European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 European Privacy and Data Protection Policy Peter Hustinx 7 June 2007

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Why Privacy Matters ICT dependent society Fundamental rights Legal obligations Rising expectations Risks and realities Privacy governance

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Why Compliance Matters The Bridge to Reality Data Protection in action “Delivering values” in practice Facing up to consequences Top down, planning & control? Measuring your effectiveness Need for a compliance strategy

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Changing Context? Privacy versus Security –“Narrow vision” –Preserving balance –Monitoring safeguards Security and Privacy –“Broader vision” –Increased sensitivity –Conditions for success “Surveillance society” –Privacy by design

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 EU Data Protection CoE Convention 108 –Principles, subject rights, supervisory authorities EC Directives 95/46 and 97/66 (2002/58) Article 286 EC Treaty Regulation (EC) 45/2001 –Community institutions and bodies –Scope of Community law Österreichischer Rundfunk > PNR Cases EU Charter > Constitutional Treaty?

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Role of EDPS Article 286 EC Treaty Regulation (EC) 45/2001 Independent authority –Supervision –Consultation –Cooperation »Intervention ECJ CMLR October 2006

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Consultation Consultation Policy –Article 28.2 of Regulation 45/2001 –Inventory for 2007: relevant initiatives (16 > 36) First Pillar –Better implementation of Directive 95/46/EC –Communications on RFID and PET –Revision of E-Privacy Directive 2002/58/EC Third Pillar –Data Protection Framework –Implementation of Prüm Treaty

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Directive 95/46/EC Purpose of Directive –Harmonisation of national law –Free flow of personal data First Commission Report Work Program –Discussion with Member States –Priority for enforcement –Notification and information –International transfers –Promotion of PETs

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Commission 2006 Directive 95/46/EC – State of Play –Implementation has improved –Some countries should do better –Directive is fulfilling objectives –Rules are substantially appropriate –Interaction with new technology –Relationship with public interests

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Commission 2006 Directive 95/46/EC – Perspectives –No proposals for amendment »Focus on better implementation –Infringement procedures –Interpretation of provisions –Work Program continues –Contributions from WP29 –Guidance on new technologies –Reconsideration in due course

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Interpretation Provisions of Directive 95/46/EC –Personal data –Controller / processor –Applicable law –Incompatible use –Unambiguous consent –Legitimate interests –Supervisory authority

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 WP29 on Personal Data “Any information ….” –content, nature, format “… relating to …” –content, purpose, result “… an identified or identifiable …” –reasonable means “… natural person” –living individual, business data

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Privacy & Technology Directive 2002/58/EC –Revision of e-Privacy –Security measures Communication on RFID –Applicability Directive 95/46/EC –Impact of key provisions –Need for additional measures Communication on PETs –Analysis and standards –Supporting practical use

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Opinions on Third Pillar Data Protection Framework (I-II) –Common standards of wide scope –Consistency with Directive 95/46/EC Implementation of Prüm Treaty –Cautious approach of availability –Relies on existing national laws –Need for minimum harmonisation Data Protection Framework (III) –Condition for effective law enforcement –Substantial improvement needed

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Court Interventions PNR cases –Joint cases C-317/04 and C-318/04 before ECJ Public access to documents –Cases T-170/03 (British American Tobacco), T-161/04 (Valero Jordano) and T-194/04 (Bavarian Lager) at CFI Data retention directive 2006/24/EC –Case C-301/06 (Ireland vs Council and EP) at ECJ »Scope of legal basis in first pillar?

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 Global Privacy Transatlantic Data Protection –Values and Perspectives –Safe Harbor, PNR and SWIFT –Scope for a Common Framework Global Privacy and Data Protection –Feasibility of Global Standards –Developing Compliant Practices London Initiative (November 2006) –“Making Data Protection More Effective”

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 More information: Postal address: Rue Wiertz 60 - MO 63 B-1047 Brussels