
HIPSSA Project

HIPSSA Project. Support for Harmonization of the ICT Policies in Sub-Sahara Africa. Data protection principles and the model-law Jean-Marc Van Gyseghem, HIPSSA expert. Table of contents. Study framework; Analyzed references Determination of the principles: Openness; Definitions;


Presentation Transcript


  1. HIPSSA Project Support for Harmonization of the ICT Policies in Sub-Sahara Africa Data protection principles and the model-law Jean-Marc Van Gyseghem, HIPSSA expert

  2. Table of contents • Study framework; • Analyzed references • Determination of the principles: • Openness; • Definitions; • Purposes; • Legitimacy; • Necessity/proportionality; • Data quality; • Special categories of data;

  3. Table of contents • Security; • Confidentiality; • Accountability • Rights of the data subject; • Sanction; • Protection authority; • Transborder data flows. • Skeleton of the Draft of the model-law

  4. Framework of the analysis • Objectives: • Suggest an analysis of the international frameworks on data protection; • Suggest a panorama of: • International references; • Principles mentioned in the international references; • Suggest a model-law taking into account these principles.

  5. International references analyzed • Africa: • draft on the establishment of a credible legal framework for cyber security in Africa; • Supplementary act a/sa…/12/09 on guidelines on personal data protection within ECOWAS • Protocol on Health (SADC) • Protocol against corruption (SADC) • Protocol on extradition (SADC) • Protocol on mutual legal assistance in criminal matters (SADC) • Cybersecurity draft policy Guidelines (COMESA) • Comesa model law on electronic transactions and guide to enactment 2010 (COMESA) • Supplementary act a/sa.1/01/07 on the harmonization of policies and of the regulatory framework for the information and communication technology (ict) sector

  6. International references analyzed • United Nations: • Guidelines for the Regulation of Computerized Personal Data Files • OECD • Guidelines on the Protection of Privacy and Transborder Flows of Personal Data • OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy

  7. International references analyzed • Council of Europe • Convention for the Protection of Human Rights and Fundamental Freedoms • Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data • Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows

  8. International references analyzed • European Union • Charter of Fundamental Rights of the European Union • Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data • Directive 2002/58 on electronic communications (2002), also known as the e-Privacy Directive

  9. International references analyzed • Conference of Madrid (2009) • Madrid Resolution • Asia-Pacific Economic Cooperation (APEC) • Privacy framework

  10. Determination of the principles • Openness • Most important principle; • Openness towards the data subject; • Other principles stem from this one: • Information of the data subject; • Rights of access; • Notification to protection authority (https://www.privacycommission.be/elg/publicRegister.htm?decArchiveId=36689) • Etc. • Article 23 (and articles 14, 15, 24, etc)

  11. Determination of the principles • Definitions • Allow a comprehension of the various terms used in the given legislation; • Allow a standardization; • Article 1

  12. Determination of the principles • Specified purpose • Allow the data subject to know what his/her data are processed for; • Allow the data subject to control the processing of his/her personal data (informational self-determination); • Set a time of storage of the personal data before the deletion/anonymisation. • Article 10.

  13. Determination of the principles • Necessity/proportionality • Processing necessary to the specified purpose (choice of the least invasive way); • Data which are necessary for the processing • Chapters 3 & 4.

  14. Determination of the principles • Legitimacy • Must be in accordance with the expectation of the individuals; • In accordance with the law • Chapter 4, sections 2 & 3

  15. Determination of the principles • Special categories of data • Religion; • Ethnic; • Health • Sexuality; • Filiation; • Etc • Articles 8 and following

  16. Determination of the principles • Security/confidentiality • Security: two levels: • Organizational: • Training given to the people who process personal data; • Establishment of a structure to avoid: • Loss of data; • Unauthorized access; • Etc. • Technical: • Access management; • Management of the lasting quality of the data (against deletion, deterioration, etc) • Chapter 5, sections 2 & 3.

  17. Determination of the principles • Data processing • Work under the instruction of the data controller; • Contract between data controller and data processor; • Articles 17 & 18.

  18. Determination of the principles • Accountability: • To make the data controller and data processor aware of their responsibilities; • Obligation to give explanations to the protection authorities and data subject. • Article 23

  19. Determination of the principles • Data subject rights • access; • Rectification; • Etc. • Chapter 6

  20. Determination of the principles • Sanctions • Civil (liability) • Criminal with a preventive action and a repressive action; • Administrative (protection authority) with a preventive action and a repressive action; • Chapter 7, section 15 & chapters 8, 9 and 10.

  21. Determination of the principles • Protection authority • Independent; • Protect the principles mentioned before • Preventive action; • Repressive action; • Punisher; • … • Chapter 7

  22. Determination of the principles • Transborder data flow: • Based on an equivalent protection in case of transfer to another country: • By legal rules; • By contract; • By hybrid systems (safe harbor principle) • Chapter 12

  23. The skeleton of the draft of a model-law

  24. Chapter 1 • Definitions: • Data subject; • Underage child; • Sensitive data; • …

  25. Chapter 2 • Scope: • = any processing of personal data performed wholly or partly by automated means, and the processing otherwise than by automated means of personal data which form part of a filing system or are intended to form part of a filing system • ≠ processing of personal data by a natural person in the course of purely personal or household activities

  26. Chapter 2 • Applicable law: • activities of any controller permanently established on [given country] territory or in a place where [given country] law applies by virtue of international public law; • if the means used, which can be automatic or other means located on [given country] territory, are not the same as the means used for processing personal data only for the purposes of transit of personal data through [given country] territory.

  27. Chapter 3 • Quality of the data: • Adequate, relevant and not excessive to the purpose • Accurate and up-to-date • Kept in an identifiable form only for the length of the processing • Etc.

  28. Chapter 4 • General rules on the lawfulness: • Generality • Purpose • Legitimacy • Non-sensitive data • Sensitive data • Etc.

  29. Chapter 5 • Duties of the data controller and data processor: • information • confidentiality • Notification to the protection authority • Publicity of the processing • accountability

  30. Chapter 6 • Rights of the data subject: • Right of access • Right of rectification, deletion, temporary limitation of access • Delays • Capacitation • Automated decision • Representation of the data subject

  31. Chapter 7 • Protection authority • Status and composition • Competencies • Financing

  32. Chapter 8 • Recourses to the judicial authority • Access to the judicial authority; • Class action

  33. Chapter 9 • Responsibility • Compensation; • Data controller’s liability strengthening

  34. Chapter 10 Sanctions

  35. Chapter 11 • Limitations: • National security; • Journalism; • Etc …

  36. Chapter 12 • Transborder flows: • Member States of SADC; • Non member States of SADC;

  37. Chapter 13 Code of conduct

  38. Chapter 14 Whistleblowing

  39. Thanks a lot for your attention Jean-Marc Van Gyseghem jmvangyseghem@rawlingsgiles.be jean-marc.vangyseghem@fundp.ac.be Member of the Bar of Brussels (Belgium) Head of a Research Unit at the University of Namur (Belgium) Union Internationale des Télécommunications International Telecommunication Union
