Since 2006, the Data Protection Day (also called Privacy Day outside Europe) is celebrated worldwide. The Council of Europe adopted this day to commemorate the opening for signature of the Council of Europe’s Data Protection Convention (known as “Convention 108”), on 28th January 1981.
Convention 108 was the first legally binding international instrument in the field of Data Protection. Over the years, it has become a cornerstone of data protection principles worldwide. It was modernized in 2018.
The principles of the Convention 108 inspired the first EU Data Protection Directive 95/46/EC back in 1995, which still remain in the new General Data Protection Regulation (GDPR).
Today’s EU GDPR has turned into a global gold standard for data protection. Many countries outside the European Union are following it as a model and are inspired by its Accountability principle and Risk Based approach. Many geographies from different legal traditions have recognized the value of having a comprehensive legal framework on Data Protection for the benefit of citizens, industry and public authorities.
However, whilst the European model is spreading worldwide, criticism towards EU GDPR is increasing at home.
- Some in industry complain that GDPR is not entirely adaptable to new technological developments and new data uses.
- Some Member States are sharing the same concerns and calling for careful examination on how GDPR is applied to and is able to respond to challenges posed by new technologies.
- The European Data Protection Board (EDPS) and National Data Protection Authorities (which are its members) face ethical questions that legal analysis alone cannot address. They fear that the notion of personal data will not be relevant anymore. Therefore, something additional to the GDPR is needed.
Consequently, a moment to stop and to reflect is necessary.
The technologically neutral, principles-based approach of GPDR constitutes its undeniable strength in order to remain future proof and adaptable to emerging technologies and new uses of data.
As a counter example, the ongoing debate around the new set of ePrivacy rules, specific to the e-communications sector, shows how legislative instruments should not be built.
The proposed ePrivacy rules have two main objectives: enhanced level playing field and future proof, technology neutral rules. However, neither of these objectives has been achieved so far.
Similarly to the GDPR, the proposed ePrivacy Regulation should build on sound principles-based legal grounds for processing, that are generic, future-proof and adaptable to any new specific purpose that may arise. On the contrary, the proposed ePrivacy Regulation is just listing concrete purposes and tries to legitimize them with any new exception envisaged (eg.: necessary for the transmission of the communication, for the security, for Quality of Service, for network optimisation, etc. etc.),
More than three years of unsuccessful negotiations on ePrivacy clearly reflects that a future proof legal instrument cannot be built upon exceptions. Overreliance on outdated exceptions makes a poor text, not fit for purpose and that can have a very negative impact on European companies and European economy, at large, without delivering better privacy protection for citizens.
The President of the European Commission, Ursula von der Leyen, announced that she wants to make Europe fit for the digital age. In that context, the proposed ePrivacy Regulation which is maintaining a sector-specific approach and restrictive rules based on exceptions of today, not of tomorrow, clearly frustrates this ambition.
By May 2020, European Commission will issue the first Report on the evaluation of GDPR, taking into account developments in information technology and in the light of the state of progress in the information society (Art. 97 GDPR). May 2020 is a unique opportunity to rethink the specificities of ePrivacy within a broader context. For that, including the principle of confidentiality of communications within GDPR would make unnecessary sector specific ePrivacy rules. Therefore, a complete re-set of the ePrivacy legislative file is necessary.