Conference on Cross Border Data Flows

1

• Conference on Cross Border Data Flows Privacy
• October 15-16, 2007
• Washington, D.C.
• The European Unions Data Protection
• Framework 12 Years Later
• Giovanni
  Buttarelli
• Secretary General, Garante per la Protezione dei
  Dati Personali

2

EU legislation

• Data protection is a fundamental right.
• Data protection / privacy protection
• Right to privacy the right to be left alone
• Data protection right of self-determination for
  information

3

• Everyone has the right to the protection
• of his/her personal data
• A new right
• for nowadays dimension of privacy

4

EU legislation

• The sources of the law
• The main declarations
• Article 8 European Convention of Human Rights
• Council of Europe Convention for the Protection
  of Individuals with regard to Automatic
  Processing of Personal Data (ETS No. 108)
• EU Charter of Fundamental Rights Art. 8

5

EU Charter of fundamental rights

• Article 8 - Protection of personal data
• Everyone has the right to the protection of
  personal data concerning him or her.
• Such data must be processed fairly for specified
  purposes and on the basis of the consent of the
  person concerned or some other legitimate basis
  laid down by law. Everyone has the right of
  access to data which has been collected
  concerning him or her, and the right to have it
  rectified.
• Compliance with these rules shall be subject to
  control by an independent authority.

6

EU legislation

• General data protection rules EU Directive
  95/46/EC
• Electronic communicationEU Directive 2002/58/EC
• Police and judicial co-operation in criminal
  mattersEU Framework Decision COM (2005) 475
• Other texts dealing with data protection
• Schengen ConventionEuropolEurojust
• Texts on the Internet
• http//europa.eu.int/comm/justice_home/fsj/privacy
  /index_en.htm

7

EU legislation

• DIRECTIVE 95/46/EC

8
Basic principles

• Data Protection Directive 95/46/EC
• high level of protection of personal data
• free movement of data within EU/EEA
• Personal data identified or identifiable person
• Processing broad definition
• Applies to public and private sectors
• Relation data subject - controller

9
Definitions

• Article 2
• 'personal data' shall mean any information
  relating to an identified or identifiable natural
  person ('data subject')
• an identifiable person is one who can be
  identified, directly or indirectly, in particular
  by reference to an identification number or to
  one or more factors specific to his physical,
  physiological, mental, economic, cultural or
  social identity
• 'processing of personal data' ('processing')
  shall mean any operation or set of operations
  which is performed upon personal data, whether or
  not by automatic means, such as collection,
  recording, organization, storage, adaptation or
  alteration, retrieval, consultation, use,
  disclosure by transmission, dissemination or
  otherwise making available, alignment or
  combination, blocking, erasure or destruction
• Processing means more than collection

10
Legitimacy

• (Unambiguous) Consent
• Necessary for performance of a contract
• Necessary for compliance with a legal obligation
  of the controller
• Necessary to protect the vital interest of the
  data subject
• Necessary for the performance of a task of public
  interest or official authority
• Legitimate interests of the controller (balance
  of interest)

11
Quality of data

• Adequate, relevant and not excessive (in
  relation to purpose)
• Accurate and kept up to date
• Kept in a form which permits identification for
  no longer than necessary

12
Finality principle

• Personal data must be collected for a specified,
  explicit and legitimate purpose
• Not further processed in a way incompatible with
  those purposes

13
Sensitive data

• Processing of sensitive data is in principle
  prohibited
• Data revealing race or ethnic origin, political
  opinions, religious or philosophical belief,
  trade-union membership, health or sexual life
• Exceptions
• explicit consent,
• obligations of controller in employment field,
• vital interests data subject or another person,
• legitimate activities of non-profit organisation,
  
• data manifestly made public or legal claims

14
Rights of the individual

• Data protection rights
• Information for the data subject
• clear and understandable language
• sufficient information
• Access to own data
• Rectification
• Objection
• Complaint to Data Protection Authority

15
Obligations

• Controller obligations
• Responsible for exercise of data subjects rights
• Confidentiality of the processing
• Security of the processing
• Notification to the data protection authority
• Liability

16

Supervisory Authority

• Data Protection Supervision Authorities
• Fully independent bodies
• Responsible for enforcing national legislation
• Organization to be decided by Member States
• Criteria powers
• EC Directive 95/46/EC (Art. 28)
• cf. Council of Europe Additional protocol to
  Convention 108 regarding supervisory authorities
  and transborder data flows (ETS No. 181)
• Full iIndependence means
• no government control or supervision

17

• European initiatives
• Over 30 national DPAs
• An independent Working Party including 27
  Dpas plus observers (Article 29 of Directive
  95/46/EC)
• http//ec.europa.eu/justice_home/fsj/privacy/worki
  nggroup/index_en.htm
• Several primary objectives
• To promote the uniform application of the general
  principles of the Directives in all Member States
  and the co-operation between Dpas
• To advise the European Commission on data
  protection on any Community measures affecting
  the rights and freedoms of natural persons with
  regard to the processing of personal data and
  privacy.
• To make recommendations to the public at large on
  matters relating to the protection of persons
  with regard to the processing of personal data
  and privacy in the EU

18
Transfer of data

• The transfer of personal data is authorised
• within the Member States of the EU and the EEA
• (25 EU Island Liechtenstein Norway)
• (situation in 2005)

19
Transfer of data

• Transfer of personal data outside the EU/EEA
  under certain conditions
• Exceptions
• Adequate protection by third country
• Adequacy decision by COM
• Authorisation by Supervisory Authority
• Standard contractual clauses

20

• Resolution on Development on International
  Standards
• (29International Conference Montreal 26-28
  September 2007
• to support the development of effective and
  universally accepted nternational privacy
  standards

21

• Communication from the European Commission to the
  European Parliament and to the Council
• 7 March 2007
• (2007) 87

22

• Resolution International Co-operation
  (29International Conference Montreal 26-28
  September 2007)
• Recognise that countries have adopted different
  approaches to protecting personal information and
  enhancing privacy rights
• Encourage Data Protection Commissioners to
  further develop their existing efforts to support
  international co-operation and to work with
  internationl organisations to strengthen data
  protection worldwide

23

• Declaration of Civil Society Organizations on
  the Role of Data Protection and Privacy
  Commissioners
• (Montreal, September 25, 2007)
• The worlds Privacy Commissioners must increase
  their own collective efforts at protecting
  privacy to counterbalance the increasing
  cross-border efforts of the worlds security
  establishments
• Privacy Commissioners should be more proactive
  in addressing the privacy impacts of commercial
  purposes

24

• Thank you for your attention