Introduction: Principles of data protection Guy Stessens EU Council Secretariat.

Presentation transcript:

1 Introduction: Principles of data protection Guy Stessens EU Council Secretariat

2 Overview
- Origin and relation to the right to privacy
- Fundamental right (but no prohibition of processing of personal data)
- Data Protection Requirements = Restrictions on the processing of data - obligations for controller (objective) AND rights of citizens - the data subject (subjective).

3 Origins of data protection
- Technological developments (1960s-1970s); for the USA, two major reasons:
  - Technical progress based on the development of computers
  - Socio-political reason, raising fear of governmental surveillance (“Big Brother”)
- → ‘Informational self-determination’

4 Origins of data protection
Legal developments in Europe (1970 – 1981)
- 1970: First law on data protection was enacted by the German Federal State of Hessen (07.10.1970).
- Sweden (1973), Germany (1976), France (1978), Denmark (1978), Norway (1978), Austria (1978) and Luxembourg (1979) introduced national legislation on data protection

5 Origins of data protection
- Council of Europe, Convention 108 (1981)
- In the following years, data protection legislation was enacted by Finland (1987), The Netherlands (1988), Portugal (1991), Spain (1992), Belgium (1992), Italy and Greece

6 Data protection and privacy: new challenges
- New technologies
  - Internet
  - On-line social networking
  - e-commerce
  - Video surveillance
  - On-line cloud computing
  - Electronic health records
  - Automatic face recognition
- New gov’t tools
  - Access to databases
  - Profiling
  - Tools for secure travel - new ID documents
  - Biometric data, DNA
- Terrorism (09/11)
  - Increased focus on security technologies
  - Increased interest to monitor citizens
  - Expanding powers of security agencies

7 Data Protection – A Fundamental Right
- Notions of private life, privacy and integrity (= human dignity)
- « NO-right » vs positive obligations
- US Supreme Court (Louis Brandeis (1856-1941)): ‘Right to be left alone’. A protected private sphere
- horizontal vs. vertical application

8 Data Protection – A Fundamental Right
- Distinction with professional secrecy (Rules on disclosure)
- Private life/Privacy extends to professional activities (ECHR: Niemietz)

9 Data Protection – A Fundamental Right
- Closely linked to privacy but not the same (Art 7 and 8 of Charter of the EU).
- Developed from Art 8 ECHR: Rotaru (2000) on systematic collection and storage of public information
- Narrower than privacy: Only what Americans call ‘data privacy’
- Wider than privacy: Also to protect other rights such as non-discrimination; invasion of privacy is no precondition.

10 Data Protection – A Fundamental Right
- Wider than privacy: Article 8 ECHR does not apply to the private sector.
- The right to a private life would not necessarily include all personal data.
- The right of access to data as such is not covered by the concept of the right to privacy as expressed in Article 8

11 Data Protection – A Fundamental Right
- Distinction recognised in C-465/00, Österreichischer Rundfunk. Privacy is more than private life (also work-related issues), but qualified interest. Data protection covers all processing of personal data.
- In practice Article 8 ECHR (and Strasbourg jurisprudence) plays an important role.

12 What is data protection?
Article 8 Charter of Fundamental Rights of the EU: Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

13 What are personal data?
- any information relating to an identified or identifiable individual/natural person (“data subject”)
- CoE Convention 108 - 1995 Directive (Article 29 WP, Opinion 4/2007)
- ‘any information’: no restriction to private information!
- ‘relating to’

14 What are personal data?
- ‘an identified or identifiable’: an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- anonymous information is excluded
- ‘natural person’

15 What is processing?
Collection, Combination, Preservation, Transmission, Recording, Closure, Exchange, Accumulation, Organisation, Erasure, Sorting, Classification, Storage, Destruction, Blocking, Holding, Alteration, Modification, Liquidation, Acquisition, Consultation, Searching, Registration, Browsing, Retrieval, Transferring, Arrangement, Re-organisation, Dissemination, Use, Making available, Disclosure, Publication, Utilisation, Logical operation, Displacement, Provision, Accessibility, Transformation

16 Data protection principles
Quality of data (Art. 5 Conv 108)
a. obtained and processed fairly and lawfully
b. stored for specified and legitimate purposes and not used in a way incompatible with those purposes
c. adequate, relevant, and not excessive in relation to the purposes for which they are stored
d. accurate and, where necessary, kept up to date
e. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored

17 Data protection requirements
- Principle of purpose limitation: personal data shall be stored for specific and legitimate purposes and not used in a way incompatible with those purposes
- Principle of necessity and proportionality: Processing shall be adequate, relevant and not excessive in relation to the purposes for which they are stored

18 Data protection requirements
- Principle of accuracy: personal data shall be accurate and, where necessary, kept up to date
- Data retention periods: no longer than is required for the purpose for which those data are stored

19 Data protection requirements
- Transparency
  - Informing the data subject
- Rights and remedies
  - Right to object, access, rectify, block or erase
  - Judicial remedy, data protection authority

20 Data protection requirements
- Data security: appropriate security measures for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination

21 Data protection requirements
- Notification
- Trans-border data flows
  - Between MS: OK
  - With third States: NO except if adequate level

22 Data protection requirements
- Processing of sensitive data is prohibited
- The degree of sensitivity of categories of data depends on the legal and sociological context of the country concerned
- Special categories of data/sensitive data = personal data revealing:
  - political opinions,
  - racial or ethnic origin,
  - religious or philosophical beliefs,
  - trade-union membership,
  - data concerning health and sex life

23 Scope Data Protection Directive
- Applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non-automated filing systems (traditional paper files).
- Directive does NOT apply to the processing of data
  - by a natural person in the course of purely personal or household activities;
  - in the course of an activity which falls outside the scope of Community law, such as operations concerning public security, defence or State security.

24 Independent supervision
- Essential element of data protection (different US approach) – why
  - Proactive enquiries (possible secrecy of data processing) might be needed
  - Technical skills required
  - Judicial control not enough

25 Independent supervision
Tasks
- consultation when drawing up administrative measures/regulations related to processing of personal data
- informing parliament/public
- complaints handling
- investigative powers (ex-officio)
- measures (ordering blocking processing)
- warning/admonishment
- engage in legal proceedings or bring infringements to attention of judicial authorities
- sanctions/fines

26 DPA’s & EDPS
- Data Protection Authorities (DPAs) ensure that the right of protection of personal data is respected in the Member States of the EU.
- The EDPS = independent authority of the same nature
  - ensures these rights in the EU administration

27 Role of DPA
[Diagram: data subject, DPA and data controller, each interacting with the others]
