EU Commission plans more harmonisation of data protection law
EU data protection law needs to be more closely harmonized, the European Commission's vice president has said.Justice, Fundamental Rights and Citizenship Commissioner Viviane Reding said that laws adopted by the European Union's 27 member states should be changed so that they are closer to each other and to EU privacy directives.
Reding told a meeting of the EU's data protection commissioners that EU law on data protection was too fragmented.
"One of the main concerns expressed by businesses in the recent consultations is the lack of harmonisation and the divergences of national measures and practices implementing our 1995 [Data Protection] Directive," said Reding. "It is therefore clear that we need to provide further harmonisation and approximation of data protection rules at EU level."
Reding was addressing the Article 29 Working Party, a committee comprising the data protection watchdogs from the EU's member countries. She told the officials that current data protection law was not doing its job properly.
"The internal market requires not only that personal data can flow freely from one Member State to another, but also that the fundamental rights of individuals are safeguarded," she said. "Provided that all data protection guarantees are in place and properly applied, personal data should freely circulate within the EU and, where necessary and appropriate, be transferred to third countries. This requires us to provide a level playing field for all economic operators in different Member States. This is currently not the case."
Reding outlined a number of changes to EU data protection law that she said were necessary. As more and more people use increasingly data-intensive online services, she said that their privacy needed to be better protected.
" I believe we need to strengthen individuals' rights by ensuring that they enjoy a high level of protection and maintain control over their data. This is particularly important in the on-line environment, where often privacy policies are unclear, non-transparent and not always in full compliance with existing rules," she said.
"Individuals need to be well and clearly informed, in a transparent way, by data controllers - be it services providers, search engines or others - about how and by whom their data are collected and processed," said Reding. "They need to know what their rights are if they want to access, rectify or delete their data. And they should be able to actually exercise these rights without excessive constraints."
Reding said that the administrative burden on companies could be reduced by changing certain procedures, but that this could only happen if businesses took their data protection responsibilities more seriously.
"Businesses and public authorities, however will need to better assume their responsibilities by putting in place certain mechanisms such as the appointment of Data Protection Officers, the carrying out of Privacy Impact Assessments and applying a 'Privacy by Design' approach," she said.
Reding said that EU countries needed to do more to share data when dealing with criminal matters, and that individual countries and the EU needed to share more data internationally.
"I intend to improve, strengthen and streamline the current procedures for international data transfers, including in the areas of police cooperation and judicial cooperation in criminal matters," she said.
"In some cases the conclusion of international agreements - like the one we are about to negotiate with the US on data protection in judicial and police cooperation in criminal matters - can also be an effective tool to enhance cooperation and allow for an exchange of information with the relevant authorities," she said.
Reding told a meeting in Washington this week that she wanted to create an 'umbrella' data protection agreement with the US under which greater volumes of personal data could be shared but still protected to a standard acceptable in the EU.
"This agreement will establish a legal framework for data protection, but it will not constitute in itself the legal basis for specific transfers of personal data," she told the Article 29 Working Party. "A transfer of personal data will continue to require a specific agreement providing the legal basis for it."
"My intention is to be ambitious and negotiate a good agreement with the US, ensuring a high-level of data protection and providing all necessary guarantees and mechanisms for effective enforcement and compliance," she said.