After weeks of suspense and rumors, last Wednesday the European Commission finally introduced long-awaited legislation to update the 1995 Data Protection Directive, the primary instrument governing personal privacy in Europe. These changes had been widely anticipated by the privacy community, and were spurred in large part by two distinct motivations: (1) the desire to provide users stronger rights over their personal information, and (2) a wish to harmonize divergent privacy laws across all the European Union.
Ironically, the same goals drove the passage of the first EU Data Protection Directive 17 years ago. At that time, there were few comprehensive privacy laws in Europe (or anywhere else, for that matter). The initial Directive required member states to pass enacting legislation codifying the principles contained within the document, whilst allowing for a margin of interpretation that would prove its limits in practice. In the intervening years, the EU’s 27 member states have all implemented and interpreted the Directive in varying ways, leading to a fair amount of confusion for companies offering services across the internal market. And while each country is slightly different, enforcement has been consistently spotty across the continent, leaving users with the suspicion that their information is not adequately protected as companies utilize increasingly sophisticated technologies to track user behavior.
Read more »