Striking the right balance between boosting business competitiveness and safeguarding consumers’ privacy lies at the heart of discussions surrounding the reform of the General Data Protection legislation. EPHA’s newly launched Briefing on the General Data Protection Reform explores some of the key issues at stake from a health policy perspective.
The European Commission tabled two proposals in January 2012 to set up a new legal framework for the protection of personal data in Europe. Its ambitious legislative proposal includes a binding Regulation on General Data Protection which comprises tightened harmonisation rules with implications for individuals, companies and public authorities. The proposed framework also puts forward Directive rules pertaining to the protection of personal data processed for the purposes of criminal offences and related judicial activities.
The current centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC, was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection; and to guarantee the free flow of personal data between Member States. It was complemented by Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation, and judicial co-operation in criminal matters.
While the legal framework remains sound as far as objectives and principles are concerned, it has prevented neither fragmentation in the way personal data protection is implemented across the Union, nor legal uncertainty, nor a widespread public perception that there are significant risks associated with online activity. Overall, stakeholders feel that the rules are not fit to deal with increasingly complex technological developments in the digital age.
In this context, and recognising that streamlining and greater clarity are necessary across the EU, EPHA’s Briefing on the General Data Protection Reform explores some of the main issues and sticking points pertaining to the proposed Regulation, including the following concerns:
the need for special protection of health data;
clear rules for data access and data portability;
processing data on grounds of public interest;
promoting better digital literacy, and protecting vulnerable groups online (e.g., children); and
enabling health research.
EPHA’s Briefing argues that it is crucial to “strike a feasible balance between the rights of individuals to access and protect their personal data, and the necessity to make data available to authorised officials in the public interest”, such as avoiding public health risks, enabling appropriate and timely medical interventions, and supporting health research. However, the implications of individuals wishing to “opt out” and/or delete their personal health data must be respected. Finally, there is a dichotomy between the need for data collection to improve services and offer consumer choice vs. potentially harmful online tracking of data and profiling by commercial actors.
There are also important links and overlaps with other legislative frameworks, amongst them the Digital Agenda for Europe, the Cross-border Patients’ Rights Directive, Clinical Trials, and of course eHealth. Hence EPHA also underscores that the “digital divide” must not become larger as a result of health literacy deficits.
Following the joint EU-US conference on “Privacy and protection of personal data” in March, the European Parliament (EP) has started working on the Commission texts, which will be handled by the EP’s Civil Liberties (LIBE) Committee during 2012 and 2013. The Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation) is handled by Rapporteur Jan Philipp Albrecht (Greens/EFA, Germany). In parallel, the Proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data is handled by Rapporteur Dimitrios Droutsas (S&D, Greece).
On 29 May, the LIBE Committee organised a workshop on the proposed Regulation. MEP Albrecht emphasised that a set of coherent and harmonised data protection rules will boost European businesses’ competitiveness and help better protect consumers’ rights. The workshop gathered stakeholders including MEPs, civil society representatives, lawyers, internet company representatives and other privacy experts and activists discussing the scope and principles, data subject rights, as well as data protection authorities and obligations for data controllers. Two days later, a debate took place on the whole package (Regulation and Directive), hosted by MEP Droutsas.
On June 21, the EP’s Internal Market and Consumer Protection (IMCO) Committee also exchanged its views on the proposed Regulation. The Rapporteur Lara Comi (EPP, Italy) focused on four main themes: 1) the main challenges presented by new technologies and which priority action needs to be taken; 2) the rights of data subjects and ensuring consumer protection in case of data breaches; 3) the relationship between authorities and data controllers; and 4) the link between the online and offline world, e.g. protecting children online and from misleading advertising.
Over the next few weeks EPHA will continue to monitor progress on the file, engage in stakeholder meetings, and develop a position in collaboration with its relevant Working Groups for distribution to policy makers and the media.