On 6 July 2011, the European Parliament adopted a non-binding resolution (the "Resolution") on the communication of the European Commission (the "Commission") on a "comprehensive approach on personal data protection in the European Union" (the "Communication"). This Communication was published on 4 November 2010 and sets out the Commission's strategy for the reform of EU Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive") (See, Van Bael & Bellis on Belgian Business Law, Volume 2010, No. 11, p. 3).
In the Resolution, the European Parliament welcomes the Communication and its key objectives: (i) strengthening individuals' rights; (ii) enhancing the internal market; (iii) revising the data protection rules in the area of police and judicial cooperation in criminal matters; (iv) ensuring a high level of protection for international data transfers; and (v) enforcing the data protection rules more efficiently. In addition, the European Parliament endorses the new measures considered by the Commission, including the introduction of a "right to be forgotten", the principle of "data portability", the principle of "accountability" and the principle of "privacy by design". The European Parliament calls on the Commission to ensure that the revised legal framework will provide for full harmonisation at the highest level and coherence and consistency, while keeping bureaucratic and financial burdens to a minimum.
As regards obligations for data controllers, the European Parliament welcomes in particular the possibility of making the appointment of data protection officers mandatory and considers it essential to make privacy impact assessments compulsory. Moreover, it encourages the Commission to introduce a system of mandatory general personal data breach notifications.
The Resolution also raises a number of issues which the European Parliament urges the Commission to take into account when drafting its legislative proposal for the reform of the Data Protection Directive.
For instance, the Resolution calls on the Commission to respond to the increasing use of social networking sites and online behavioural advertising and the privacy risks these entail. In particular, it urges the Commission to include in its legislative proposal provisions on profiling and specific rules to protect vulnerable persons, especially children and minors. The Resolution furthermore points to the difficulties of applying current data protection legislation to cloud computing and requests the Commission to clarify the capacities of data controllers, data processors and hosts in order to better allocate the corresponding legal responsibilities and enable data subjects to exercise their rights in a cloud computing context. The Resolution also requests that the revised regime provide instruments enabling conglomerates perceived as single entities to act as such rather than as a multitude of separate units.
As regards international data transfers, the Resolution calls on the Commission to (i) streamline and strengthen the current procedures for international data transfers; (ii) clarify the adequacy procedure and criteria; (iii) define the core EU data protection aspects to be introduced in international agreements concluded by the European Union; (iv) enhance cooperation between the European Union and third countries, international organisations and standardisation organisations; and (v) assess the effectiveness and correct application of the US Safe Harbour Principles.
Finally, the Resolution underlines the need for effective enforcement of data protection rules and lists a series of proposals to achieve this objective, such as the introduction of collective redress mechanisms. Moreover, the Resolution points to the benefits of self-regulatory initiatives, e.g., codes of conduct or EU certification schemes. It calls on the Commission to carry out an impact assessment of self-regulatory initiatives as tools for better enforcement of data protection rules. The Resolution also urges the Commission to strengthen the independence and investigative and sanctioning powers of the national data protection authorities.
The Commission is expected to present its legislative proposal on the reform of the Data Protection Directive later this year. In a press release issued on 6 July 2011, EU Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding welcomed the Resolution and stated that the Commission will take the Resolution into account when preparing its legislative proposal. Interestingly, Commissioner Reding underlined the prominent role for data security and stated that she plans to introduce a mandatory requirement to notify data security breaches for all sectors.
The Resolution can be found at http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2011-0323.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.