Post on 23-Dec-2015
ECLA / IALS, 5 November 2013
EU Privacy and Data Protection
Christopher Docksey
5 November 2013
ECLA/IALS, London
All opinions are personal
1) the context
2) data protection and electronic evidence
3) EU law on privacy and data protection
4) the data protection reform
(1) Context
Most personal information and most evidence are digital
Lawyers and judges need to know the significance of digital information
Need to know and understand the:
• nature of digital evidence
• data protection rules of the road
Otherwise no:
• remedy for the data subject
• fair trial for the accused
• convictions for the prosecutor
Access/use of data transformed by technology
• Pre-digital: data in manual files, held locally
• 1970s: mainframes in administrations, police uses filtering searches
• 1980s: wide IT use, PCs, Internet, data transfers
• 1990s: www, digital communications, convergence, communications privacy
• 2000s: Digital audio and video, ecommerce, e-everything, social media
• 2010s: mobile, location based, cloud computing, massive profiling, Big Data
Timeline of law and technology
Year | DP legislation | IT developments
1970 | Hessen | Arpanet has 13 nodes
1974 | US Privacy Act | Name “Internet”
1978 | FR law, CNIL | 1st spam email
1980 | OECD Guidelines | Usenet (now Google groups)
1981 | Convention 108 | IBM PC
1990 | UK Computer Misuse Act | www (December 25)
1995 | Directive 95/46/EC | Amazon.com
Timeline of law and technology
Year | DP legislation | IT developments
2000 | EU Charter Arts 7 & 8 | Wikipedia (January 15, 2001)
2001 | Regulation 45/2001 | iPod (November 10)
2004 | EDPS Decision | FaceBook
2006 | Data Retention Directive | Twitter, iPhone (2007)
2009 | TFEU Art 16, TEU Art 6(1) | iPad (April 3 2010)
2012 | Com proposes DP reform | Google Glass testing
2013 | Negotiations in EP and Council | Snowden - NSA
EU legislation on Privacy and Data Protection
• OECD Guidelines 1980 (soft law)
• ECHR Convention No. 108, Art. 8: privacy
• EU Charter Arts. 7 and 8
• Data Protection Directive 95/46
• Data Protection Regulation 45/2001
• ePrivacy Directive 2002/58
• Data Retention Directive 2006/24
• Framework Decision 2008/977
• Article 16 TFEU and 6(1) TEU (Charter)
Challenges to Privacy
• Big Data - profiling of digital traces (Cookies, clickstream data, hyperlinks)
  – Social networks (FaceBook)
  – Search Engines / integrated databases (Google)
  – Deep packet inspection (BT)
  – Location based services (Apple)
  – Customer profiling (Target)
• Cloud computing
• Foreign transfers
• Data breach (Sony PlayStation: £250k)
Challenges to Privacy
Dates when PRISM began for each Provider:
• 2007 Microsoft
• 2008 Yahoo
• 2009 Google, Facebook
• 2010 YouTube
• 2011 Skype, AOL
• 2012 Apple
(2) Data Protection and Electronic Evidence
• Overlapping Scope
• Data protection rules apply to the courts
• Fruits of the Poisoned Tree
• precautions to ensure admissibility of e-evidence
Overlapping Scope
electronic evidence: data (analogue or digital) that is created, manipulated, stored or communicated by any device, computer or computer system or transmitted over a communication system, that is relevant to the process of adjudication (Mason)
processing of personal data: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Directive 95/46, Article 2.b)
DP Rules apply to Courts
• after reform, DP Reg and Dir fully apply to the judiciary in civil and criminal cases
• already art 16 TFEU, Art 8 ECHR, Arts 7 and 8 Charter
• so all courts’ activities need to take DP into account
• only exception: supervision by DPAs
• result: possible challenges of evidence for violation of DP rules
Fruits of the Poisoned Tree
• exclusionary rule of unlawfully obtained evidence
• in some MS evidence obtained in breach of DP law inadmissible, ok in others (eg UK) so long as not “unfairly prejudicial”
• admissibility criteria: respect for (i) fundamental rights and (ii) fair trial
• e.g. substantial DP breach (eComs traffic data which should have been deleted), not just procedural (failure to appoint DPO)
precautions to ensure admissibility of e-evidence
• assess necessity and proportionality of processing on case by case basis, especially re. forensic examination of computers
• assess availability of less intrusive methods
• limit access to need to know
• limit use to purpose of collection
• ensure authorisation mechanisms to allow computer forensic examinations
(3) EU Law on Privacy: two fundamental rights
(a) the Right to Privacy
ECHR (1950), Article 8
Everyone has the right to respect for his or her private and family life, home and correspondence
EU Charter (2000), Article 7 :
…and communications.
