The European Union is currently reviewing the European Data Protection framework in order to ensure that European law is fit for purpose for the digital era, despite the parliamentary vote on amendments to data protection law has just been postponed for the third successive time.
EU ministers had been ready to decide whether or not to ratify the latest set of proposals in early July, but with two further postponements, the vote is now scheduled for October, with the aim of publishing the amended legislation before next May’s European elections.
Areas of particular concern include the safeguarding of individuals’ fundamental rights, as their data is used in ever more diverse ways, and fines of up to 2 per cent of global turnover are proposed for companies breaching the new legislation.
Although a tightening and strengthening of European data protection rules was first proposed in January 2012, the precise nature and extent of the changes are unknown and no significant agreements have been reached.
However, some changes may be inevitable, including more detailed record-keeping obligations for all organisations, compliance obligations imposed on data processors and mandatory privacy impact assessments.
The lack of progress, however, has fuelled fears that the legal system cannot keep pace with technological change where data collection, analysis and storage are concerned.
In fact, there is even controversy over the definitions of differing levels of privacy risk, from personally identifiable records through to truly anonymous information.
One attempt at compromise includes a definition of ‘pseudonymous data’, which is personal data processed in such a way that the data cannot be attributed to a specific individual, without the use of additional information, provided the additional information is kept separately.