The European Commission and Parliament are currently reviewing and amending drafts of a new Data Protection Regulation. This note suggests three compelling reasons why the Regulation should be kept strong, and some specific areas in which amendments are ill-advised and should be rejected.
First, the Regulation will not be an isolated law. Other international and regional organisations are watching to see what it will contain, as they formulate and revise their own guidance in this area. Among the relevant initiatives are the modernisation of the Council of Europe's Convention 108, the revision of the OECD's Privacy Guidelines, and APEC’s Cross Border Privacy Rules system. A weak or poorly drafted EU Regulation could have a detrimental effect on a much larger scale, if other guidance is either weakened to match it, or is kept strong and thus becomes incompatible.
Second, data protection itself is not an isolated right. It is an enabling one, without which other rights such as privacy, freedom of expression and self-determination are seriously undermined.
Third, the Regulation must address a reality of modern life: “personal data” can no longer simply be defined as a neat short-list of data items. The technology of data aggregation, data mining and monetisation exploits data in ways that were not anticipated in the early days of data protection law – but which have a significant impact on individuals' privacy nonetheless. Laws and policies must, therefore, be modernised to take account of privacy outcomes, rather than focus on outdated ideas of what data needs to be protected.
With that in mind, there is reason to be wary of any amendment which could weaken the Regulation's effectiveness in the following areas:
– The Regulation should be based on the principle of protecting the rights, freedoms and interests of the data subject, not just data.
– The Regulation should, however, adequately protect any information on the basis of which an individual may be identified and/or singled out for different treatment.
– Where data are collected that could be used to affect the rights, freedoms and interests of the data subject, it should be on the basis of explicit, unambiguous, informed and freely-given consent or clearly demonstrable legitimate need.
– The Regulation should foster the practical implementation of principles of data minimisation, development and use of privacy-enhancing tools and strategies, and privacy as a core feature of any services.
There are, of course, some commercial entities with an interest in ensuring that these provisions are weakened as far as possible. The commercial value of personal data, and its potential effect on economic activity, should be a factor in determining policy in this area – but not the sole or dominant factor. It is directly in the EU's economic interest to create a regulatory environment in which commercial exploitation is properly counter-balanced by due respect for the social benefits of effective data protection, and for the rights of the individuals whose personal data is used.
Regulation taken to either extreme is unlikely to be workable. For instance, trying to prohibit all cross-border flows of data would not only hinder economic activity, it would also put the EU at odds with most other cross-border privacy initiatives. Conversely, if data subjects have no effective protection against the abuse of personal data, this can be both economically and socially damaging. The Internet Society's view is that this balance needs to be carefully drawn, and arrived at through a consultative and genuinely multi-stakeholder approach that gives due weight to data subjects' rights, economic and commercial factors, social considerations, and the global nature of online activity.