The reform of the EU data protection regulation

Executive summary

The increasing demand for data protection due to new technological applications, and the need to reinforce users’ trust in services provided by the public and private sectors, is inducing legislators to approve data protection laws or amend existing regulations in order to adapt them to technological evolution and new challenges.
In this context, the US and EU regulations have a central role due to the size of their marketplaces and the consequent impact of data protection on consumer protection. From this perspective, the impact of the EU Proposal on data protection regulation should be analyzed in order to evaluate its effect on online users’ behavior and, consequently, on business strategies.

Background

In 2012, the European Commission proposed a reform of the EU legal framework on data protection. The EU proposal for a general data protection regulation represents an evolution of the existing EU model, derived from the adoption of the Directive 95/46/EC in each Member State. The proposal intends to grant a higher level of protection and a more homogeneous processing of data.
The Proposal shifts the focus of the regulation from users’ self-determination to accountability and risk assessment (e.g., data protection impact assessment, privacy by design). Nevertheless, the “notice and choice” model remains a fundamental aspect of the new framework.

Objectives

1. Analyze the ongoing debate on the new proposal in the different stages of the legislative process.

2. Assess the impact of the future regulation on the social and economic context.

3. Consider the limits of the EU proposal and the issues that are not adequately addressed by the European legislator (i.e., Big Data analytics, group privacy, social surveillance, trans-border data flows).

Results

One of the main research results is that, in the aforementioned scenario, keeping the focus of data protection only on the individual and his or her decisions is no longer adequate. If legislators consider data protection a fundamental right, it is necessary to reinforce its protection in order to make it effective and not conditioned by asymmetries between data subjects and data controllers. The EU proposal pursues this aim by means of three different instruments: data protection impact assessment, privacy by design/by default solutions, and the data minimization principle.
Part of the output of this research thread was included in a deliverable within the “Privacy” joint research activity of the EINS Network of Excellence (p. 42).
Further analyses and reflections have been presented by Nexa Director of Privacy Alessandro Mantelero in selected workshops and conferences, among which were the Fifth Northumbria Information Rights Conference (Gateshead, UK, May 1, 2013), the Global Workshop on Data Uses and Impacts (London, UK, May 30-31, 2013), and the 9th International Conference on Internet, Law & Politics (Barcelona, Spain, June 25-26, 2013) (see project page for a detailed list).