Commission proposes the following:
1. The Data Protection Officer designation in the companies which employ more than two hundred and fifty workers and in those firms that are connected with the operations processing which expose individuals’ rights at particular risks.
2. The introduction of the “Privacy by Design” principle to be certain that the data protection guarantees are taken into consideration at the phase of systems and procedures planning.
3. The introducing of the obligation with the purpose to execute the Data Protection Impact Assessments for the companies which are involved in the risky processing (COM 2012).
In order to ensure a high level of personal data protection in the field of police and judicial cooperation in criminal matters and to facilitate the data exchange between corresponding authorities of the Member States within the frames of the data protection reform package, the Commission proposes the following three functions of the Directive:
- the application of general data protection principles to judicial and police cooperation in various criminal matters with respect to the specific nature of those areas;
- the provision of the individuals’ rights to be informed when police or/and judicial authorities access or handle their personal data. It is necessary for the effective detection prosecution, investigation and prevention of criminal offences;
- the establishment of particular rules in order to cover the nature of law enforcement activities. In this case, a distinction between different categories of data subjects whose rights may greatly vary has to be taken into account.
The new reformed EU framework aims at ensuring a high level of data security in order to intensify mutual trust between police and judicial authorities in various Member States. It helps to further contribute to a free data flow and promote efficient cooperation between judicial authorities and police.
As the rights of individuals must be ensured when the personal data leaves the EU boarders or whenever the individuals of Member States are targeted with their data being used by the third country service providers, the new data protection standards have to be applied despite of the company geographical location. In order to address the challenges of the globalization process, flexible tools and mechanisms are needed. Thus, the Commission proposes to take the following measures:
1. Lucid rules which define the applicability of the EU law to data controllers that are set in the third countries.
2. Adequate decisions are to be taken by the European Commission grounded on certain criteria, including criminal justice and police cooperation.
3. Reinforcement and simplification of international rules transfer to the countries that are not covered by an adequacy decision in order to ease the legitimate data flows.
4. Dialogue with the strategic partners such as third countries and international organizations with the aim to promote high and worldwide interoperable standards of data security (COM 2012).
Obviously, the new reform has many advantages since the development of the EU’s 1995 Directive. In the next part, the reasons for criticism of the legislative framework on personal data protection will be explored.
Criticism: Why the New Reform is Condemned?
As it was mentioned in the previous section, the ways in which individuals are able to exercise their right to data protection are not sufficiently agreed across the Member States. At the same time, the powers of the national authorities that are responsible for the data protection are not harmonized to the extent that ensures effective and consistent rules application. It means that actual exercising of such rights is more complicated in some Member States compared to the others, especially when the online rights protection is meant.
The difficulties mentioned above are also due to the big volumes of data collected daily. Moreover, many users are often not even fully informed about their data being collected. However, some of those who are aware still feel that they do not totally control their own data due to being improperly informed regarding what happens to their personal data, for what purposes and to whom it is transmitted. Frequently, people do not know even how to exercise their rights online.
Despite the objective of the current Directive to ensure an equivalent data protection level within the whole EU, the considerable divergence between the 27 States is still present in the issued rules. As a result, the data controllers may have a chance to use different national laws and requirements of all the Member States. Therefore, there is a chance for legal uncertainty and, thus, uneven protection for individuals. Such situation mau cause administrative businesses burdens and provoke unnecessary expenditures. It is also a great disadvantage for those companies that operate in the Single Market with a prospective desire to expand their business abroad.
The other issue is the resources and the responsibilities of the national authorities, which are responsible for data protection. They vary considerably from one state to another. In some cases, they are unable to perform their enforcement tasks satisfactorily. Thus, the cooperation among these authorities at the European level has to lead to consistent enforcement and should be significantly improved.
Another issue which was criticised in this reform is the requirement application regarding the protection of data as well as its privacy regulations to any company active in the EU, regardless if it is a European country or not. It means that companies such as Microsoft or Google that are based in the United States of America are to be subjected to the European Union regulations.
Rittweger and Molloy (2012) also comment on the publication of the Draft Regulation stating that the choice of replacing the Directive 95/46/EC with the Draft Regulation is a very significant instrument because the EU regulations can be applied for the Member States, which will help to reach the highest harmonization level under the law of the Union. They present the estimated data protection costs per year and claim that “greater legal certainty comes at a price, and concerns have been voiced (most notably in Germany) about the shift in the balance of power away from the Member States and towards the Commission” (Rittweger & Molloy 2012).
The scholars are certain that despite the fact that Draft Regulation can be applicable, specific areas still exist which will allow the Member States to have the power of enacting national legislation. For example, Article 80 is associated with the obligation of the Member States to accept the exemptions from certain Regulation provisions meaning the right to freedom of speech with the protection of personal data (Rittweger & Molloy 2012).
The Member States should become the rule-makers in all the areas, which is another major weakness on the Draft Regulation. Research, health and employment sectors are considered as the most intensive regarding data processing, which would be beneficial for only high harmonization level of rules on the national level. It is inevitable in the context of employment, because employers struggle a lot to handle the complicacy of data security. The main reason for this situation if the increased globalization of the businesses, which results in the growth of the outsourcing functions of human resource.
From the above mentioned it is obvious that the proposed reform on data protection is inevitable in building a strong, consistent and comprehensive backbone for the modern European Union. This can be achieved by reinforcing individuals’ fundamental right to the protection of their data and following the other rights as well. At the same time, its criticism that the EU Member States decreed and applied it in a different manner may lead to its uneven implementation.
Changing the format to the Regulation will not allow to make the variations in future within the Member States that theoretically should lead to higher certainty for EU organizations and particular for the citizens. It is very important when taking into account the growth of Cloud Computing, as the data is no longer stored and can be accessed in various countries at the same time as it is naturally for certain companies to operate internationally. As a result, it is impossible to avoid the European Union's Data Protection Reform. However, it should certainly adopt data protection practices that would be beneficial to all of the stakeholders.