A stricter regime for profiling07 June 2016
The Privacy Challenges of the New European Commission
The European Union's executive branch has a brand new engine. Following the European Parliament's election earlier this year and after months of political manoeuvring, a new European Commission is now in place and fully operational. The Commission's functions remain as they were but under a revised structure of one president – Jean-Claude Juncker – seven vice-presidents responsible for designated policy areas and 20 commissioners. As the main policy making body in the European Union, the Commission continues to be in charge of pushing forward the ongoing data protection legislative reform that will lead to a new legal framework for privacy across the EU.
Memories of Viviane Reding and her team driving tirelessly the European data protection reform will not fade easily but their job is now in the hands of a new group of leaders wishing to make their mark. There are three key players with ultimate responsibility for the Commission's position in this process: Andrus Ansip, Vice President for the Digital Single Market, Gunther Oettinger, Commissioner for the Digital Economy and Society, and Vera Jourová, Commissioner for Justice, Consumers and Gender Equality (which includes data protection). What these leaders say or do will become reference points for the outcome of the reform and the future of privacy in Europe.
Here is a list of impending privacy-related challenges faced by the new Commission:
- Harmonisation at a time of dissent – The need for greater harmonisation was the primary motivation that convinced the Commission to reform the existing EU data protection legal framework. This objective led the previous Commission to propose a universally applicable Regulation instead of another Directive. Everything seems to suggest that the single Regulation model will prevail and that will be a victory in itself for the Commission. However, much of the prescriptive nature of the proposed Regulation is under fire and the Commission will probably need to accept a degree of vagueness and flexibility in order to accommodate the all too obvious level of dissent among Member States.
- Saving One Stop Shop – In addition to the format of the law itself, the Commission had bravely proposed a system of regulatory supervision that would make a single national data protection authority competent for overseeing the privacy practices of an organisation operating across the EU. The so-called 'One Stop Shop' model of supervision was hugely ambitious and despite its practical advantages, it has been heavily criticised by some Member States and even certain data protection authorities. As a result, a pure One Stop Shop for privacy enforcement now seems unachievable but the Commission will play a critical role in ensuring that at least some of the functioning of this model is included in the new law.
- Saving Safe Harbor – Whilst the Commission is under incessant political pressure to reinforce the privacy protection of the Safe Harbor framework, the truth is that the room for manoeuvre in negotiating an improved Safe Harbor with the U.S. government is limited. The outcome of the ongoing discussions with the U.S. Department of Commerce will be a real test of the political skills of the Commission which is bound to extract some concessions from the US knowing that no matter what it achieves, scepticism about the adequacy of Safe Harbor will continue to exist.
- Accepting the 'risk-based' approach – In recent times, it has become obvious that although data protection is still a fundamental right that must be fiercely safeguarded, technological progress could be seriously affected by a one-dimensional law. Therefore, the Council of the EU is seeking to introduce a way of taking into account the likelihood and severity of the risk of using of personal information for the rights and freedoms of individuals when determining the scope of the data protection obligations. This may clash with the original aim of the Commission to have a single and clear set of applicable rules, as different obligations may end up applying depending on the circumstances. This type of uncertainty may well be something that the Commission will need to live with.
- Bridging the legislative gap – The most difficult challenge of all is probably the most critical. The Commission is not a legislative body itself, but once the Council of the EU agrees its own draft, much work will be needed to find a way of bridging the gap between the Parliament (which approved its own draft in March 2014) and the Council. Time is ticking and if the reform is to be finalised in 2015, as the Commission has publicly promised, its art of persuasion will be tested to the limit.
In the face of these challenges, there are reasons to be optimistic. First of all, as with any renewed project, the energy levels are sky-high. It is early days and mistakes will be made, but these can be compensated by enthusiasm and hard work. It appears that we may have a very capable team in place. No single individual will have all of the answers but the interaction between DG Connect and DG Justice overseen by Vice-President Andrus Ansip may prove to provide the right formula to complete this process before it is too late.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016