Data Protection
1 / 22

Lawyer at the Brussels Bar Lecturer at the University of Strasbourg - PowerPoint PPT Presentation

  • Uploaded on

Data Protection & Electronic Communications Paul Van den Bulck. Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels. Brussels 23 March 2004. WWW.ULYS.NET [email protected] European Framework Data Protection General:

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Lawyer at the Brussels Bar Lecturer at the University of Strasbourg' - duncan

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Data Protection & Electronic Communications Paul Van den Bulck

Lawyer at the Brussels Bar

Lecturer at the University of Strasbourg

Assistant at the University of Brussels


23 March 2004


[email protected]

Introduction overview

European Framework Data Protection


Directive 95/46 on protection of personal data

Particular: communication:

Directive 2002/58 on privacy and electronic communications

Introduction & Overview

General sector specific regulations

General: 95/46

Protection of personal data

General data protection principles


Online and offline

Public & private networks

Specific 2002/58

Privacy & electronic communications

Specific obligations

(e.g., cookies, spam)


Communication service

Public networks

General & sector specific regulations

1 general protection directive 95 46


9 Principles of Data protection

Sensitive data

1. General Protection: Directive 95/46

Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

  • Case Studies

    • Privacy Policy

    • Collection of information

    • Delivery of information


Processing of personal data

personal data:

Information concerning a data subject

identifiable natural person

Direct or indirect

Controller (EIC) or third party

Legal entity: SME?

IP address? [email protected]?


  • Processing:

    • any operation performed upon personal data

    • In the EU? Quid question on Israël?

Data protection principles

Data must be:

fairly and lawfully processed;

processed for specified, detailed and legitimate purposes;

adequate, relevant and not excessive;


not kept longer than necessary;

processed in accordance with the data subject's rights;

Secure and remain confidential;

not transferred to countries without adequate protection (outside EU);

Processing activities « must »  be notified to the supervisory authority.

Data Protection Principles

Case study 1 privacy policy

Legally required?


The name and address of the controller and processor (contract)

Purposes of the processing activity

The kind of data processed: « sensitive data »

The means to collect and process data (cf. cookies)

Inform the data subject on his/her rights and the way he/she can exercise them

The technical and organizational measures adopted to ensure the secure and confidential character

Reference to general information on data protection legislation, e.g., FAQ, or the contact details privacy officer ([email protected])

Case study 1: Privacy Policy

Case study 2 collection of information

Processing « shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc. »

Means of collection:

Data subject is aware,e.g., webform

Data subject is not aware, e.g., spy ware

Case Study 2: collection of information

Case study 3 disclosure of personal data

Broad an open notion of « processing » includes « disclosure by transmission, dissemination or otherwise making available»

Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details

Lindqvist case (Sweden –European Court of Justice (2003))

Case Study 3: disclosure of personal data

2 sector specific regulation

Directive 2002/58/EC on privacy and electronic communication

One of the Directives of the new « Telecom Package »

Update of Directive97/66 on privacy and telecommunications




Articulation with general framework

2. Sector Specific regulation

Sector specific regulation


« This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. »

Public networks: no private or corporate networks

« Individual » communication: no broadcasting

Scope is not always very clear & distinction sometimes too academic.

Sector Specific regulation

Includes:protection of the legitimate interests of subscribers who are legal persons (SME).

Sector specific regulation1

Contents: clarification of some principles

Cookies, spy ware

Security and confidentiality

Traffic & location data

Directories of subscribers, e.g., yellow pages


Sector specific regulation

Sector specific regulation2
Sector Specific regulation

  • Pragmatic Approach and articulation:

    • Directive 95/46 applies to all networks

    • Obligations imposed by Directive 2002/58/EC, “covered” by Directive 95/46/EC

  • Example: traffic data:

2002/58 (art 6)

Traffic data relating to subscribers… must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication

95/46 (art 6 (e))

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.





[email protected]


I am the manager of a Belgium EIC and

to facilitate the navigation on my site, I consider

to install a cookies on the PC of the visitors.

This way, I can display my site in the official

language of their place of establishment (SME)

or residence (German, Dutch French).



« However, such devices, for instance so-called "cookies", can be a

legitimate and useful tool, for example, in analysing the effectiveness of

website design and advertising, and in verifying the identity of users

engaged in on-line transactions.

Where such devices, for instance cookies, are intended for a legitimate

purpose, such as to facilitate the provision of information society

services, their use should be allowed on condition that users are

provided with clear and precise information in accordance with

Directive 95/46/EC about the purposes of cookies or similar devices so

as to ensure that users are made aware of information being placed on

the terminal equipment they are using. Users should have the

opportunity to refuse to have a cookie or similar device stored on their

terminal equipment (recital 25 of Directive 2002/58/EC) »