European Data Protection Law: A Brief Outlook
András Jóri, Parliamentary Commissioner for Data Protection and Freedom of Information, Hungary
ICTtrain Training Session, 7 January 2009
A short introduction
- 3rd Parliamentary Commissioner of DP and FOIA
- Elected by the Parliament for 6 years with a 2/3 majority of the MPs
- Reports to the Parliament only
A short introduction
- Main tasks:
  - Data protection supervision
  - Freedom of information supervision
  - Supervision of the procedure of classification of state secrets
  - Giving opinions on bills and other draft legislative instruments
  - Examination of complaints
  - Ex officio procedures
- 45 staff members (mostly lawyers)
The presentations of today’s session
- European Data Protection Law: A Brief Outlook
- What is data protection? What is privacy?
- A short history of European data protection
- Challenges and criticism
- The European Data Protection Directive and the activity of the Article 29 Working Party
- Data protection audit and data protection issues in the telecom sector
- Privacy on the Internet
The notion of data protection
- Data protection means the legal protection of an individual’s privacy through regulating the processing of her/his personal data and safeguarding certain rights relating to this data
- It appeared in Europe as an answer to the dangers of electronic data processing, which was becoming widespread during the IT revolution, beginning with the 1970s
What is privacy?
- a claim, entitlement or right of an individual to determine what information about himself (or herself) may be communicated to others;
- the measure of control an individual has over information about himself (information privacy, data privacy), intimacies of personal identity, or who has sensory access to him;
- a state or condition of limited access to a person, information about him, intimacies of personal identity (Ferdinand Schoeman)
- The right to privacy is “the right to be left alone” (Brandeis)
Data protection and data security
- Data protection: a tool of privacy protection, aimed at personal data
- Data protection is always legal protection
- Data security means the protection of the integrity and confidentiality of data, irrespective of the information content and legal qualification of data
- Data security is served by legal, technical and organizational measures
Data protection and data security
- Complex network of connections between data protection and data security:
  - Most data protection laws contain rules on data security
  - In an open network environment, data security tools might be at least as effective tools for privacy protection as data protection laws are (PET technologies)
  - Data security tools might be objects of legal regulation themselves (e.g. “strong” encryption)
What are personal data?
- 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Directive 95/46/EC)
A brief history of DP law
- USA: The Right to Privacy (1890)
- Brandeis, “Subtler and more far reaching means of invading privacy have become available to the government. Discovery and invention have made it possible for the government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet”
- Orwell: 1984
- WWII: Misuse of state databases
- The widespread use of computerized data processing
A brief history of DP law
- First data protection act: Hesse (Germany), 1970
- The primary goal of the first acts was to safeguard the transparency of the large – primarily state-owned – databases
- They ensure some rights (primarily the right of access and rectification) that will later become parts of the right of informational self-determination
- Obligations concerning registering the databases containing personal data appear
A brief history of DP law
- 1983: German Constitutional Court Decision (Volkszählungsurteil): the right of informational self-determination was born
- This right includes “the authority of the individual to decide himself, on the basis of the idea of self-determination, when and within what limits based on the principle of self-determination to determine in what information about his private life should be communicated to others and to what extent.”
A brief history of DP law
- 1980: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  - Collection Limitation Principle
  - Purpose Specification Principle
  - Use Limitation Principle
  - Security Safeguards Principle
  - Openness Principle
  - Individual Participation Principle
  - Accountability Principle
A brief history of DP law
- 1981: Council of Europe Convention for Data Protection (Convention For the Protection of Individuals with Regard to Automatic Processing of Personal Data)
- EU encouraged member states to adopt the convention
A brief history of DP law
- … but the undesirable divergence of national legislations continues:
- EU Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
A brief history of DP law
- The Directive had to be implemented by the member states by 1998
- Double objective: “(1) In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. (2) Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.”
- Which is the primary objective?
A brief history of DP law
- Main provisions of the Directive:
  - it applies to “the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.”
  - Data quality (fair and lawful data processing; specified purpose; legitimate purpose etc.)
  - “Criteria for making data processing legitimate”: the Directive lists the cases in which the national legislation of a Member State may make the processing of personal data (including special data) possible
  - Rights of the data subjects (the right to receive information, the right of access, the right to object)
  - Notification
  - Supervisory authority
  - Judicial remedy and sanctions
  - Personal data transfer to third countries
A brief history of DP law
CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection
(EU Directive, Article 7)
Data protection in the world today
- Europe: EU member states (and most other states) have implemented data protection acts based on the Directive
- (In certain European states, based on the right of informational self-determination; level of protection varies considerably)
- US: patchwork regulation, industry self-regulation schemes (US privacy regulation system is not “adequate” according to EU standards)
- Safe Harbour Agreement, PNR data
- EU-style data protection regimes appear in Asia, Canada and South-America
Do we need data protection law? Cons
- According to other theorists, DP law causes social costs without benefits
- Richard A. Posner: An Economic Theory of Privacy, 1981
- More information on one’s private life means more gains both for the society and for the individual (examples: taxation, employer-employee relationship, marriage, friendship)
- Secrets cause costs
- Privacy (and data protection) is a right of the deceivers to conceal shameful facts about themselves
Do we need data protection law?
- According to mainstream European constitutional lawyers: yes, we do
- German Constitutional Court, 1983: Privacy “is endangered primarily by the fact that, contrary to former practice, there is no necessity for reaching back to manually compiled cardboard-files and documents, since data concerning the personal or material relations of a specific individual (personal data) can be stored without any technical restraint with the help of automatic data processing, and can be retrieved any time within seconds, regardless of the distance. Furthermore, in case of creating integrated information systems with other databases, data can be integrated into a partly or entirely complete picture of an individual, without the informed consent of the subject concerned, regarding the correctness and use of data.”
- The Court stated that the situation can be dangerous both to the individual’s right of self-determination and to democratic society “if one cannot with sufficient surety be aware of who knows what about them. Those who are unsure if differing attitudes and actions are ubiquitously noted and permanently stored, processed or distributed will try not to stand out with their behavior. Those who count with the possibility that their presence at a meeting or participation in a civil initiation might be registered by the authority, may perhaps abandon practicing their basic rights”
Do we need data protection law?
- The role of privacy in building and determining our own identity is crucial
Lack of consent
- Between cultures…
Lack of consent
- Between generations…
- The success of social networking sites: generational gap between the privacy-savvy parents and the kids eager to show themselves
But the dangers are still here: the AOL search database case
The future?
- Third-generation data protection acts (TDDSG, 1997)
- Privacy protection beyond data protection (IT-Grundrecht, German Constitutional Court, 2008)
The future?
- Without privacy protection “freedom will diminish in such an unnoticed way as clean water and air have” (László Sólyom)
Thank you for your attention!
jori@obh.hu
www.obh.hu/adatved
www.dataprotection.eu