Strengthening the rights of the individual
“We are going to strengthen the individual's rights,” Kwasny told us. “For instance, the convention so far did not foresee any formal rights of opposition to data protection by the individual. This will be introduced.”
She said that the Council is making a new distinction between controllers and processors of data which does not exist in the current text. She added that the chains of responsibility and obligation relating to each of these need to be addressed, and the Council wants to clarify these for all parties.
She also said that companies will need to provide greater transparency. “There was already a right of information of the individual. They had the right to be informed of the processing [of their data], but this idea of introducing transparency into the convention would mean that the processor [and] the controller [of information] need a pro-active approach to it.”
However, Kwasny said that accountability, where businesses are held responsible for the use of data, and privacy by design, where businesses implement features that protect privacy at the early design stages of their products, are two things the Council wants to integrate.
“We don't expressly refer to those, but we translate them into action that [companies] have to take.”
We queried why these two areas are not explicitly stated in the updated convention proposals and how companies will know about them if they are implied rather than stated.
Kwasny said that these are relatively new principles, that privacy by design is a requirement and that many companies are already fully aware of it and are trying to implement it. She said that for those who are not aware of it, however, it will be in the law. Of course, the fact that it is not explicitly stated raises questions over how effective the convention will be at getting more companies to introduce privacy by design in the first place.
This approach of leaving out specifics appears to be intentional, however, as one of the key points of the proposal is to ensure “technologically neutral provisions”, which means that the text of the convention will not explicitly refer to any specific technology, in the same way that the original convention was extremely broad in its wording.
“If today we were to refer to a specific category of technology I think in two years' time the text would be completely outdated, which would be worse,” Kwasny said. “The neutrality in the reference to the technology is vital. That's what will sustain the protection.”
The Council also wants to bring in a requirement for provisional notification of data security breaches, but Kwasny said that it needs to be nuanced and will likely only come into play when a certain volume or type of data is exposed in a breach.
Kwasny said that this already exists within the EU in terms of the telecommunications industry, but that the EU might extend these rules to all areas that deal with data processing.
The Council believes that its proposals are “an open instrument” and that the convention was drafted with a global perspective in mind. The Council is particularly keen to promote adoption of the convention throughout the world, since data protection is a global issue.
Kwasny said that trans-border data flows will likely be the most difficult part of the proposals to address. “Either we get it right what we put in the provisions on data flows and it will secure really global potential at the convention [or] it will be too cumbersome or too difficult.”
The idea behind trans-border data flow is that all participating countries ensure there is a free flow of data between them and that data protection is not used as an obstacle to prevent this. This approach would also apply to the flow of information to countries that do not adhere to the convention, provided there is an adequate level of data protection in place.