Data Protection Principles as Basic Foundation for Data Protection in EU/EEA


1
Data Protection Principles as Basic Foundation
for Data Protection in EU/EEA
  • Introduction to Data Protection Theory Seminar -
    AFIN
  • 31. 01. 2007
  • Stephen K. Karanja

2
Protection of Personal Data in EU and EEA
  • Main Data Protection Laws
  • OECD guidelines on protection of privacy and
    transborder flows of personal data - 1980
  • Council of Europe Convention for the protection
    of individuals with regard to automatic
    processing of personal data (ETS No 108) of 1981
  • EU Directive 95/46/EC on the protection of
    individuals with regard to the processing of
    personal data and on the free movement of such
    data
  • National data protection laws.
  • Norwegian Personal Data Act (PDA) 2000

3
What are Data protection Principles?
  • Abstractions from rules
  • Good practices
  • Safeguards
  • ECHR case law
  • Normative force
  • Balancing Interests
  • Influence new data protection laws
  • Principles and Interests (Norwegian interest
    theory)

4
Basic Principles
  • Fairly and Lawful
  • Minimality
  • Purpose Specification
  • Data Quality
  • Data Security
  • Sensitivity
  • Individual Participation
  • Constellation of rights
  ----------
  • Anonymity
  • Requirement for technological and organisational
    measures
  • Pseudonyms
  • Fully Automatic Decision Making Art. 15 Directive

5
Fairly and Lawful Principle
  • Art. 6(1)(a) Directive & 11(a) PDA: personal
    data must be processed fairly and lawfully
  • Most important principle
  • What does Fairly Mean?
  • Conform to laid down rules and procedures
  • Sensitive and take account of data subjects'
    interests and reasonable expectations:
    proportionality and balance
  • Transparency: not secret, no deception
  • What does Lawful Mean?
  • Legality principle: permitted by law or
    authorised
  • Done with lawful justification or excuse
    (legitimate) - Article 7 Directive & 8, 9 PDA
  • Article 8(2) ECHR case law
  • Transparency
  • Applies also to establishment of information
    systems

6
Minimality Principle
  • Art. 6(1)(e) 28 PDA
  • Necessary: personal data collected should be
    limited to what is necessary to achieve the
    purposes for which the data are gathered and
    further processed
  • What is necessary?
  • Art. 7 & 8 Directive
  • 8 & 9 PDA
  • Art. 8(2) ECHR case law: "a pressing social
    need", i.e. proportionate to the legitimate aim
    pursued. Incal v. Turkey (1998) 29 EHRR 449 57
  • SAS Braathens' request for taking passengers'
    fingerprints
  • Non-excessiveness, proportionality (to the
    purpose): Art. 6(1)(c) Directive & 11(d) PDA
  • Data erasure and anonymity: 11(e), 27 & 28 PDA

7
Purpose Specification Principle
  • Art. 6(1)(b) Directive & 11(b) PDA
  • Personal data shall be processed for specified,
    lawful/legitimate purposes and not processed in
    ways that are incompatible with those purposes.
  • Specified, defined or stated purpose
  • Lawful/legitimate purpose - proportionality
  • Further processing not incompatible with original
    purpose
  • Transparency
  • Entails also acceptance by society

8
Data Quality
  • Personal data should be valid with respect to
    what they are intended to describe, and relevant
    and complete with respect to the purpose for
    which they are intended to be processed. -
    Art. 6(1)(c)(d) Directive & 11(d)(e) PDA
  • Adequacy
  • Relevancy
  • Non-excessiveness
  • Accuracy
  • Up to datedness
  • Completeness
  • Rectification (supplement) and erasure or
    blocking
  • Data Controller should establish measures to
    ensure data quality

9
Data Security
  • Ensure that data are not destroyed accidentally
    and not subject to unauthorised access,
    alteration, destruction or disclosure - Art. 17
    Directive & 13 PDA
  • Implement appropriate technical and
    organisational measures
  • Securing technical equipment and networks
  • Contracts where processing is carried out on
    behalf of the controller
  • Accessibility

10
Sensitivity Principle
  • Limits the processing of certain types of data
    which are regarded as especially sensitive for
    data subject and requires specific safeguards as
    compared with other personal data - Art. 8
    Directive & 9 PDA
  • What is sensitive data?
  • Art. 8(1) Directive & 2(8) PDA: personal
    data revealing racial or ethnic origin, political
    opinions, religious or philosophical beliefs,
    trade-union membership, and health or sex life.
  • Data showing that a person has been suspected
    of, charged with, indicted or convicted of a
    criminal act.
  • Exemptions
  • Art. 8(2) Directive & 9 PDA
  • Personal Identity Numbers or other identification
    numbers or identifier of general application
  • 12 PDA: can only be used where there is an
    objective need for certain identification and it
    is necessary to achieve such identification
  • Data Inspectorate may require the use of PIN in
    order to ensure that the personal data are of
    adequate quality. (Privacy Enhancing Technology)

11
Individual Participation
  • A set of data subjects' rights. The rights are
    designed to enable data subjects to have a degree
    of control and participate in the processing of
    their personal data
  • Balance of power
  • Self-determination or individual control
    principle
  • The rights
  • Right of access: Art. 12 Directive & 18 PDA
  • Right to rectification, erasure and blocking
  • Right to information regarding automated
    decisions (Art. 15 Directive & 22 PDA)
  • Right to object: Art. 14 Directive
  • Adversely affect the data subject
  • Direct marketing
  • Obligation to notify or provide information
  • When data are collected from the data subject
  • When data are collected from other persons
  • In connection with the use of personal
    profiles: 21 PDA
  • Right to demand manual processing: 25 PDA

12
Exemptions
  • Rights are not always absolute. Exemptions allow
    processing of personal data where State or
    societal interests may override individual
    interests i.e. protection of fundamental values
    in a democratic society
  • Mitigate conflict or balance competing interests
  • General exceptions
  • Art. 3(2)
  • Art. 9 Directive
  • Art. 13 Directive & 22 PDA
  • Limitations provided for by legislative measure
    and must be necessary.
  • Specific exceptions
  • Sensitive data

13
Conclusion
  • The Principles dealt with here are the most
    fundamental but not all.
  • They are not all reflected in all national laws.
    There are differences and emphasis.
  • New principles may arise with the advancement of
    technology.