The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

Computer Law and Security Review

Volumn 28, Issue 2, 2012, Pages 130-142

  De Hert, Paul ^a,b   Papakonstantinou, Vagelis ^a,c  

^a VRIJE UNIVERSITEIT BRUSSEL   (Belgium)

^b TILBURG UNIVERSITY   (Netherlands)

^c INTERNATIONAL HELLENIC UNIVERSITY   (Greece)

Author keywords

Data portability; DPIAs; EU Data Protection Directive; EU General Data Protection Regulation; Individual consent; Personal data breach notifications; The right to be forgotten

Indexed keywords

DATA PRIVACY;

DATA BREACH NOTIFICATIONS; DATA PORTABILITIES; DPIAS; EU DATA PROTECTION DIRECTIVES; GENERAL DATA PROTECTION REGULATIONS; INDIVIDUAL CONSENT; RIGHT TO BE FORGOTTEN;

LAWS AND LEGISLATION;

EID: 84859050187     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2012.01.011     Document Type: Article

References (86)

1. See European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25.01.2012, COM(2012) 11 final
2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23/11/1995 pp.0031-0050
3. See European Commission, Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, 25.01.2012, COM(2012) 10 final, (named, as per its previously leaked version, the "Police and Criminal Justice Data Protection Directive")."
4. Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters
5. For instance, the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive), or even the Framework Decision 2008/977/JHA (on the latter, see Paul de Hert and Vagelis Papakonstantinou, "The Data Protection Framework Decision of 27 November 2008) regarding police and judicial co-operation in criminal matters - A modest achievement however not the improvement some have hoped for," Computer Law & Security Review 25 (2009): 406. Reference to the Directive's model and principles may also be found in the Schengen, Eurojust, and Europol regulations or in the Eurodac system, as well as, in the PNR exchange agreements between the EU and third countries (USA, Australia, Canada)
6. See for instance the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, together with its Additional Protocol
7. See also the EDPS Opinion, 2, Tene O, Privacy: The new generations, International Data Privacy Law, 2011, Vol. 1 No. 1, pp.15-27
8. See the Explanatory Memorandum in the Regulation draft, par. 3.2
9. As initiated by the European Commission in late 2010; See, European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010 (the "Commission Communication")
10. See Council conclusions on the Communication from the Commission to the European Parliament and the Council e A comprehensive approach on personal data protection in the European Union, 3071st Justice and Home Affairs Council meeting Brussels, 24 and 25 February 2011 (the "Council Conclusions")
11. See European Parliament, Committee on Civil Liberties, Justice and Home Affairs, Working Document (1 and 2) on a comprehensive approach on personal data protection in the European Union, 15.03.2011 (the "EP Working Document")
12. See Opinion of 14 January 2011 on the Communication from the Commission on "A comprehensive approach on personal data protection in the European Union" (the "EDPS Opinion")
13. See Letter from the Article 29 Working Party addressed to Vice-President Reding regarding the Article 29 WP's reaction to the Commission Communication "A comprehensive approach to personal data protection in the EU", 14.01.2011 (the "Art. 29 Working Party Letter")
14. See Commission Communication, 2.2
15. See Commission Communication, ibid, and draft Regulation, 2
16. On this issue see, for instance, of the Commission Communication par. 2.3, the Council Conclusions ("the notion of a comprehensive approach to data protection does not necessarily exclude specific rules for data protection for police and judicial cooperation in criminal matters within this comprehensive protection scheme and encourages the Commission to propose a new legal framework taking due account of the specificities of this area; certain limitations have to be set regarding the rights of individuals in the specific context in a harmonised and balanced way, when necessary and proportionate and taking into account the legitimate goals pursued by law enforcement authorities in combating crime and maintaining public security", 4), the EDPS Opinion par. 3.1, as well as, European Parliament's Committee on Civil Liberties, Justice and Home Affairs, Towards a New EU Legal Framework for Data Protection and Privacy, November 2011, chapter 4.2.3
17. See, for instance, Article 14 of the Framework Decision
18. For instance, Passenger Name Records (PNR) processing was found security-related, despite of the fact that data are collected by airline carriers for commercial purposes (see, for instance, Vagelis Papakonstantinou and Paul de Hert, "The PNR Agreement and Transatlantic anti-Terrorism co-Operation: no Firm Human Rights Framework on either Side of the Atlantic," Common Market Law Review 46 (2009): 885e919.). On the other hand, the retention of telecommunications data, equally collected by telecommunications providers for commercial purposes, has been judged as commercial processing (as established by the ECJ in its Case C- 301/06, Ireland v. Parliament and Council)
19. See Art. 3.1 of the Directive and Art. 4 of the draft Regulation
20. See Art. 3 of the draft Regulation and Art. 2 of the Directive
21. See draft Regulation, Recital 24
22. See also the Commission Communication, 2.1.1
