European Commission Head of Data Protection Unit Bruno Gencarelli, during a seminar in Malta, said that businesses processing data will be governed by one single law with one supervisory authority through an upcoming new EU regulation. "One continent, one law, one regulation".
An event organised by the Malta IT Law Association (MITLA), held at Smart City, saw a discussion about the General Data Protection Regulation currently strongly being considered by EU institutions.
MITLA President Antonio Ghio said the legislation tackles the struggle between balancing privacy rights for subjects and the data controllers who utilise vast amounts of data.
Mr Gencarelli spoke of a one-stop shop in terms of authority in this regard. Each country will have one authority, one point of contact for businesses.
Businesses shopping for countries
Dr Ghio asked Mr Gencarelli whether this could lead to forum shopping, where a company would have a friendly relationship with the authority in that particular country and choose to set up there.
"Such a risk of forum shopping might exist today, and the one stop shop is in response to that. When dealing with cross-border cases, where, for example a subject from one country has complained about a company based in another, the authority must agree with other authorities involved, such as those where the complaint was lodged. This means that a country's authority will not be able to decide on its own and would need to consider the entirety of the issue," Mr Gencarelli said
"Member states also chose to introduce a dispute settlement body where if data protection authorities involved in a case do not agree with one another, then that case will be brought before the EU dispute resolution system and the solution will be imposed. This is, of course, a strong incentive against foreign shopping".
Mr Gencarelli added that the proposed regulation has been on the table for over three years and described the regulation as an ambitious reform.
He hopes that the reform will come to a close by the end of this year. "Why, as the Commission, have we tabled this proposal? This is a specific response to a need and demand for reform in this area, that strongly emerged from an EU wide consultation launched prior to the reform".
He said that an update to legislation is needed considering the technological advancements since 1995. "Back then, only 1% of the population used the internet... and Facebook founder Mark Zuckerberg was still attending school. Since then the digital world has changed, bringing enormous potential for growth".
"Personal data is often the currency of the digital economy and as such needs stability and trust. Surveys show that the main concern of EU citizens when shopping online, when using an online service, is data privacy and security. Users don't feel sufficiently empowered to make informed judgements in this regard".
"Since 1995 our own EU framework has evolved, he said, mentioning the charter for fundamental rights. He explained that a demand for reform also came from EU and the non-EU business community". Currently our rules are based on a directive that was transposed into different national laws with important differences, Mr Gencarelli told the audience. "As such, a fragmented landscape has resulted in certain problems. The idea here is to have a level playing field for companies working within the EU".
Social Dialogue Minister Helena Dalli, delivering the first speech, said that the culture to safeguard personal data in Malta is somewhat short-sighted. "Most organisations believe it legitimate to collect information for a specific purpose, yet use it for another". Malta attaches great importance to data protection placing great responsibility on public service to lead by example, she added.
Both private and public organisations must change their culture and review procedures and carry out internal restructuring in relation to the regulation, the Minister explained
"Privacy is a fundamental human right". She stressed that this right is safeguarded both at local and European level.
"Malta places great importance on data protection and the government places great responsibility on public service to lead by example," the Minister added.
Turning to the idea of a one stop shop, the Minister stated that companies will only deal with a single supervising authority within each country, and heavy fines would be imposed on those who do not respect the rules.
Touching upon social media, the Minister explained that the internet allows another fundamental right... freedom of expression. "The internet is not owned by a single person or group, but is open for everyone". She mentioned human rights risks when such technology is abused, through racist hate speech and cyber bullying.
Regulation does not go far enough
The new Data Protection Regulation does not go far enough in tackling surveillance by security and intelligence agencies, Professor of Information Policy, Security & Technology Law Joseph A. Cannataci said.
Professor Cannataci was introduced as one of the fathers of data protection in Malta.
“Assume for a second that every single current proposal we have for the reform package is unanimously approved. Would that solve the Snowden issue…. No and it is not designed to do so. If you are looking for a remedy in this package one would be looking in the wrong place.
Surveillance by security and intelligence services is normally carried out in the name of national security, which is a reserved area for the nation state. The EU Parliament has no competence in this matter.
“When the Snowden issue was raised in the European Council, the UK said this was out of scope. Until the treaty of the Union is changed, this is out of scope. Does this mean there are no EU institutions that can handle it… no. If one goes to the Council of Europe, then it has the competence to deal with the matter. I’m not saying this will happen due to political expediency but there are ways of dealing with this”.
Professor Cannataci explained how the data protection package originally included regulations relating to law enforcement agencies, however this has been removed and is proposed as a directive.
Commercial attorney at Microsoft Dr. Remco Hendrikse spoke of cloud computing, where trust is a pivotal concept. “When customers consider moving to the cloud they are concerned about losing a degree of control of their data, where not they entrust that data with a different entity. Businesses for example, will no longer host their data on their own servers, but through cloud computing would have their data stored elsewhere”.
“Moving data to a cloud provider does not mean customers lose control and in our contracts we make clear that the data still belongs to the client”. As for protection, he said that, as a cloud provider, they are committed to protecting client’s data.
Saviour Cachia – Information and Data Protection Commissioner, referring to the single point of contact authority that will be established, explained that should disagreement exist between authorities from different countries then a binding decision can be given by the EU Data Protection Board.