Powerpoint: "EU Privacy and Data Protection"

EU Privacy and Data Protection
1) the context
2) data protection and electronic evidence
3) EU law on privacy and data protection
4) the data protection reform
Christopher Docksey
5 November 2013
ECLA/IALS, London
All opinions are personal
ECLA / IALS, 5 November 2013
(1) Context
Most personal information and most evidence
are digital
Lawyers and judges need to know
significance of digital information
Need to know and understand the :
• nature of digital evidence
• data protection rules of the road
Otherwise no :
• remedy for the data subject
• fair trial for the accused
• convictions for the prosecutor
Access/use of data
transformed by technology
• Pre-digital: data in manual files, held locally
• 1970s: mainframes in administrations, police
uses filtering searches
• 1980s: wide IT use, PCs, Internet, data
transfers
• 1990s: www, digital communications,
convergence, communications privacy
• 2000s: Digital audio and video, e-commerce, e-everything, social media
• 2010s: mobile, location based, cloud
computing, massive profiling, Big Data
Timeline of law and technology
Year | DP legislation | IT developments
1970 | Hessen | Arpanet has 13 nodes
1974 | US Privacy Act | Name “Internet”
1978 | FR law, CNIL | 1st spam email
1980 | OECD Guidelines | Usenet (now Google groups)
1981 | Convention 108 | IBM PC
1990 | UK Computer Misuse Act | www (December 25)
1995 | Directive 95/46/EC | Amazon.com
Timeline of law and technology
Year | DP legislation | IT developments
2000 | EU Charter Arts 7 & 8 | Wikipedia (January 15, 2001)
2001 | Regulation 45/2001 | iPod (November 10)
2004 | EDPS Decision | Facebook
2006 | Data Retention Directive | Twitter, iPhone (2007)
2009 | TFEU Art 16, TEU Art 6(1) | iPad (April 3 2010)
2012 | Com proposes DP reform | Google Glass testing
2013 | Negotiations in EP and Council | Snowden - NSA
EU legislation on
Privacy and Data Protection
• OECD Guidelines 1980 (soft law)
• ECHR Convention No. 108, Art. 8: privacy
• EU Charter Arts. 7 and 8
• Data Protection Directive 95/46
• Data Protection Regulation 45/2001
• ePrivacy Directive 2002/58
• Data Retention Directive 2006/24
• Framework Decision 2008/977
• Article 16 TFEU and 6(1) TEU (Charter)
Challenges to Privacy
• Big Data - profiling of digital traces
(Cookies, clickstream data, hyperlinks)
– Social networks (Facebook)
– Search Engines / integrated databases (Google)
– Deep packet inspection (BT)
– Location based services (Apple)
– Customer profiling (Target)
• Cloud computing
• Foreign transfers
• Data breach (Sony PlayStation: £250k)
Challenges to Privacy
Dates when PRISM
began for each
Provider:
2007 Microsoft
2008 Yahoo
2009 Google, Facebook
2010 YouTube
2011 Skype, AOL
2012 Apple
(2) Data Protection and
Electronic Evidence
• Overlapping Scope
• Data protection rules apply to the courts
• Fruits of the Poisoned Tree
• precautions to ensure admissibility of e-evidence
Overlapping Scope
electronic evidence: data (analogue or digital) that is
created, manipulated, stored or communicated by any
device, computer or computer system or transmitted
over a communication system, that is relevant to the
process of adjudication (Mason)
processing of personal data: any operation or set of
operations which is performed upon personal data,
whether or not by automatic means, such as collection,
recording, organisation, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment
or combination, blocking, erasure or destruction
(Directive 95/46, Article 2.b)
DP Rules apply to Courts
• after reform, DP Reg and Dir fully apply
to the judiciary in civil and criminal cases
• already art 16 TFEU, Art 8 ECHR, Arts 7
and 8 Charter
• so all courts’ activities need to take DP
into account
• only exception: supervision by DPAs
• result: possible challenges of evidence
for violation of DP rules
Fruits of the Poisoned Tree
• exclusionary rule of unlawfully obtained
evidence
• in some MS evidence obtained in breach of
DP law inadmissible, ok in others (eg UK) so
long as not “unfairly prejudicial”
• admissibility criteria: respect for (i)
fundamental rights and (ii) fair trial
• e.g. substantial DP breach (eComs traffic data
which should have been deleted), not just
procedural (failure to appoint DPO)
precautions to ensure
admissibility of e-evidence
• assess necessity and proportionality of
processing on case by case basis, especially
re. forensic examination of computers
• assess availability of less intrusive methods
• limit access to need to know
• limit use to purpose of collection
• ensure authorisation mechanisms to allow
computer forensic examinations
(3) EU Law on Privacy:
two fundamental rights
(a) the Right to Privacy
ECHR (1950), Article 8
Everyone has the right to respect for
his or her private and family life, home
and correspondence
EU Charter (2000), Article 7 :
…and communications.
