Implementation of Personal Data Protection Strategy

Implementation of Personal Data Protection Strategy. Kick-off Event 7.2.2011 Expert Workshop Presentation by Christof Tschohl Legal Researcher Ludwig Boltzmann Institute of Human Rights (BIM), Austria. The Bridge between Technique and Law in Data Protection Matters.

Implementation of Personal Data Protection Strategy

Kick-off Event 7.2.2011

Expert Workshop

Presentation by

Christof Tschohl

Legal Researcher

Ludwig Boltzmann Institute of Human Rights (BIM), Austria

The Bridge between Technique and Law in Data Protection Matters

Data Protection and modern Information Technology

The idea of Data Protection is not new!

  • No mere creation of modern information society and information technology

    • It has existed since the breakthrough of the idea of a liberal society and the freedom of citizens

    • The first European Constitutions more than 150 years ago (common history)

      • Sanctity of the Home and Secrecy of Letters → mandatory: based in law and just due to a judicial decree

  • New is the increasing dimension of the possible interference due to technology

    • Use of modern technology is widespread and standard in modern society

    • Improvement for the flow of information and therefore the democratic capacity

    • But also bears a huge potential of control over citizens and society

  • EU Acquis contains both – Protection and Invasion of Privacy

    • States' Margin of Appreciation within transformation – especially technical details

Legislation and the determination of technical means

    • Legislation necessarily has to cover a wide range of possible circumstances

      • Thus it has to be more cursory and can hardly catch every detailed question

      • Law must be clear enough to determine what is allowed or not

      • At the same time → sufficient range for the Single European Market

        • Private Autonomy / Technology Neutrality / Free Flow of Information

  • The (nearly) boundless possibilities of technology vs. necessity of lawful limitations

    • Technical development concentrates first on increasing the possibilities and reducing the limitations

      • “what is allowed is up to the management and the lawyers”

  • Technical solutions necessarily have to deal with all details

    • “it must not be understood by everyone, it just must work”

  • EU Acquis contains both – Protection and Threats for the information society

    • States' Margin of Appreciation – especially in technical details

Similarities of the Disciplines Technique and Law

    • Both need to determine in substance the purpose and the scope of the “Application”

      • Technique is often just the “vehicle” to transpose the law

  • Both need to define the organisational environment and the procedures

    • Technique often just effects the procedural decisions of law or management

  • Both need to anticipate the non-conformance-scenarios

    • Necessary to define the process if it doesn’t work like it should

  • Finally, both need to serve the Humans, and not the other way around!

The “Bridging”-Necessity and the Intersection Points

    • Not every technique-relevant norm must contain detailed technical determination

      • Just as technology does not need to stick to legislative requirements everywhere

      • We need to identify the “entry points” where technology must be limited

        • to keep the basic rule-of-law principle effective

  • Legislation needs to understand the level of interference due to technology

    • Means some kind of “Risk Assessment” on a more abstract level

    • Where specific risks are identified → necessity for clear determination of the purposes which have to be accomplished by technical means

      • No blanket delegation of the technical transposition

Example of a “Bridge-Norm” in Montenegrin PDPA

    • Article 7 para 2 PDPA:

    • “(…) If the processing of personal data is carried out by electronic means, the personal data filing system controller must ensure that the information system automatically records the recipients of personal data, data which were processed, legal grounds for the use of personal data, time of logging on to the system and time of logging out of the system.”

    • → Very modern and highly interesting approach!

    • Technical terms likely need to be specified by law or regulation

      • “carried out by electronic means”:

        • Does this cover, e.g., every e-mail which contains personal information?

    • “information system automatically records”:

      • Does the recording system have to ensure on a technical level that this logging cannot be altered (revision security)?
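
What "revision security" could look like on a technical level, as an added example that is not part of the presentation: a hash-chained access log holding the items listed in Article 7 para 2, in which altering or dropping a record is detected on verification. The field names, the sample values and the externally stored head hash are assumptions; the PDPA text quoted above prescribes none of them.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first record
# Items named in Article 7 para 2 PDPA; the key names are assumptions.
FIELDS = ("recipient", "data_processed", "legal_grounds", "login_time", "logout_time")

def _digest(prev_hash, entry):
    # Canonical JSON so the same entry always produces the same hash.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_record(log, **entry):
    """Append one access record, chained to the hash of the previous record."""
    missing = [f for f in FIELDS if not entry.get(f)]
    if missing:
        raise ValueError(f"incomplete record, missing: {missing}")
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"entry": {f: entry[f] for f in FIELDS}, "prev": prev_hash}
    record["hash"] = _digest(prev_hash, record["entry"])
    log.append(record)
    return record["hash"]

def verify_chain(log, expected_head=None):
    """Return the index of the first inconsistent record, or None if intact."""
    # expected_head is the latest hash as kept outside the system; without it,
    # whoever can rewrite the whole log can also recompute every hash, and a
    # log cut off at the end would still verify.
    prev_hash = GENESIS
    for i, record in enumerate(log):
        if record["prev"] != prev_hash or record["hash"] != _digest(prev_hash, record["entry"]):
            return i
        prev_hash = record["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)  # records are missing after the last one present
    return None

def sample_log():
    # Constructed sample records, not taken from any real system.
    log = []
    append_record(log, recipient="clerk-17", data_processed="address of person 4711",
                  legal_grounds="legal basis (placeholder)",
                  login_time="2011-02-07T09:00:00", logout_time="2011-02-07T09:12:00")
    head = append_record(log, recipient="clerk-23", data_processed="birth date of person 4711",
                         legal_grounds="legal basis (placeholder)",
                         login_time="2011-02-07T10:30:00", logout_time="2011-02-07T10:31:00")
    return log, head
```

The chain makes alteration detectable rather than impossible; the detection is only as strong as the protection of the head hash stored outside the logging system.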

Possible Ways to build the Bridge

    • There should be sound communication between Lawyers and Engineers already in the process of legislation

      • By forming working groups which should seek a good balance between people from both disciplines

  • Working groups need sufficient time and occasions for understanding each other

    • Stakeholders often first need to put forward their interests; only working groups meeting on a regular basis give enough room for understanding the “cracking points”

  • Achievements of such “Translation Work” should be documented and available

    • For subsequent practice as well as further developments → Sustainability

  • Q & A

    Thank you for your attention!

    I am looking forward to your questions!

Component I: Harmonization of legislation with EU Data Protection standards

    • Register of filing systems and controllers

    • Analysis of compliance with EU Acquis

    • Action plan and formation of working groups

    • Identifying regulations to be adjusted

    • Analysis of domestic Legislation regarding Personal Data

Component II: Training on Data Protection

    • Training for private sector

    • Training for public

    • Training for state authorities

    • Linked to Component I: Activities 1.7. + 1.8.

    • Manuals for filing system controllers and citizens (Component I)

    • Revision of professional training plan