Privacy & Information Security Law Blog

On October 24, 2012, Peter Hustinx, the European Data Protection Supervisor, speaking at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay, called the proposed EU Data Protection Regulation an “ambitious” undertaking, designed to achieve three goals.

First, Hustinx said the regulation is intended to provide the structure for European data protection for at least the next 20 years.

Second, the draft regulation will eliminate the wide variety of requirements that has resulted from the current EU Data Protection Directive’s being transposed into national law in 27 member states.

Finally, Hustinx noted that the regulation will reflect an approach to data protection firmly based in the conviction that privacy is a human right.

Calling the proposed regulation an exercise in both “continuity and change,” Hustinx stressed that the innovation will come not in basic principles, but in how data protection is implemented in practice and in enforcement. In particular, he singled out the objectives of making data protection “simpler,” of doing away with the “old fashioned one-to-one communication of processing” to regulatory authorities, and of providing a “one-stop shop” for controllers, processors and data subjects.

That said, Hustinx concluded by noting that the regulation does reflect some different emphases than the current Data Protection Directive, including enhanced “data subject control” through consent and the opportunity to object to data processing.

He also indicated that there is strong emphasis on the responsibilities of governmental and private-sector organizations. Hustinx noted that, in the future, organizations engaged in data processing would be required to “ensure compliance” by verifying that the necessary measures were in place and being able to “provide evidence of compliance”—what he described as the “accountability principle.”

Finally, Hustinx warned that there was some expansion in scope, recognizing the role of the Internet, so that “you do not have to be located in Europe to have an effect there and be covered by the regulation.”

The open portion of the conference concludes this evening with a presentation by the Hon. José Alberto Mujica Cordano, President of Uruguay. On October 25, the conference moves into closed session for commissioners and their staff only. Under a new format, the entire day will be spent on one substantive issue: data profiling. Centre for Information Policy Leadership Senior Policy Advisor Fred H. Cate is one of four scheduled speakers.