The Future of Data Protection

The European Commission is due to publish a proposal in January 2012 which will outline plans for new legislation to replace the current raft of data protection rules across the EU.

Whilst this is unlikely to directly result in changes to the cookie law, it is widely expected that new rules will focus on strengthening the privacy rights of individuals which will potentially have a much wider impact on businesses.

In anticipation of the Commission’s proposals, the UK’s ICO has recently published some of it’s own views on the forthcoming changes, so it is well worth looking at some of the core aspects of what is being proposed.

Right to be Forgotten
An idea that has been talked about quite a lot by the Commission is the right of an individual to demand that a company or organisation delete personal data held about them.

As the ICO points out, this could have serious implications for journalism and freedom of expression, if taken to its logical conclusion.  Whilst people should have a reasonable expectation of a right to privacy, the ability to re-write your own history would seem to over step the mark.

Privacy by Design
There is a general encouragement of the idea that organisations should have an obligation to put privacy at the centre of any activity that involves personal data collection.  The ICO also supports the idea of regularly reviewing systems and processes from a privacy perspective, even while it acknowledges the difficulty of enforcing such activity.

Regulatory Powers
The ICO, perhaps unsurprisingly, supports an increase to its powers to regulate the private sector in particular.  This would include the same powers to audit businesses with respect to their data protection practices, that it currently has with public sector bodies.

Funding for this work would continue to come from the ability impose fines, following the ‘polluter pays’ principle.

Harmonisation
The ICO wants to see a new data protection framework that is based more on standards rather than prescriptive processes that organisations are expected to follow.

The Commission for its part is looking to create more of a level playing field across EU member states in respect of data protection.

However when you look at the differences in the implemenation of the cookie directive in different countries, it is difficult to see how harmonisation can be achieved without such prescription. 

If you don’t make it clear how a set of regulations should be enforced, you leave them wide open to all sorts of interpretations at country level, which almost inevitably leads to something more akin to a rocky road than a level playing field.