Slides - sigint 2013

Data Protection Reform
in Europe
Achim Klabunde
SIGINT2013
Cologne, 6 July 2013
@achimkla
(1) The EDPS
Established in 2004
• appointed by a joint decision of the EP and the Council for a 5-year mandate
• Peter Hustinx, Giovanni Buttarelli
3 main tasks
• Supervision & Enforcement
• Policy & Consultation
• Cooperation
(2) The Context #privacy
Technology is transforming access to and use of data:
• Pre-digital: data in manual files, held locally
• 1970s: mainframes in administrations, police uses filtering searches
• 1980s: wide IT use, PCs, Internet, data transfers
• 1990s: www, digital communications, convergence, communications privacy
• 2000s: digital audio and video, e-commerce, e-everything, social media
• 2010s: mobile, location-based, cloud computing, massive profiling, Big Data
Timeline of developments
Year | DP legislation | IT developments
1970 | Hessen | Arpanet has 13 nodes
1974 | US Privacy Act | Name “Internet”
1978 | FR law, CNIL | 1st spam email
1980 | OECD Guidelines | Usenet (now Google Groups)
1981 | Convention 108 | IBM PC
1990 | UK Computer Misuse Act | www (December 25)
1995 | Directive 95/46/EC | Amazon.com
2000 | EU Charter Arts 7 & 8 | Wikipedia (January 15, 2001)
2001 | Regulation 45/2001 | iPod (November 10)
2004 | EDPS Decision | FaceBook
2006 | Data Retention Directive | Twitter
2010 | TFTP Agreement | iPad (April 3)
Challenges to Privacy
• Profiling of digital traces – Big Data
  – Cookies, clickstream data, hyperlinks
  – Social networks (FaceBook)
  – Search Engines / integrated databases (Google)
  – Deep packet inspection (BT)
  – Location based services (Apple)
  – Customer profiling (Target)
• Cloud computing
• Foreign transfers
• Data breach (Sony PlayStation: £250k)
Profiling of digital traces
• Chris Hoofnagle, Berkeley
• released June 26, 2012 study: James Temple, Web Privacy Census Shows Tracking Pervasive
• surveyed 100 most popular websites
• of these, 21 placed 100 or more cookies on users’ computers
• 84% of cookies placed by 3rd parties
[Charts: Websites setting cookies; Websites using scripts]
Facebook
• Europe v Facebook: 22 complaints
• Irish Data Protection Commissioner Audit
• 12 recommendations to comply with law:
  – user choice on use and sharing of information, including in relation to third party apps
  – increased transparency and controls on use of personal data for advertising
  – information to users day to day and on all personal data held on them
  – faster deletion of data & data in social plugins
  – greater control over tagging of photos
Google
• March 1, 2012: Google consolidation of services’ policies into one single policy across all sites: Google, Google+, Gmail, Maps, YouTube etc.
• CNIL / Art. 29 WP – failure to:
  – update information to users
  – explain what data is being processed
  – obtain consent for use of cookies
• U.S. NAAG: consequences for users of Gmail, Google Apps, Android phones
(3) EU Law on Privacy:
two fundamental rights
(a) the Right of Privacy
ECHR (1950), Article 8
Everyone has the right to respect for
his or her private and family life, home
and correspondence
EU Charter (2000), Article 7:
…and communications.
(b) The Right to Protection of Personal Data
an autonomous fundamental right to self-determination in the Information Society
EU Charter, Article 8
Article 16, EU Treaty:
1. Everyone has the right to the protection of personal data concerning him or her.
EU Charter, Article 8 (continued)
2. Such data must be processed fairly for
specified purposes and on the basis of the
consent of the person concerned or some other
legitimate basis laid down by law.
Everyone has the right of access to data which
has been collected concerning him or her, and
the right to have it rectified.
3. Compliance with these rules shall be subject to
control by an independent authority
EU legislation on Privacy and Data Protection
• OECD Guidelines 1980 (soft law)
• ECHR Convention No. 108, Art. 8: privacy
• EU Charter Arts. 7 and 8: … and DP
• Data Protection Directive 95/46
• Data Protection Regulation 45/2001
• ePrivacy Directive 2002/58
• Data Retention Directive 2006/24
• Framework Decision 2008/977
• Article 16 EU
EU objective: enable
lawful processing across borders
Data Protection and Internal Market
objectives of Directive 95/46:
Article 1
• MS shall protect … in particular [the] right to privacy with respect to the processing of personal data.
• MS shall neither restrict nor prohibit the free flow of personal data between MS for the [above] reasons
What is “Personal Data”?
• any information relating to an identified or identifiable natural person (data subject);
• an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Examples of personal data
• CVs, diplomas, recommendation letters, criminal records, medical certificates, photos;
• Student databases with all your administrative and evaluation-related data held by your university;
• Medical data and health-related data, genetic data;
• Customer data held by your telephone company, telephone calls and voice mails;
• Your information held by your email account provider;
• Transport data, body scanners in airports;
• Video-surveillance cameras
• …
Some basic rules…
1. Personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
2. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
EU Data Protection Reform
#eudatap
• Public consultation (May-Dec 2009)
  – Written input received: 150-200
• Commission reflection (Jan-Sept 2010)
  – Stakeholder meetings, impact analysis
• Communication (4 November 2010)
  – Consultation & additional feedback
• Commission proposals for a Regulation and a Directive: 25 January 2012
• Co-decision EP + Council: 2013-2014
Visit www.edps.europa.eu
for more information!
