Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Protection and the Internet – New Challenges The reform of the data protection legal framework – current developments Roberto Lattanzi Italian Data.

Published bySamson Mervyn Potter Modified over 8 years ago

Similar presentations

Presentation on theme: "Data Protection and the Internet – New Challenges The reform of the data protection legal framework – current developments Roberto Lattanzi Italian Data."— Presentation transcript:

1 Data Protection and the Internet – New Challenges The reform of the data protection legal framework – current developments Roberto Lattanzi Italian Data Protection Authority

2 25.01.2012. COM(2012) 11. Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regards to the processing of personal data and on the free movement of such data (General Data Protection Regulation- GDPR) Repealing Directive 95/46/EC 25.01.2012. COM(2012) 10. Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data Repealing Framework Decision 977/2008/JHA 25.01.2012

3 Why a Reform of the data protection legal framework? update the legal framework to the techno-scientific changes and developments, ensuring its effectiveness (internet – ECJ Case C-101/01 Bodil Lindqvist; biometric and genetic data) lack of full harmonisation among the EU Member States (potentially) hampering the development of the single (efficient) market: need to reduce fragmentation and administrative burdens (e.g. notification) Lisbon Treaty: data protection as a fundamental right in all EU policy fields (also in the context of law enforcement)

4 The state of the art – COD - Ordinary legislative procedure (ex-codecision procedure)– The (draft) Regulation EC Proposal 1st reading EP 1st reading Council Working Party on Information Exchange and Data Protection DAPIX LIBE Commitee – amendments Council position on EP amendments Council agrees on EP amendments – Act is adopted 3rd Reading and conciliation procedure Adoption 2nd read. EP Opinions (mandatory): EESC / CoR Amendments Council’s position 2° reading Council Rejection – Act is not adopted Opinions (opt.) : EDPS art.29 WG Gennaio 2012Febbraio 2013 December 2013 Jan. 2012Feb. 2013 EP EU Council June 2013

5 WP Art. 29 Opinion 01/2012 on the data protection reform proposals - WP 191 (23.03.2012) Opinion 08/2012 providing further input on the data protection reform discussions WP 199 (05.10.2012) Working Document 01/2013 - Input on the proposed implementing acts WP 200 (22.01.2013) See also Opinion 04/2012 on Cookie Consent Exemption WP 194 (07.06.2012) Opinion 05/2012 on Cloud Computing WP 196 (01.07.2012)EDPS Opinion of 7 March 2012 on the data protection reform package Additional EDPS Comments of 15 March 2013 on the Data Protection Reform Package See also Opinion of 16 November 2012 on the Commission's Communication on "Unleashing the potential of Cloud Computing in Europe"

6 Main innovations (1) Extension of the scope of EU data protection law (Art. 3): EU law is applicable to controllers established in third countries (also) when offering goods and services to individuals in the EU or monitoring of their behaviour (extension clearly related to the “internet reality”) New definitions (among others, genetic data, biometric data, personal data breach, main establishment, group of undertakings, binding corporate rules) & additions to existing definitions in Directive 95/46 (Art. 4) Confirmation of the well established data protection principles and their fine tuning: Privacy by design and by default (art. 22, art. 23), data minimisation principle and personal data breach notification (art. 31 and 32) «Old» and «new» rights of the data subject : the right to oblivion (Art. 11 ff. – Right to be forgotten and to erasure, art. 17: also on the Internet) and the right to data portability (Art. 18)

7 Data controller accountability’s tools: (Mandatory v. Optional) «Data Protection Officer» ( (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects ) (art. 35 ff.) centralised approach on protecting data protection and privacy (mainly relying on DPAs) vs. decentralised approach (mainly relying in DPO spreading awareness and knowledge among private or public companies). The GDPR is going towards an integrated approach DPO as data protection expert (within the DC), (first) contact point within the DC for data subjects (e.g in case of complaint handling) and “bridge” between the DC and the DPA (consulting and cooperating with the competent DPA). A tool to ensure, in an independent manner (functional autonomy), the internal application of the national provisions DPO’s tasks in 3 steps: a) AUDIT ; b) DIAGNOSTIC (legal analysis and evaluation of the data processing); c) Internal RECOMMENDATIONS/PRESCRIPTIONS Data Protection Impact Assessment (art. 33 ff.) Main innovations (2)

8 DPAs (art. 46 - 54) – Independence (see ECJ Case C-518/07 Commission v. Germany; ECJ (Grand Chamber), 16 October 2012 (Case C ‑ 614/10) Commission v. Austria), functions, powers, resources; one-stop-shop principle (art. 51) Cooperation among DPAs (mutual assistance – art 55; Joint operations of supervisory authorities, such as joint investigative tasks, joint enforcement measures and other joint operations – art. 56 and Consistency mechanism: BCR, CCS) Sanctions : European Administrative sanctions - up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover (art. 78 ff.) Main innovations (3)

9 The so called «horizontal» issues Choice of the legal instrument: regulation v. directive (problem solved or open issue?) (effective) Enforceability Executing and delegated acts & EC powers (also «veto») Administrative burdens  risk based approach (?) SMEs “During the discussion, there was a large consensus that in order to reduce the administrative burden and more generally the compliance costs on companies, a more risk-based approach should be followed. In this sense, the Council instructed the competent preparatory bodies to continue to work on concrete proposals to implement a strengthened risk-based approach in the text of the draft regulation” (3207th Council of the EU meeting, Justice and Home Affairs, Brussels, 6 and 7 December 2012). «Flexibility» for the public sector (room for a new fragmentation?) Main criticalities (1)

