INTERNET USER’S RIGHTS AND FUNDAMENTAL FREEDOMS DAYCoE and ECHR Standards on Data Protection and Right to Privacy Online

05/02/2023

Right to privacy/data protection online

Who controls our data Revelations by Edward Snowden Role of Private Sector Safe Harbour/Privacy Shield Positive obligation of the State

CoEModernised Convention 108 EUGeneral Data Protection Regulation

Council of Europe RegulationEuropean Convention on Human Rights

Article 8Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Council of Europe RegulationEuropean Convention on Human

Rights ARTICLE 9

Freedom of thought, conscience and religion 1. Everyone has the right to freedom of thought, conscience and religion; this right includes freedom to change his religion or belief and freedom, either alone or in community with others and in public or private, to manifest his religion or belief, in worship, teaching, practice and observance. 2. Freedom to manifest one’s religion or beliefs shall be subject only to such limitations as are prescribed by law and are necessary in a democratic society in the interests of public safety, for the protection of public order, health or morals, or for the protection of the rights and freedoms of others.

Council of Europe Data Protection regulation

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS. 108) 1981

Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (ETS. 181) 2001

Modernisation of Convention (modernisation proposal adopted 2012)

Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling

Council of Europe internet regulation

Recommendation CM/Rec(2016)5[1] of the Committee of Ministers to member States on Internet freedom

Recommendation CM/Rec(2012)4 of the Committee of Ministers to member States on the protection of human rights with regard to social networking services

Recommendation CM/Rec(2012)3 of the Committee of Ministers to member States on the protection of human rights with regard to search engines

Declaration of the Committee of Ministers on protecting the dignity, security and privacy of children on the Internet (Adopted by the Committee of Ministers on 20 February 2008)

European Court of human rightsdata protection case law

K.U. v Finland Roman Zakharov v. Russia (Application no. 47143/06) December 4,

2015

Relevant Documents: Case Law of the European Court of Human Rights Concerning the Protec

tion of Personal Data (2013)

Internet: case-law of the European Court of Human Rights (2015)

Handbook on European data protection law

Council of Europe Data protection terminology The key principles of European data protection law The rules of European data protection law The data subject’s rights and their enforcement Transborder data flows Data protection in the context of police and criminal justice Other specific European data protection laws Available in English…. Romanian

European Union agency for fundamental rights

European uniondata protection regulation and authorities

Data protection directive General Data Protection Regulation Opinions of the Article 29 Working Party

Article 29 Working Party European Data Protection Supervisor European Court of Justice

TrendsOPERATORS SHOULD NOT BE OBLIGED TO RETAIN DATAGOOGLE SEARCH TO COMPLY WITH DATA SUBJECT’S RIGHTSAGREEMENT ON DATA TRANSFER TO US COMPANIES IS INVALID

Data retention Digital Rights Ireland and Seitlinger and OthersJoined Cases C-293/12 and C-594/12, 8 April 2014

Data Retention Directive 2006all providers of publicly available electronic communications services or of public communications networks to keep all “meta data” for the period of minimum 6 months to maximum 24 month Court ruling: the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to

the protection of personal data the directive fails to lay down any objective criterion which would ensure that the competent national authorities

have access to the data the directive imposes a period of at least six months, without making any distinction between the categories of data

on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of

abuse and against any unlawful access and use of the data the directive does not fully ensure the control of compliance with the requirements of protection and security by an

independent authorityEU legislature has exceeded the limits imposed by compliance with the principle of proportionality

Right to be forgottenGoogle Spain SL v. AEPD (the DPA) & Mario Costeja Gonzalez C-131/12, 13 May 2014

A Spanish citizen disputed an article about him available also via Google search results complained to Spanish Data Protection Authority, which ruled that Google should remove the disputed item from the search results and the latter challenged the ruling at the ECJCourt ruling:- Google is a data controller - Data protection directive applicable- Data subject’s rights apply - Right to be forgotten- Right to be delisted

Safe harbourMaximillian Schrems v Data Protection Commissioner C-362/14, 6 October 2015

Austrian citizen complained to Irish DPA about his personal data being transferred from Irish Facebook subsidiary to Facebook. Irish DPA rejected the complaint that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferredCourt ruling national security, public interest and law enforcement requirements of the United States prevail

over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements

not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, thus the rule of law.

the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

the Safe Harbour Decision is invalid

effects on data protection in Council of Europe countries

Anti-Counterfeiting Trade Agreement – ACTAsigned in October 2011 by Australia, Canada, Japan, Morocco, New Zealand, Singapore, South Korea, and the United States. In 2012, Mexico, the European Union and 22 countries which are member states of the European Union signed as well Foreign Intelligence Surveillance Act of 1978 – FISA Copyright regulation National laws …..

Other forums for data

protection

Click icon to add picture• International Conference of Data Protection and Privacy Commissioners

• International Working Group on Data Protection in Telecommunications

• European Conference of Data Protection Authorities

• Central and Eastern Europe Data Protection Authorities

- OECD- GPEN - EuroDIG• IGF ...

Data protection is ever present and yet challenges remain

Why?

Impact of internetDifferent national law

Concept of Privacy

googleFacebook

Twitter

Mobile apps

Thank you! CONTACT: NEVENA.RUZIC@POVERENIK.RS

@NEVR