European Data Protection Law: A Brief Outlook Andr

1
European Data Protection LawA Brief
OutlookAndrás JóriParliamentary Commissioner
for Data Protection and Freedom of Information,
HungaryICTtrain Training Session, 7 January 2009
2
A short introduction

• 3rd Parliamentary Commissioner of DP and FOIA
• Elected by the Parliament for 6 years with a 2/3
  majority of the MPs
• Reports to the Parliament only

3
A short introduction

• Main tasks
• Data protection supervision
• Freedom of information supervision
• Supervision of the procedure of classification of
  state secrets
• Giving opinions on bills and other draft
  legislative instruments
• Examination of complaints
• Ex officio procedures
• 45 staff members (mostly lawyers)

4
The presentations of todays session

• European Data Protection Law A Brief Outlook
• What is data protection? What is privacy?
• A short history of European data protection
• Challenges and criticism
• The European Data Protection Directive and the
  activity of the Article 29 Working Party
• Data protection audit and data protection issues
  in the telecom sector
• Privacy on the Internet

5
The notion of data protection

• Data protection means the legal protection of an
  individuals privacy through regulating the
  processing of her/his personal data and
• safeguarding certain rights relating to this data
• appeared in Europe as an answer to the dangers of
  electronic data processing which were becoming
  widespread during the IT revolution, beginning
  with the 1970s

6
What is privacy?

• a claim, entitlement or right of an individual to
  determine what information about himself (or
  herself) may be communicated to others the
  measure of control an individual has over
  information about himself
• ? information privacy, data privacy
• intimacies of personal identity, or who has
  sensory access to him
• a state or condition of limited access to a
  person, information about him, intimacies of
  personal identity
• (Ferdinand Schoeman)
• The right to privacy is the right to be left
  alone (Brandeis)

7
Data protection and data security

• Data protection a tool of privacy protection,
  aimed at personal data
• Data protection is always legal protection
• Data security means the protection of the
  integrity and confidentiality of data,
  irrespective of the information content and legal
  qualification of data.
• Data security is served by legal, technical and
  organizational measures

8
Data protection and data security

• Complex network of connections between data
  protection and data security
• Most data protection laws contain rules on data
  security
• In an open network environment, data security
  tools might be at least as effective tools for
  privacy protection as data protection laws are
  (PET technologies)
• Data security tools might be objects of legal
  regulation themselves (eg. strong encryption)

9
What are personal data?

• 'personal data 'shall mean any information
  relating to an identified or identifiable natural
  person ('data subject') an identifiable person
  is one who can be identified, directly or
  indirectly, in particular by reference to an
  identification number or to one or more factors
  specific to his physical, physiological, mental,
  economic, cultural or social identity (Directive
  95/46/EC)

10
A brief history of DP law

• USA The Right to Privacy (1890)
• Brandeis, "Subtler and more far reaching means of
  invading privacy have become available to the
  government. Discovery and invention have made it
  possible for the government, by means far more
  effective than stretching upon the rack, to
  obtain disclosure in court of what is whispered
  in the closet
• Orwell 1984
• WWII Misuse of state databases
• The widespread use of computerized data
  processing

11
A brief history of DP law

• First data protection act Hesse (Germany), 1970
• The primary goal of the first acts was to
  safeguard the transparency of the large
  primarily state-owned databases
• They ensure some rights (primarily the right of
  access and rectification) that will later become
  parts of the right of informational
  self-determination
• Obligations concerning registering the databases
  containing personal data appear

12
A brief history of DP law

• 1983 German Constitutional Court Decision
  (Volkszählunsurteil) the right of informational
  self-determination was born
• This right includes the authority of the
  individual to decide himself, on the basis of the
  idea of self-determination, when and within what
  limits based on the principle of
  self-determination to determine in what
  information about his private life should be
  communicated to others and to what extent.

13
A brief history of DP law

• 1980 OEDC Guidelines on the Protection of
  Privacy and Transborder Flows of Personal Data
• Collection Limitation Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability Principle

14
A brief history of DP law

• 1981 Council of Europe Convention for Data
  Protection (Convention For the Protection of
  Individuals with Regard to Automatic Processing
  of Personal Data)
• EU encouraged member states to adopt the
  convention

15
A brief history of DP law

• but the undesirable divergence of national
  legislations continues
• EU Data Protection Directive (Directive 95/46/EC
  of the European Parliament and of the Council of
  24 October 1995 on the protection of individuals
  with regard to the processing of personal data
  and on the free movement of such data)

16
A brief history of DP law

• The Directive had to be implemented by the member
  states by 1998
• Double objective
• (1) In accordance with this Directive, Member
  States shall protect the fundamental rights and
  freedoms of natural persons, and in particular
  their right to privacy with respect to the
  processing of personal data.
• (2) Member States shall neither restrict nor
  prohibit the free flow of personal data between
  Member States for reasons connected with the
  protection afforded under paragraph 1.
• Which is the primary objective?

