OPINION26 February 2010

For your information


The legal framework underpinning data protection laws in Europe is under review. So what does this mean for the research industry? Here, Efamro president Stig Holmer offers his view on current EU thinking, and argues that a new data protection directive is likely.

Last year the European Commission published a consultation on the legal framework for the fundamental right to protect personal data. The consultation sought views on new challenges to protecting individuals’ data. For research, data protection legislation is vital to what we do. It is the responsibility of all research organisations to ensure that they understand the legislation and implement it correctly on a corporate level.

The last review of the data protection directive in 2002 resulted in no change. However, on this occasion it is important to realise that, whatever the research sector does, a new directive is very likely, not least because of extensive changes to the EU’s legal and constitutional framework.

Since the consultation several developments have given an indication of likely changes ahead. First is the appointment of Viviane Reding as the new Commissioner for Justice, Fundamental Rights and Citizenship, with responsibility for data protection. Reding was previously Commissioner for Information Society and Media and led the revision of the telecoms directives last year. These contained provisions requiring internet service providers to notify customers and data protection authorities if their data had been lost or mishandled, and required informed consent for the use of cookies. Reding has already clearly stated her intention to expand mandatory data breach notification to all data controllers.

There have also been indications from the Commission that it is actively considering a new data protection principle of “privacy by design”. This principle would require privacy and data protection compliance to be designed into systems holding information right from the start, rather than being bolted on afterwards or ignored, as has often been the case in the past.

A third likely area for change is clarification of definitions, such as ‘personal data’ and ‘data controller’, to achieve more consistent data protection legislation across the union. There is a wide divergence in opinion and practice on all these matters across the EU, from the strict rights-based view employed in Germany to the more pragmatic risk-based approach of the UK. Greater harmonisation is likely. Consequently some countries’ practices are more likely to be affected than others.

Research had many positives to put forward in its submission to the consultation, which was prepared by Efamro and Esomar. Research has long had robust codes which enshrined the data protection principles long before the legislation was introduced, and we need to remind legislators of that. Research has a history of respecting data rights. Across Europe complaints about research are either low or non-existent. A recurring problem for research is that legislation introduced to address broader concerns such as direct marketing or behavioural advertising is drafted in such a way that research unintentionally becomes swept up into it.

In light of the potentially challenging political and legislative battles ahead, it is imperative that the research sector remains united, engaged and focused on putting forward a coherent case to protect its interests and the interests of those who rely on good-quality research.

The Efamro-Esomar submission was just the first step on this journey. We will need to have meetings with key individuals within the Commission, and to engage key suppliers in this process. Efamro is creating a forum for research privacy officers across the EU that will work to ensure that the interests of the sector are clearly and adequately put forward in the forthcoming directive revision.