Title: Conference e-Society.mk, Karel Neuwirt, data protection expert, Czech Republic
3 International Conference e-Society.mk
Karel Neuwirt, data protection expert, Czech Republic
Team Leader of the EAR DP Project
Skopje, November 15-17, 2006
4 "If you think technology can solve your security
problems, then you don't understand the problems
and you don't understand the technology."
Bruce Schneier, Secrets & Lies, 2000
5 In the early 1960s when computers made their
first appearance as administrative aids, the need
to protect citizens against possible risks for
their privacy did not appear to be urgent. In
recent years, however, the need to provide
adequate safeguards for the individual has become
more acute as a result of two parallel and
interdependent processes: the growing complexity
of the social fabric and the headway made
by information technology. In all fields of
human activity, electronic data processing has
been introduced as an efficient and powerful
instrument to solve complex problems. In
several European states initiatives have been
taken in the field of protection of the
individual with regard to computers, both at
legislative level and with regard to information
of the public. Bills for new legislation have
been or are in the process of being drafted;
hearings and consultations are organised and
reports are produced by public and private
bodies.
6 The Council of Europe analysed in 1968:
Whether the European Human Rights Convention and the
domestic law of the Member States offered
adequate protection to the right of personal
privacy vis-à-vis modern science and technology.
The analysis showed that the present
national legislation gave insufficient protection
of individual privacy and other rights and
interests of individuals with regard to automated
processing of personal information.
In 1976, the Committee of Ministers decided to prepare a
convention for the protection of privacy in
relation to data processing abroad and
transfrontier data processing.
7 New technology and Data Protection
New technologies for processing of information have the potential
to violate human dignity and data protection rights
- Video surveillance
- Smart cards
- RFID (working document on data protection issues related to RFID technology, doc. WP105-2005)
- Biometrics
- SWIFT codes
- PNR (personal data about passengers)
- Location data, GPS/GSM communication (WP 29 Opinion on the use of location data with a view to providing added-value services, doc. WP 115-2005)
8 Privacy laws and legal documents need to be
respected if new technology is used
Convention for the Protection of Human Rights and Fundamental
Freedoms (ETS No 5), Rome, November 4, 1950
9 European Human Rights Convention
Article 8
(1) Everyone has the right to respect
for his private and family life, his home and his
correspondence
(2) There shall be no
interference by a public authority with the
exercise of this right except as in accordance
with the law and is necessary in a democratic
society in the interests of national security,
public safety or the economic well-being of the
country, for the prevention of disorder or crime,
for the protection of morals, or for the
protection of the rights of others
10 Convention for the Protection of
Individuals with regard to the Automatic
Processing of Personal Data (ETS 108, open for
signature January 28, 1981, entry into force
October 10, 1985)
Additional Protocol to the
Convention 108 (ETS 181, open for signature
November 8, 2001, entry into force July 1, 2004)
11 Convention 108
1st legally binding European data protection document
Total number of signatures (not followed by ratification): 4
Total number of ratifications/accessions: 37
ratification as well: Albania (2005), Bosnia and Herzegovina (2006),
Bulgaria (2002), Croatia (2005), Romania (2002), Serbia (2005),
Macedonia (2006), Montenegro (2005), Slovenia (1994)
12 Council of Europe Recommendations
- Recommendation No.R(2002) 9 on the protection of personal data collected and processed for insurance purposes (18 September 2002)
- Recommendation No.R(99) 5 for the protection of privacy on the Internet (23 February 1999)
- Recommendation No.R(97) 18 on the protection of personal data collected and processed for statistical purposes (30 September 1997)
- Recommendation No.R(97) 5 on the protection of medical data (13 February 1997)
- Recommendation No.R(95) 4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services (7 February 1995)
- Recommendation No.R(91) 10 on the communication to third parties of personal data held by public bodies (9 September 1991)
- Recommendation No.R(90) 19 on the protection of personal data used for payment and other operations (13 September 1990)
- Recommendation No.R(89) 2 on the protection of personal data used for employment purposes (18 January 1989)
- Recommendation No.R(87) 15 regulating the use of personal data in the police sector (17 September 1987) and the Evaluation reports of the Recommendation: First (1994), Second (1998) and Third (2002)
- Recommendation No.R(86) 1 on the protection of personal data for social security purposes (23 January 1986)
- Recommendation No.R(85) 20 on the protection of personal data used for the purposes of direct marketing (25 October 1985)
- Recommendation No.R(83) 10 on the protection of personal data used for scientific research and statistics (23 September 1983), replaced by Recommendation No. R(97) 18 with regard to statistics
- Recommendation No.R(81) 1 on regulations for automated medical data banks (23 January 1981)
13 Data Protection in the EU
- Directive 2002/58/EC (concerning the processing of personal data and the protection of privacy in the electronic communication sector / Directive on privacy and electronic communication)
- Directive 2006/24/EC (on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC)
