“Data Protection: Before and After the Lisbon Treaty”

Roberto Lattanzi (Italian Data Protection Authority)

Privacy: Beginning or the End? Istanbul, Sabanci University, 20-21 June 2011


Page 2

The (new) right to data protection (in Chapter II of the Charter of Fundamental Rights, “liberty”) as a watershed

Article 7 (Respect for private and family life)
Everyone has the right to respect for his or her private and family life, home and communications.

Article 8 (Protection of personal data)
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

Art. 52(1) (Scope and interpretation of rights and principles)
Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.


Page 3

Needs and reasons behind data protection laws

Information technology and the concentration of personal information in “modern” (post-industrial and information-centred) societies; data protection is a transnational topic.

Advantages: efficiency, quality of services, decrease in administrative costs, empowerment of government action (increase of surveillance tools).

Risks for individuals arising from the concentration and circulation of personal information, especially without their knowledge (public powers, multinational companies and, now, the wide spread of information on the internet, which brings new risks: data spread everywhere; right to be forgotten?): unlawful processing of personal data, processing of inaccurate or outdated personal data, abuse or unauthorised disclosure of such data. Risks for democracies and for individual self-determination.

In the information society, in order to protect individuals, the habeas corpus has to be complemented by the habeas data (“electronic persona”).


Page 4

A look behind: data protection before the Charter

US Congress Hearings on the National Data Center («The Computer and Invasion of Privacy», Subcomm. of the Comm. on Government Operations, 1966)

National legislations (Land Hessen, Scandinavian countries etc.): public and private sectors

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980 (Paris): soft law approach

Council of Europe Convention of Strasbourg 1981: data protection as a fundamental right (development of art. 8 ECHR 1950; see also, on health data, ECHR, 25.2.1997, Z v. Finland, App. 22009/93; 27.8.1997, M.S. v. Sweden, App. 20837/92)

BVerfG 1983: informationelles Selbstbestimmungsrecht (right to informational self-determination); and now the Grundrecht auf Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme (fundamental right to the guarantee of the confidentiality and integrity of information technology systems): cf. BVerfG, 1 BvR 370/07, 27 February 2008. Wide effects, e.g. Supreme Court of Canada: informational privacy is «the right of the individual to determine for himself when, how and to what extent he will release personal information about himself» (R. v. Duarte, [1990] 1 S.C.R. 30, 46)

Data protection recognised as an autonomous right in some national Constitutions

Directive 95/46/EC (free flow of personal data within the internal market); Directive 97/66/EC (now Directive 2002/58/EC): privacy in telecommunications (electronic communications)

With the Charter, data protection is recognised as an autonomous fundamental right: from the internal market to the fundamental right dimension


Page 5

Data protection principles (I)

EU general legal framework in data protection: Directive 95/46 (under revision), see particularly art. 3(2). Main data protection principles:

Personal data (sometimes controversial to identify) processed fairly (e.g. transparency principle) and lawfully (data protection as a horizontal matter)

Finality, necessity and quality principles (privacy by design)

Consent or other legitimate basis for legitimate processing

Data security requirements (+ data breach notification)

Processing of certain categories of data (sensitive data) is, as a rule, prohibited

Transfer of personal data to third countries not offering an “adequate” level of protection is prohibited

Rights of the data subject and control by an independent authority


Page 6

Data protection authorities (II)

Legal basis: national legislation for DPAs and, for the EDPS, art. 286 Treaty EC and Reg. n. 45/2001

Independent (data protection) authority (see ECJ Case C-518/07 Commission v. Germany)

Main tasks:

Supervision (for the EDPS, of the European institutions and bodies, and “coordinated supervision” in SIS, VIS and Eurodac)

Consultation on legislative proposals

Cooperation with national supervisory authorities and supervisory bodies in the former 'third pillar' of the EU

Power to engage in legal proceedings: for the EDPS see the ECJ PNR Case {Judgment of the Court of 30 May 2006, European Parliament v. Council of the European Union (C-317/04) and Commission of the European Communities (C-318/04), Joined cases C-317/04 and C-318/04, ECR [2006] p. I-4721}

Member of the Article 29 Working Party

Page 7

Data protection and “pillars” before the Lisbon Treaty

Directive 95/46/EC applied neither to the so-called Second pillar (Common Foreign and Security Policy) nor to the Third pillar (i.e. Judicial and police cooperation): intergovernmental approach

Difficult to identify boundaries between I and III Pillar (e.g. PNR & Data retention cases)

Therefore in the Judicial and police cooperation matters:

Art. 8 European Convention on Human Rights 1950 (ECHR) + Strasbourg CoE Convention n. 108/1981 [Recommendation No R (87) 15 regulating the use of personal data in the police sector,17.9.1987; Recommendation R (92) 1 on the use of analysis of deoxyribonucleic acid (DNA) within the framework of the criminal justice system]

