1 / 17

Revising the Data Protection Directive Reinventing Data Protection?

4 th International Seminar on Information Law Thessaloniki. Revising the Data Protection Directive Reinventing Data Protection?. Lilian Mitrou , Ass. Professor University of the Aegean. What are we talking about ?. The Review Process

tnowak
Download Presentation

Revising the Data Protection Directive Reinventing Data Protection?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 4th International Seminar on Information Law Thessaloniki Revising the Data Protection Directive Reinventing Data Protection? Lilian Mitrou, Ass. Professor University of the Aegean

  2. What are we talking about ? • The Review Process • Strengths and Weaknesses of the Data Protection Directive • Necessity of Review? • The Challenges • Occam's razorornewrules? • Scope and purpose • Re-inventing Data Protection?

  3. The Review Process • Public consultation on the need for revising the Data Protection Directive • Communication "A comprehensive approach on personal data protection in the European Union"(November 2010) • A very important step forward in the discussion on the future of the legal framework for privacy and data protection but ..unfortunately there is no proposal yet

  4. A risky Review • Discussion and revision as risk… • Risk of weakening and restricting data protection? • A justified concern? • In the wake of 9/11 legislative proposals –including the Data Retention Directive - have been adopted , which had “no chance to be accepted” • Some of the principles underlying the system of personal data protection, such as the principles of finality and proportionality, are being slowly but clearly eroded.

  5. Εra of reviewing • The second generation of Data Protection Legislation is under review • Council of Europe: Discussion on the Review of Convention 108 (1981), which inspired the legislators of the Directive 95/46/ECand still forms the basis of most data protection laws in Europe • If the Council of Europe reaffirmed the rights laid down in Article 8 of the European Convention of Human Rights the Data Protection Directive established basic principles for the collection, storage and use of personal data.

  6. The Strengths of the Directive • Positive impact of the Directive on European on perceptions of data protection principles • Improvement of awareness • Harmonisation of data protection principles • Flexibility by application • A leading paradigm, serving as a reference and inspiration model for privacy protection outside Europe

  7. The Charter and the Lisbon Treaty • A separate Article for Data Protection (Art. 8) • Binding not only on EU institutions and bodies, but also on EU Member States when acting within the scope of EU law. • Horizontal approach and uniformity of protection among sectors • Art. 16 of the Treaty on the Functioning of the European Union : a new legal basis for data protection applicable to all processing in the area of police and judicial cooperation and common foreign and security policy

  8. Criticism Despite the substantially positive track record and general acceptance of the Directive, certain aspects have been criticised • Too heavy formalities (notifications) • Vague definitions ( data controller/ data processor) • Cumbersome and outmoded rules and tools concerning data transfer to third countries • Inconsistent enforcement and diversities among national laws • Different approaches for crucial issues (independence of DPAs)

  9. Is change necessary? • Is there a real need to rethink the foundations of data protection in today’s information society? • Not acting – and avoiding change where it is necessary – most certainly carries more risks • Increasing loss of relevance and effectiveness of data protection in a changing world. • A third generation of privacy legislation? .

  10. Technological Challenges/1 • The Data Protection Directive was conceived and adopted before the explosion of the Internet and its impacts on economy, society, life • Technological and social phenomena pose crucial challenges for data protection • Convergence of the network around a single interoperable platform • Appearance and explosive growth of the “semantic web” and Web 2.0 • Changes in identification and authentication techniques • Identity management and profiling • RFIDs and geo-location devices and applications • Cloud computing and globalisation of processing

  11. Technological Challenges/2 • Ambient intelligence: through technology and network into day-to-day life • ICTs: ubiquitous and autonomous systems • Information society no longer a parallel environment where individuals can participate on a voluntary basis, but an integrated part of our everyday lives.

  12. Occam's razor or new rules? • Data Protection Authorities try to demonstrate that the Data Protection Directives might respond to new challenges • “The level of data protection in the EU can benefit from a better application of the existing data protection principles in practice”[Art 29 DPWP – The Future of Privacy] • Principles like necessity, proportionality, data minimisation, purpose limitation and transparency have been around for 25 or 30 years and have been confirmed • Should we put emphasis on ensuring that “old” principles are applied more effectively in a changing ICT environment and socio-economic context ? • Is the Data Protection Directive sufficient in the long term?

  13. Scope and Purpose • Reflection on a “comprehensive and consistent data protection framework • .....to cover all areas of EU competence • Data Protection Directive as benchmark • EDPS: a Regulation instead of a Directive, in order to ensure direct applicability without differences and divergences and a common level of protection

  14. Time to reinvent Data Protection? • Data protection has already been invented and developed for more than four decades • Re-invent, rethink on new tools and a new architecture of data protection • Harmonisation, simplification and diversification of procedures • Strengthening the roles of individuals(data subjects), supervisory authorities and data controllers

  15. Informational self-determination • Consent of the data subject as cornerstone • Broaden the situations where express consent is required? • Consent has to be adapted to the requirements of the online environment …..avoiding a “just click submit” • Right to be forgotten: of crucial importance for the preserving the individuals’ rights especially in Web (search engines, social networks, advertising, public information)

  16. Measures for Compliance • Risk assessments and privacy impact assessments • Clear rules about the accountability of the data controller and the obligations derived from • Introduction of a provision on personal data breach notification • Introduction of collective redress mechanisms • Privacy by design- privacy by default

  17. Forward-thinking or lowest common denominator? • The EU legislator should be ambitious and forward-thinking. • Not easy to reach a consensus or – even an affordable compromise . • Risk that the 27 Member States adopt a lowest common denominator approach to privacy protection in Europe.

More Related