2.2 The Internal Market Dimension
2.2.1 INCREASING LEGAL CERTAINTY AND PROVIDING A LEVEL PLAYING FIELD FOR DATA CONTROLLERS
Privacy International agrees that further harmonisation of national laws should take place given the cross-border nature of data flows, which are not just European but global. However, we want to ensure that further harmonisation does not result in reducing the protection of individual privacy to the level of the weaker national laws, such as the UK's. Examination of means to achieve further harmonisation of rules should have a clear preference for ‘levelling up’ to the highest common standards.
2.2.2 REDUCING THE ADMINISTRATIVE BURDEN
We agree with the analysis in the Communication that the current system of notification should be simplified. Any such review should result in more coherent rules across member countries; the development of a ‘model’ notification should be considered. We would not, however, support abolition of the notification system, as it can have an impact on both enforcement and transparency.
2.2.3 CLARIFYING THE RULES ON APPLICABLE LAW AND MEMBER STATES’ RESPONSIBILITY
We strongly agree with the expressed need to ensure the same degree of privacy protections of EU data subjects, regardless of the geographic location of the data controller, and therefore support review and clarification of existing provisions. We believe that if services are targeted at EU citizens, the law of the person’s (data subject’s) country of residence should apply.
We support further clarification of applicable law, and note in this context the valuable Opinion 8/2010 issued in December 2010 by the Article 29 Working Party.
2.2.4 ENHANCING DATA CONTROLLERS’ RESPONSIBILITY
We would support the introduction of a specific ‘accountability principle’ for both data controllers and data processors as appropriate, providing this is not a substitute for responsibility to comply with data protection legislation, but an additional obligation. Such an obligation would mean that data controllers would have to demonstrate compliance with the legislation, and take appropriate measures to do so.
We would also urge the Commission to consider and clarify the roles and responsibilities of all those responsible for data processing, as in practice it is difficult for individuals to distinguish between a ‘controller’ and a ‘processor’, or between a third party and a non-third party. Such relationships are increasingly complex, for example with the advent of cloud computing or in multi-national companies. Therefore we consider that data protection obligations and liability for breaches should be extended to data processors and third parties. This can also be achieved through specific contract terms, as is now the case in other types of consumer contracts. So, for example, social networking sites can be required to have contracts providing minimum standards of data protection when engaging third party service providers.
Regarding PETS and privacy by design as mentioned in the general remarks above, we do not consider that the Communication gives these issues a fair hearing. We strongly believe that technical means and technological solutions can help people to be in control of their personal information and also help the enforcement efforts. Therefore we urge the Commission to include privacy by design as an explicit and mandatory principle in any new framework for data protection. This would include both processes and technologies and give the necessary spurs both to ICT manufacturers and data controllers.
2.2.5 ENCOURAGING SELF-REGULATORY INITIATIVES AND EXPLORING EU CERTIFICATION SCHEMES
We do not believe that self-regulation is the right approach in the field of data protection, and it is not compatible with the nature of data protection as a fundamental right in Europe. Furthermore, since the natural self-interest of service and goods providers is to gather and share as much data as possible, and much of this can be done without the knowledge of the individual, self-regulation without any firm controls for its effective implementation would be the equivalent of putting the wolf in charge of the sheep. A good example of this is the self-regulatory proposal in the field of behavioural advertising, which is widely considered by consumer organisations and others to be a poor response to privacy protection needs. We do however strongly support co-operative approaches, and forms of so-called co-regulation, e.g. industry codes that clarify and support binding rules.
We suggest that such initiatives are only truly effective when they are backed up by the prospect of strong enforcement action by independent supervisory authorities.
We have strong reservations about the value of ‘privacy seals’, which can often create an illusion of privacy protection without delivering anything additional to legal obligations, and we especially question the value of privacy seals operated by for-profit companies when the profits of the seal program are wholly dependent on the revenues from seal holders.