Number of slides: 15
The legal and institutional framework for data protection under the 1st Pillar
Diana Alonso Blas, LL.M., Data Protection Officer
February 2009
TAIEX Seminar on data protection for police and judicial cooperation in criminal matters: EU requirements, 9-10 February 2009
Topics covered
• General Directive 95/46/EC
• The Article 29 Working Party
• The “telecoms/e-privacy Directive” 97/66/EC and 2002/58/EC
• Regulation (EC) 45/2001
• Role and tasks of the European Data Protection Supervisor (EDPS)
• Specific provisions for Visa, Immigration and Asylum
• The future after the “Lisbon Treaty”
Directive 95/46/EC (“the Directive”)
• Based on Convention 108 of the Council of Europe
• Two purposes of the Directive:
  1. Protection of fundamental rights and in particular of the right to privacy
  2. Free movement of information (internal market instrument)
• EU 15 > 27 + EEA
• Implementation in national law with similar results but also differences
• Scope of Community law: not extended to law enforcement (see also the PNR cases, C-317/04 and C-318/04), but some MS have also applied it to the third pillar
• Wide application within the EC Treaty (“first pillar”)
• Introduced supervisory authorities, also with consultative powers (which were then introduced into the CoE Convention through the Additional Protocol)
• Instrument with worldwide impact, as it became a “model” for many countries, partly due to the prerequisite of adequate protection for third countries
Main principles of the Directive
• Lawfulness of processing (grounds)
• Purpose limitation
• Data quality and proportionality
• Transparency
• Security
• Rights of access, rectification, deletion and opposition
• Special safeguards for sensitive data
• Automated individual decisions
Restrictions on transfers of data to third countries
• “Transfer”: making personal data available to a person who is outside the legal jurisdiction of one of the countries of the EU
• General principle: “adequate protection” (compliance with content principles as well as procedural/enforcement mechanisms: good level of compliance, support and help to individual data subjects, and appropriate redress)
• See the decisions of the EC so far (Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce's Safe Harbor Privacy Principles, and the transfer of Air Passenger Name Records to the United States' Bureau of Customs and Border Protection)
• Exceptions in Article 26
• Possibility of offering “adequate safeguards” (model contracts, binding corporate rules…)
Bodil Lindqvist case
• Case C-101/01, Court of Justice, Nov 2003
• Member of the Swedish Church; inside the scope of EC law? Facts.
• Local news, “processing” of sensitive data
• Publication on the Internet: is that a transfer to a third country?
  – Very important part of the ruling
  – Clearly no intention to transfer worldwide
New element: introduction of the DPA
• Not included in the CoE Convention (Additional Protocol)
• A system of “external supervision” in the form of an independent authority is a necessary feature of a data protection compliance system
• Independence: regarding appointment but also resources, dismissal procedures, no reception of instructions…
• Important tasks regarding complaint handling (protection of data subjects’ rights) but also regarding awareness, monitoring of compliance, and advice on legislative and technological developments
• Proactive enquiries might be needed
• Technical skills required
• Judicial control is not enough, too burdensome
Article 29 Working Party
• Advisory group: 1 DPA per Member State + EDPS + secretariat provided by the European Commission
• Full independence
• It must contribute to the uniform application of the Directive
• Gives opinions on the level of protection (and on legislative proposals)
• Very interesting work done in many fields: from “adequacy findings” to technical issues (privacy on the Internet) as well as further definition of concepts. Innovative work done in fields such as binding corporate rules, but also on issues such as Microsoft Passport in the past.
Directives 97/66/EC and 2002/58/EC
• Special rules, complementary to the main Directive
• The initial directive (97/66/EC) was the “telecoms directive”. It evolved into Directive 2002/58/EC covering electronic communications
• Spam, confidentiality, traffic data
• Currently under review. Discussion regarding, for instance, whether IP addresses are personal data (Google)
• See the very recent opinion of the EDPS (9 January 2009) on the ePrivacy Directive review and security breaches
• General principle is no retention of traffic data
The exception: Directive 2006/24
• Very controversial instrument adopted after years of political discussions
• Obligation to retain data for the purpose of combating terrorism and serious crime
• First storage obligation on ALL citizens
• What about the principle of necessity?
• “Traffic data”: what is it? (e-mail, Internet searching) The line between traffic and content is very thin.
• Directive challenged by Ireland
On EU level: Regulation 45/2001
• Needed to close a legal loophole: EU = MS + institutions
• A first pillar instrument, excluding Europol and Eurojust (the new Europol decision brings non-operational data under this Regulation)
• Introduces the EDPS
EDPS
• EDPS as a new concept: supervising the institutions regarding the processing of personal data
• Based on Article 286 EC and Regulation 45/2001
• Needed to harmonise the level of protection within the institutions with the level in the Member States (public and private sector)
• Wide responsibility for ensuring respect of fundamental rights by the EU institutions
• Not only supervision (prior checking, for instance) but also “consultation” and “cooperation”
• Very important opinions regarding upcoming EU legislation (website). Influential role
• Role of Data Protection Officers supported by the EDPS through a network of DPOs, in which the DPOs of Europol and Eurojust also participate as observers
• EDPS = Peter Hustinx + Giovanni Buttarelli (Assistant Supervisor)
• Extremely well qualified staff members
Visa, Immigration and Asylum
• Legislation for the exchange of personal data, as a tool for border control
• Includes the establishment of large-scale information systems
• Contains specific provisions on data protection
  – Regulation (EC) No 2725/2000 concerning the establishment of 'Eurodac'
  – Regulation (EC) No 1987/2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II)
  – Regulation (EC) No 767/2008 (VIS Regulation)
• Proliferation of regulations issue: not necessarily a bad thing if the regulations offer high protection and are compatible with each other!
Future: (Draft) Reform Treaty
• End of the pillar structure
• But this does not imply automatic application of the Directive to everything
• Sectoral declaration on DP in police and judicial cooperation in criminal matters foreseen
• Specificities of police and judicial work need to be taken into account (need for very clear and specific tailor-made rules for the diverse third pillar areas)
• The Eurojust and Europol legal frameworks are presently being amended, keeping their own DP rules and enforcement systems
Thanks for your attention!
• Questions? Comments?
Diana ALONSO BLAS, LL.M.
Data Protection Officer
Eurojust
Maanweg 174
NL-2516 AB The Hague
Tel: +31 70 412 5510
Fax: +31 70 412 5505
dalonsoblas@eurojust.europa.eu
www.eurojust.europa.eu