(b) the Right to Protection of Personal Data
an autonomous fundamental right to self-determination in the Information Society
Article 16, EU Treaty
EU Charter, Article 8 :
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority
(a) fair processing: lex certa
necessity and proportionality
Article 8(2) ECHR – justification for interference with the right to privacy:
• In accordance with the law
• Necessary in a democratic society for national security, public safety, crime, health or morals, protection of others’ rights and freedoms
Case C-465/00 - Rundfunk
• Disclosure of names/salaries by Court of Auditors in report to Parliament; necessary also to disclose to general public?
• Article 6 of Directive 95/46 must be interpreted in light of Article 8(2) ECHR
• Data must be processed in conformity with requirements of necessity and proportionality, as in Article 6
• These also apply to Article 13 derogations
Flight data: legal basis
US PNR: Joined Cases C-317-318/04
ECJ and AG: wrong legal basis
outside scope of Directive and Article 95 EC:
• 57: concerns processing necessary for public security and law-enforcement purposes, not the supply of services
• 58: the transfer falls within framework established by public authorities re public security
Flight data: legality
US PNR: Joined Cases C-317-318/04
AG: not manifestly inadequate:
• Adequacy different to equivalence
• Broad margin of discretion
• Justified interference per Article 8(2)
• Legitimate purpose, proportional use
• 34 PNR elements not excessive
• 3.5 year data retention not excessive
• Effective administrative review
After the PNR ruling
• PNR II and PNR III – EU-US Agreements
• SWIFT / TFTP
• EU PNR
• HLCG - umbrella Agreement
• Data Retention Directive
Data Retention: legal basis
Case 301/06, Ireland v Parliament and Council (legal basis after PNR ruling)
Directive 2006/24: telecoms and ISPs must retain
• traffic data (not content)
• for period between 6 months and 2 years
• available to national competent authorities to combat “serious crime” as defined by national law
Data Retention: fair processing
• National implementing laws ruled unconstitutional in CZ, DE and RO
• Joined Cases C-293/12, Digital Rights Ireland and C-594/12, Seitlinger:
  – Violation of rights to privacy and data protection (arts 7 and 8 of Charter)
  – Necessity: criminals will use anonymously
  – Proportionality: lack of evidence
  – Scope for abuse: possibility of illegal profiling
(4) The Data Protection Reform
• Public consultation (May-Dec 2009)
–Written input received: 150-200
• Commission reflection (Jan-Sept 2010)
–Stakeholder meetings, impact analysis
• Communication (4 November 2010)
–Consultation & additional feedback
• Commission proposals for a Regulation and a Directive 25 January 2012
Main drivers of the Reform
• Technological development: more effective protection needed
• Globalisation: more consistency needed within EU and internationally
• Lisbon Treaty: a new legal base for horizontal EU-wide data protection law
Parallel Reform processes
• Modernisation of Convention 108
• Review of OECD Guidelines
The Data Protection Reform Package
• Policy Communication (COM(2012) 9 final)
• “General” Data Protection Regulation (COM(2012) 11 final)
• Directive for police and criminal justice authorities (COM(2012) 10 final)
• Implementation Report for Council Framework Decision 2008/977/JHA
• Impact Assessment
State of play
• Albrecht report: January 2013
• 4000+ amendments
• Council partial common position: June 2013
• LIBE vote: 21 October 2013
• European Council: 25 October
• Adoption 2014 or 2015?