14 Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the
protection of individuals with regard to the
processing of personal data and on the free
movement of such data
15 EU Directive 95/46/EC
- Free internal market
- Development of the information society
- Remove obstacles to the free movement of the data
- Harmonize national provisions in DP
16 EU Directive cont.
- Applies to any operation or set of operations which is performed upon personal data (processing)
- Personal data: the data relating to any identified or identifiable individual (data subject)
- Controller: determines the purposes and the means of processing
17 Electronic Product Codes (EPC)
RFID technology: push to adopt EPC to improve law and fair practice
- consumers should be notified when an RFID tag is present
- the RFID tag should be disabled by default after payment
- the tag should be placed on product packaging instead of on or within the product
- the tag should be easily recognizable and readers readily visible
- the process of reading should be visible
- information about the reason for use of the tag
- information about data security
Directive 95/46/EC requires that appropriate technical and
organisational measures be taken against
any form of unauthorized or unlawful processing
of personal data
18 Video surveillance and detection techniques
- Council of Europe document
  - Guiding principles for the protection of individuals with regard to the collection and processing of personal data by means of video surveillance (2002)
- EU documents
  - Opinion 4/2004 on the Processing of Personal Data by means of Video Surveillance (document 11750/02/EN - WP 89, 2004): The specific features of the processing of personal information included in sound and image data have been expressly highlighted by Directive 95/46/EC, which refers to them expressly in several points.
  - Green Paper on detection technologies in the work of law enforcement, customs and other security authorities (COM(2006)474 final, Brussels, 1.9.2006): Design, manufacture and use of detection technologies and associated technologies, together with legislation or other measures aiming to regulate or promote them must fully comply with Fundamental Rights. Particular attention must be paid to compliance with the protection of personal data.
19 Smart cards and RFID
- Council of Europe document: Report on the protection and guiding principles of personal data with regard to the use of smart cards (2001, www.coe.int/dataprotection)
- EU documents: Working document on data protection issues related to RFID technology (10107/05/EN, WP105, 2005)
E-passports move a step to becoming secure global smart card
identification documents.
20 Swift Codes (the Society for Worldwide Interbank Financial Telecommunication)
Swift is a Belgium-based hub for international bank
transactions from about 200 countries (established in 1973)
Swift volunteered to give the U.S. access to the database for indicating
terrorist financing
- the U.S. scrutinised millions of financing records that had nothing to do with terrorism for the last five years
- transnational data transfer to the U.S. government violates EU data protection law
- the EU Article 29 Working Party (EC independent advisory group of DP experts) issued a press release (Sept. 2006) and will continue to analyse the problem
- the EU Parliament will debate the problem
- "All clients and institutions have the right to know what happened to their confidential data. They have a constitutional right that their data are processed in accordance with privacy rules and with full respect to banking secrecy," the WP 29 chairman Peter Schaar said.
21 PNR (Passenger Name Record)
- an airline PNR contains 34 types of data on a passenger
- pull system, under which the U.S. accesses the database
- the EP and the European Court of Justice struck down the agreement signed by the EU
- new temporary agreement to be negotiated in June 2007
- push system, under which the airlines will provide information on a case-by-case basis (within 15 minutes of departure) when a new Agreement is reached
- the EP is pushing for a more coherent approach to the exchange of passenger information
22 Biometrics
Biometric features are biological,
physical, physiological, behavioural or similar
human body characteristics used to establish the
identity of an individual. Many of these
characteristics are considered so unique that they
qualify to identify an individual by automated methods
- sensitive data?
- big growth of IT projects for biometrics
- the Council of Europe (progress report on the application of the principles of C108 to the collection and processing of biometric data, 2005)
- the EU (Working document on biometrics, 12168/02/EN, WP 80, 2003)
- biometric passports
23 Business and new technology
Privacy and data protection fair practice steps
- ensure the business is in compliance with applicable data protection laws
- guarantee that the business has in place an adequate information security policy and procedures to keep personal data secure
- notify individuals of when and how their personal data may be collected and processed
- put in place contractual controls where personal data is being processed by third parties
- allow individuals to have the right to disable technology (tags) if they so choose
24 Thank you for your attention!
Dr Karel Neuwirt, karel.neuwirt_at_centrum.cz