Towards a European Data Protection Regulation - The Commission's Proposal and Recent Developments

Bernhard Schima, EU Fellow, Yale University; European Commission, Legal Service

Presentation Transcript


  1. Towards a European Data Protection Regulation – The Commission's Proposal and Recent Developments
     Bernhard Schima, EU Fellow, Yale University; European Commission, Legal Service

  2. Primary law sources of data protection
     • Article 8 ECHR as a general principle
     • Article 8 Charter: data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law
     • Article 16 TFEU

  3. Evolution of secondary law sources
     • Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
     • Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector
     • Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
     • Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

  4. Current situation
     • Directive → to be implemented by Member States → significant differences possible
     • Dates from 1995, hardly amended → needs to be modernized
     • Internal market as a legal basis → narrower mandate for the EU legislator

  5. State of legislative process I
     • Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – COM(2012) 11 final, 25 January 2012
     • Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data – COM(2012) 10 final, 25 January 2012

  6. State of legislative process II
     • EP rapporteurs Jan-Philipp Albrecht and Dimitrios Droutsas; initially almost 4000 amendments, reduced to just over 100 compromise amendments; report of the LIBE committee voted on 21 October 2013
     • MS in Council need to adopt a general approach to start negotiating with EP and COM
     • European Council of 24/25 October 2013 refers to the need for the “timely adoption of a strong EU General Data Protection framework”, but also to “the completion of the Digital Single Market by 2015”

  7. Double objective – Article 1
     • Protection of individuals with regard to the processing of personal data
     • Free movement of personal data

  8. Key definitions – Article 4 – I
     • Data subject: an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used [EP: delete phrase in bold] by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
     • Personal data: any information relating to a data subject

  9. Key definitions – Article 4 – II
     • Processing: any operation or set of operations which is performed upon personal data or sets of personal data
     • Controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data
     • Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller

  10. Material scope – Article 2
     • Processing of personal data
     Not covered:
     • Processing outside the scope of EU law, in particular national security
     • Union institutions (own rules)
     • National authorities in the context of criminal law (own rules)

  11. Territorial scope – Article 3
     • Activities of an establishment of a controller or a processor in the Union
     • Processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union [EP: even for free]; or (b) the monitoring of their behaviour [EP: the monitoring of the data subjects]

  12. Principles – Article 5
     Processing of personal data must be limited to the situations in which it is allowed by the Regulation and must take place in accordance with certain principles (in particular: transparency vis-à-vis the data subject, minimization, responsibility and liability of the controller).

  13. Consent – Articles 4(8) and 7
     • Only one of the grounds that make data processing legitimate
     • Freely given, specific, informed and explicit – by statement or clear affirmative action
     • Burden of proof on the controller
     • Consent to processing must be distinguishable
     • Right to withdraw
     • Consent not a basis for processing in cases of significant imbalance between data subject and controller [EP: delete last provision, but add further limits on validity of consent and conditions for requesting consent]

  14. Rights of the data subject – Art. 11 et seq.
     • Transparent and easily accessible policies of the controller
     • Information to be provided by the controller in clear terms and, in principle, free of charge
     • Right of access
     • Right to be forgotten and to erasure
     • Portability

  15. Right to be forgotten and to erasure – Article 17
     • Right to obtain erasure from the controller
     • But what if the data have already been made public?
     • Controller to take all reasonable steps, including technical measures, to inform third parties of the request for erasure [EP: more stringent obligation on the controller to take all reasonable steps to have the data erased]
     • Not an absolute right (freedom of expression, public interest)
     • Restriction on processing as an alternative in certain cases

  16. Profiling – Article 20 – Definition
     Automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

  17. Profiling – Article 20 – Rules
     Prohibited in principle where it is the only basis for the adoption of a measure which produces legal effects concerning this natural person or significantly affects this natural person.
     Allowed where
     • carried out in the course of the entering into, or performance of, a contract, where the request for entering into or performance of the contract, lodged by the data subject, has been satisfied or suitable measures to safeguard the data subject's legitimate interests are in place
     • expressly authorized by EU or national law + suitable safeguards
     • based on consent + suitable safeguards

  18. Data protection by design – Article 23(1)
     Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. [EP proposes to make this obligation a lot more concrete.]

  19. Data protection by default – Article 23(2)
     The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

  20. Data breach notification – to the competent authority – Article 31
     In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours. [EP: removes the 24 hours and refers to 72 hours in a recital only.]

  21. Communication to the data subject – Article 32
     When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall … communicate the personal data breach to the data subject without undue delay.

  22. Data protection impact assessment – Article 33
     • Replaces general and rather ineffective notification obligations
     • Procedure required for processing operations which present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes (followed by a list of examples) [EP proposes to add a risk analysis and to enlarge the categories of cases likely to present specific risks. EP also proposes a compliance review once the operation for which an impact assessment was made has been carried out.]

  23. Data protection officers – Article 35
     • Compulsory where (a) processing is carried out by a public authority or body; or (b) processing is carried out by an enterprise employing 250 persons or more [EP: refer rather to the importance of data processing than to the size of the enterprise]; or (c) the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects
     • Role: advise and monitor

  24. Transfers to third countries – Article 40 et seq.
     • Principle unchanged: the third country must ensure an adequate level of protection
     • Powers of COM reinforced (Article 41)
     • Positive and negative decisions
     • Criteria: rule of law, relevant legislation, effective remedies, independent supervision, international commitments

  25. Transfers to third countries – Article 40 et seq.
     • Where there is no COM decision, transfer only by way of appropriate safeguards (Article 42)
     • Binding corporate rules, standard data protection clauses or contractual clauses [Safe Harbour continues to apply]
     • or on the basis of a limitative list of derogations (Article 44)

  26. One-stop-shop – Article 51(2)
     • Controller or processor established in more than one Member State: the supervisory authority of the main establishment of the controller or processor is competent for the supervision of the processing activities of the controller or the processor in all Member States
     • EP: lead authority instead (Article 54a)
     • Council: major issue in discussions

  27. Co-operation and consistency – Article 55 et seq.
     • Consistency mechanism for measures with EU-wide impact
     • Submitted for opinion to the newly created European Data Protection Board
     • COM opinion possible
     • In exceptional cases, COM may suspend a measure of a national data protection authority for a maximum of 12 months

  28. Remedies, liability, sanctions – Art. 73 et seq.
     • Complaint with the supervisory authority
     • Judicial remedy against a supervisory authority
     • Judicial remedy against the controller or processor (in the MS of establishment of the controller or processor or in the MS of residence of the data subject)

  29. Fines – Article 79
     • Effective, proportionate and dissuasive
     • Graded in line with the severity of the violation
     • Up to 1 000 000 EUR or 2 % [EP: up to 5 %] of annual worldwide turnover for the most serious violations

  30. Thank you for your attention!
     bernhard.schima@yale.edu
