Via Raul Mendez, Attorney, LLM IT Law, Privacy Expert in European Union international Privacy Law.
On March 31st, 2011, European Union Vice-President Viviane Reding announced that the new Privacy Directive will not unduly punish the industry. The industry here means Data Controllers who collect protected data in the European Union. She indicated that she holds five priorities in mind which will help businesses stay profitable in a highly protected data environment.
Her five priorities are:
1) HARMONIZATION OF LAWS WILL TRIGGER SAVINGS. There will be harmonization of regulations in all Member States. With this priority, Vice-President Reding explains, businesses present in all Member States will not find themselves in a patchwork of regulations;
2) THE NEW LAW WILL GIVE DATA CONTROLLERS ACCESS TO USERS WHO DO NOT CURRENTLY SHARE THEIR DATA. When users do not trust new technologies, the technology providers and data controllers do not have access to those who do not share their data for fear of misuse.
3) SIMPLIFY RULES FOR APPLICABLE LAWS. Data controllers handling data from many of the Member States have higher costs because of the legal uncertainty. The simultaneous application of several laws should be avoided. As a consequence, the cost of handling data from many Member States will be reduced.
4) FACILITATE, STREAMLINE AND IMPROVE THE INTERNATIONAL TRANSFERS OF DATA. With this principle, complex contractual agreements may be avoided if EU data standards are adopted by “groups of companies.” However, this principle will only become a reality once the new data protection directive is in force.
Meanwhile, intra-company standards rules will be officially included in the new directive. “Mutual Recognition” will then have to be followed by all of the Data Protection Authorities.
5) MAKING ONLY DELICATE PERSONAL DATA PROCESSING NOTIFICATIONS MANDATORY. With this principle, businesses will cut down red tape and costs.
The priorities do bring certainty, and the field is evened out for EU operators and non-adequate third-country operators.
However, the priorities make me think of what I have said in the past. The Safe Harbor Program will no longer be available. Rather, as I have also said in the past, there will be a system similar to that of contractual agreements. It perhaps will be more of a self-submitting intra-company standards rules which will have to be approved by the DPA with the most significant contacts.
By integrating self-submitting intra-company standards, two issues are solved:
1) JURISDICTION. By willingly indicating that a data controller will submit to and follow the laws of a Member State’s jurisdiction, the data controller becomes amenable to service and the possibility of being sued (maybe class action suits) for violations of the privacy directives.
2) UNIFORMITY AND AUTOMATION. Specific types of company standards will make it easier to sort out the data controllers. Perhaps, resources will be better allocated. DPAs may deputize different assistant DPAs depending on the industry, the type of violations and the possible fines and sanctions. DPAs may possibly be able to use automated administrative judges in minor cases of violations of privacy. This type of administration of justice is currently being researched in universities across the European Union.
If I were a data controller I would probably be doing the following:
a) Assess which of the 27 Member States has the most significant contacts with the Data Controller. Perhaps the location of the EU headquarters will do, but Member State shopping may be frowned upon;
b) Perhaps start planning the adoption of EU Data compliant procedures for the Data Controller and its processors;
c) Appoint an agent in one of the 27 Member States.
However, we will not have a full picture until the summer when the first proposal will be published. I cannot wait to see it.
(Source: linkedin.com)