European Data Protection Law: A Brief Outlook András Jóri Parliamentary Commissioner for Data Protection and Freedom of Information, Hungary ICTtrain Training Session, 7 January 2009

A short introduction


European Data Protection Law: A Brief Outlook

András Jóri

Parliamentary Commissioner for Data Protection and Freedom of Information, Hungary

ICTtrain Training Session, 7 January 2009


A short introduction

3rd Parliamentary Commissioner of DP and FOIA

Elected by the Parliament for 6 years with a 2/3 majority of the MPs

Reports to the Parliament only


A short introduction

Main tasks:

  • Data protection supervision
  • Freedom of information supervision
  • Supervision of the procedure of classification of state secrets
  • Giving opinions on bills and other draft legislative instruments
  • Examination of complaints
  • Ex officio procedures

45 staff members (mostly lawyers)


The presentations of today’s session

European Data Protection Law: A Brief Outlook

  • What is data protection? What is privacy?
  • A short history of European data protection
  • Challenges and criticism

The European Data Protection Directive and the activity of the Article 29 Working Party

Data protection audit and data protection issues in the telecom sector

Privacy on the Internet


The notion of data protection

Data protection means the legal protection of an individual’s privacy through regulating the processing of her/his personal data and safeguarding certain rights relating to this data

appeared in Europe as an answer to the dangers of electronic data processing which were becoming widespread during the IT revolution, beginning with the 1970s


What is privacy?

  • a claim, entitlement or right of an individual to determine what information about himself (or herself) may be communicated to others
  • the measure of control an individual has over information about himself, intimacies of personal identity, or who has sensory access to him
  • a state or condition of limited access to a person, information about him, intimacies of personal identity (Ferdinand Schoeman)

information privacy, data privacy

The right to privacy is “the right to be left alone” (Brandeis)


Data protection and data security

Data protection: a tool of privacy protection, aimed at personal data

Data protection is always legal protection

Data security means the protection of the integrity and confidentiality of data, irrespective of the information content and legal qualification of data.

Data security is served by legal, technical and organizational measures


Data protection and data security

Complex network of connections between data protection and data security:

  • Most data protection laws contain rules on data security
  • In an open network environment, data security tools might be at least as effective tools for privacy protection as data protection laws are (PET technologies)
  • Data security tools might be objects of legal regulation themselves (e.g. “strong” encryption)


What are personal data?

'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Directive 95/46/EC)


A brief history of DP law

USA: The Right to Privacy (1890)

Brandeis, "Subtler and more far reaching means of invading privacy have become available to the government. Discovery and invention have made it possible for the government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet"

Orwell: 1984

WWII: Misuse of state databases

The widespread use of computerized data processing


A brief history of DP law

First data protection act: Hesse (Germany), 1970

The primary goal of the first acts was to safeguard the transparency of the large – primarily state-owned – databases

They ensure some rights (primarily the right of access and rectification) that will later become parts of the right of informational self-determination

Obligations concerning registering the databases containing personal data appear


A brief history of DP law

1983: German Constitutional Court Decision (Volkszählungsurteil): the right of informational self-determination was born

This right includes “the authority of the individual to decide himself, on the basis of the idea of self-determination, when and within what limits based on the principle of self-determination to determine in what information about his private life should be communicated to others and to what extent.”


A brief history of DP law

1980: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

  • Collection Limitation Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability Principle


A brief history of DP law

1981: Council of Europe Convention for Data Protection (Convention For the Protection of Individuals with Regard to Automatic Processing of Personal Data)

EU encouraged member states to adopt the convention


A brief history of DP law

… but the undesirable divergence of national legislations continues:

EU Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)


A brief history of DP law

The Directive had to be implemented by the member states by 1998

Double objective:

“(1) In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

(2) Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.”

Which is the primary objective?


A brief history of DP law

Main provisions of the Directive:

  • it applies to “the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.”
  • Data quality (fair and lawful data processing; specified purpose; legitimate purpose etc.)
  • “Criteria for making data processing legitimate”: the Directive specifies items of cases when the national legislation of a Member State renders personal data processing (including special data) possible
  • Rights of the data subjects (the right to receive information, the right of access, the right to object)
  • Notification
  • Supervisory authority
  • Judicial remedy and sanctions
  • Personal data transfer to third countries


A Brief History of DP law

CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection

(EU Directive, Article 7)


Data protection in the world today

Europe: EU member states (and most other states) have implemented data protection acts based on the Directive

(In certain European states, based on the right of informational self-determination; level of protection varies considerably)

US: patchwork regulation, industry self-regulation schemes

(US privacy regulation system is not “adequate” according to EU standards)

Safe Harbour Agreement, PNR data

EU-style data protection regimes appear in Asia, Canada and South-America


Do we need data protection law? Cons

According to other theorists, DP law causes social costs without benefits

Richard A. Posner: An Economic Theory of Privacy, 1981

More information on one’s private life means more gains both for the society and for the individual (examples: taxation, employer-employment relationship, marriage, friendship)

Secrets cause costs

Privacy (and data protection) is a right of the deceivers to conceal shameful facts about themselves


Do we need data protection law?

According to mainstream European constitutional lawyers: yes, we do

German Constitutional Court, 1983: Privacy “is endangered primarily by the fact that, contrary to former practice, there is no necessity for reaching back to manually compiled cardboard-files and documents, since data concerning the personal or material relations of a specific individual (personal data) can be stored without any technical restraint with the help of automatic data processing, and can be retrieved any time within seconds, regardless of the distance. Furthermore, in case of creating integrated information systems with other databases, data can be integrated into a partly or entirely complete picture of an individual, without the informed consent of the subject concerned, regarding the correctness and use of data.”

The Court stated that the situation can be dangerous both to the individual’s right of self-determination and to democratic society “if one cannot with sufficient surety be aware of who knows what about them. Those who are unsure if differing attitudes and actions are ubiquitously noted and permanently stored, processed or distributed will try not to stand out with their behavior. Those who count with the possibility that their presence at a meeting or participation in a civil initiation might be registered by the authority, may perhaps abandon practicing their basic rights”


Do we need data protection law?

The role of privacy in building and determining our own identity is crucial


Lack of consent

Between cultures…


www.familywatchdog.us


Lack of consent

Between generations…

The success of social networking sites: generational gap between the privacy-savvy parents and the kids eager to show themselves


But the dangers are still here: the AOL search database case


AOL search database case


The future?

Third-generation data protection acts (TDDSG, 1997)

Privacy protection beyond data protection (IT-Grundrecht, German Constitutional Court, 2008)


The future?

Without privacy protection

“freedom will diminish in such an unnoticed way as clean water and air have”

(László Sólyom)


Thank you for your attention!

[email protected]@obh.hu www.obh.hu/adatved www.dataprotection.eu