Overall, the Communication reflects well the feedback from the series of stakeholder consultations, impact assessments and studies carried out in preparation for the review; it gives a fairly comprehensive picture of the new challenges to effective privacy protection; and it reflects well issues that will need to be addressed in the planned review of the data protection framework. The key objectives outlined are the right ones, though those connected to strengthening individual rights and improving enforcement must remain the absolute priorities.
However, in our view, there are a few areas that it fails to address as fully as needed:
Privacy enhancing technologies (PETs) and privacy by design are mentioned briefly in the context of enhancing the data controllers’ responsibilities (2.2.4), but these are essential tools to ensure effective privacy protections that have been paid lip service in the past but not used. They deserve a place in their own right, including examining ways in which they can be practically adopted. In many online transactions it is not necessary to give away personal information, and effective authentication technologies do exist. However, they have not been widely adopted or used, because it is rarely in the interest of service providers to adopt or promote such technologies, since their business models depend on constant data harvesting, and since such information has economic value. So there is an inherent tension between the rights of the individuals in legislation, and the desire of a great number of service providers to circumvent those rights as much as possible. These kinds of tensions will need to be solved if a review of the legislation is to succeed.
While the need for enhancing transparency is rightly acknowledged, there is no mention of the challenges posed by people’s natural behaviour (behavioural economics) and the need to address this within a future review. Any measure adopted in future legislation that will have data collection as default is bound to fail, as it has until now. So considerations of behavioural economics are particularly important in the context of discussions of various default settings and user control, as well as future risk/detriment assessments. Only privacy by default, data minimisation and avoiding unnecessary identification will meet the stated goal of strengthening individuals’ rights.
There is little mention of the challenge of dealing with the issue of individuals as data controllers, i.e. user generated content, bloggers and video makers that release a constant wave of personal data which is often public by default. This is a phenomenon that did not exist at the time of the formulation of the current directive, and needs to be addressed in any future review, since an individual using a platform service cannot be treated in law in the same way as a large service provider, whether public or private. In this respect we agree with those that recommend settings of maximum privacy by default on the platforms that provide services to individuals (blogging sites, social networks, etc).
While the challenges identified are indeed very real, we are concerned that they are all given equal status. In our view the effectiveness of personal information protection and effective enforcement should be the prime and overriding objectives, while lessening administrative burdens, making transfers simple, etc, should come as secondary objectives, albeit desirable.
We ask the Commission to address all these issues comprehensively during the coming process of the review of the legislation, in order to ensure a meaningful ‘strengthening’ of people’s privacy rights. As the Communication acknowledges, the EU will need to have a consolidated general framework, which can be complemented with more specific rules and alternative measures.
We give some more specific comments in the sections below, following the main headings and contents of the Communication.