10 (Possible) lack of harmonisation due to the lawfulness principle or concerning given (wide) sectors, e.g. the «workplace privacy» issue: (Article 82 (1) recognizes to Member States the possibility to “adopt by law specific rules regulating the processing of employees' personal data in the employment context” (see Protection of Personal Data in Work-related Relations, STUDY, LIBE, 2013, 66 ff. : “patchwork of national rules.”) Scope of application of the GDPR (anonymous data, pseudonymous data, which remain personal data; personal or household activity; need of clarification of the notion of “main establishment” to reduce risk of abuses and ensure that the concept of a “one stop-shop” for companies is effective ) “uncertainty as regards rights and obligation in borderline issues, for instance where commercial data is accessed by law enforcement authorities for law enforcement purposes and transfers between authorities that are responsible for law enforcement and those that are not” (Albrecht report). DPAs & EDPB (financial, technical and human) resources for DPAs cooperation among DPAs (e.g. cross border investigation, standardised procedural rules) Coordination among DPAs (e.g. conducting joint actions) and with the EDPB, preserving at the same time (all involved) DPAs’ independence (lead DPA): need to address the case of possible divergences between DPAs and/or the EDPB Main criticalities (2)

11 European Commission – Justice – Data Protection page: http://ec.europa.eu/justice/data- protection/index_en.htm

12 For the Irish Presidency (and the Council) no single part of the Regulation can be considered agreed until the text of the whole Regulation is agreed (May 31, 2013, the Justice and Home Affairs Council of the European Union) Vote postponed at the LIBE Committee Risk of a race to the bottom, notwithstanding the (declared) preservation of the existing protection level & guarantees More tasks to the DPAs? For sure, and an encreased need of cooperation/coordination between them  the European Data Protection Board in search of a role (up to now: Art. 29 Working Party) Applicable law and judicial redress Impact on the national legislation of the field: two / three years for implementing measures, if necessary

13 Many thanks Grazie! http://www.garanteprivacy.it r.lattanzi@garanteprivacy.it

Download ppt "Data Protection and the Internet – New Challenges The reform of the data protection legal framework – current developments Roberto Lattanzi Italian Data."

Similar presentations

1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.

1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.
A European Data Protection Framework for the 21st century Paul NEMITZ Director DG JUSTICE – Fundamental Rights and Union Citizenship.

A European Data Protection Framework for the 21st century Paul NEMITZ Director DG JUSTICE – Fundamental Rights and Union Citizenship.
1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.

1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
The fundamentals of EC competition law

The fundamentals of EC competition law
Eurojust The European Union’s Judicial Cooperation Unit.

Eurojust The European Union’s Judicial Cooperation Unit.
An Ocean of Opportunity: An integrated maritime policy for the EU 1 Places of refuge: General legal framework and developments within IMO and the EU Alexandros.

An Ocean of Opportunity: An integrated maritime policy for the EU 1 Places of refuge: General legal framework and developments within IMO and the EU Alexandros.
The Treaties, Institutions and Policies of the EU

The Treaties, Institutions and Policies of the EU
Europol’s tailor-made data protection framework

Europol’s tailor-made data protection framework
MINISTRY OF FINANCE 4-7.11.2003Counsellor, docent, Dr Tuomas Pöysti1 The Constitutionalisation and Evolution of Penal Law and Control Policy in the European.

MINISTRY OF FINANCE Counsellor, docent, Dr Tuomas Pöysti1 The Constitutionalisation and Evolution of Penal Law and Control Policy in the European.
ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.

ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.
EU Criminal Law Introduction, Lisbon Treaty. EU criminal legislation EU cannot adopt a general EU criminal code EU cannot adopt a general EU criminal.

EU Criminal Law Introduction, Lisbon Treaty. EU criminal legislation EU cannot adopt a general EU criminal code EU cannot adopt a general EU criminal.
COMMISSION FOR PERSONAL DATA PROTECTION 14 TH Meeting, CEEDPA 20-21 may, Kyiv LEGAL FRAMEWORK FOR DATA PROTECTION, COMPETENCES AND PRIORITIES OF THE COMMISSION.

COMMISSION FOR PERSONAL DATA PROTECTION 14 TH Meeting, CEEDPA may, Kyiv LEGAL FRAMEWORK FOR DATA PROTECTION, COMPETENCES AND PRIORITIES OF THE COMMISSION.
WORLD MEETING OF CUSTOMS LAW BRUSSELS 2013 4, 5 - 6 September “ Studies on Harmonization of Customs Law and Contributions of the Academy for updating and.

WORLD MEETING OF CUSTOMS LAW BRUSSELS , September “ Studies on Harmonization of Customs Law and Contributions of the Academy for updating and.
Draft EU Privacy Regulation Corporate Privacy Forum January 26, 2012.

Draft EU Privacy Regulation Corporate Privacy Forum January 26, 2012.
EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.

EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.
Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.

Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.
Principles of good practice Jana Kunická Community Philanthropy Initiative Coordinator European Foundation Centre.

Principles of good practice Jana Kunická Community Philanthropy Initiative Coordinator European Foundation Centre.
1 THE THIRD ENERGY PACKAGE – THE ENERGY COMMUNITY APPROACH Energy Community Secretariat 20 th Forum of the Croatian Energy Association and WEC National.

1 THE THIRD ENERGY PACKAGE – THE ENERGY COMMUNITY APPROACH Energy Community Secretariat 20 th Forum of the Croatian Energy Association and WEC National.
Data Protection – Future EU Law and the Compliance Function Billy Hawkes Data Protection Commissioner ACOI Dublin, 17 April 2012.

Data Protection – Future EU Law and the Compliance Function Billy Hawkes Data Protection Commissioner ACOI Dublin, 17 April 2012.

Similar presentations

Ads by Google