Data protection : a challenge for the Churches as well
The coming revision of the EU data protection framework will not only involve debates about law but it will also offer an opportunity to discuss new social phenomena related to the Internet.
In late November the UK’s Information Commissioner served two organisations with the first financial penalties for serious data breaches. Hertfordshire County Council was ordered to pay £ 100,000 for incidents where highly sensitive personal information involving details of a child sexual abuse case and child custody were leaked. The competence to impose financial penalties for data breaches up to £ 500,000 is new in the UK, but it could soon be the reality in other countries.
Just a few weeks earlier, the European Commission published a long awaited Communication setting out the strategy for adapting the existing data protection legislation to meet the challenges brought about by the rapidly developing new technologies and globalisation. On the basis of the Communication, and the subsequent consultation running until 15 January, the Commission is expected to present concrete legislative proposals in mid 2011.
The EU rules protecting the right to privacy date back to 1995. Directive 95/46 on the protection of individuals with regard to the processing of personal data set a milestone in the history of the protection of personal data in the EU and was an inspiration for other countries. However, despite the fact that the Directive is built on neutral and solid formulations and strong data protection principles applying to all industries and technologies it can no longer meet new challenges. During the last 15 years the technology has developed so much that it has started to invade our private lives often without us realizing and understanding the consequences. Therefore, the revision became a matter of urgency.
The revision will also be a breakthrough from the institutional point of view. Directive 95/46 was based on the internal market provisions, as there was no other legal basis available. The Lisbon Treaty introduced a single legal basis for adopting data protection legislation in all fields, also encompassing police and judicial cooperation in criminal matters. Finally, the Charter of Fundamental Rights proclaims that the right to privacy is a fundamental right.
In short, the present Communication sketches a broad outline of the Commission's ideas, but carefully spells out the different options in terms of legislative and non-legislative measures that may be proposed. It is clear that any future framework will aim primarily at strengthening the rights of individuals in relation to the collection and the processing of their data. For data controllers and processors the framework would be stricter, more rigid and would involve more responsibilities. Additionally, the revision will include inter alia clarifying the definition of consent to collect and process personal data, simplifying the procedure for registration of databases, clarifying the rules on international data transfers. Possibly, a mandatory general data breach notification will be introduced.
Churches and church organisations administer databases and, like any other entities, must respect the law. For them the most important aspect of the revision might encompass new measures improving the exercise of the right of access, rectification, erasure or blocking of data. Moreover, the new law might strengthen the right of individuals to have their data deleted or removed when they are no longer needed for the purposes for which they were originally collected. Nowadays, when many people decide to leave the Church and demand the deletion of their personal data from parish records, Churches will have to be prudent about possible new obligations. The revision will not amend the basic rules concerning the processing of special categories of data such as those relating to religion and belief. However, the Commission wants to spell out the obligations of data controllers even more clearly. It might mean the necessity for revising internal Church policies relating to data security and data processing.
Data protection is not only about introducing laws to regulate and punish the violation of privacy. When millions of people push the limits of privacy by using online social networks like Facebook, it becomes difficult to define what is private and personal. New IT technologies clearly lead to new unprecedented social phenomena and trends, where people establish personal relations without personal contact and where the responsibility for the content of what is published online is blurred. The real challenge lies in understanding that law cannot be a tool to fix all social problems. It will be fascinating to follow the coming EU debates on data protection and to see how politicians deal with this question.