Data protection at the crossroads

Series Details Vol.8, No.32, 12.9.02, p26
Publication Date 12/09/2002

Lawyer Christopher Kuner argues that the dialogue between data protection authorities and business must be improved.

The EU Data Protection Directive has given Europe the advantage of a comprehensive legal framework for data protection and avoidance of sector-specific legislation which, in some other countries, has led to a patchwork of legal regulation.

As there is no doubt that European consumers and businesses expect a high level of data protection, the presence of comprehensive legislation has allowed data subjects to conduct business while remaining confident that their rights will be respected.

However, like any seven-year-old (it came into force in 1995), the directive is exhibiting growing pains caused by the fact that in the past ten years the free flow of information has become the life blood of the world economy, and data protection law has evolved from a niche area to one of fundamental importance for business.

A company with operations in numerous member states and non-European Economic Area third countries will be faced with a number of burdens and uncertainties under data protection law:

  • It will have to determine which national data protection law applies to its various operations under the directive, which can be a difficult exercise even for legal scholars.
  • It will have to spend a disproportionate amount of time and effort complying with requirements for transferring personal data to third countries, even though studies have demonstrated that the level of data protection compliance in Europe leaves much to be desired and may actually be lower than in some third countries.

    In providing a legal basis for data transfers to third countries, it will have to comply with the requirements of each member state from which data is to be transferred, and will often have no choice but to fall back on overly-bureaucratic solutions such as the Commission-approved model contracts.

  • It will have to fulfil certain bureaucratic requirements of national law which provide little protection for privacy. For instance, in most member states it will need to notify each act of data processing to local data protection authorities, even though many of them admit privately that such notifications are usually filed away and then forgotten.

    In some member states it will be able to appoint a company data protection officer in lieu of notifying data processing to the authorities, but such an appointment will have legal effect only in the member state where it takes place.

  • Finally, it will be subject to a bewildering variety of member state laws that have interpreted the directive in differing ways.

There is a need to develop truly pan-European solutions for data protection compliance, which is justified given the presumption established by the directive that each member state provides an 'adequate level' of data protection; for instance, notification requirements at the national level should not be imposed on companies that appoint a data protection officer with responsibility for Europe-wide compliance.

Likewise, more EU-wide solutions for data transfers (such as speedy approval of company codes of conduct) are urgently needed. It is also critical to create more harmony between member state laws, so that the same legal concepts are not interpreted in substantially differing ways around Europe.

The Commission will hopefully address these and other problems in its review of implementation of the directive.

Perhaps most importantly, the dialogue between business and data protection authorities, which has too often been marked by mutual suspicion, must be improved.

Companies need to take a more proactive approach and to see data protection compliance as a competitive advantage, rather than just a set of legal burdens to be met, while data protection regulators need to see business as a potential partner rather than an adversary and consult with business before taking decisions with a substantial commercial impact.

Pan-European regulatory initiatives such as the article 29 working party (a group of national data protection regulators established under the directive who meet regularly) need to become more transparent and open to outside input.

Business can also help by developing tools for self-regulation and best practices, which groups such as the International Chamber of Commerce have been doing in areas such as contracts for data transfer, spam, and data retention.

Data protection is also under assault by various government initiatives, both inside Europe and in third countries (such as the US), that seek to expand law enforcement powers to increase access to personal data.

In formulating requirements for data retention and access, governments should remember the lesson learned in the encryption debate a few years ago, namely that creating technical systems solely to enhance access to personal data by law enforcement is overly expensive, technically unfeasible, and ultimately unnecessary.

Data protection law needs to move from a national to a European focus, and to adopt the principles of regulatory transparency and consultation which the European institutions have been implementing in other areas. It also needs to concentrate on practices that cause actual harm to the privacy rights of data subjects, rather than on aspirational requirements that may not ultimately be enforceable, and to resist excessive demands for access to data by law enforcement.

The European system of data protection must be revamped for the internet age if it is to retain the confidence of consumers and remain a competitive advantage for business.

  • Christopher Kuner is a partner at the Brussels office of US law firm Hunton & Williams. He is also vice-chairman of the special advisory group on e-related issues for the International Chamber of Commerce.
