In 1995, when the European Union adopted a data-protection directive, the world was a much simpler place. Amazon and eBay were just starting up, and Google and Facebook still years away. And those were also the years before 11 September, before cybercrime and before cyberattacks. 

Since then, online information has expanded exponentially, and so too has the exploitation of that mass of data – for commercial reasons, for committing crime, and for trying to prevent crime, to counter terrorism, and to control migration. Against that background, it is no surprise that the European Commission last July launched a consultation on the future of the EU’s current data-protection architecture.

Viviane Reding, the European commissioner for justice, will now have a chance to overhaul the current rules, starting with a review of the data-protection directive. The directive outlines the core elements of data protection that member states are required to implement in domestic law. Under its Article 29, national data- protection commissioners have been meeting at EU level to advise on data-protection issues.

Evolving technology

Now that individuals and governments can create, exchange and manipulate data, new rules are needed to ensure that data protection gets due consideration in a rapidly evolving world.

Many of the digital traces that we leave behind as consumers are transparent and voluntary, for example when we buy a good or service using a credit card. Others are not: the transmission of personal details of transatlantic airline passengers or the sharing of bank-transfer information with US authorities takes place without most consumers being aware of it, let alone having agreed to it. In 2002, a directive on privacy and electronic communications – the e-privacy directive – was adopted to address some of the issues produced by technological change since the 1995 directive.

Networking and commerce

As commissioner for information society in 2004-09, Reding highlighted the dangers of social networking sites and online commerce. In her current job, she will need to integrate solutions for the privacy concerns raised by information technology into a broader framework for data protection in fields such as financial services, transport or health care.

“Protection against data breaches cannot be limited to electronic communications networks alone,” Reding said in January, “but may need to be addressed in new EU rules which cover online services as well.” She has announced that she will propose a reform of the directive before the end of the year.

Peter Hustinx, the European data-protection supervisor, believes that the environment for an overhaul of the EU’s data-protection architecture is supportive. The Lisbon treaty has made the protection of personal data a fundamental right and the European Parliament now has co-decision over agreements in law enforcement.

“We are at a point where there is a constitutional, institutional focus on data protection safeguards and a political will,” Hustinx says. “This is a very important moment, to go from a fundamental right to the delivery of that right, with a Commission that is strongly committed to the digital agenda and at the same time negotiating global privacy,” he says.