23. See Art. 29 Working Party, Opinion 4/2007 on the concept of personal data
24. See Commission Communication, 2.1.6, Council Conclusions, 8
25. Only the "conditions" of the processing were added as a distinguishing characteristic for data controllers (See Art. 4 of the draft Regulation and Art. 2 of the Directive)
26. See in particular Art. 29 of the draft Regulation
27. See Art. 24 of the draft Regulation
28. See Art. 4(1) of the draft Regulation in comparison with Art. 2(a) of the Directive
29. For instance, in the SWIFT case, whereby the headquarters are in Belgium but the company also operates two operating centers in The Netherlands and in the USA and also several sales offices elsewhere in Europe, the data protection authorities faced substantial trouble while attempting to identify the data controller and separate it from data processors and other participants in the processing. See the relevant Article 29 Working Group SWIFT Opinion (WP 128, 22.11.2006) and also Moerel L, Back to basics: When does EU data protection law apply? International Data Privacy Law, 2011, Vol.1 No.2, p.106ff
30. See also the Commission Communication, 2.2.4
31. See draft Regulation Explanation, par. 3.4.2
32. See also draft Regulation, Recital 30
33. See also D. Bigo, S. Carrera, Gl. González Fuster, E. Guild, P. De Hert, J. Jeandesboz&V. Papakonstantinous, Towards a New EU Legal Framework for Data Protection and Privacy: Challenges, Principles and the Role of the European Parliament, Commissioned by Policy Department C on Citizens' Rights and Constitutional Affairs of the Directorate General for Internal Policies of the European Parliament, Brussels, European Parliament, 2011, p.22ff.
34. De Hert, P. 'From the Principle of Accountability to System Responsibility. Key Concepts in Data Protection Law and Human Rights Law discussions', in Zombor, F. (ed.), International Data Protection Conference 2011, Hungary, Hungarian Official Journal Publisher, 2011, 88e120
35. See further: B. Van Alsenoy Allocating responsibility among controllers, processors and "everything in between": the definition of actors and roles in Directive 95/46/EC [2012] 28 CLSR 25 at p. 40
36. See also the Commission Communication, 2.2.4, Art. 29 Working Party Letter, c
37. This requirement is more relaxed when it comes to Justice and Home Affairs personal data processing (where, for the time being, the 2008/977/JHA Framework Decision applies). See critically: D. Bigo, S. Carrera, Gl. González Fuster, E. Guild, P. De Hert, J. Jeandesboz & V. Papakonstantinous, Towards a New EU Legal Framework for Data Protection and Privacy: Challenges, Principles and the Role of the European Parliament, Commissioned by Policy Department C on Citizens' Rights and Constitutional Affairs of the Directorate General for Internal Policies of the European Parliament, Brussels, European Parliament, 2011, p. 110e113
38. Draft Regulation, Art. 4(8)
39. See draft Regulation, Explanation, 3.4.1
40. See draft Regulation, Recital 25
41. See draft Regulation Art 7 and Recital 32
42. See Robinson, N., Graux, H., Botterman, Maarten. and Valeri Lorenzo 'Review of the European Data Protection Directive' RAND Europe 2009
43. In Articles 14, 15 and 19 respectively
44. In Articles 11 and 12
45. See Commission Communication, 2.1.3
46. Or explain, see for instance Article 13 and Articles 16 and 17
47. See also Mayer-Schonberger V, Delete: The Virtue of Forgetting in the Digital Age, Princeton University Press, 2009. Originally, the term was usually employed to refer to measures such as the deletion of criminal records in order to allow convicted persons to 'make a new start' in life. In the data protection context, the expression is used in relation to the concretisation and adaptation of the rights of the data subject, and in particular the right to delete personal data and the right to object to personal data processing in the online world. Particularly the advent of social networking websites has accentuated the problem, because by now, through extensive 'tagging' and other mass personal data uploading in hundreds of millions of individual profiles, the amount of information collected on any individual has increased exponentially. All this information is readily available, through the effective use of internet search engines. See also Tene O, Privacy: The new generations, International Data Privacy Law, 2011, Vol. 1 No. 1, p. 21
48. In France, a public debate on the "droit à l'oubli" was formally launched in 2009 and first resulted in the adoption of a Charter in which search engines and collaborative sites agree to adopt a series of measures ensuring the implementation of the principles of purpose limitation, consent, right to information, right to access, right to rectification and opposition, as foreseen in French data protection law, in relation with data voluntarily published online by the data subjects (see Secrétariat d'Etat à la Prospective et au Développement de l'économie numérique (2010)
49. Charte du droit à l'oubli dans les sites collaborateurs et les moteurs de recherche, Paris. On public support for these issues, see Bigot, Régis and Patricia Croutte (2010)
