New Data Protection Board to co-ordinate EU-wide enforcement, says Commissioner

Out-Law News | 08 Dec 2011 | 12:45 pm | 4 min. read

A new oversight body will be set up under a new EU data protection regime to help regulators investigate and enforce compliance with EU laws, the EU's Justice Commissioner has said.

Viviane Reding outlined plans to establish a European Data Protection Board from the existing Article 29 Working Party as part of planned reforms to EU data protection law. The Article 29 Working Party is a committee of the national privacy watchdogs from the EU's 27 member states and includes representation from the UK's Information Commissioner's Office (ICO).

Reding said the new Board would help regulators enforce the new laws, which are expected to be formally proposed by the European Commission next month. The secretariat supporting the Board should operate out of the existing European Data Protection Supervisor's (EDPS) office, she said. The EDPS is responsible for ensuring EU bodies comply with data protection laws.

Under the plans, when a problem cuts across national borders one national authority should be the "lead authority" in dealing with the issue.

The new regime should include a single, "uniform and coherent" data protection law that applies in all EU member states, Reding said. Under the plans, data protection authorities from other countries would be allowed to collaborate in investigations where issues crossed borders, would be able to force the lead authority to take enforcement action and "discuss remedies," whilst the new Board would also have a say in enforcement action, she said.

The proposals would cut out multiple "parallel investigations without coordination" and would require national regulators, which currently cannot be compelled to take enforcement action, to enforce the law, Reding said.

"Fragmented enforcement is bad enforcement, in particular when you face web giants. It is not what our citizens expect from data protection law and from the authorities established to enforce this law," Reding said at a meeting of the Article 29 Working Party in Brussels on Wednesday.

"We therefore need better coordination inside the EU. Three conditions must be met to make this possible. The first is that there must be one single lead authority responsible for the action in a particular case. The second is that other authorities from other Member States should have the means to require the leader to act, to accept joint actions, and to discuss the remedy. The third is that the Article 29 Working Party must have an important role in this mechanism," she said.

"When the reform will enter into force, a new European Data Protection Board will be created from the current Article 29 Working Party. Given its enhanced future responsibilities the Board should have an efficient and dedicated secretariat. How to do it? I think that this secretariat should be hosted by the European Data Protection Supervisor's office which would be a cost-effective solution drawing upon the ready-made experience of that office," Reding said.

Reding said that the proposals would not lead the European Commission to take over enforcement of data protection laws. "Let me stress that the European Commission has neither the intention nor the means at its disposal to take over your role as interpreters and enforcers of data protection rules on the ground, or as decision-makers on individual cases. On the contrary, with the reform, you will have a fully independent secretariat at your disposal and better tools to develop a common legal doctrine," she said.

Reding laid out further plans to enable internet users to switch their personal data, such as photos and videos, between competing cloud computing services without leaving a "trace" behind. Cloud computing refers to the storage of files and programs on an internet-based network rather than on local computing resources. It allows internet users to access or store information without owning the software to do it and many online companies, such as Google, operate huge servers that store the data and deliver it to users.

"Users should have the freedom to take all their data with them when they choose to leave a cloud service, and to leave no digital traces behind. Individuals should not be discouraged from switching from one cloud service to another," the Justice Commissioner said in a separate speech at a conference on cloud computing in Brussels.

"After all, the photos, videos and contacts that people build up on their profiles belong to them, not the company. It means that their photos, agendas, e-mails and profiles should be given back to them in a widely used format that makes it simple to transfer elsewhere. There should be no downside risk if someone wants to cancel an account, erase a profile or move all of their data to a competitor. Companies should not erect hurdles when people want to change. Such 'locking-in' not only stifles effective competition but, more importantly, deprives users of their effective right to freely choose and freely change the best privacy environments for their personal data. This right to 'data portability' will be an essential element of the legislative reform," Reding said.

Plans to force all organisations to report serious personal data breaches will also be included in the new regime proposals, Reding said. The EU's existing Privacy and Electronic Communications Directive requires telecoms companies to keep customer data confidential and secure and to inform national data protection authorities (DPAs) and their customers about breaches of personal data.

"When a data breach happens, a company will have to inform the national supervisory authority immediately and the individual whose data has been compromised or stolen. We have seen lengthy delays in telling customers that their data has been compromised. There can be no excuses for not letting people know what has happened to their personal information. These data security breaches risk undermining people's trust in the digital economy. My proposal introduces a general obligation for data controllers to notify such breaches immediately. The new legislation will bring all industries on par with the telecoms sector where security and breach notification are compulsory," Reding said.

The European Commission has confirmed that a leaked draft (116-page / 661KB PDF) of the new EU data protection proposals is authentic, according to a report by The Register. The draft is in the form of a regulation, which would mean that the new data protection regime could take effect immediately following adoption if approved in its current state; EU directives, by contrast, have to be implemented in national laws before they become effective.