Patchwork of regulations (e.g. Europol, Eurojust, the Schengen Information System (SIS) and the Customs Information System (CIS))

Council Framework Decision 2008/977/JHA of 27.11.2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (to be transposed by 27.11.2010)


Page 8

Data protection after the Lisbon Treaty

EU Charter of Fundamental Rights is binding (art. 8): see the Court of Justice in the Schecke case

Data protection, as a fundamental right recognized in the EU Charter (art. 8), binds the EU institutions and bodies and the Member States when they are applying Union law

The entry into force of the Treaty of Lisbon (1 December 2009) has abolished the former pillar structure and created a general basis for laying down EU rules relating to the protection of personal data: Article 16 TFEU provides a general and horizontal legal basis for data protection measures in the private and in the public sector, including the area of police and judicial cooperation (former third pillar)

Police and justice should in the future be included in the general framework for data protection (if the case, with additional specific rules for police and justice: see particularly Declaration 21 attached to the Treaty)

In the meantime (see art. 10 of Protocol n. 36 on transitional provisions attached to the treaties of the European Union), the legal effects of all acts adopted before the entry into force of the Lisbon Treaty shall be preserved until they are repealed, annulled or amended (therefore the Framework Decision will continue to apply); they will “cease to have effect five years after the date of entry into force of the Treaty of Lisbon”.


Page 9

Data protection and DPAs as core elements within all the EU policies

Art. 16 (ex Art. 286) of the Treaty on the Functioning of the European Union (TFEU)
“1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.”

Art. 39 of the Treaty on European Union (TEU)
“In accordance with Article 16 of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of this Chapter [i.e. Specific Provisions on the Common Foreign and Security Policy], and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.”


Page 10

EU vs US approach

EU general legal framework (Directive 95/46): public and private sectors (so-called omnibus law, with exceptions) + DPAs and sectoral laws:

Data protection & privacy in communications (Directive 2002/58, e-Privacy Directive; Directive 2009/136)

Data Retention Directive (under revision)

US “patchwork” approach (e.g. Privacy Act; Fair Credit Reporting Act; Fair Debt Collection Practices Act; Video Privacy Protection Act; HIPAA)


Page 11

What is going on?

In the EU: The Stockholm Programme (An open and secure Europe serving and protecting the citizen, Dec. 2009): exchanges of personal data are a crucial element of success in building an effective Area of Freedom, Security and Justice; the AFSJ cannot be developed without full respect for the right to data protection (as assured by Article 8 of the Charter and Article 16 TFEU, and to be further elaborated in secondary legislation)

Communication EC, A comprehensive approach on personal data protection in the European Union, Brussels, 4.11.2010, COM(2010) 609 final: «the core principles of the Directive are still valid and that its technologically neutral character should be preserved».

Revision of Directive 95/46/EC: proposal expected in the second half of 2011 (regulation vs directive, or directive plus regulation?)

In the US (informational privacy):

(New) proposed legislation: “Commercial Privacy Bill of Rights Act of 2011” (bipartisan, sen. Kerry & McCain);

“The Location Privacy Protection Act of 2011” (sen. Franken)


Page 12

Emerging areas (the devil is in the details)

Emerging areas: smart grids/smart metering; (geo)location data and mobility; cloud computing; data warehousing/data mining; ITS; RFID (internet of things)

Common elements and dangers:

a. Growing predominance of technology, with ever increasing impact on personal and social life and ever decreasing control over techno-social applications, which are increasingly complex and difficult to grasp;

b. drifting away from national jurisdictions and (increasingly easy) availability of information havens.


Page 13

Tools in order to preserve data protection and privacy

Clear legal framework complemented by “regulierte Selbstregulierung” (regulated self-regulation)

Institutional control by DPAs and the need to develop effective supranational cooperation mechanisms between them (Article 29 WP; twinnings)

Organisational guarantees and accountability of the data controller:

Transparency. Data subjects should be clearly informed about the exact purposes of the personal data collection and processing, the type of data collected, the place and duration of storage;

Security measures for accessing personal data should include an audit system to prohibit the misuse of information;

Right of access. Data subjects should have the right to access, inspect and, if necessary, correct all their personal data.

Minimization principle, Privacy Impact Assessment & system design (privacy by design: e.g. a symbol on the device which warns that location is “on”)

General education and awareness of the public: individuals are the best protectors of themselves

Unrelenting search for the widest possible international consensus to uphold the human values underlying data protection


Page 14

More information

www.garanteprivacy.it

[email protected]

Postal address:

Piazza di Monte Citorio 121

00186 Roma
