Stronger rights for citizens and data protection authorities
European Data Protection Supervisor Peter Hustinx
The rapid pace of technological progress and the development of personalised services are posing serious challenges to European citizens and regulators. Eurescom mess@ge editor-in-chief Milon Gupta interviewed the European Data Protection Supervisor, Peter Hustinx, on the challenges to data privacy in Europe, and how regulators and citizens should respond to them.
Which are currently the main issues in regard to data privacy in Europe?
Our societies now depend on the good use – and thus also the well functioning – of various kinds of ICT. Internet and mobile applications are playing a crucial role. This leads to many new issues, including the widespread tracking and tracing of individual behaviour, without sufficient knowledge and control of those involved. We also discover how vulnerable we are to malicious attacks. It is therefore in everybody's interest that we make our information society more robust, more responsible and more trustworthy. Data privacy is in that sense only part of a much larger issue.
How well protected are private user data in today’s cloud services, and what could cloud service users do to increase their privacy?
As a recent study for the European Commission by RAND Europe has shown, the current landscape for cloud computing is still characterised by a number of challenges for security, privacy and trust. Some of these challenges may be addressed by regulatory measures, but many others require a greater accountability of both providers and users of cloud services. Consideration of privacy and security is now too often an afterthought or treated separately, and it is often difficult to negotiate specific security terms with cloud service providers. This should clearly change. Users and providers should be more alert, and services offered to the public should be bound to minimum standards.
What are the main challenges for the revision of the EU data protection framework?
The main part of the current EU data protection framework – the Data Protection Directive 95/46/EC – is now showing its age and should be modernised to face the challenges of new technologies and globalisation. The emphasis should be put on ensuring that the present principles are more effective in practice. This will require stronger rights for data subjects, more responsibility for organisations, and stronger enforcement powers for data protection authorities. At the same time we need to ensure that the new framework will apply in all EU policy areas, including law enforcement, and that the current unhelpful diversity is reduced.
How much do data regulations in the EU member states diverge, and what should be done to harmonise them?
The current Directive aimed at greater harmonisation, but left a margin of manoeuvre to member states. After 15 years this has led to considerable diversity and complexity among member states, not including some resulting from inaccurate implementation. This is bad for the development of the internal market, but also for effective data protection. The new framework should therefore in any case reduce unhelpful diversity and clarify the scope for some remaining diversity. This would require a more detailed Directive or a Regulation, but also effective arrangements for close cooperation and greater consistency between national supervisory authorities.
To what extent are data of European citizens and companies protected that are stored at organisations outside of Europe?
The Directive provides that EU data protection law applies to the processing of personal data where the responsible organisation, the Controller, is established in an EU member state. This means that EU data protection law continues to apply where a controller in the EU transfers data outside the EU, for instance to a service provider in a third country, except where the responsibility is also passed on to the recipient in a third country. For both cases, the Directive provides a few additional safeguards to ensure adequate protection. This may require a special contract or another instrument such as Binding Corporate Rules.
What is the economic impact of data protection?
Data protection has an economic impact, certainly at a scale where it is now relevant for the well-being of our information societies. In that context, the attention has gradually shifted to the need for data protection as a condition for trust – both online and offline – and economic development. A growing need for compliance with data protection will probably also lead to growing demand for privacy professionals and for privacy products and services. At the same time, it remains important to avoid unnecessary burdens and to simplify relevant rules where possible. All this plays a crucial role in the review of the current legal framework.
What is the single most important data protection issue you would like to see solved in the next five years?
My single most important wish is that we are successful in achieving a more effective EU legal framework for data protection by 2015. This is just in time to meet the ambition for smart, sustainable and inclusive growth that is at the heart of the EU 2020 strategy.

The European Data Protection Supervisor is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. It does so by:
■ monitoring the EU administration's processing of personal data;
■ advising on policies and legislation that affect privacy; and
■ co-operating with similar authorities to ensure consistent data protection.
Website: http://www.edps.europa.eu