One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Article 29 Working Party response to EC Consultation

Wednesday, June 6, 2012 - 09:48

The Article 29 Working Party is the group of all the national data protection regulators in Europe, who jointly publish opinions and commentary on law and practice in the area of data protection. Their response to the Commission's consultation on modernising the Data Protection Directive has now been published.

They make recommendations in four areas, at least three of which may be relevant to our provision and use of on-line services:

"Clarify the application of some key rules and principles of data protection (such as consent and transparency)". The Working Party note that supposed "consent" is over-used as a justification for processing personal data and that there are many circumstances where proper informed consent cannot be given. For these cases, the Directive provides "necessity" as a much better basis, both for organisations processing personal data and for those whose personal data is processed (the UK Information Commissioner has in the past gone further and stated that consent should only be used as a justification if no other is available). This is something I have been going on about for years, and is one of the basic ideas behind the recommendations on handling personal data in the UK Access Management Federation.

"Innovate the framework by introducing additional principles (such as ‘privacy by design’ and ‘accountability’)". Privacy by design is about having privacy protection built into processes, rather than trying to bolt it on afterwards. Technologies can actually help with this, in contrast to their more often reported role of making existing processes even more privacy-invasive. Under accountability, the Working Party recognise that the measures necessary to protect personal data will vary depending on the type and quantity of data being held. This risk-based approach is a welcome development from the current legislation's less flexible implementation.

"Strengthen the effectiveness of the system by modernising arrangements in Directive 95/46/EC (e.g. by limiting bureaucratic burdens)". There is particular mention here of the problems of exchanging personal data with organisations outside Europe, which the current system only permits under a very restricted and complex set of rules. Focusing the responsibility of data controllers on protecting personal data, rather than on complying with this bureaucracy, should improve both privacy and operational arrangements.

"Include the fundamental principles of data protection into one comprehensive legal framework, which also applies to police and judicial cooperation in criminal matters". This is largely a matter of European legal process, which has previously separated common market issues from justice and security ones, resulting in parallel sets of legislation and process that are not always consistent. The Lisbon Treaty removed this distinction, so bringing the two areas closer together should be a natural result of that Treaty.

The full response is available on the Working Party's website. This is unlikely to produce an immediate change in law (the European process takes many months and there is then typically a period of 18 months for Member States to update their own laws), but the general direction seems promising.