European privacy laws to be reformed

New technologies including RFID and social networking require new rules to protect citizens' right to privacy, according to the EC
Written by Matthew Broersma, Contributor on

The European Commission has announced plans to update European personal data-protection legislation, including measures to encourage companies to design privacy protection into new technologies from an early stage.

EU privacy rules must be brought up to date with changes in technology, information society and media commissioner Viviane Reding said in a speech on Thursday. She mentioned specifically the growing use of RFID tags in everyday products, the growth of social-networking websites, new types of internet-based advertising and airport security technologies such as full-body scanners.

New rules are needed not just to protect EU citizens' right to privacy, but to provide legal certainty for industry and to ensure consumers take up new technologies, the Commission said.

Reding said the new rules should encourage companies to take privacy issues into account from the beginning of a new technology's development cycle, a concept she called "privacy by design".

"Privacy by design will lead to better protection for individuals, as well as to trust and confidence in new services and products that will in turn have a positive impact on the economy," Reding said, according to a statement from the Commission.

The goal is a "clear, modern set of rules for the whole EU" on privacy, she added.

The Commission plans to begin with a reform of the EU Data Protection Directive, dating from 1995, which is implemented in the UK by the Data Protection Act.

"EU rules should allow everyone to realise their right to know when their personal data can be lawfully processed, in any area of life, whether boarding a plane, opening a bank account or surfing the internet, and to say no to it whenever they want," Reding stated.

In addition, the Commission intends to revise e-privacy rules applying specifically to telecoms and internet providers.

It is unlikely, however, to make sweeping changes to the Data Protection Directive, according to William Malcolm, an expert on information law with law firm Pinsent Masons.

"The Commission has made it clear in the past that it has no current plans to undertake fundamental reform of the directive's provisions," Malcolm said in a statement.

He said improvements to privacy do not necessarily require changes to the legal framework, but rather changes to the way organisations interpret existing laws.

"Any legal reform that helps achieve these objectives is welcome, but lawmakers need to concentrate on how they can promote awareness and cultural change in these areas in order to have the desired effect," he stated.

The Commission noted that in April 2009 it launched a legal action against the UK over concerns about ISPs' tests of Phorm, which analyses users' internet usage patterns.

"The Commission warned the UK that its law does not comply with EU rules on confidentiality in telecoms in areas like user consent to interception of communications, sanctions against unlawful interception and supervision of interception activities," the Commission said in a statement.

The case entered its second phase in November, and may be referred to the European Court of Justice if the Commission is not satisfied with the UK's response, the Commission said.

The government said in January that it would press ahead with plans to force ISPs to intercept all web communications, despite serious criticisms of the scheme.
