PRIVACY AND SURVEILLANCE - page 21

LILIAN MITROU & MARIA KARYDA
degree of regulatory harmonization in member states, its enforcement has been
diversified and inconsistent [5]. Moreover, the debate about the legal nature of IP
addresses, the notion of data and consent, the applicability of EU law to online
social networks and search engines signaled the need to ensure at least more
clarity (DPWP 2009a).
Principles like necessity, proportionality, data minimisation, purpose limitation
and transparency have been around for 25 or 30 years and have been confirmed,
even if not always properly enforced, over and over again (DPWP 2009a). They have
proved their usefulness and adequacy (Mitrou 2010). However, many argued that
the Data Protection Directive required at least “some maintenance”, if only because
it was conceived and adopted before the explosion of the Internet and the impacts
of this explosion on economy, society and every-day life” (EDPS 2011a). The
convergence of the network around a single interoperable platform, changes in
identification and authentication techniques, identity management and profiling, social
networks, cloud computing, behavioural advertising, RFIDs, geo-location devices
and applications have profoundly changed the way in which, and the extent to which,
data are processed and have posed crucial challenges for data protection.
Such technological challenges, as well as challenges resulting from social and
political changes and choices [6], threaten to make the application of data protection
rules at least more difficult. New technologies interwoven with the globalisation
of processing pose new risks for personal autonomy [7] and increase the imbalance
of power between the data subject and data controllers. The present array of
norms fails to shield users from risks and harms not easily remedied on an Inter-
5. Differences in the way that each EU country implements the law have led to an uneven level
of protection for personal data, depending on where an individual lives or buys goods and
services. The judgment of the European Court of Justice on case C-518/07 (Commission v.
Germany) has for example proved that there were and still are different approaches concerning
the independence of the Data Protection Authorities.
6. In the wake of each terrorist attack in Europe during the last decade, earlier legislative
proposals, which had no chance to be accepted, were re-introduced, and new policies with
similar objectives were drafted to extend state surveillance authority. Ubiquitous data
availability, widespread and often excessive information sharing, and surveillance, often via
automated means that are prone not only to errors but also to discriminatory effects, marked this
new security environment. After 9/11, many reference criteria changed and the guarantees were
reduced everywhere in the world, as shown particularly by the Patriot Act in the USA and the
European decisions on transfer of airline passenger data, the so-called PNR data, to the US as
well as on the retention of electronic communications data.
7. Increased automated analyses of easily-accessible data, data mining and excessive profiling
bear the risk of individuals becoming mere objects, treated (and even discriminated against)
on the basis of “profiles”, probabilities and predictions.