Timbus - Timeless Business

Harmonization of Data Protection within the EU: Urgent need – long negotiations

Details

Created on Wednesday, 02 October 2013 09:49

Last Updated on Tuesday, 21 October 2014 08:32

The European Commission's efforts to harmonize data protection within the EU by the means of a General Data Protection Regulation have been going on for nearly 2 years.

Let us start with a brief description of the current legal situation. The Directive 95/46/EC of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data governs the data protection within the EU. In general, member states are obliged to implement the content of directives into national law in order to achieve the desired objectives.(1) However, the Directive 95/46/EC has been implemented unevenly by the member states. For example, the term 'data transfer' is defined differently in national laws. (2) This lack of harmonization constitutes a legal risk.

A comprehensive and consistent approach with regard to data protection is necessary to ensure the fundamental right of full and effective protection of personal data. (3) 'Personal data' are any information relating to an individual. Companies deal with personal data every day. For example, they must preserve the pay roll information of the employees with regard to tax law. A vast number of further obligations to preserve personal data are imposed by law. The possibility of making data anonymous scarcely exists in all cases. Consequently, dealing with personal data is a sensitive issue, especially with regard to long-term preservation, as every process of digital preservation is covered by data protection regulations (see Art. 2 Directive 95/46/EC). This includes data transfer, which is necessary for global company structures. (4)

The different national implementations of the Directive 95/46/EC entail the risk of legal uncertainty for companies. It is a complex and difficult undertaking to work with personal data in different member states. If a company operates cross-border, different national requirements have to be fulfilled. A company which uses a digital preservation system situated in another member state must transfer data including personal data. Although data can freely flow within the EU (see Art. 1 (2) Directive 95/46/EC), specific national requirements exist and are still difficult to identify. This is an obstacle and a legal risk for both companies and data subjects as individuals. If data must be transferred to a country outside the European Union, the legal situation is even more complex as further restrictions must be considered. (5)

Within the European Union, a European Regulation can be seen as an instrument to facilitate the situation. As the trend towards international outsourcing increases, such legal methods should be taken into account. (6) A regulation would have general applicability. It would be binding in its entirety and directly applicable in all member states. (7)  Consequently, uniform rules would govern data protection within the EU. The current proposal of the Data Protection Regulation consists of two acts of law, a regulation and a directive concerning police cooperation and cooperation on crime. (8) Objectives and general principles of the Directive 95/46/EC would be maintained. (9)

The plans of the European Commission to harmonize data protection within the EU aim at supporting and promoting the 'digital society'. It would be an important and necessary step to adapt the data protection within the EU to technical developments. (10)

The proposal requires for example, that a personal data breach must be reported to the supervisory authority not later than 24 hours after becoming aware of it. (11) Easily accessible policies would guarantee transparency

• with regard to the processing of personal data

• for the exercise of data subjects' rights

• providing sufficient information for the data subject, e.g. about the identity of the controller and the purposes of the processing.

Furthermore, equivalent sanctions in the member states and effective cooperation between the supervisory authorities would increase the citizens' confidence with regard to data protection as well.

The risk of legal uncertainty for economic operators would be reduced. A coherent approach would simplify the subject matter for the economy and ensure a high standard of data protection for every individual. Economic activity and free competition would be boosted.

The proposal has been released on 25th January 2012. It must be negotiated with and decided by the Commission. Still, there are ongoing discussions with regard to the content of the regulation and it is not foreseeable when the actual harmonization of data protection within the EU will take place and which parts of the proposal will be retained.

---------------

1. Bergmann/Grupp, Handlexikon der Europäischen Union (4. Aufl. 2012), Richtlinien.
2. Hoeren et al., Legal aspects of digital preservation, p. 74; Hoeren, Harmonisierung, engmaschiges Kontrollnetz und starke Aufsichtsbehörden, SoliServ-Forum 2013 Berlin, p. 1.
3. Hoeren, Harmonisierung, engmaschiges Kontrollnetz und starke Aufsichtsbehörden, SoliServ-Forum 2013 Berlin, p. 1.
4. Hoeren et al., Legal aspects of digital preservation, p. 74.Hoeren et al., Legal aspects of digital preservation, p. 78.
5. For more information regarding International Outsourcing see Hoeren et al., Legal aspects of digital preservation, p. 86 f.
6. See Art. 288 TFEU.
7. COM(2012) 11 final, http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf (28.08.2013).
8. Recital 7 of the proposal (COM(2012) 11).
9. Hoeren, Harmonisierung, engmaschiges Kontrollnetz und starke Aufsichtsbehörden, SoliServ-Forum 2013 Berlin, p. 1.
10. Art. 32 (1) COM(2012) 11 final.
11. Art. 11 (1), Art. 14 (1) COM(2012) 11 final.