571f3d918a1462ad0b6e0ce81bb9c157.ppt
- Number of slides: 24
Data Protection – the Lisbon Effect Billy Hawkes Data Protection Commissioner Institute of International and European Affairs Dublin, 17 September 2009
Presentation Outline • Data Protection Now • Data Protection under Lisbon • Data Protection: Future Change
Treaties • Article 286 EC Treaty Ø Community acts on the protection of individuals with regard to the processing of personal data and the free movement of such data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty. Ø Independent supervisory body responsible for monitoring the application of such Community acts to Community institutions and bodies • Article 30 (1) (b) EU Treaty Ø Processing of police data subject to appropriate provisions on the protection of personal data
EU Charter of Fundamental Rights: Article 8 • Protection of personal data • 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
EU Secondary Legislation • Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data • Directive 2002/58/EC Privacy and Electronic Communications • Decision 2008/977/JHA Data Protection – Police and Judicial Cooperation • Specific Provisions in Title VI Bodies (Europol, Eurojust etc)
EU & Irish Legislation (EU measure: Irish measure) • Data Protection Directive 95/46/EC: Data Protection Acts 1988 & 2003 • Electronic Privacy Directive 2002/58/EC: EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008) • EUROPOL etc: Corresponding Acts • Police & Justice Decision 2008/977/JHA: (to be transposed)
Data Protection Now - Summary • Limited recognition at Treaty level • Article in Charter of Fundamental Rights • Comprehensive “First Pillar” (Internal Market) Regime • Patchy “Third Pillar” (JHA) Protection • Nothing for “Second Pillar” (CFSP)
Presentation Outline • Data Protection Now • Data Protection under Lisbon • Data Protection: Future Change
Lisbon Treaty (1) Article 16 Treaty on the Functioning of the Union • 1. Everyone has the right to the protection of personal data concerning them. • 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. • Compliance with these rules shall be subject to the control of independent authorities. …
Lisbon Treaty (2) Article 39 Treaty on European Union (CFSP) • In accordance with Article 16 of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of this Chapter, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
Lisbon Treaty (3) Declaration 20. Declaration on Article 16 of the Treaty on the Functioning of the European Union • The Conference declares that, whenever rules on protection of personal data to be adopted on the basis of Article 16 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter. It recalls that the legislation presently applicable (see in particular Directive 95/46/EC) includes specific derogations in this regard.
Lisbon Treaty (4) Declaration 21. Declaration on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation • The Conference acknowledges that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields.
Lisbon Treaty (5) Protocol 21 On the position of the United Kingdom and Ireland in respect of the Area of Freedom, Security and Justice (Article 6a) • The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty where the United Kingdom and Ireland are not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16.
Data Protection post-Lisbon: Summary • Treaty Status (Article 16) • Charter of Fundamental Rights (Article 8) • Applicable across all areas of EU activity
Presentation Outline • Data Protection Now • Data Protection under Lisbon • Data Protection: Future Change
Drivers of Change • Growth of Personal Data holdings • International Data Flows increasing exponentially Ø Chains of processing – “cloud” computing Ø Remote access to personal data via Internet • Data Breaches/Data Security • State use of Personal Data Ø Sharing for efficiency Ø “Surveillance Society” • Public Opinion
Change Happening: Data Security • Consensus on need for Action Ø More Data Breach Reports Ø Public Pressure for action • Department of Finance Guidelines for Public Service • Working Group on possible need for change in Irish Legislation • Data Breach reporting obligation in new EU ePrivacy Directive Ø Commitment to broader EU measure?
Change Happening: International Data Transfers • Simplified Model Contract for transfer from EU Data Controller to non-EU Data Processor (imminent) • EU Binding Corporate Rules Ø Permit transfers within multinational group from EU to non-EU subsidiaries • Accountability key underlying concept Ø New Guidelines Ø Mutual Recognition • Once a DPA has approved a BCR, the majority of other EU DPAs will automatically approve it
Change Happening: Ireland • More emphasis on enforcement of data protection law Ø Successful prosecutions for “Spam” Ø Greater use of audit powers (including “dawn raids” where necessary) • Focus on “big picture” as well as individual complaints
“Stockholm Programme” • EU Commission Communication “An area of Freedom, Security and Justice serving the Citizen” (June 09) Ø The Union must establish a comprehensive personal data protection scheme covering all areas of EU competence Ø The Union must be a driving force behind the development and promotion of international standards for personal data protection and in the conclusion of appropriate bilateral or multilateral instruments. (Work with USA quoted approvingly)
Future Change: EU Legal Framework • Study commissioned by UK Information Commissioner (“Rand Report”) discussed by European DPAs in April 09 Ø Study acknowledged strengths of EU system but declared it “not fit for purpose” • EU Commission Data Protection Conference, May 2009 • Public Consultation on the legal framework for the protection of the fundamental right for the protection of personal data – launched July, finishes December 09 • Revised horizontal Directive 2012?
Future Change: Towards International DP Standards? • EU: Making Binding Corporate Rules work; more “adequacy” decisions? • APEC (Asia-Pacific): Privacy Principles, Pathfinder • ISO: New draft Privacy Standard • International DP Conference: Draft Standards to be approved at November (Madrid) Conference • Private Sector: IAPP (certification/training); “Accountability” Project
Future Change: Some Issues • Accountability of Organisations Ø Challenge of responsible data handling rather than compliance with prescriptive rules? • Data Protection and new Technologies • Data Protection and State activity • Role of Data Protection Authorities Ø Being selective to be effective Ø More effective enforcement
Thank You Further Guidance • www.dataprotection.ie • Data Protection Commissioner, Canal House, Station Road, Portarlington, Co Laois Tel. 1890-252231 (Lo-call), 057-8684800