Never before have private data been more important and more accessible than today. Private data are the basis for transactions in areas like banking, healthcare, and social networking. Driven by digitisation and the Internet, large amounts of private data are collected, stored and analysed by government bodies as well as companies. Legislature, regulators and industry in the EU are faced with the challenge of how to protect the citizens' personal data while at the same time enabling the free flow of data for the common good and protecting society from threats by criminals and terrorists.
The basis for citizens' privacy rights in Europe is Article 8 of the European Convention on Human Rights (ECHR). It provides a right to respect for one's "private and family life, his home and his correspondence". According to the case law of the European Court of Human Rights, gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details of personal expenditures, and implementing a system of personal identification have all been judged to raise data privacy issues. Any state interference with a person's privacy is acceptable to the Court only if it is in accordance with the law, pursues a legitimate goal, and is necessary in a democratic society.
Revision of EU data privacy rules
Finding the right balance between the citizens' privacy and public as well as commercial needs is a major challenge in the current revision of the European Union's data protection framework. The EU data protection directive (95/46/EC), the central pillar of data protection in the EU, was published 16 years ago. Many of the technologies and services that impact data privacy today were not around then: think of Cloud computing, social online networks, RFID chips, location-based services, mobile data communication, and powerful search engines. On the Internet, citizens in Europe and worldwide are faced with a high level of cybercrime. In many cases, the challenges for the privacy of EU citizens originate outside of the EU.
The Voss report
On 15 June 2011, a report on the revision of the data protection framework, the Voss report, was adopted by the European Parliament. One of the key requirements is that EU data protection rules must also be applied outside of the EU. When personal data is transferred and processed outside the EU, "it is imperative that data subjects' rights are fully enforced". International data transfer procedures must be improved and "ambitious core EU data protection aspects to be used in international agreements" must be devised by the Commission.
Furthermore, the Voss report recommends that the updated data protection law should include "severe and dissuasive sanctions", including criminal penalties, for misuse and abuse of personal data. National data protection authorities should be given the necessary resources and be granted harmonised investigative and sanctioning powers, the report says.
A major point of the Voss report is to strengthen the citizens' rights to control what is done with their personal data. Companies should avoid erecting unnecessary barriers to the individual's right to access, amend or delete his/her personal data. In addition, the individual's consent to the use of his data should be considered valid "only when it is unambiguous, informed, freely given, specific and explicit", says the report.
From 4 November 2010 to 15 January 2011, the European Commission had already conducted a public consultation on the Commission's comprehensive approach to personal data protection in the European Union. The basis for the consultation was a Commission Communication on the issue, which was published on 4 November 2010.
Originally, the European Commission had planned to present a new proposal for the data protection rules by the end of 2011. Now it appears this will only happen in 2012. The delay indicates how difficult the decision-making process is.
Incidents related to data privacy
Some incidents this year have underlined the growing importance of data protection not only on regulatory but also on a technical level. In April 2011, Sony's PlayStation Network and Qriocity services were hacked and personal details, including credit card data, from approximately 77 million accounts were stolen by unknown intruders. The attack forced Sony to turn off the PlayStation Network for 23 days.
In October 2011, a different type of privacy-related event occurred. In Germany, the police are allowed to secretly install computer surveillance software ("Bundestrojaner", Federal Trojan horse) on a suspect's computer in order to wiretap Internet telephony. The Federal Constitutional Court of Germany has ruled that the police may only use such programmes for telephony wiretapping. On 8 October 2011, the Chaos Computer Club, a German organization of hackers, found that the software's functionality went far beyond wiretapping, thus violating the ruling of the constitutional court. In addition, the hackers identified a number of security problems with the implementation of the federal spyware.
Conclusion
Both incidents show that regulatory and technological improvements will be necessary to protect citizens' data without disrupting the legitimate use of private data by citizens, public authorities, and industry.
Improvements are particularly required in identity management and Cloud security. Industry and public authorities need to cooperate in order to reduce the risk of abuse of private data. To achieve this, Europe needs better law enforcement against cybercrime, further harmonisation and updating of regulation, as well as technological measures like Privacy by Design.
Further information:
■ EC data protection website
http://ec.europa.eu/justice/data-protection
■ A comprehensive approach on personal data protection in the European Union
http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
■ Wikipedia article on PlayStation Network outage
http://en.wikipedia.org/wiki/PlayStation_Network_outage