Monday, 25 October 2010

EU to criminalise data protection breaches? (based on unpublished Commission paper)

Privacy advocates may be pleased to hear that, according to a European Commission document obtained by Bloomberg's Aoife White (which I'm blogging as I've not seen it reported much elsewhere), the proposed updates to the EU Data Protection Directive, which won't be fully public till 2011, may include -

Expanded criminal penalties to enforce data protection requirements regulating how personal data is dealt with - the Bloomberg report quoted the Commission's paper as saying it's "essential to have effective provisions on remedies and sanctions” including “criminal sanctions in case of serious data protection violations".

A right to oblivion, the right to be forgotten - a right for data subjects to get their personal details deleted, and to get "lists of friends, photos or medical records removed".

Enhanced enforcement capabilities for regulators and others? - the Bloomberg article said that  "The proposals may also make it easier for data protection authorities and consumer groups to file lawsuits over privacy breaches" but unfortunately didn't expand on how the proposals intend to achieve that.

Bloomberg got Matthew Newman, a spokesman for Commissioner Reding, to confirm that they've not decided yet whether the new data protection laws should be mandatory or only guidelines -but unfortunately the article didn't spell out which aspects he was talking about. It would be odd if all the new rules were either mandatory or guidelines only, although it seems from the context that he was probably talking about criminalisation of breaches. If so, "guidelines only" still wouldn't change the current position.

The Bloomberg article said regarding the timetable that

"Changes could be made to the commission’s document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011."

Sounds like Bloomberg managed to obtain a draft or leaked draft of the Commission's internal document (draft Communication?) - Yahoo, they said, wouldn't comment on the proposals "because the EU plan hasn't yet been published".

See also: search data retention periods for Google, Microsoft and Yahoo.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.