EDPS opinion

The EDPS has issued its opinion (pdf) on the European Commission communication regarding improved implementation of the Data Protection Directive 95/46/EC. Some of the key points (from the opinion):

"In his assessment of the communication, the EDPS will address in particular the following perspectives that are relevant in respect of these changes:

•Improvement of the implementation of the Directive itself: how to make data protection more effective? A mix of policy instruments is needed for such an improvement varying from a better communication with society to a stricter enforcement of data protection law.

•The interaction with technology: new technological developments such as developments in data sharing, RFID systems, biometrics and identity managements systems have a clear impact on the requirements for an effective legal framework for data protection. Also, the need for effective protection of the personal data of an individual can impose limitations on the use of these new technologies. Interaction is thus two-sided: the technology influences the legislation and the legislation influences the technology.

•Global privacy and jurisdiction issues, dealing with the external borders of the European Union.

Whereas the jurisdiction of the Community legislator is limited to the territory of the European Union, the external borders become less relevant for data flows. The economy depends more and more on global networks. Companies based in the European Union increasingly outsource activities, including the processing of personal data to third countries. Moreover, recent cases like SWIFT and PNR confirm that other jurisdictions show interest in 'EU-3 See point 37 of this opinion.3originating data'. In general, the physical place of a processing operation is less relevant.

•Data protection and law enforcement: recent threats to society, whether or not related to terrorism, have led to (demands for) more possibilities for law enforcement authorities to collect, store and exchange personal data. In some cases, private parties are actively involved, as recent cases show. The dividing line with the third pillar of the EU-Treaty (in which area the Directive does not apply) becomes on the one hand more important and on the other hand more fluid. There is even a risk that in certain cases, personal data will not be protected either by first pillar or by third pillar instruments (the 'legal loophole').

•The consequences, in any event for data protection and law enforcement, of the entry into force of the Reform Treaty, now foreseen for 2009."

Although the Data Protection Directive is unlikely to be altered in the short-term, the subject of effective national data protection laws and the topic on global privacy and jurisdiction issues will continue to relevant for sometime to come. I see another article at some point!