Rethinking European data protection law
By Dr Christopher Kuner
On the occasion of International Data Protection Day on the 28th of January, I would like to explore how European data protection law can become more efficient and effective, and better tailored to the needs of individuals.
The European Commission’s proposal of January 2012 to reform EU data protection law has been the subject of intense discussion. It had been hoped that the legislative process would be completed by now, but the EU institutions have yet to agree on a final text. With upcoming elections to the European Parliament and selection of a new European Commission later in 2014, finalization of the proposal may be delayed by European politics, which provides the chance to reconsider how the law needs to change.
Since its development in the late 1990s, EU data protection law has become both indispensable and unsupportable. Indispensable, because the central and ubiquitous role of personal data processing has made a strong legal framework crucial both to protect the rights of individuals and to allow the development of the digital economy. And unsupportable, because the current framework delivers a poor level of compliance; is confusing for both individuals and data controllers; and is difficult to apply and understand in practice.
These problems have long been recognized, but a consensus on how to remedy them has yet to emerge. Attempts at reform (including both legislative proposals and papers developed by experts and think tanks) have often suffered from various flaws. For example, excessive attention has been paid to a small number of important normative questions (e.g., what constitutes personal data, and the distinction between data controllers and data processors), which has distracted attention from achieving a high level of compliance in practice. Some initiatives have also suggested amendment of the underlying principles of the law, even though they are anchored in the constitutional framework of the EU and are not subject to change.
Many proposals (including the one from the Commission) contain laudable elements, but their structure and language are too complex for individuals to understand and apply. There has also been a “flavor of the month” approach to reform, with attention focused for political reasons on specific sectors or types of data processing (e.g., search engines, online social networks, cloud computing etc.), while other issues of equal or greater importance have received less attention.
Finally, the EU data protection framework is comprised of a combination of different directives, case law, Commission decisions, recommendations of data protection regulators etc., the interface between which can be difficult to understand even for experts. And the broad exemptions in data protection law for areas such as data processing by law enforcement leave large gaps in protection.
It is time to explore a new approach to reform of the EU data protection framework that would result in legal instruments that can be understood by ordinary individuals and that focus on their needs. This means that the main concerns should include intelligibility and the avoidance of jargon, as well as allowing individuals to assert their rights easily and effectively.
The fundamental normative rules of data protection law have proven their worth, and attention should be focused on how effective compliance approaches can be implemented. This means that greater attention should be paid to developing standardized compliance tools (checklists, training procedures etc.); facilitating the recognition of codes of practice and trustmarks; using technological solutions to protect privacy; and working with existing institutions in other areas with strong ties to individuals and data controllers (e.g., local chambers of commerce and consumer protection organizations). The compliance needs of smaller organizations have also been largely overlooked, and more attention should be devoted to helping them integrate data protection into their everyday practices.
A legal framework for data protection should avoid inflation in the number of legislative instruments; provide better coordination between the different sources of law; and avoid wide-ranging exemptions from the rules. A key concern in this regard should be to develop a framework that provides legal certainty for individuals, data controllers, and regulators. More imagination should also be shown to involve the public in the drafting of legislation (e.g., through the use of focus groups or wikis).
These goals will have to be addressed if the EU is to adopt a data protection framework that is future-proof, protective of individual rights, and supportive of the digital economy.
Dr. Christopher Kuner is editor-in-chief of the journal International Data Privacy Law. He is author of European Data Protection Law: Corporate Compliance and Regulation, and the new book Transborder Data Flow Regulation and Data Privacy Law. Dr. Kuner is associate professor at the University of Copenhagen, an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge, and Senior Of Counsel at Wilson Sonsini Goodrich & Rosati in Brussels.
Combining thoughtful, high level analysis with a practical approach, International Data Privacy Law has a global focus on all aspects of privacy and data protection, including data processing at a company level, international data transfers, civil liberties issues (e.g., government surveillance), technology issues relating to privacy, international security breaches, and conflicts between US privacy rules and European data protection law.