The Commission's proposed Data Protection Regulation (PDF) is a massive piece of legislation, and it touches many debates and issues: the right to be forgotten, the approach towards companies, what data protection really means to us as a society, the powers of the Commission, and the debates surrounding subsidiarity and having a comprehensive approach. I thought I'd note a few thoughts and impressions on the debate so far.
The Right to be Forgotten and what data protection means to us.
Data protection might be a right under EU Law (Article 8 of the Charter of Fundamental Rights), but it has a mixed profile across the EU. In some countries - particularly Germany; see this week's Der Spiegel for example - it is a prominent issue, but in others there isn't so much awareness. I think that this changes when you start to talk about the privacy issues behind the technical term "data protection" - how companies (such as Google and Facebook) process and use information on you, and how governments do the same for everything from welfare to law enforcement. It's about privacy, but it's also about the freedom of the individual in society: whether it is government or business, the individual shouldn't have their freedom in society unfairly limited because of how organisations collect and use data concerning them.
The EU is more advanced in many ways than the US when it comes to data protection/privacy, but there's also a debate on whether the EU is going too far, and if the EU just wants to turn the clock back to a privacy golden age or freeze privacy standards as they were before the internet. I personally think it goes deeper than a fear of the internet age - the principles of data protection can be found back in 1981 in a Council of Europe convention - and it's about a genuine cultural attitude to privacy.
A key debate about privacy and the internet age is the right to be forgotten (Article 17 in the proposal). Justice Commissioner Viviane Reding has recently said (in this week's privacy platform meeting) that it was part of the old 1995 directive on data protection (the law this regulation would replace), and that it was more a failure of the 1995 Directive that it couldn't be implemented properly. It's true that you could ask to have your data erased under the 1995 Directive, but the Regulation would impose an obligation for data controllers to try to contact those they may have transferred the data to, not to continue to publish or process it, so the right to be forgotten would be an innovation on the current law. Controllers only have to make a reasonable attempt to inform those they may have passed the data on to that the data subject has requested that their data be deleted, so they won't have to police the internet.
Should there be a right to be forgotten? I support a balanced right to be forgotten that respects the freedom of expression. Reding says that the right to be forgotten will only apply to data people themselves hand over, and it won't affect journalists or bloggers - but the proposal seems vague on this point, and there should be a more explicit attempt to balance the freedom of expression with data protection.
The Powers of the Commission.
As the proposal stands, there would be a LOT of delegated powers for the Commission, permitting the Commission to draw up some rules and definitions so that some articles can be implemented properly. This makes it difficult to know what parts of the Regulation will mean in practice. For example, Article 17(9) would give the Commission the power to draw up specific rules for the right to be forgotten in certain sectors - so the scope of the right to be forgotten can't really be explained on the basis of the current provision. Perhaps this is the provision Reding means when she says journalists will be exempt. With at least 26 such delegated powers (I haven't done a thorough count), it seems a sloppy approach to law-making by the Commission.
Subsidiarity and the Comprehensive Approach.
The Regulation won't cover the processing of data in the area of freedom, security and justice (this will be done by a proposed directive), a split in the general data protection framework that has been criticised by the European Data Protection Supervisor (PDF), among others, but both the Regulation and Directive will ensure that data protection rules apply to all data processing, not just for data that will cross borders. This has provoked a debate on subsidiarity: should all processing be covered; should the public sector be covered? Rather than a Regulation - which would mean a single, directly applicable law for the private and public sectors (except for justice and policing) - some call for a directive, so that Member States have more freedom to implement the law.
It's interesting to see the debate on subsidiarity around this law - I haven't seen much political debate on subsidiarity yet - and it seems that the implementation and legislation for rights is a key question for subsidiarity (traditionally the constitutional courts of Member States are keen to defend their role as guardians of citizens' rights, which may entail the trumping of EU law by national law). Practically, it doesn't make sense to have 27 differing laws on data protection since the added value for the internal market and citizens' rights is to have the same high standard everywhere with clear uniform rules on how those data protection rights can be exercised. And when you consider the impact of globalisation on data protection, having a single EU standard that can be defended and promoted globally makes sense in the long term when it comes to protecting our privacy laws. In addition, Article 16(2) TFEU gives the EU a more general legislative power/legal base on regulating data protection than simply in connection with the internal market, which is pretty unique when it comes to fundamental rights, so the institutions have a few cards in their favour to play for harmonisation.
There may be a consensus on the need for updated data protection laws, but there's still plenty of room for argument.