17
A brief History of DP law

• Main provisions of the Directive
• it applies to the processing of personal data
  wholly or partly by automatic means, and to the
  processing otherwise than by automatic means of
  personal data which form part of a filing system
  or are intended to form part of a filing system.
  
• Data quality (fair and lawful data processing
  specified purpose legitimate purpose etc.)
• Criteria for making data processing
  legitimate. the Directive specifies items of
  cases when the national legislation of a Member
  State renders personal data processing (including
  special data) possible
• Rights of the data subjects (the right to receive
  information the right of access, the right to
  object)
• Notification
• Supervisory authority
• Judicial remedy and sanctions
• Personal data transfer to third countries

18
A Brief History of DP law

• CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
• Member States shall provide that personal data
  may be processed only if
• (a) the data subject has unambiguously given his
  consent or
• (b) processing is necessary for the performance
  of a contract to which the data subject is party
  or in order to take steps at the request of the
  data subject prior to entering into a contract
  or
• (c) processing is necessary for compliance with a
  legal obligation to which the controller is
  subject or
• (d) processing is necessary in order to protect
  the vital interests of the data subject or
• (e) processing is necessary for the performance
  of a task carried out in the public interest or
  in the exercise of official authority vested in
  the controller or in a third party to whom the
  data are disclosed or
• (f) processing is necessary for the purposes of
  the legitimate interests pursued by the
  controller or by the third party or parties to
  whom the data are disclosed, except where such
  interests are overridden by the interests for
  fundamental rights and freedoms of the data
  subject which require protection
• (EU Directive, Article 7)

19
Data protection in the world today

• Europe EU member states (and most other states)
  have implemented data protection acts based on
  the Directive
• (In certain European states, based on the right
  of informational self-determination level of
  protection varies considerably)
• US patchwork regulation, industry self-regulatin
  schemes (US privacy regulation system is not
  adequate according to EU standards)
• Safe Harbour Agreement, PNR data
• EU-style data protection regimes appear in Asia,
  Canada and South-America

20
Do we need data protection law? Cons

• According to other theorists, DP law causes
  social costs without benefits
• Richard A. Posner An Economic Theory of Privacy,
  1981
• More information on ones private life means more
  gains both for the society and for the individual
  (examples taxation, employer-employment
  relationship, marriage, friendship)
• Secrets cause costs
• Privacy (and data protection) is a right of the
  deceivers to conceal shameful facts about
  themselves

21
Do we need data protection law?

• According to mainstream European constitutional
  lawyers yes, we do
• German Constitutional Court, 1983
• Privacy is endangered primarily by the fact
  that, contrary to former practice, there is no
  necessity for reaching back to manually compiled
  cardboard-files and documents, since data
  concerning the personal or material relations of
  a specific individual (personal data) can be
  stored without any technical restraint with the
  help of automatic data processing, and can be
  retrieved any time within seconds, regardless of
  the distance. Furthermore, in case of creating
  integrated information systems with other
  databases, data can be integrated into a partly
  or entirely complete picture of an individual,
  without the informed consent of the subject
  concerned, regarding the correctness and use of
  data. The Court stated that the situation can be
  dangerous both to the individuals right of
  self-determination and to democratic society if
  one cannot with sufficient surety be aware of who
  knows what about them. Those who are unsure if
  differing attitudes and actions are ubiquitously
  noted and permanently stored, processed or
  distributed will try not to stand out with their
  behavior. Those who count with the possibility
  that their presence at a meeting or participation
  in a civil initiation might be registered by the
  authority, may perhaps abandon practicing their
  basic rights-

22
Do we need data protection law?

• The role of privacy in building and determining
  our own identity is crucial

23
Lack of consent

• Between cultures

24
www.familywatchdog.us
25
www.familywatchdog.us
26
www.familywatchdog.us
27
www.familywatchdog.us
28
Lack of consent

• Between generations
• The success of social networking sites
  generational gap between the privacy-savvy
  parents and the kids eager to show themselves

29
But the dangers are still here the AOL search
database case
30
AOL search database case
31
AOL search database case
32
AOL search database case
33
The future?

• Third-generation data protection acts (TDDSG,
  1997)
• Privacy protection beyond data protection
  (IT-Grundrecht, German Constitutional Court, 2008)

34
The future?

• Without privacy protection
• freedom will diminish in such an unnoticed way
  as clean water and air have
• (László Sólyom)

35
Thank you for your attention!

• jori_at_obh.hu
• www.obh.hu/adatved
• www.dataprotection.eu