Data Protection Directive revamp: UK looking sidelined?

Opinion The EU Justice Commissioner Viviane Reding, Vice-President of the European Commission, and the German Federal Minister for Consumer Protection, Ilse Aigner, have come forward with a joint statement claiming that proposals to reform the 1995 Data Protection Directive will be published by the end of January 2012.

It is clear that their promise “to achieve a robust data protection framework for Europe's internal market that can successfully address the challenges of today's digital world” is at odds with the UK view that there is little to change.

The joint statement says the following:

Data protection is highly relevant for consumers and businesses regardless of borders. It therefore needs to be addressed at the European level, through high, common European standards with global appeal. The Lisbon Treaty provides Europe with a unique opportunity to modernise and strengthen data protection rules now. We both believe that as a result of this reform process, consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established

The relatively weak data protection regime “enjoyed” by UK citizens following Durant appears to coming to an end.

We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a 'cloud' [my emphasis].

This will not appeal to USA companies selling services into Europe. I expect the USA to argue that the European Union is practising economic protectionism justified in terms of a bogus privacy requirement. Facebook is also on notice to reform its privacy practices.

In modernising the EU's data protection rules, we believe that consumers must be more empowered than they are today. Users should be in control of their data. This is why in our view, EU law should require that consumers give their explicit consent before their data are used. And consumers generally should have the right to delete their data at any time, especially the data they post on the internet themselves [my emphasis].

Quick memo to marketing department. Please note that “explicit consent” is not an “opt-out” – lots of love, data protection officer! Also the right to delete is almost as impracticable as a right to forget (see references); it is not the way to deal with this issue.

We will work closely together to make sure that the modernisation of the EU’s data protection rules addresses these issues and that the EU’s data privacy principles are turned into a reality for consumers and businesses everywhere in Europe.

Note that the above commentary is limited to business personal data and does not include anything about extension of a new data protection directive to law enforcement. Reading the runes, I think this means that new data protection regime could well become split into two: one component relating to upgrading Directive 95/46/EC without the law enforcement and another component dealing with just the law enforcement elements.

This in turn increases the prospect of a regulation just to upgrade Directive 95/46/EC, as the contentious law enforcement extension has been separated off for detailed discussion in a further initiative.

Also politically, I sense that the UK is in a weak position as euro-zone ministers are getting fed up with the barracking comments from UK finance ministers to “get your house in order”. I am beginning to wonder whether the Euro-sceptic tone from the UK means that any UK view on European data protection standards will be quietly sidelined.

Indeed, one way that Sarkozy, Murkel et al “can get pay-back” from the UK is to impose Euro-standards of data protection, by regulation, on the UK. After all, it won't cost them a penny but they know it would sure upset the Brits.

References

UK government's position on data protection.

Commission’s view of what is wrong with the UK’s implementation of the Data Protection Act (PDF).

Reding and Aigner's statement is here.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.