ECLA / IALS, 5 November 2013

EU Privacy and Data Protection

Christopher Docksey
5 November 2013
ECLA/IALS, London

All opinions are personal

1) the context
2) data protection and electronic evidence
3) EU law on privacy and data protection
4) the data protection reform

(1) Context

Most personal information and most evidence are digital

Lawyers and judges need to know the significance of digital information

Need to know and understand the:
• nature of digital evidence
• data protection rules of the road

Otherwise no:
• remedy for the data subject
• fair trial for the accused
• convictions for the prosecutor

Access/use of data transformed by technology

• Pre-digital: data in manual files, held locally
• 1970s: mainframes in administrations, police uses filtering searches
• 1980s: wide IT use, PCs, Internet, data transfers
• 1990s: www, digital communications, convergence, communications privacy
• 2000s: Digital audio and video, ecommerce, e-everything, social media
• 2010s: mobile, location based, cloud computing, massive profiling, Big Data

Timeline of law and technology

Year  DP legislation           IT developments
1970  Hessen                   Arpanet has 13 nodes
1974  US Privacy Act           Name “Internet”
1978  FR law, CNIL             1st spam email
1980  OECD Guidelines          Usenet (now Google groups)
1981  Convention 108           IBM PC
1990  UK Computer Misuse Act   www (December 25)
1995  Directive 95/46/EC       Amazon.com

Timeline of law and technology (continued)

Year  DP legislation                   IT developments
2000  EU Charter Arts 7 & 8            Wikipedia (January 15, 2001)
2001  Regulation 45/2001               iPod (November 10)
2004  EDPS Decision                    FaceBook
2006  Data Retention Directive         Twitter, iPhone (2007)
2009  TFEU Art 16, TEU Art 6(1)        iPad (April 3 2010)
2012  Com proposes DP reform           Google Glass testing
2013  Negotiations in EP and Council   Snowden - NSA

EU legislation on Privacy and Data Protection

• OECD Guidelines 1980 (soft law)
• ECHR Convention No. 108, Art. 8: privacy
• EU Charter Arts. 7 and 8
• Data Protection Directive 95/46
• Data Protection Regulation 45/2001
• ePrivacy Directive 2002/58
• Data Retention Directive 2006/24
• Framework Decision 2008/977
• Article 16 TFEU and 6(1) TEU (Charter)

Challenges to Privacy

• Big Data - profiling of digital traces (Cookies, clickstream data, hyperlinks)
  – Social networks (FaceBook)
  – Search Engines / integrated databases (Google)
  – Deep packet inspection (BT)
  – Location based services (Apple)
  – Customer profiling (Target)

• Cloud computing

• Foreign transfers

• Data breach (Sony PlayStation: £250k)

Challenges to Privacy

Dates when PRISM began for each Provider:
2007 Microsoft
2008 Yahoo
2009 Google, Facebook
2010 YouTube
2011 Skype, AOL
2012 Apple

(2) Data Protection and Electronic Evidence

• Overlapping Scope

• Data protection rules apply to the courts

• Fruits of the Poisoned Tree

• precautions to ensure admissibility of e-evidence

Overlapping Scope

electronic evidence: data (analogue or digital) that is created, manipulated, stored or communicated by any device, computer or computer system or transmitted over a communication system, that is relevant to the process of adjudication (Mason)

processing of personal data: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Directive 95/46, Article 2.b)

DP Rules apply to Courts

• after reform, DP Reg and Dir fully apply to the judiciary in civil and criminal cases

• already art 16 TFEU, Art 8 ECHR, Arts 7 and 8 Charter

• so all courts’ activities need to take DP into account

• only exception: supervision by DPAs

• result: possible challenges of evidence for violation of DP rules

Fruits of the Poisoned Tree

• exclusionary rule of unlawfully obtained evidence

• in some MS evidence obtained in breach of DP law inadmissible, ok in others (eg UK) so long as not “unfairly prejudicial”

• admissibility criteria: respect for (i) fundamental rights and (ii) fair trial

• e.g. substantial DP breach (eComs traffic data which should have been deleted), not just procedural (failure to appoint DPO)

Precautions to ensure admissibility of e-evidence

• assess necessity and proportionality of processing on a case by case basis, especially re. forensic examination of computers

• assess availability of less intrusive methods

• limit access to need to know

• limit use to purpose of collection

• ensure authorisation mechanisms to allow computer forensic examinations

(3) EU Law on Privacy: two fundamental rights

(a) the Right to Privacy

ECHR (1950), Article 8:
Everyone has the right to respect for his or her private and family life, home and correspondence

EU Charter (2000), Article 7:
…and communications.

