European Privacy and Data Protection Policy

1
European Privacy and Data Protection Policy

• Peter Hustinx
• 7 June 2007

2
Why Privacy Matters

• ICT dependent society
• Fundamental rights
• Legal obligations
• Rising expectations
• Risks and realities
• Privacy governance

3
Why Compliance Matters

• The Bridge to Reality
• Data Protection in action
• Delivering values in practice
• Facing up to consequences
• Top down, planning control?
• Measuring your effectiveness
• Need for a compliance strategy

4
Changing Context?

• Privacy versus Security
• Narrow vision
• Preserving balance
• Monitoring safeguards
• Security and Privacy
• Broader vision
• Increased sensitivity
• Conditions for success
• Surveillance society
• Privacy by design

5
EU Data Protection

• CoE Convention 108
• Principles, subject rights, supervisory
  authorities
• EC Directives 95/46 and 97/66 (2002/58)
• Article 286 EC Treaty
• Regulation (EC) 45/2001
• Community institutions and bodies
• Scope of Community law
• Österreichischer Rundfunk gt PNR Cases
• EU Charter gt Constitutional Treaty?

6
Role of EDPS

• Article 286 EC Treaty
• Regulation (EC) 45/2001
• Independent authority
• Supervision
• Consultation
• Cooperation
• Intervention ECJ
• CMLR October 2006

7
Consultation

• Consultation Policy
• Article 28.2 of Regulation 45/2001
• Inventory for 2007 relevant initiatives (16 gt
  36)
• First Pillar
• Better implementation of Directive 95/46/EC
• Communications on RFID and PET
• Revision of E-Privacy Directive 2002/58/EC
• Third Pillar
• Data Protection Framework
• Implementation of Prüm Treaty

8
Directive 95/46/EC

• Purpose of Directive
• Harmonisation of national law
• Free flow of personal data
• First Commission Report
• Work Program 2003-2004
• Discussion with Member States
• Priority for enforcement
• Notification and information
• International transfers
• Promotion of PETs

9
Commission 2006

• Directive 95/46/EC State of Play
• Implementation has improved
• Some countries should do better
• Directive is fulfilling objectives
• Rules are substantially appropriate
• Interaction with new technology
• Relationship with public interests

10
Commission 2006

• Directive 95/46/EC Perspectives
• No proposals for amendment
• Focus on better implementation
• Infringement procedures
• Interpretation of provisions
• Work Program continues
• Contributions from WP29
• Guidance on new technologies
• Reconsideration in due course

11
Interpretation

• Provisions of Directive 95/46/EC
• Personal data
• Controller / processor
• Applicable law
• Incompatible use
• Unambiguous consent
• Legitimate interests
• Supervisory authority

12
WP29 on Personal Data

• Any information .
• content, nature, format
• relating to
• content, purpose, result
• an identified or identifiable
• reasonable means
• natural person
• living individual, business data

13
Privacy Technology

• Directive 2002/58/EC
• Revision of e-Privacy
• Security measures
• Communication on RFID
• Applicability Directive 95/46/EC
• Impact of key provisions
• Need for additional measures
• Communication on PETs
• Analysis and standards
• Supporting practical use

14
Opinions on Third Pillar

• Data Protection Framework (I-II)
• Common standards of wide scope
• Consistency with Directive 95/46/EC
• Implementation of Prüm Treaty
• Cautious approach of availability
• Relies on existing national laws
• Need for minimum harmonisation
• Data Protection Framework (III)
• Condition for effective law enforcement
• Substantial improvement needed

15
Court Interventions

• PNR cases
• Joint cases C-317/04 and C-318/04 before ECJ
• Public access to documents
• Cases T-170/03 (British American Tobacco),
  T-161/04 (Valero Jordano) and T-194/04 (Bavarian
  Lager) at CFI
• Data retention directive 2006/24/EC
• Case C-301/06 (Ireland vs Council and EP) at ECJ
• Scope of legal basis in first pillar?

16
Global Privacy

• Transatlantic Data Protection
• Values and Perspectives
• Safe Harbor, PNR and SWIFT
• Scope for a Common Framework
• Global Privacy and Data Protection
• Feasibility of Global Standards
• Developing Compliant Practices
• London Initiative (November 2006)
• Making Data Protection More Effective

17

• More information
• www.edps.europa.eu
• edps_at_edps.europa.eu
• Postal address
• Rue Wiertz 60 - MO 63
• B-1047 Brussels