The 28 January is Data Protection Day, apparently – or possibly Privacy Day, depending on where you are:
On 26 April 2006, the Committee of Ministers of the Council of Europe decided to launch a Data Protection Day, to be celebrated each year on 28 January.
Why the 28 January? This date corresponds to the anniversary of the opening for signature of the Council of Europe’s Convention 108 for the Protection of individuals with regard to automatic processing of personal data which has been for over 30 years a cornerstone of data protection, in Europe and beyond.
Data Protection Day is now celebrated globally and is called the “Privacy Day” outside Europe.
To my shame, I had never heard about the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data:
the first legally binding international instrument with worldwide significance on data protection – draws inspiration directly from the European Convention on Human Rights and Fundamental Freedoms, which was opened for signature in 1950. In particular, Article 8 of this Convention states that “Everyone has the right to respect for his private and family life, his home and his correspondence”. This right can only be restricted by a public authority in accordance with domestic law and in so far as it is necessary, in a democratic society, for the defence of a number of legitimate aims.
Until recently, that might have seemed pretty standard phrasing, but in the light of Edward Snowden’s revelations about massive surveillance being conducted on all of us, all the time, that phrase “Everyone has the right to respect for his private and family life, his home and his correspondence” suddenly gains a new importance, since that is precisely what we no longer have.
That’s particularly galling because until last year, most people would have said the EU had the most stringent data protection laws in the world. Not perfect, mind, which was why a massive update was announced by the European Commission back in January 2012:
The European Commission has today proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.
Unfortunately, even before the leaks about the activities of the NSA and GCHQ, the revised data protection rules were getting bogged down in battles over what changes should be made to the proposals. Many were about minor details, while others – particularly those relating to the transfer of data from Europe to the US – dealt with hugely important issues. As I wrote last year, it turned out that some submitted amendments in the latter areas had been written by US lobbyists – a measure of how desperately companies there want to water down EU data protection regulations. Then along came Mr Snowden to throw another spanner in the works, and to slow things down even more.
So where does this massively complex and important piece of legislation stand now? The European Commission has just issued a long, helpful and weirdly upbeat assessment entitled “Data Protection Day 2014: Full Speed on EU Data Protection Reform”:
Two years ago, in January 2012, the European Commission proposed a reform of the EU’s data protection rules to make them fit for the 21st century (see IP/12/46). The reform consists of a draft Regulation setting out a general EU framework for data protection and a draft Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. The proposals are currently being discussed by the two European Union co-legislators, the European Parliament and the Council of the EU in which national Ministers sit.
Of course, that’s rather ambiguous: “currently being discussed” could mean anything. Here’s what else the announcement has to say on timelines:
The data protection reform is a priority for the Greek Presidency. The Presidency convened a tripartite meeting in Athens (on 22 January) with the European Commission, the two European Parliament rapporteurs and the next Presidency of the EU (Italy) to work out a road map for agreeing on the data protection reform swiftly. The objective is to agree on a mandate for negotiation with the European Parliament before the end of the Greek Presidency.
The European Parliament is expected to adopt the proposals in first reading in the April 2014 Plenary session.
An agreement on the data protection reform is thus possible before the end of this year.
That seems rather over-optimistic to me, but I hope I’m wrong. We desperately need an updated and effective framework for protecting data in Europe. While we’re waiting, you might like to read the rest of the European Commission’s document, which usefully spells out some of the details of what might be coming:
There is a clear need to close the growing rift between individuals and the companies that process their data: nine out of ten Europeans (92%) say they are concerned about mobile apps collecting their data without their consent. Seven Europeans out of ten are concerned about the potential use that companies may make of the information disclosed (see Annex).
The data protection reform will strengthen citizens' rights and thereby help restore trust. Better data protection rules mean you can be more confident about how your personal data is treated, particularly online. The new rules will put citizens back in control of their data, notably through:
A right to be forgotten: When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press (see separate section on this).
Easier access to your own data: A right to data portability will make it easier for you to transfer your personal data between service providers.
Allowing you to decide how your data is used: When your consent is required to process your data, you must be asked to give it explicitly. It cannot be assumed. Saying nothing is not the same thing as saying yes. Businesses and organisations will also need to inform you without undue delay about data breaches that could adversely affect you.
The right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours) so that users can take appropriate measures.
Data protection first, not an afterthought: ‘Privacy by design’ and ‘privacy by default’ will also become essential principles in EU data protection rules – this means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm – for example on social networks or mobile apps.
Whether we will ever be able to celebrate Data Protection Day with new data protection rules in Europe remains to be seen.