Objectives of the Reform
• Continuity, build on existing framework: underlying principles still valid
• Strengthen data subjects’ rights
• Make controllers more accountable
• Improve harmonisation (Regulation) and consistency of approach by DPAs
• Strengthen supervision & enforcement
• Substantially increase the level of data protection in law enforcement
I: The Regulation
• Choice of measure: greater legal certainty
• Jurisdiction and scope
Strengthened rights of data subject
• Explicit Consent
• Right to be Forgotten / Portability (Arts 17-18)
• Stronger right to object (Art 19)
• Enhanced transparency
• Scope for collective action (Art 73.2)
Right to be forgotten
CNIL (FR) – reports a growing problem:
• 2012 - 6,000 complaints overall
• more than 1,000 re. right to be forgotten, more or less directly
• increase in complaints by 42% in one year
Reg art 17 right to be forgotten
• erasure & abstention from further dissemination
• no longer necessary, data subject withdraws consent
• take all reasonable steps to inform 3rd parties
• Albrecht: not where consented
The right to be forgotten: Case C-131/12, Google v AEPD
• Is there an (absolute) right to be forgotten under existing law?
  – Art 12: erasure of data whose processing does not comply with Directive
  – Art 14(a): object on compelling legitimate grounds relating to particular situation
• Can a newspaper also be ordered to remove a name from its index?
Strengthening the framework:
• Accountability (Art 22)
• Privacy by Design / by Default (Art 23)
• Data breach notification
• International Data Transfers
• Stronger DPAs and more effective enforcement across the Internal Market (cooperation and Consistency Mechanism)
• Fines
II. Directive - criminal justice and police cooperation
– Lisbon, Declaration 21: specific rules
– Directive: to retain flexibility in a sensitive area
– Replaces Framework Decision 2008/977/JHA
– Gives power to Commission to enforce the rules
– General DP rules applied to police & judicial cooperation in criminal matters (LIBE: gaps filled)
– Covers domestic processes and all transfers
– Harmonised criteria on necessary limitations to an individual’s rights
The Directive
Criticisms of Proposal - fails to introduce a consistent and high level of data protection:
• Purpose limitation unclear
• No obligation to demonstrate compliance
• Weak conditions on international transfers
• Unduly limited powers of DPAs
Key elements for electronic evidence:
• in original Commission proposal, and
• in amendments voted by LIBE committee
Article 4: principles relating to data processing
• No incompatible data processing (see art 7a)
• Limited to minimum necessary and NOT beyond context (recital 19 deleted)
• Securely protected against unauthorised or unlawful dp and loss, destruction, damage
• Limited to duly authorised staff, need to know
• Establish time limits for deletion /periodic review (new 4b)
Article 5: different categories of data subjects
MS shall distinguish between categories
• Reasonable (not serious) grounds that have/about to commit criminal offence
• Persons convicted of a crime
• Victims or presumed victims of crime
• Third parties, eg witnesses
Other data subjects: only as long as necessary to establish relevance or for targeted, preventive purposes
Article 6: accuracy and reliability
• Distinguish facts and personal assessments
• Do not transmit/make available inaccurate, incomplete or not up to date data, assess quality before transmission and include assessment data (new 2a)
• Notify recipient of incorrect data or unlawful transmission, recipient must rectify or erase without delay (new 2b)
Article 8a : genetic data
• for criminal investigation or judicial procedure
• may only be used to establish a genetic link within framework of adducing evidence
• retention only as long as necessary and where convicted of serious offences against persons, and subject to strict storage periods
• Longer storage, especially when found at crime scene, only when not attributable to individual
Article 27: security of processing
Criteria: risks of processing and nature of data, state of the art and implementation cost
• Equipment access control
• Data media control
• User control
• Data access control
• Communication control
• Transport control
• Reliability and integrity
• Recovery
Article 46: powers of DPAs
• Art 46(1)(f): to order rectification, erasure or destruction of all unlawfully processed data
• Art 46(1)(g): to impose temporary or definitive ban on processing
• Art 46(5): to bring violations to the attention of the judicial authorities
• Art 46(6): to impose penalties in respect of administrative offences
Thank you for your attention!
For more information:
www.edps.europa.eu
edps@edps.europa.eu
@EU_EDPS