A New Data Protection Legal Framework
Reasons for a substantive reform
• Globalisation: increased transnational flows of data to be facilitated while ensuring adequate protection
• Technological changes
• Institutional changes: the Lisbon Treaty and the Charter
• A fragmented legal framework at EU level: need for more harmonisation and for new, coherent and uniformly applied EU rules
• Legal certainty
• Need for change with regard to police and judicial activities
A. The Chapeau communication
B. The draft Regulation
  I. General assessment
  II. Scope, new definitions or principles
  III. Data subjects
  IV. Data controllers
  V. Supervision and enforcement
  VI. Transfer to third countries
C. The Directive for law enforcement
The draft Regulation
I. General Assessment
The new Data Protection framework:
- A huge step forward for data protection in the EU
- Still lacks comprehensiveness
I. General Assessment
The EU DP reform:
- Enhances harmonisation of data protection
- Reinforces position and rights of data subject, particularly on-line
- Strengthens responsibility of data controller
- Strengthens DPAs' supervision and enforcement
BUT:
- does not remedy lack of comprehensiveness
- gives rise to a number of horizontal issues
II. Scope, new definitions or principles
Territorial scope:
- Controller or processor established within EU
- Non EU-based controllers: ‘offering goods and services to’ or ‘monitoring behaviour of’ data subjects in the EU
II. Scope, new definitions or principles
- Personal data (including in principle location data and identifiers: cookies and IP addresses)
- New definitions: ‘personal data breach’, ‘genetic data’ and ‘biometric data’
- Notion of ‘main establishment’ (for the controller and the processor)
- Data minimization (limitation of amount of data)
- Better information about data processing
- Genuine consent, improper when there is a significant imbalance of power (e.g. employment sector)
- Safeguards for processing of children’s data
- Increased level of security of data
III. Data subjects
Reinforces position and rights of data subject:
• Right to be forgotten (17)
  - Right to request erasure and prevention of further dissemination
  - Exceptions
• Right to data portability (18)
III. Data subjects
• Right to object (19)
  - Specific legal grounds
  - Marketing purposes: free of charge + information
• Measures based on profiling (20)
  Only if:
  - Performance of a contract + safeguards
  - Union or Member State law + safeguards
  - Consent of the data subject
  And: not based solely on special categories of data
IV. Data controllers
• Strengthen responsibilities of the controller
• Accountability (22 onwards):
  - “measures to ensure and demonstrate compliance with the Regulation”
  - “mechanisms to ensure the verification of the effectiveness of the measures”
IV. Data controllers
• Information and communication
  - Right to expect transparent and easily accessible policies
  - Intelligible form, clear and plain language (11)
  - Procedures and mechanisms (12)
  - Communication to recipients (13)
  - Content of the information (14)
IV. Data controllers
• Data protection by design and by default (23)
• Documentation (28)
  Principle:
  - All processing operations under the controller’s responsibility
  Exceptions:
  - Natural person without commercial interest
  - Enterprises or organisations < 250 employees and activity ancillary to the main activity
IV. Data controllers
• Data Protection Impact Assessment (33)
  - Processing operations presenting specific risks
  - List of DPA
  - Possible adjustment for ‘SMEs’ (delegated acts)
• Notification of data breaches (31, 32)
  - Notification to the supervisory authority
  - Communication to the data subjects
IV. Data controllers
• Designation of data protection officers (35 onwards)
  Where:
  - Public authority or body
  - Enterprise ≥ 250 employees
  - Core activity = regular and systematic monitoring of data subjects
  Tasks:
  - Inform and advise
  - Monitor the implementation
  - Contact point
VI. Transfer to third countries
- Only if adequate level of protection
- Except if appropriate safeguards
  - Contractual clauses or BCR
- Specific derogation
V. Supervision and enforcement
- One stop shop – ‘main establishment’ (4(13), 51) – Lead authority?
- European Data Protection Board (64 onwards)
- Consistency (57 onwards)
- Sanctions (79)
BUT:
- Role of Commission
- Compulsory sanctions
- Strong sanctions and remedies
- Wide choices for data subject
- Redress for interest groups
- Sanctions up to 1 mln Euro / 2% turnover
Reform and ePrivacy Directive
• Regulation does not impose additional obligations on natural or legal persons for processing by providers of electronic communications services subject to specific obligations with the same objective set out in Directive 2002/58/EC: specific regime remains the same
• However, Article 1(2) of Directive 2002/58/EC is to be deleted: no longer applicable to legal persons
• Pending issue: ePrivacy to be updated in order to be consistent with new Framework
EU Data Protection Reform
• Commission proposals for a Regulation and a Directive: 25 January 2012
• Co-decision EP + Council
• EP:
  – Draft report January 2013 (Jan Philip Albrecht, LIBE Committee)
  – Consulting Committees ITRE, IMCO, EMPL, JURI March 2013
  – LIBE vote: April, May, June, July, September 2013
  – Elections: May 2014
• Council:
  – Irish Presidency: Council 6/7 June
    » agrees that “amended text for chapters I to IV is a good basis for further progress” on Regulation.
  – Lithuanian Presidency: 1 July – 31 December 2013
Information sources
• EDPS: edps.europa.eu
• EP Oeil: www.europarl.europa.eu/oeil
• PreLex: ec.europa.eu/prelex
• Regulation: 2012/0011/COD
• Directive: 2012/0010/COD
Thank you for your attention
For more information:
www.edps.europa.eu
edps@edps.europa.eu
@EU_EDPS
@achimkla