- Количество слайдов: 25
Technology– the Data Protection Challenge Billy Hawkes Data Protection Commissioner HEAnet Conference Kilkenny, 13 November 2009
Ubiquitous Technology • Part of daily life • Increased reliance – especially on Information Technology • The Internet - Major Benefits Ø Ø What would we do without search engines? What would teenagers do without social networking/Instant Messaging? • The Future “Technology of Things”?
New Technologies • • Geo-location RFID (Radio Frequency IDentification) Biometrics DNA
Lots of Personal Data …. • Increased commercial and State gathering of personal information and “data mining” • Temptation to present Privacy as an obstacle rather than an entitlement But • Increasing appreciation that privacy protection is good customer service and a “bottom line” issue
Technology and Data Protection • Data Protection Law developed in response to proliferation of Information Technology • Recognition that capacity to process and link personal information could be a threat to privacy • Data Protection Law originally applied only to electronic processing of personal information
EU & Irish Legislation • Data Protection Directive 95/46/EC • Electronic Privacy Directive 2002/58/EC • EUROPOL etc • Police & Justice Decision 2008/977/JHA • Data Protection Acts 1988 & 2003 • EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008) • Corresponding Acts • (to be transposed)
The Data Protection Rules 1. Fair obtaining & processing • Consent 2. Specified purpose 3. No disclosure • unless “compatible” 4. Safe and secure 5. 6. 7. 8. Accurate, up-to-date Relevant, not excessive Retention period Right of access
Data Protection & egovernment • Drive for more customer-friendly public services, with maximum e-delivery • Data sharing within government: how far? • Convenience & efficiency V Privacy • Govt working on framework for Identity Management and Privacy
Privacy & State Security • Shifting balance in “post 9 -11” world • Data Retention, CCTV, Data Sharing, Border Controls – “Surveillance Society”? • Proposed Compulsory biometric ID Card for non-nationals; towards National Identity Card? • Intensified police/immigration cooperation
Things go Wrong …. . • • • Jobs. ie Blood Transfusion Service Garda/Social & Family Affairs/Revenue TK Maxx UK: HMRC (Revenue), HSBC Bank
Eurobarometer 2008 Individual (DS) Concern about Data Protection EU Average Ireland % % Concerned 63. 8 70. 5 Not Concerned 34. 8 28. 2 Don’t know / no answer 1. 4 1. 3
Eurobarometer 2008 Organisations View of Necessity of Data Protection Law Requirements EU Average % Ireland % Tend to agree on necessity 91 99 Tend to disagree 6 0 Don’t know / No answer 3 0
Eurobarometer 2008 Anti-Terrorism Phone Call Monitoring: Individual (DS) View EU Average % Ireland % No 25. 2 50. 3 Yes, but only people who are suspected of terrorist activities 34. 6 21. 8 Yes, but even suspected terrorists should only be monitored under the supervision of a judge or with equivalent safeguards 21. 2 14. 6 Yes, in all cases 15. 9 11. 4 3 1. 8 Don’t know / No answer
Eurbarometer 2008 Anti-Terrorism Internet Monitoring: Individual (DS) View EU Average & Ireland % No 18. 9 31. 3 Yes, but only people who are suspected of terrorist activities 31. 7 23. 2 Yes, but even suspected terrorists should only be monitored under the supervision of a judge or with equivalent safeguards 17. 8 17. 1 Yes, in all cases 24. 8 25. 9 Don’t know / No answer 6. 9 2. 5
Eurobarometer 2008 Organisations’ Use of transferred Data Enhanced Security for Internet- EU Average % Ireland % Yes 67 88 No 32 11 Don’t know / No answer 2 2
Change Happening: Data Security • Consensus on need for Action Ø Ø More Data Breach Reports Public Pressure for action • Department of Finance Guidelines for Public Service • Working Group on possible need for change in Irish Legislation • Data Breach reporting obligation in new EU e. Privacy Directive Ø Commitment to broader EU measure?
Change Happening: Ireland • More emphasis on enforcement of data protection law Ø Ø Successful prosecutions for “Spam” Greater use of audit powers (including “dawn raids” where necessary) • Focus on “big picture” as well as individual complaints
Lisbon Treaty Article 16 Treaty on the Functioning of the Union • 1. Everyone has the right to the protection of personal data concerning them. • 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. • Compliance with these rules shall be subject to the control of independent authorities. …. .
“Stockholm Programme” • EU Commission Communication “An area of Freedom, Security and Justice serving the Citizen” (June 09) Ø Ø The Union must establish a comprehensive personal data protection scheme covering all areas of EU competence The Union must be a driving force behind the development and promotion of international standards for personal data protection and in the conclusion of appropriate bilateral or multilateral instruments. (Work with USA quoted approvingly)
Future Change: EU Legal Framework • Study commissioned by UK Information Commissioner (“Rand Report”) discussed By European DPAs in April 09 Ø Study acknowledged strengths of EU system but declared it “not fit for purpose” • EU Commission Data Protection Conference, May 2009 • Public Consultation on the legal framework for the protection of the fundamental right for the protection of personal data – launched July, finishes December 09 • Revised horizontal Directive 2012?
Future Change: Towards International DP Standards? • EU: Making Binding Corporate Rules work; more “adequacy” decisions? • APEC (Asia-Pacific): Privacy Principles, Pathfinder • ISO: New draft Privacy Standard • International DP Conference: Draft Standards approved at November (Madrid) Conference • Private Sector: IAPP (certification/training); “Accountability” Project
Protecting Privacy – How? • Empowering Individuals (e. g. Electoral Register ‘opt-out’; Phone etc ‘opt-out’; Access Right) • Law and the Courts • Role of the Market & self-regulation • International data flows - Towards international principles?
Privacy and Technology • Tension – manageable? • Privacy by Design – Privacy Enhancing Technologies • Work with Industry • Security Breach Legislation? • How to control State (mis-) use?
Thank You • www. dataprotection. ie