Title: Personal data protection on the Internet
1 Personal data protection on the Internet
2 Greek Law
- Law 2472/97 transposed Directive 95/46/EC into internal Greek law
- Law 3625/07: forthcoming amendments
- Law 3741/06 transposed Directive 2002/58/EC into internal Greek law
3 Community Law
- Directive 95/46/EC is the main text on personal data protection in the European Union.
- Directive 2002/58/EC particularises and complements Directive 95/46/EC: it protects the right to privacy with respect to the processing of personal data in the electronic communications sector and ensures the free movement of such data and of electronic communication equipment and services in the Community.
4 Main Definitions
- 'Personal data': "any information relating to an identified or identifiable natural person ('data subject')"; an identifiable person is one who can be identified, directly or indirectly (Art. 2 para 1 a of Law 2472/97), in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, as referred to in the provision of Art. 1 para. 1 of Directive 95/46/EC.
- This definition is very broad, since "personal data" is any data through which anyone is able to link the information to a person.
5 Main definitions
- 'Processing' means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" (Art. 2 para 1 d Law 2472/97).
6 Main definitions
- 'Controller': the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Art. 2 para 1 ? Law 2472/97).
- 'The data subject's consent': any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
- Consent may be given by any appropriate method enabling a freely given, specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website.
7 Main definitions
- 'Sensitive personal data' include data related to the tribe or nationality of the subject, political views, religious and philosophical beliefs, participation in a political party or trade union, health, social welfare and sexual life, penal sentences, and participation in any other unions of persons like those mentioned above (Art. 2 para 1 ? Act 2742/97, as amended by the provision of Art. 8 para 3 of Act 3625/2007).
8 Basic Principles
- Principles
- The main principles of the Directive and of the Greek Act are common. Generally, personal data processing is forbidden, except when certain conditions are met.
- These conditions fall into three categories: transparency, legitimate purpose and proportionality.
9 Principle of Transparency
- Data may be processed only under the following circumstances (art. 7):
- 1) when the data subject has given his consent
- 2) when the processing is necessary for the performance of or the entering into a contract
- 3) when processing is necessary for compliance with a legal obligation
- 4) when processing is necessary in order to protect the vital interests of the data subject
- 5) when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data
10 Principle of Legitimate Purpose
- Legitimate purpose
- Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes (art. 6 b). Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards.
11 Proportionality
- Personal data may be processed only insofar as they are adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
- The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified (art. 6).
12 Principle of Legitimate Purpose
- The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use (art. 6).
- When sensitive personal data (e.g. religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply (art. 8).
13 Supervisory Authority
- Supervisory authority and the public register of processing operations
- Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated (art. 28). Individuals may lodge complaints about violations with the supervisory authority or in a court of law.
14 Authority for Personal Data Protection
- In all Member States a supervisory authority has been founded, in the form of an independent body. The provisions of Art. 28 were implemented in Greek law by the provisions of Art. 15-20 of Act 2472/97. It is an independent body that monitors the data protection level in Greece, called Αρχή Δεδομένων Προσωπικού Χαρακτήρα (Authority for Personal Data).
15 The European Data Protection Supervisor (EDPS)
- According to the provisions of Directive 95/46/EC an independent authority was founded, aiming to watch over and guarantee personal data protection: this is the European Data Protection Supervisor (EDPS).
- The EDPS has three main functions: supervision, consultation, and cooperation.
16 EDPS Function of Supervision
- Various forms
- The bulk of it is presently based on notifications of processing operations presenting specific risks. These need to be prior checked by the EDPS. Based on the facts submitted to him, the EDPS will examine the processing of personal data in relation to Regulation 45/2001. In most cases, this exercise leads to a set of recommendations that the institution or body needs to implement, so as to ensure compliance with data protection rules.
- The EDPS also receives complaints from EU staff members as well as from other people who feel that their personal data have been mishandled by a Community institution or body. If a complaint is admissible, the EDPS usually carries out an inquiry. The findings are communicated to the complainant, and necessary measures are adopted.
17 EDPS Supervision
- The EDPS may also carry out inquiries on his own initiative. Inquiries and inspections are essential for a supervisory authority to have the means for fact-finding, following up cases and monitoring compliance in general.
- In order to monitor compliance with Regulation 45/2001, the EDPS largely relies on the Data Protection Officers (DPOs) who are to be appointed in each institution/body. Apart from bilateral meetings and contacts with the DPOs, the EDPS also takes part in the regular meetings of the DPO network.
- Since January 2004, the EDPS has ensured the supervision of the central unit of Eurodac, a database of fingerprints of applicants for asylum and immigrants found illegally in the EU.
18 EDPS Function of Consultation
- The EDPS advises the EU institutions and bodies on data protection issues in a range of policy areas. His consultative role relates to proposals for new legislation as well as soft law instruments like communications that affect personal data protection in the EU. He also monitors new technologies that may have an impact on data protection.
19 EDPS Function of Consultation
- In 2007 the priorities broaden, with increasing focus on other areas of Community law, such as electronic communications and the information society as well as public health.
- The EDPS examines the data protection and privacy impact of proposed new legislation. The Policy paper of 2005 elaborates how this role is interpreted in terms of limitations in scope, working methods and main orientations. The EDPS uses different instruments in order to exercise this role:
- 1) Planning tool: each year in December, the EDPS publishes an inventory of his priorities for the coming year.
- 2) Public opinions: by issuing opinions on a regular basis, the EDPS establishes a consistent policy on data protection issues. The opinions are addressed to those involved in the legislative negotiations, but are also published on the website as well as in the Official Journal of the EU.
- 3) EDPS comments, which address data protection issues, for instance in Commission communications.
- 4) Interventions in cases before the Court of Justice, the Court of First Instance and the Civil Service Tribunal.
20 Function of Cooperation
- Covers work on specific issues, as well as more structural collaboration with other data protection authorities.
- The aim of the EDPS is to promote consistency in the protection of personal data.
- The central forum for cooperation in the EU is the Article 29 Working Party. This is where the national data protection authorities meet to exchange views on current issues, to discuss a common interpretation of data protection legislation and to give expert advice to the European Commission. The EDPS also participates in the work to ensure good data protection in the EU's third pillar,
21 Social Networking Technologies
- Facebook: after a public backlash in the US, including more than 50,000 Facebook users' signatures on a protest petition, Facebook executives apologised and allowed an opt-out option on the programme.
- The Directive doesn't allow them to pick just one EU country and comply with its data protection laws. Directive 95/46 Recital 19 puts an onus on a data controller established in multiple territories to fulfil the obligations of all those states.
22 Facebook
- 1) Is it subject to European law?
- Legal problem: Facebook Inc already has an office in London. This also puts them within the alternate definition of establishment (in the UK).
- 2) Case of Ireland
23 Other Social Networking Sites
- MySpace and Friendster, as well as online dating sites like eHarmony.com, may require departing users to confirm their wishes several times, but in the end they offer a delete option.
24 Anonymous or Pseudonymous Users
- Anonymous or pseudonymous users
- A different class of identifiers having similar characteristics, IP addresses, was considered in the Article 29 Working Party's Opinion 4/2007 on the Concept of Personal Data.
25 Hellenic Data Protection Authority
- The Art. 29 Working Party is deeply concerned about the developments taking place in Greece after the resignation of the President and 5 members of the Hellenic Data Protection Authority.
- Problem of real independence
26 Conclusion
- Can the Internet be auto-balanced?
- Greek Conseil d'Etat case-law
- The problem is not theoretical; the problem is execution. The legal frame can be easily amended, as soon as we find the problem. But, really, who is able to catch the illegals?