EC Responds on Data Protection Consultation
The European Commission has published its response to last year's consultation on revising European Data Protection legislation, in particular Directive 95/46/EC.
The response recognises the lack of clarity on the status of IP addresses - whether or not they are personal data - which has produced contradictory court rulings. However, the general impression is that the Internet needs more data protection legislation rather than less. The paper suggests specific rules on the content and form of privacy notices and the anticipated general duty to report security breaches affecting personal data. New rights are suggested, such as a right to export information from one service and import it into another, and a "right to forget", to insist that data be deleted once the reason for its processing has ended (Out-law has an interesting article on the complexities of this). The rules on consent are to be "strengthened and clarified"; in particular, data must be deleted if consent is withdrawn.
On international transfers, there is a recognition that current processes are not working well, and that there is a need to address transfers where there is no contract between the parties. However, there is no mention of the risk-based approach recommended by both JANET and the UK's Information Commissioner. Finally, there is a call for better coordination between national Data Protection regulators and transparency of the Article 29 Working Party.
As with any legislative process, the impact of this revision will be clearer when the Commission publish draft legislation next year. However, this communication seems to indicate that this will be a gradual development of existing law, rather than the significant change, particularly in the area of indirectly-linked identifiers, that seems to be needed to reflect Internet reality.