(b) the Right to
Protection of Personal Data
an autonomous fundamental right to self-determination in the Information Society
Article 16, EU Treaty
EU Charter, Article 8 :
1. Everyone has the right to the
protection of personal data concerning
him or her.
2. Such data must be processed fairly for
specified purposes and on the basis of
the consent of the person concerned or
some other legitimate basis laid down by
law.
Everyone has the right of access to data
which has been collected concerning him
or her, and the right to have it rectified.
3. Compliance with these rules shall be
subject to control by an independent
authority
(a) fair processing: lex certa
necessity and proportionality
Article 8(2) ECHR – justification for
interference with the right to privacy:
• In accordance with the law
• Necessary in a democratic society for
national security, public safety, crime,
health or morals, protection of others’
rights and freedoms
Case C-465/00 - Rundfunk
• Disclosure of names/salaries by Court of
Auditors in report to Parliament; necessary
also to disclose to general public?
• Article 6 of Directive 95/46 must be
interpreted in light of Article 8(2) ECHR
• Data must be processed in conformity with
requirements of necessity and
proportionality, as in Article 6
• These also apply to Article 13 derogations
Flight data: legal basis
US PNR: Joined Cases C-317-318/04
ECJ and AG: wrong legal basis
outside scope of Directive and Article 95 EC:
•57: concerns processing necessary for
public security and law-enforcement
purposes, not the supply of services
•58: the transfer falls within framework
established by public authorities re public
security
Flight data: legality
US PNR: Joined Cases C-317-318/04
AG: not manifestly inadequate:
•Adequacy different to equivalence
•Broad margin of discretion
•Justified interference per Article 8(2)
•Legitimate purpose, proportional use
•34 PNR elements not excessive
•3.5 year data retention not excessive
•Effective administrative
review
After the PNR ruling
• PNR II and PNR III – EU-US Agreements
• SWIFT / TFTP
• EU PNR
• HLCG - umbrella Agreement
• Data Retention Directive
Data Retention: legal basis
Case 301/06, Ireland v Parliament and
Council (legal basis after PNR ruling)
Directive 2006/24: telecoms and ISPs must
retain
•traffic data (not content)
•for period between 6 months and 2 years
•available to national competent authorities to
combat “serious crime” as defined by national
law
Data Retention: fair processing
• National implementing laws ruled
unconstitutional in CZ, DE and RO
• Joined Cases C-293/12, Digital Rights
Ireland and C-594/12, Seitlinger:
– Violation of rights to privacy and data protection
(arts 7 and 8 of Charter)
– Necessity: criminals will use anonymously
– Proportionality: lack of evidence
– Scope for abuse: possibility of illegal profiling
(4) The Data Protection Reform
• Public consultation (May-Dec 2009)
–Written input received: 150-200
• Commission reflection (Jan-Sept 2010)
–Stakeholder meetings, impact analysis
• Communication (4 November 2010)
–Consultation & additional feedback
• Commission proposals for a Regulation
and a Directive (25 January 2012)
Main drivers of the Reform
• Technological development: more effective
protection needed
• Globalisation: more consistency needed
within EU and internationally
• Lisbon Treaty: a new legal base for horizontal
EU-wide data protection law
Parallel Reform processes
• Modernisation of Convention 108
• Review of OECD Guidelines
The Data Protection
Reform Package
• Policy Communication (COM(2012) 9 final)
• “General” Data Protection Regulation
(COM(2012) 11 final)
• Directive for police and criminal justice
authorities (COM(2012) 10 final)
• Implementation Report for Council
Framework Decision 2008/977/JHA
• Impact Assessment
State of play
• Albrecht report: January 2013
• 4000+ amendments
• Council partial common position:
June 2013
• LIBE vote: 21 October 2013
• European Council: 25 October
• Adoption 2014 or 2015?
