Data Protection

On 25 January 2012 the European Commission published its proposed package of reforms for the Data Protection Directive 1995, which was implemented into UK law as the Data Protection Act 1998. The comments period closed on March 7. The reform package will now pass to the European Parliament and the EU member states (meeting in the Council of Ministers) for discussion. The final package will take effect two years after adoption.

Data protection law is an important part of preserving personal privacy rights, which otherwise could be easily overwhelmed by the power of government agencies and corporations that hold information about individuals. Despite the many changes in the landscape since 1995 – at that time companies like Google and Facebook were yet to be founded, and mobile phones were used by only a tiny percentage of the population – the basic principles have held up well. What the reforms seek to do is improve the consistency of the directive's operation across the EU's 27 member countries, lower compliance costs for businesses, and make data protection regulators more accountable. The package also seeks to add new citizen rights such as the right to data portability (so that you can download all the data a particular company has about you in a format you can use) and the right to delete your data, also popularised as the right to be forgotten.

The Open Rights Group believes that individual privacy is a key human right and that data protection law is both an important protector of individual privacy and a necessary part of ensuring a fair balance of power between individuals and large organisations. Citizens need the law to assure them of the ability to control the use of their data, while today's international, data-driven businesses would prefer to have as few restrictions as possible. Large American companies in particular would like standards to be kept low and to be allowed to set their own rules, much as they do in the US, where privacy rights are governed by the lengthy contracts – privacy policies – users are expected to read and agree to.

"Information is the oil of the 21st century," said Mark Getty, the oil magnate's grandson, and on that basis ORG believes it is anti-competitive to allow individual companies to build up large silos of data they can use to lock users into their services. Increasingly, privacy is not only a human right but also part of the right to choose whom to do business with.

ORG has in general welcomed the Commission's proposals, in particular the increased consistency in the law's application across the EU; the clearer test for applicability of EU law; the principles of "privacy by design" and "privacy by default"; the requirement for notification when there are data breaches; and the right for organisations to represent individuals whose privacy rights have been harmed. More problematic are the proposals surrounding the transfer of data to non-EU countries, which fail to resolve concerns that data held in the US, particularly about EU citizens' political activities, is subject to subpoena under the Foreign Intelligence Surveillance and PATRIOT Acts. ORG believes that the proposals for data portability could also be improved; greater interoperability between services is needed, particularly with respect to smartphones, whose use is often tied to a user ID on a matching online service (for Androids, Google, and for iPhones, Apple). ORG also favours increased use of privacy risk assessments when new technology systems such as Oyster and smart meter systems are deployed.

Finally, ORG is concerned that the maximum applicable fine has been reduced to 2 percent of global corporate income (from 5 percent in an earlier leaked draft), presumably in response to commercial pressure. ORG believes that strong sanctions and protections are necessary to prevent EU citizens' fundamental rights from being trampled upon.

The data protection reforms, when finalised, will also provide an opportunity for the UK to revamp its national data protection law and the functioning of the Information Commissioner's Office, both of which are weak and ineffective compared to those of other EU countries. The UK Act is not in compliance with the 1995 directive. In 2010, the European Commission asked the UK to strengthen the ICO's powers as required by EU law.

What you can do: