Revising the EU Data Protection Directive

Posted by Thomas Myrup Kristensen 
Senior EU Policy Director

(Cross posted from

Late last month, European Union Commissioner Viviane Reding re-stated her desire to reform and modernize the EU’s Data Protection Framework Directive (95/46/EC).

She noted that the Commission is currently analyzing the over 160 responses to the public consultation and that the proposal to reform the Directive is expected to be released by the end of 2010. You can find Microsoft’s response to the public consultation on the Data Protection Directive here.

In my view, the general principles of the current Directive have survived the test of time, they are widely respected and have served as a model for several other jurisdictions. However, the significant technological evolution of the last decade as well as the growing volume and complexity of cross-border data movements mean it is timely to look at the Framework again more closely.

However, when considering the review of the framework, the actual implementation of it should never be forgotten. Today, companies doing business in several Member States face challenges to ensure a consistently high level of data protection throughout the EU. Most of these result from the inconsistent implementation of the Current Directive. One example of this is the considerable divergence in the DPA notification systems, including the matters that should be notified, conditions for exemption, procedures for exemption and so on.

International transfer mechanisms should also be reformed to cope with the increasingly global data movements. The current rules did not foresee the growth of online services and the emergence of “cloud” computing, but progress is being made. An example of this are the recently up-dated standard contractual clauses that facilitates processing activities and new business models of companies for international processing of personal data. However, care needs to be taken to avoid mechanisms becoming too prescriptive.  Instead of focusing on “checking boxes” primarily for formality’s sake, one should concentrate on the result or outcome to be achieved in practice. One example where this comes to mind relates to Binding Corporate Rules – BCR’s. These are good tools to ensure that high levels of data protection are adhered to inside a company no matter where in the world that company deals with data , but the rules currently in place need to be simplified to become truly operational.

Addressing these challenges is crucial to enable the uptake of new technological innovations, like cloud computing. However, these do not necessarily need to be postponed until the revision of the Framework is completed. They could just as easily and more quickly be addressed through policy options such as guidance from the Commission on implementation and enforcement.

Finally, as the Commission considers its reform proposal, we encourage the examination of regulatory developments in other jurisdictions and movement towards a more harmonized global regime.

With the benefit of a modernized and more harmonized regulatory framework, industry will have a solid ground to deliver on the promise of new technological developments, while the protection of European citizens’ privacy will be ensured at a consistently high level.

Please see our Vice President EU Affairs General Counsel, John Vassallo, talk about the promise of cloud computing here.

You can also listen to the speech given by Brad Smith, Microsoft’s Senior Vice President for Legal and Corporate Affairs about cloud computing and its future challenges.

Tags: ,