
Implementation of Personal Data Protection Strategy

Implementation of Personal Data Protection Strategy. Kick-off Event 7.2.2011 Expert Workshop Presentation by Christof Tschohl Legal Researcher Ludwig Boltzmann Institute of Human Rights (BIM), Austria. The Bridge between Technique and Law in Data Protection Matters.


Presentation Transcript


  1. Implementation of Personal Data Protection Strategy Kick-off Event 7.2.2011 Expert Workshop Presentation by Christof Tschohl Legal Researcher Ludwig Boltzmann Institute of Human Rights (BIM), Austria The Bridge between Technique and Law in Data Protection Matters

  2. Data Protection and modern Information Technology
     The idea of Data Protection is not new!
     • No mere creation of modern information society and information technology
     • Since the idea of a liberal society and freedom of citizens broke through
     • The first European Constitutions more than 150 years ago (common history)
     • Sanctity of the Home and Secrecy of Letters → mandatory: based in law and only due to a judicial decree
     • New is the increasing dimension of the possible interference due to technology
     • Use of modern technology is widespread and standard in modern society
     • Improvement for the flow of information and therefore the democratic capacity
     • But also bears a huge potential of control over citizens and society
     • EU Acquis contains both – Protection and Invasion for Privacy
     • States' Margin of Appreciation within transformation – especially technical details

  3. Legislation and the determination of technical means
     • Legislation necessarily has to cover a wide range of possible circumstances
     • Thus it has to be more cursory and can hardly catch every detailed question
     • Law must be clear enough to determine what is allowed or not
     • At the same time → sufficient range for the Single European Market
     • Private Autonomy / Technology Neutrality / Free Flow of Information
     • The (nearly) boundless possibilities of technology vs. necessity of lawful limitations
     • Technical development concentrates first on increasing the possibilities and reducing the limitations
     • “what is allowed is up to the management and the lawyers”
     • Technical solutions necessarily have to deal with all details
     • “it must not be understood by everyone, it just must work”
     • EU Acquis contains both – Protection and Threats for the information society
     • States' Margin of Appreciation – especially in technical details

  4. Similarities of the Disciplines Technique and Law
     • Both need to determine in substance the purpose and the scope of the “Application”
     • Technique is often just the “vehicle” to transpose the law
     • Both need to define the organisational environment and the procedures
     • Technique often just effects the procedural decisions of law or management
     • Both need to anticipate the non-conformance-scenarios
     • Necessary to define the process if it doesn’t work like it should
     • Finally both need to serve the Humans, and not the other way around!

  5. The “Bridging”-Necessity and the Intersection Points
     • Not every technique-relevant norm must contain detailed technical determination
     • Just as technology does not need to stick to legislative requirements everywhere
     • We need to identify the “entry points” where technology must be limited
     • to keep the basic rule of law – principle effective
     • Legislation needs to understand the level of interference due to technology
     • Means some kind of “Risk Assessment” on a more abstract level
     • Where specific risks are identified → necessity for clear determination of the purposes which have to be accomplished by technical means
     • No blanket delegation of the technical transposition

  6. Example of a “Bridge-Norm” in Montenegrin PDPA
     • Article 7 para 2 PDPA:
     • “(…) If the processing of personal data is carried out by electronic means, the personal data filing system controller must ensure that the information system automatically records the recipients of personal data, data which were processed, legal grounds for the use of personal data, time of logging on to the system and time of logging out of the system.”
     • → very modern and highly interesting approach!
     • Technical terms likely need to be specified by law or regulation
     • “carried out by electronic means”:
     • Is hereof covered e.g. every e-mail which contains personal information?
     • “information system automatically records”:
     • Has the recording system to ensure on a technical level that this logging cannot be altered (revision security)?

  7. Possible Ways to build the Bridge
     • Already in the process of legislation there should be sound communication between Lawyers and Engineers
     • By forming working groups which should seek a good balance between people from both disciplines
     • Working groups need sufficient time and occasions for understanding each other
     • Stakeholders often need first to launch their interests, only workgroups on a regular basis give enough room for understanding the “cracking points”
     • Achievements of such “Translation Work” should be documented and available
     • For the following practice as well as further developments → Sustainability

  8. Q & A Thank you for your attention! I am looking forward to your questions!

  9. Component I: Harmonization of legislation with EU Data Protection standards
     • Further Harmonization
     • Register of filing systems and controllers
     • Analysis of compliance with EU Acquis
     • Action plan and formation of working groups
     • Identifying regulations to be adjusted
     • Analysis of domestic Legislation regarding Personal Data

  10. Component II: Training on Data Protection
     • Training for private sector
     • Training for public institutions
     • Training for state authorities
     • Linked to Component I: Activities 1.7. + 1.8.
     • Manuals
     • Manuals for filing system controllers and citizens (Component I)
     • Revision of professional training plan
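
The "revision security" question raised on slide 6 for Article 7 para 2, as an added example that is not part of the original presentation: an append-only access log in which every entry carries an HMAC over its content and the previous entry's MAC, so a later edit or a removed entry is detectable. The field names, the key handling and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Fields taken from the Article 7 para 2 wording; the key names are assumptions.
REQUIRED = ("recipient", "data_processed", "legal_ground", "logon", "logoff")

def _mac(key, prev, record):
    # Canonical JSON so the same record always produces the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append(log, key, **record):
    """Add one access record, chained to the previous entry's MAC."""
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        raise ValueError(f"missing Article 7(2) fields: {missing}")
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "prev": prev, "mac": _mac(key, prev, record)})
    return log[-1]["mac"]  # new head; store a copy outside the logging system

def verify(log, key, anchored_head=None):
    """Return None if intact, else the index of the first entry that fails.

    A return value equal to len(log) means the entries present are valid but
    the chain does not end at anchored_head (entries removed from the tail).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        good = _mac(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], good):
            return i
        prev = entry["mac"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return None

def demo():
    key = b"constructed-demo-key"  # in practice held by an auditor, not the operator
    log = []
    append(log, key, recipient="Agency A", data_processed="subject 17: address",
           legal_ground="statutory request (constructed)",
           logon="2011-02-07T09:00:00Z", logoff="2011-02-07T09:04:10Z")
    head = append(log, key, recipient="Agency B", data_processed="subject 17: income",
                  legal_ground="consent (constructed)",
                  logon="2011-02-07T10:15:00Z", logoff="2011-02-07T10:16:30Z")
    intact = verify(log, key, head)
    log[0]["record"]["recipient"] = "Agency C"  # after-the-fact edit
    return intact, verify(log, key, head)
```

Without a head value kept outside the system, removing the newest entries leaves a chain that still verifies, which is why `verify` accepts `anchored_head`.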
