Conference on Cross Border Data Flows & Privacy
This presentation is the property of its rightful owner.
Sponsored Links
1 / 24

Conference on Cross Border Data Flows & Privacy October 15-16, 2007 PowerPoint PPT Presentation


  • 76 Views
  • Uploaded on
  • Presentation posted in: General

Conference on Cross Border Data Flows & Privacy October 15-16, 2007 Washington, D.C. The European Union’s Data Protection Framework 12 Years Later Giovanni Buttarelli

Download Presentation

Conference on Cross Border Data Flows & Privacy October 15-16, 2007

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Conference on cross border data flows privacy october 15 16 2007

  • Conference on Cross Border Data Flows & Privacy

  • October 15-16, 2007

  • Washington, D.C.

  • The European Union’s Data Protection

  • Framework 12 Years Later

  • Giovanni Buttarelli

  • Secretary General, Garante per la Protezione dei Dati Personali


Conference on cross border data flows privacy october 15 16 2007

EU legislation

  • Data protection is a fundamental right.

    • Data protection / privacy protection

    • Right to privacy: the right to be left alone

    • Data protection: right of self-determination for information


Conference on cross border data flows privacy october 15 16 2007

  • “Everyone has the right to the protection

  • of his/her personal data”

  • A new right

  • for nowadays’ dimension of privacy


Conference on cross border data flows privacy october 15 16 2007

EU legislation

  • The sources of the law

  • The main declarations:

    • Article 8 European Convention of Human Rights

    • Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108)

    • EU Charter of Fundamental Rights: Art. 8


Conference on cross border data flows privacy october 15 16 2007

EU Charter of fundamental rights

  • Article 8 - Protection of personal data

    • Everyone has the right to the protection of personal data concerning him or her.

    • Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

    • Compliance with these rules shall be subject to control by an independent authority.


Conference on cross border data flows privacy october 15 16 2007

EU legislation

  • General data protection rules:EU Directive 95/46/EC

  • Electronic communication:EU Directive 2002/58/EC

  • Police and judicial co-operation in criminal mattersEU Framework Decision COM (2005) 475

  • Other texts dealing with data protection:

  • Schengen ConventionEuropolEurojust

  • Texts on the Internet:

  • http://europa.eu.int/comm/justice_home/fsj/privacy/index_en.htm


Conference on cross border data flows privacy october 15 16 2007

EU legislation

  • DIRECTIVE 95/46/EC


Conference on cross border data flows privacy october 15 16 2007

Basic principles

  • Data Protection Directive 95/46/EC:

  • high level of protection of personal data

  • free movement of data within EU/EEA

  • Personal data: identified or identifiable person

  • Processing: broad definition

  • Applies to public and private sectors

  • Relation data subject - controller


Conference on cross border data flows privacy october 15 16 2007

Definitions

  • Article 2

  • 'personal data'shall mean any information relating to an identified or identifiable natural person ('data subject');

  • ] an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

  • 'processing of personal data' ('processing')shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

  • Processing means more than collection


Conference on cross border data flows privacy october 15 16 2007

Legitimacy

  • (Unambiguous) Consent

  • Necessary for performance of a contract

  • Necessary for compliance with a legal obligation of the controller

  • Necessary to protect the vital interest of the data subject

  • Necessary for the performance of a task of public interest or official authority

  • Legitimate interests of the controller (balance of interest)


Conference on cross border data flows privacy october 15 16 2007

Quality of data

  • Adequate, relevant and not excessive (in relation to purpose)

  • Accurate and kept up to date

  • Kept in a form which permits identification for no longer than necessary


Conference on cross border data flows privacy october 15 16 2007

Finality principle

  • Personal data must be collected for a specified, explicit and legitimate purpose

  • Not further processed in a way incompatible with those purposes


Conference on cross border data flows privacy october 15 16 2007

Sensitive data

  • Processingof sensitive data is in principle prohibited

  • Data revealing race or ethnic origin, political opinions, religious or philosophical belief, trade-union membership, health or sexual life

  • Exceptions:

    • explicit consent,

    • obligations of controller in employment field,

    • vital interests data subject or another person,

    • legitimate activities of non-profit organisation,

    • data manifestly made public or legal claims


Conference on cross border data flows privacy october 15 16 2007

Rights of the individual

  • Data protection rights

  • Information for the data subject:

    • clear and understandable language

    • sufficient information

  • Access to own data

  • Rectification

  • Objection

  • Complaint to Data Protection Authority


Conference on cross border data flows privacy october 15 16 2007

Obligations

  • Controller obligations

  • Responsible for exercise of data subjects’ rights

  • Confidentiality of the processing

  • Security of the processing

  • Notification to the data protection authority

  • Liability


Conference on cross border data flows privacy october 15 16 2007

Supervisory Authority

  • Data Protection Supervision Authorities

    • Fully independent bodies

    • Responsible for enforcing national legislation

    • Organization to be decided by Member States

    • Criteria + powers:

      • EC Directive 95/46/EC (Art. 28)

      • cf. Council of Europe: Additional protocol to Convention 108 regarding supervisory authorities and transborder data flows (ETS No. 181)

      • Full iIndependence means :

        no government control or supervision


Conference on cross border data flows privacy october 15 16 2007

  • European initiatives

  • Over 30 national DPAs

  • An independent Working Party including 27 Dpas plus observers (Article 29 of Directive 95/46/EC)

    • http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm

    • Several primary objectives:

      • To promote the uniform application of the general principles of the Directives in all Member States and the co-operation between Dpas

      • To advise the European Commission on data protection on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy.

      • To make recommendations to the public at large on matters relating to the protection of persons with regard to the processing of personal data and privacy in the EU


Conference on cross border data flows privacy october 15 16 2007

Transfer of data

  • The transfer of personal data is authorised

  • within the Member States of the EU and the EEA

  • (25 EU + Island + Liechtenstein + Norway)

  • (situation in 2005)


Conference on cross border data flows privacy october 15 16 2007

Transfer of data

  • Transferof personal data outside the EU/EEA under certain conditions:

  • Exceptions:

  • Adequate protection by third country

  • Adequacy decision by COM

  • Authorisation by Supervisory Authority

  • Standard contractual clauses


Conference on cross border data flows privacy october 15 16 2007

  • Resolution on Development on International Standards

  • (29^International Conference Montreal 26-28 September 2007

  • “to support the development of effective and universally accepted nternational privacy standards”


Conference on cross border data flows privacy october 15 16 2007

  • Communication from the European Commission to the European Parliament and to the Council

  • 7 March 2007

  • (2007) 87


Conference on cross border data flows privacy october 15 16 2007

  • Resolution International Co-operation (29^International Conference Montreal 26-28 September 2007)

  • “Recognise that countries have adopted different approaches to protecting personal information and enhancing privacy rights”

  • “Encourage Data Protection Commissioners to further develop their existing efforts to support international co-operation and to work with internationl organisations to strengthen data protection worldwide”


Conference on cross border data flows privacy october 15 16 2007

  • Declaration of Civil Society Organizations on the Role of Data Protection and Privacy Commissioners

  • (Montreal, September 25, 2007)

  • “The world’s Privacy Commissioners must increase their own collective efforts at protecting privacy to counterbalance the increasing cross-border efforts of the world’s security establishments”

  • “Privacy Commissioners should be more proactive in addressing the privacy impacts of commercial purposes…”


Conference on cross border data flows privacy october 15 16 2007

  • Thank you for your attention


  • Login