Privacy & Information Security Law Blog

On November 17, 2011, the German Association for Data Protection and Data Security (“GDD”) held its 35th Privacy Conference (“DAFTA”) in Cologne, Germany. At the opening plenary session, Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.

The GDD reports that, according to Nemitz, an EU Regulation is needed to regulate data protection. In his opinion, such a legal instrument would reduce the complexity of data protection law and may facilitate EU-wide standardization of the rules on data protection. In addition, according to Nemitz, the Commission would follow requests by businesses to implement uniform and comprehensible rules. In particular, small and medium-sized enterprises need clear rules that apply across Europe.

According to the GDD report, the planned EU Regulation is supposed to clarify the responsibility of data protection supervisory authorities. In cases where companies operate in several EU Member States, only the regulatory body of the country where the company has its headquarters should be competent to supervise (a “One-Stop Shop” approach). EU citizens, however, would retain the ability to assert their data protection rights before the supervisory authority in their home country. The sanctions available to the supervisory authorities would be strengthened significantly and designed more effectively.

Further, the GDD states that the principle of “self-control” by corporate data protection officers would be implemented EU-wide. According to the GDD, the European Commission plans to introduce a requirement that large companies appoint data protection officers. At the same time, these companies would be required to undertake a privacy impact assessment regarding their use of IT.

A crucial innovation of the Regulation would be a requirement to introduce privacy-friendly default settings for IT systems. “Privacy by default” would become an obligation in certain cases. The GDD states that the European Commission hopes this would lead to economic growth potential as citizens and consumers are able to use IT without concerns regarding possible misuse of their personal data. According to the GDD report, the European Commission expects the value of data protection as a competitive advantage to increase in the future.

The GDD’s report indicates that the Commission plans to present the EU Regulation on January 25, 2012.