(b) the Right to Protection of Personal Data

an autonomous fundamental right to self-determination in the Information Society

Article 16, EU Treaty

EU Charter, Article 8:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority

(a) fair processing: lex certa, necessity and proportionality

Article 8(2) ECHR – justification for interference with the right to privacy:

• In accordance with the law

• Necessary in a democratic society for national security, public safety, crime, health or morals, protection of others’ rights and freedoms

Case C-465/00 - Rundfunk

• Disclosure of names/salaries by Court of Auditors in report to Parliament; necessary also to disclose to general public?

• Article 6 of Directive 95/46 must be interpreted in light of Article 8(2) ECHR

• Data must be processed in conformity with requirements of necessity and proportionality, as in Article 6

• These also apply to Article 13 derogations

Flight data: legal basis
US PNR: Joined Cases C-317-318/04

ECJ and AG: wrong legal basis, outside scope of Directive and Article 95 EC:
• 57: concerns processing necessary for public security and law-enforcement purposes, not the supply of services
• 58: the transfer falls within framework established by public authorities re public security

Flight data: legality
US PNR: Joined Cases C-317-318/04

AG: not manifestly inadequate:
• Adequacy different to equivalence
• Broad margin of discretion
• Justified interference per Article 8(2)
• Legitimate purpose, proportional use
• 34 PNR elements not excessive
• 3.5 year data retention not excessive
• Effective administrative review

After the PNR ruling

• PNR II and PNR III – EU-US Agreements

• SWIFT / TFTP

• EU PNR

• HLCG - umbrella Agreement

• Data Retention Directive

Data Retention: legal basis

Case 301/06, Ireland v Parliament and Council (legal basis after PNR ruling)

Directive 2006/24: telecoms and ISPs must retain
• traffic data (not content)
• for period between 6 months and 2 years
• available to national competent authorities to combat “serious crime” as defined by national law

Data Retention: fair processing

• National implementing laws ruled unconstitutional in CZ, DE and RO

• Joined Cases C-293/12, Digital Rights Ireland and C-594/12, Seitlinger:
  – Violation of rights to privacy and data protection (arts 7 and 8 of Charter)
  – Necessity: criminals will use anonymously
  – Proportionality: lack of evidence
  – Scope for abuse: possibility of illegal profiling

(4) The Data Protection Reform

• Public consultation (May-Dec 2009)
  – Written input received: 150-200

• Commission reflection (Jan-Sept 2010)
  – Stakeholder meetings, impact analysis

• Communication (4 November 2010)
  – Consultation & additional feedback

• Commission proposals for a Regulation and a Directive, 25 January 2012

Main drivers of the Reform

• Technological development: more effective protection needed

• Globalisation: more consistency needed within EU and internationally

• Lisbon Treaty: a new legal base for horizontal EU-wide data protection law

Parallel Reform processes

• Modernisation of Convention 108
• Review of OECD Guidelines

The Data Protection Reform Package

• Policy Communication (COM(2012) 9 final)

• “General” Data Protection Regulation (COM(2012) 11 final)

• Directive for police and criminal justice authorities (COM(2012) 10 final)

• Implementation Report for Council Framework Decision 2008/977/JHA

• Impact Assessment

State of play

• Albrecht report: January 2013

• 4000+ amendments

• Council partial common position: June 2013

• LIBE vote: 21 October 2013

• European Council: 25 October

• Adoption 2014 or 2015?

