Automatic inter-state exchange of data:
Safeguarding data protection and fundamental rights
Giuseppe Busia
Secretary General of the Italian Data Protection Authority
Article 29 Working Party
The Article 29 Working Party
Independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC
Brings together representatives of data protection authorities of the European Union and a representative of the Commission
Its main tasks (Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC) are:
to examine any question covering the application of the national measures adopted under the two Directives in order to contribute to the uniform application of such measures;
to give the Commission an opinion on the level of protection in the Community and in third countries;
to advise the Commission on any proposed amendment of the Directives, on any additional or specific measures to safeguard data protection rights and on any other proposed Community measures affecting such rights and freedoms;
to give an opinion on codes of conduct drawn up at Community level;
to make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community
Joint EBF-FBF Tax Conference 2014 - Paris, 22 September 2014
Reconciling interests: fight against tax evasion and fundamental rights
The legitimate fight against tax evasion should be pursued with full respect for individuals’ fundamental rights, namely the right to private life and the protection of personal data as required by European and International legal instruments:
Treaty on the Functioning of the European Union: Article 16
Charter of Fundamental Rights (Articles 7 and 8)
European Convention on Human Rights: Article 8
Convention for the Protection of Individuals with regard to Automatic processing of Personal Data - Convention 108/1981
OECD Privacy Guidelines
CRS: challenges for data protection
Personal data related to a large number of individuals
Exponential increase of the risks inherent to the data
Automatic exchange (on annual basis)
Need for a clear definition of the purpose
Need for necessity and proportionality
Need for transparency and data subjects’ rights
CJEU Data Retention Judgment
CJEU Judgment of 8 April 2014 (Cases C-293/12 and C-594/12) declared the Data Retention Directive to be invalid. The Court found that the Directive:
entails a wide-ranging and particularly serious interference with the fundamental rights to privacy and to the protection of personal data;
fails to sufficiently circumscribe such interference to ensure that it is limited to what is strictly necessary for the purpose of fighting ‘serious crime’, thereby leaving it too open for Member States to decide on the scope of data retention;
fails to define the guarantees surrounding data retention, i.e. objective criteria to determine the retention periods, appropriate technical and organisational security measures and conditions for the access and use of the data by competent national authorities.
Consequences for automatic processing of data:
National legislators, authorities and institutions should be aware of the principles stated by the CJEU, which apply a fortiori to those processing operations designed to monitor behaviors which do not have a criminal connotation, also in view of avoiding the negative consequences of further invalidations.
Data Protection principles (1)
Legal basis: Multilateral/bilateral agreements should contain substantive data protection provisions (not a mere reference to DP tools). Moreover, national procedures (involvement of Parliament, DPA) should be respected to create an adequate, clear and foreseeable legal basis (Article 6a of Directive 95/46)
Data transfers: Transfers from the EU to third countries are only allowed if said third countries ensure an adequate level of protection (Article 25 of Directive 95/46). Legitimate transfers may also take place if based on the specific legal basis foreseen by Article 26 (e.g. the transfer is necessary on important public interest grounds, provided that such an interest is clearly defined and overrides the data subject’s right to privacy). WP29 Opinion (WP114): repeated, mass or structural transfers of personal data should be governed by appropriate agreements which should be legally binding and fully take into account the data protection safeguards.
Purpose limitation: Any inter-state agreement should clearly identify the purposes for which data are collected and validly used (Article 6b of Directive 95/46). What’s «tax evasion»? (legal acts, illegal acts, serious financial crimes?)
Necessity and proportionality: Need to prove the necessity of the processing and that the required data are the minimum necessary for attaining the purpose (Article 6c of Directive 95/46)
Data Retention: Any decision to retain data must be subject to appropriate differentiation, limitations, exceptions (see Data Retention Judgment). Need to define appropriate data retention timing (Article 6e of Directive 95/46)
Data Protection principles (2)
Transparency: Clear information should leave data subjects in a position to understand what is happening to their personal data and how to exercise their rights. Any restriction or exemption to transparency rules should be limited and justified, respecting the strict criteria of Article 13 of Directive 95/46
Data subjects’ rights: Appropriate mechanisms for an easy exercise of rights (any restriction should be limited and justified: Article 13 of Directive 95/46)
Controllership: Data controllers (and data processors) should be clearly identified. A correct allocation of controllership is a crucial step to ensure compliance and data subjects’ rights (Article 2d and 2e of Directive 95/46). Controllers should choose processors providing sufficient guarantees (Article 17.3 of Directive 95/46)
Onward transfers: Data controllers should ensure guarantees for onward transfers, in particular ensuring that data are not used for other purposes without appropriate safeguards
Security measures: Strict security measures to avoid accidental or unlawful destruction or unauthorised disclosure/access and other unlawful forms of processing (Article 17.1 of Directive 95/46)
Privacy impact assessment: Member States should consider implementing an agreed Privacy Impact Assessment to ensure that DP safeguards are addressed, and a consistent standard is applied for the practical implementation of CRS