10.10.2014

eco Calls for Risk-Based Approach in European Data Protection Law

At the meeting of the EU Justice and Home Affairs Council this Friday in Luxembourg, another chapter in the reform of European Data Protection Law, one of the most important European legislative intentions for the digital world, is on the agenda. Oliver Süme, eco Director of Policy and Law, calls for a balanced solution for the Internet industry:

“In the reform of the European Data Protection Law, a risk-based approach should be taken. Only in this way can an appropriate balance be found between the various interests and the justified concerns in the area of data protection and in the use and processing of data.”

Specifically, the Internet industry suggests a precise definition of a range of risk levels for data processing and data usage: Not all personal data necessarily needs to be categorized as critical. “It is obvious that data in the health or banking sectors is particularly sensitive, and needs to be subject to an appropriate level of protection. Here, a risk-based approach is sensible, as it clarifies the varying levels and categories and allows for differentiation in the examination. The scope of the responsibility of a company should correspond to the risk and the danger ensuing from the data processing. In its current form, the numerous obligations for information, documentation and reporting in the draft directive are excessive, as a result of the lack of differentiation according to risk classes,” Süme explains.