Objectives of the Reform

• Continuity, build on existing framework: underlying principles still valid
• Strengthen data subjects’ rights
• Make controllers more accountable
• Improve harmonisation (Regulation) and consistency of approach by DPAs
• Strengthen supervision & enforcement
• Substantially increase the level of data protection in law enforcement

I: The Regulation

• Choice of measure: greater legal certainty

• Jurisdiction and scope

Strengthened rights of data subject

• Explicit Consent

• Right to be Forgotten / Portability (Arts 17-18)

• Stronger right to object (Art 19)

• Enhanced transparency

• Scope for collective action (Art 73.2)

Right to be forgotten

CNIL (FR) – reports a growing problem:
• 2012 - 6,000 complaints overall
• more than 1,000 re. right to be forgotten, more or less directly
• increase in complaints by 42% in one year

Reg art 17 right to be forgotten
• erasure & abstention from further dissemination
• no longer necessary, data subject withdraws consent
• take all reasonable steps to inform 3rd parties
• Albrecht: not where consented

The right to be forgotten: Case C-131/12, Google v AEPD

• Is there an (absolute) right to be forgotten under existing law?
  – Art 12: erasure of data whose processing does not comply with Directive
  – Art 14(a): object on compelling legitimate grounds relating to particular situation

• Can a newspaper also be ordered to remove a name from its index?

Strengthening the framework:

• Accountability (Art 22)

• Privacy by Design / by Default (Art 23)

• Data breach notification

• International Data Transfers

• Stronger DPAs and more effective enforcement across the Internal Market (cooperation and Consistency Mechanism)

• Fines

II. Directive - criminal justice and police cooperation

– Lisbon, Declaration 21: specific rules
– Directive: to retain flexibility in a sensitive area
– Replaces Framework Decision 2008/977/JHA
– Gives power to Commission to enforce the rules
– General DP rules applied to police & judicial cooperation in criminal matters (LIBE: gaps filled)
– Covers domestic processes and all transfers
– Harmonised criteria on necessary limitations to an individual’s rights

The Directive

Criticisms of Proposal - fails to introduce a consistent and high level of data protection:

• Purpose limitation unclear

• No obligation to demonstrate compliance

• Weak conditions on international transfers

• Unduly limited powers of DPAs

Key elements for electronic evidence:

• in original Commission proposal, and

• in amendments voted by LIBE committee

Article 4: principles relating to data processing

• No incompatible data processing (see art 7a)

• Limited to minimum necessary and NOT beyond context (recital 19 deleted)

• Securely protected against unauthorised or unlawful dp and loss, destruction, damage

• Limited to duly authorised staff, need to know

• Establish time limits for deletion / periodic review (new 4b)

Article 5: different categories of data subjects

MS shall distinguish between categories:
• Reasonable (not serious) grounds that have/about to commit criminal offence
• Persons convicted of a crime
• Victims or presumed victims of crime
• Third parties, eg witnesses

Other data subjects: only as long as necessary to establish relevance or for targeted, preventive purposes

Article 6: accuracy and reliability

• Distinguish facts and personal assessments

• Do not transmit/make available inaccurate, incomplete or not up to date data; assess quality before transmission and include assessment data (new 2a)

• Notify recipient of incorrect data or unlawful transmission; recipient must rectify or erase without delay (new 2b)

Article 8a: genetic data

• for criminal investigation or judicial procedure

• may only be used to establish a genetic link within framework of adducing evidence

• retention only as long as necessary and where convicted of serious offences against persons, and subject to strict storage periods

• Longer storage, especially when found at crime scene, only when not attributable to individual

Article 27: security of processing

Criteria: risks of processing and nature of data, state of the art and implementation cost
• Equipment access control
• Data media control
• User control
• Data access control
• Communication control
• Transport control
• Reliability and integrity
• Recovery

Article 46: powers of DPAs

• Art 46(1)(f): to order rectification, erasure or destruction of all unlawfully processed data

• Art 46(1)(g): to impose temporary or definitive ban on processing

• Art 46(5): to bring violations to the attention of the judicial authorities

• Art 46(6): to impose penalties in respect of administrative offences

Thank you for your attention!

For more information:

www.edps.europa.eu

[email protected]

@EU_EDPS