European Information Systems and Data Protection as Elements of the European Administrative Union (3/3) – The Right to Privacy in the Light of Media Convergence –

hard to predict and thus opens new opportunities for research especially in
administrative science.
Another part of the IMI is an alert mechanism for dangers resulting from
cross-border services. Due to its increased (potential) intrusiveness, this
mechanism is perfectly suited as a showcase for the new concept of
privacy-by-design:[21] In order to limit (and minimize) access to the database,
different groups of actors (with access rights specifically tailored to their
respective needs) were created (IMI actors like competent authorities,
coordinators and the Commission; IMI users like request handlers, allocators,
referral handlers and local data administrators).[22] Different mechanisms
(checklists for the warning criteria, supervision by national coordinators)
were implemented in order to limit data transmissions to the data relevant to
the respective task.[23] Different standard settings within the IMI and the
creation of centralized recipient bodies in the member states shall ensure that
alert warnings are only sent to those member states which are really affected
by a danger resulting from cross-border services. Furthermore, participants are
frequently asked to check whether warnings (and the personal data connected
with them) have to remain in the system or whether they can be deleted; IMI
users are warned with on-screen pop-ups when they are about to distribute or
retrieve sensitive data; IMI users' data protection awareness shall be raised
during the IMI trainee programs as well as by data protection information and
privacy statements on the IMI website.
E. Deficient legal steering of the establishment of innovative information systems
While the Commission, as shown in the previous section, has proven to be aware
of data protection issues during the creation of the IMI, the creation of an
adequate legal (data protection) framework has proven difficult.
It seems remarkable that, unlike the provisions on the SIS, both legal acts
implemented through the IMI (i.e. the Professional Qualifications Directive
2005/36/EC and the Services Directive 2006/123/EC) do not contain any specific
rules providing a clear and detailed legislative basis for the processing of
data through an internal market information system. Even the creation of an
electronic information exchange system is only stipulated by the Services
Directive. (More) precise guidelines can only be found in two decisions and one
recommendation issued by the European Commission.
21 EDPS, letter of 27 July 2010, p. 3.
22 COM (2010) 170, p. 8.
23 COM (2010) 170, pp. 8–9.
384 Jens-Peter Schneider
This rather informal step-by-step approach was chosen by the European
Commission in order to field test the system first and draft the (legally
binding) rules on its use (which have to be enacted by the EU's legislative
authorities) later. Actually, a legislative proposal by the European Commission
(including proposals to extend the use of the system to other areas of the
internal market) is not to be expected before the summer of 2011.
Even though one has to be aware of the risks which often go along with the
process of legalization (which may hamper innovations without improving the
factual level of data protection),[24] it is inadvisable to advance innovations
in this privacy-relevant area without any legal safeguards or guidelines.
Rather, both the risks and potential of European information systems have to be
taken into account during their creation.[25]
F. Outlook
The European law on information management and data protection is constantly
changing. This dynamic is a major challenge for scholarly work in this field of
law. At the same time, it provides rewarding fields of work as well as
interesting academic perspectives. European law will steer administrative
information management and data protection more successfully than today only if
the future legislative framework is more coherent and intelligible without
neglecting justified claims for differentiations.
It is a key aspect of the research programme of the recently founded Research
Network on EU Administrative Law (ReNEUAL) to support such a reform by scholarly
work not compromised by any institutional or organizational bias.[26]
24 On the partly counterproductive juridification of data privacy protection
see: Hoffmann-Riem, see supra note 9, pp. 516 et seqq., pp. 526 et seqq.; on the
required scopes of regulation on innovation see: Hoffmann-Riem/Schneider (eds),
Rechtswissenschaftliche Innovationsforschung [jurisprudential research of
innovations], pp. 389 et seqq.
25 For the complications of the judicial guaranty of innovation responsibility
see: Eifert/Hoffmann-Riem (eds), in: Innovationsverantwortung [responsibility of
innovation], 2009.
26 See: http://www.reneual.eu/.