European Commission sets out strategy to strengthen EU data protection rules
happens to your personal data when you board a plane, open a bank
account, or share photos online? How is this data used and by whom? How
do you permanently delete profile information on social networking
websites? Can you transfer your contacts and photos to another service?
Controlling your information, having access to your data, being able to
modify or delete it – these are essential rights that have to be
guaranteed in today's digital world. To address these issues, the
European Commission today set out a strategy on how to protect
individuals' data in all policy areas, including law enforcement, while
reducing red tape for business and guaranteeing the free circulation of
data within the EU. This policy review will be used by the Commission
with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011.
"The protection of personal data is a fundamental right," said Vice-President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship.
"To guarantee this right, we need clear and consistent data protection
rules. We also need to bring our laws up to date with the challenges
raised by new technologies and globalisation. The Commission will put
forward legislation next year to strengthen individuals' rights while
also removing red tape to ensure the free flow of data within the EU’s
sets out proposals on how to modernise the EU framework for data
protection rules through a series of key goals:
Strengthening individuals' rights so
that the collection and use of personal data is limited to the minimum
necessary. Individuals should also be clearly informed in a transparent
way on how, why, by whom, and for how long their data is collected and
used. People should be able to give their informed consent to the
processing of their personal data, for example when surfing online, and
should have the "right to be forgotten" when their data is no longer
needed or they want their data to be deleted.
Enhancing the Single Market dimension by
reducing the administrative burden on companies and ensuring a true
level-playing field. Current differences in implementing EU data
protection rules and a lack of clarity about which country's rules apply
harm the free flow of personal data within the EU and raise costs.
Revising data protection rules in the area of police and criminal justice so
that individuals' personal data is also protected in these areas. Under
the Lisbon Treaty, the EU now has the possibility to lay down
comprehensive and coherent rules on data protection for all sectors,
including police and criminal justice. Naturally, the specificities and
needs of these sectors will be taken into account. Under the review,
data retained for law enforcement purposes should also be covered by the
new legislative framework. The Commission is also reviewing the 2006
Data Retention Directive, under which companies are required to store
communication traffic data for a period of between six months and two
Ensuring high levels of protection for data transferred outside the EU
by improving and streamlining procedures for international data
transfers. The EU should strive for the same levels of protection in
cooperation with third countries and promote high standards for data
protection at a global level.
More effective enforcement of the rules, by strengthening and further harmonising the role
and powers of Data Protection Authorities. Improved cooperation and
coordination is also strongly needed to ensure a more consistent
application of data protection rules across the Single Market.
The way forward
Commission's policy review will serve as a basis for further discussion
and assessment. The Commission is calling on all stakeholders and the
public to comment on the review's proposals until 15 January 2011.
Submissions can be made on the Commission’s public consultation web
on this, the Commission will present proposals for a new general data
protection legal framework in 2011, which will then need to be
negotiated and adopted by the European Parliament and the Council.
addition, the Commission will examine other measures, such as
encouraging awareness-raising campaigns on data protection rights and
possible self-regulation initiatives by industry.
EU data protection rules (the 1995 Data Protection Directive 95/46/EC)
aim to protect the fundamental rights and freedoms of natural persons,
and in particular the right to data protection, as well as the free flow
of data. This general Data Protection Directive has been complemented
by other legal instruments, such as the e-Privacy Directive for the
communications sector. There are also specific rules for the protection
of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).
right to the protection of personal data is explicitly recognised in
Article 8 of the EU's Charter of Fundamental Rights and in the Lisbon
Treaty. The Treaty provides the legal basis for rules on data protection
for all activities within the scope of EU law under Article 16.
2009, the Commission launched a review of the current legal framework
on data protection, starting with a high-level conference in May 2009,
followed by a public consultation running until the end of 2009.
Targeted stakeholders consultations were organised throughout 2010. In
January 2010, Vice-President Viviane Reding announced the Commission's
intention to modernise EU data privacy rules in a speech on Data
Protection Day (see IP/10/63 and SPEECH/10/441)
in her previous role as Information Society Commissioner. Today’s
Communication was produced in agreement with Neelie Kroes, EU
Commissioner in charge of the Digital Agenda.