2012 is an important year for data protection, as the EU, the global leader in data protection policies, is going to reform the system centered around Directive 95/46. The measures are expected to be launched for debate early this year, so they could enter into force in 2014.
- It should be clear that this is not the time to reinvent data protection. It has been invented and is now recognised as a fundamental right in the Lisbon Treaty. Instead, much attention should be given to making data protection more effective in practice.
- Another point in this context is the need for greater harmonisation of rules across the EU. The present diversity of national rules is not helpful for effective data protection, and even counterproductive.
- More effective data protection also requires that data subjects should be enabled to exercise their present rights more easily and should be given a few additional rights to protect their interests where needed. An interesting example is the right to require that personal data are deleted or transferred to another provider – the “right to be forgotten” or the “right to data portability” – which might be particularly useful in the context of social networks or other online services.
- Strengthening the rights of data subjects would also require a clarification of the situations where consent is required and the conditions that have to be met for valid consent. A lack of clarity about this often leads to a weaker position of data subjects, particularly in the online environment.
- Data controllers are now responsible for compliance with data protection rules, but in practice this often only leads to formal arrangements and responsibility “at the end” if something goes wrong. Instead, they should be mandated to be more active and to take all those measures which are necessary to ensure that data protection rules are complied with.
- At this stage, it is also important to clearly define the external scope of EU data protection law. The concept that EU law should not only apply when the responsible data controller is established in Europe, but also when EU consumers are “targeted” – regardless of from where over the Internet – seems to attract more and more support.