Objectives of the Reform
• Continuity, build on existing framework:
underlying principles still valid
• Strengthen data subjects’ rights
• Make controllers more accountable
• Improve harmonisation (Regulation) and
consistency of approach by DPAs
• Strengthen supervision & enforcement
• Substantially increase the level of data
protection in law enforcement
I: The Regulation
• Choice of measure: greater legal certainty
• Jurisdiction and scope
Strengthened rights of data subject
• Explicit Consent
• Right to be Forgotten / Portability (Arts 17-18)
• Stronger right to object (Art 19)
• Enhanced transparency
• Scope for collective action (Art 73.2)
Right to be forgotten
CNIL (FR) – reports a growing problem:
• 2012 - 6,000 complaints overall
• more than 1,000 re. right to be forgotten, more or
less directly
• increase in complaints by 42% in one year
Reg art 17 right to be forgotten
• erasure & abstention from further dissemination
• no longer necessary, data subject withdraws consent
• take all reasonable steps to inform 3rd parties
• Albrecht: not where consented
The right to be forgotten:
Case C-131/12, Google v AEPD
• Is there an (absolute) right to be forgotten
under existing law?
– Art 12: erasure of data whose processing
does not comply with Directive
– Art 14(a): object on compelling legitimate
grounds relating to particular situation
• Can a newspaper also be ordered to
remove a name from its index?
Strengthening the framework:
• Accountability (Art 22)
• Privacy by Design / by Default (Art 23)
• Data breach notification
• International Data Transfers
• Stronger DPAs and more effective
enforcement across the Internal Market
(cooperation and Consistency Mechanism)
• Fines
II. Directive - criminal
justice and police cooperation
– Lisbon, Declaration 21: specific rules
– Directive: to retain flexibility in a sensitive area
– Replaces Framework Decision 2008/977/JHA
– Gives power to Commission to enforce the rules
– General DP rules applied to police & judicial
cooperation in criminal matters (LIBE: gaps filled)
– Covers domestic processes and all transfers
– Harmonised criteria on necessary limitations to an
individual’s rights
The Directive
Criticisms of Proposal - fails to introduce a
consistent and high level of data protection:
• Purpose limitation unclear
• No obligation to demonstrate compliance
• Weak conditions on international transfers
• Unduly limited powers of DPAs
Key elements for electronic evidence:
• in original Commission proposal, and
• in amendments voted by LIBE committee
Article 4: principles
relating to data processing
• No incompatible data processing (see art 7a)
• Limited to minimum necessary and NOT
beyond context (recital 19 deleted)
• Securely protected against unauthorised or
unlawful dp and loss, destruction, damage
• Limited to duly authorised staff, need to know
• Establish time limits for deletion /periodic
review (new 4b)
Article 5: different
categories of data subjects
MS shall distinguish between categories
•Reasonable (not serious) grounds that have/about to
commit criminal offence
•Persons convicted of a crime
•Victims or presumed victims of crime
•Third parties, eg witnesses
Other data subjects: only as long as necessary
to establish relevance or for targeted,
preventive purposes
Article 6: accuracy
and reliability
• Distinguish facts and personal assessments
• Do not transmit/make available inaccurate,
incomplete or not up to date data, assess
quality before transmission and include
assessment data (new 2a)
• Notify recipient of incorrect data or unlawful
transmission, recipient must rectify or erase
without delay (new 2b)
Article 8a : genetic data
• for criminal investigation or judicial procedure
• may only be used to establish a genetic link
within framework of adducing evidence
• retention only as long as necessary and
where convicted of serious offences against
persons, and subject to strict storage periods
• Longer storage, especially when found at
crime scene, only when not attributable to
individual
Article 27:
security of processing
Criteria: risks of processing and nature of data,
state of the art and implementation cost
•Equipment access control
•Data media control
•User control
•Data access control
•Communication control
•Transport control
•Reliability and integrity
•Recovery
Article 46:
powers of DPAs
• Art 46(1)(f): to order rectification, erasure or
destruction of all unlawfully processed data
• Art 46(1) (g): to impose temporary or definitive ban
on processing
• Art 46(5): to bring violations to the attention of the
judicial authorities
• Art 46(6): to impose penalties in respect of
administrative offences
Thank you for your attention!
For more information:
www.edps.europa.eu
edps@edps.europa.eu
@EU_EDPS