50. La diffusion des technologies de l'information et de la communication dans la sociétéfrançaise, N 269, Centre de Recherche pour l'Etude et l'Observation des Conditions de Vie (CRÉDOC), Paris, p. 131). In Spain, the 'derecho al olvido' has been discussed especially in relation with the possibility to impose mechanisms that would ensure the rapid and easy deletion of personal data from social networks and search engines' results, possibly including mechanisms that prevent indexation of personal data. The Agencia Española de Protección de Datos (AEPD) has been litigating against Google in this area, and the European Court of Justice is expected to define search engines' obligations derived from EU law through a preliminary ruling requested by the Audiencia Nacional
51. See Commission Communication, 2.1.3
52. See Art. 29 Working Party Letter, i
53. See Council Conclusions, p. 6
54. See EDPS Opinion, p. 18 and also Hijmans H, ibid
55. See Hijmans H, ibid. See, also Koops, E-J, "Forgetting Footprints, Shunning Shadows. A Critical Analysis Of The 'Right To Be Forgotten' In Big Data Practice," SCRIPTed 8, no. 3 (December 2011)
56. See also The Register, Google exec questions Reding's 'Right to be forgotten' pledge e Says certain aspects of article 17 are 'unworkable', 26.01.2012
57. For instance, as in the Computer Programs Directive; see also Miller J/Hoffman D, Sponsoring trust in tomorrow's technology: towards a global digital infrastructure policy, International Data Privacy Law, 2011, Vol.1 No.2, p.85
58. See also The Economist, Data Protectionism e Serfing the Web, 11.11.2010
59. See also EP Working Document 2, p. 3
60. See also Commission Communication, 2.1.3. The EDPS considers data portability and the right to be forgotten as "connected concepts put forward by the Commission to strengthen data subjects' rights" (EDPS Opinion, 83 and 89), and also suggests that they be "limited to the electronic environment" (91)
61. See Fortune magazine, Facebook vs. Google: The battle for the future of the Web, November 21, 2011
62. See the Commission Communication, 2.5
63. See Art. 28 of the Directive
64. Art. 46.1 of the draft Regulation
65. Articles 47 and 48 of the draft Regulation, see also Explanation, par. 3.4.6.1
66. See Art. 51 of the draft Regulation and Explanation, par. 3.4.6.2
67. See Art. 46.2 of the draft Regulation
68. See EDPS Opinion, 62
69. See Art. 28 of the draft Regulation
70. Art. 4.3 "in the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority". Data controllers, however, should also take care that "when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay". See also Barcelo R/Traung P, The Emerging European Union Security Breach Legal Framework: The 2002/58 E-Privacy Directive and Beyond, p. 89
71. See Barcelo R/Traung P, The Emerging European Union Security Breach Legal Framework: The 2002/58 E-Privacy Directive and Beyond, in Gutwirth S/Poullet Y/De Hert P (eds.), Data Protection in a Profiled World, Springer, 2010, pp. 77ff
72. See, for instance, UK's families put on fraud alert, BBC News, 20 November2007, Previous cases ofmissingdata,BBCNews, 25May2009
73. However, it has been noted that "fear of reputational sanction may lead, notwithstanding the legal mandate, to excessive secrecy about security breaches involving sensitive customer information", Schwartz P/Janger E, Anonymous Disclosure of Security Breaches, in Securing Privacy in the Internet Age, 221 Stanford Law Press, Anupam Chandler, Lauren Gelman & Margaret Jane Radin, eds. (2008), p.224. See also Schwartz P/Janger E, Notification of Data Security Breaches, 105 Michigan Law Review 913 (2007)
74. It should be noted that the EDPS finds the balance achieved in the ePrivacy Directive as adequate for the Directive purposes as well (see EDPS Opinion, 77)
75. See also the Art. 29 Working Party's Working Document 01/2011 on the current EU personal data breach framework and recommendations for future policy developments (WP184), 05.04.2011
76. "Privacy Impact Assessment" (PIA) outside the EU
77. See Wright D., "Should privacy impact assessments be mandatory?", Communications of ACM, July 2011; Wright D. & De Hert, P. (eds.), Privacy Impact Assessment, Series: Law, Governance and Technology Series, Vol. 6, Dordrecht, Springer, 2012, 523p
78. The UK was the first country in Europe to develop a PIA manual in 2007. Cf. Information Commissioner's Office, Privacy Impact Assessment Handbook, Version 2.0 (2009), http://www.ico.gov.uk/upload/documents/pia-handbook-html-v2/ files/ PIAhandbookV2.pdf
79. European Commission, Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments. Final Report, 20 January 2010, http://ec.europa.eu/justice/policies/privacy/ docs/studies/new-privacy- challenges/final-report-en.pdf
80. European Parliament, Resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada. http://www. europarl.europa.eu/sides/getDoc.do?pubRef-// EP//TEXTTAP7-TA-2010-01440DOCXMLV0//EN
81. Reding, V., Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, "Towards a true Single Market of data protection", SPEECH/10/ 386, Meeting of the Art. 29 Working Party re "Review of the Data protection legal framework", Brussels, 14 July 2010. http://europa.eu/rapid/pressReleasesAction.do?referenceSPEECH/10/386
82. See Commission Communication, 2.2.4
83. See Art. 34.2 of the draft Regulation
84. See the Commission Communication, 2.5, and also Art. 29 Working Party Letter, f. From his part, the EDPS questioned "the fact that the Commission (and more specifically the Unit) is at the same time member, secretariat and addressee of the Working Party's opinions" (143); he also suggested that the way in which himself and the Working Party co-operate could be fine-tuned (152ff.)
85. See Article 71.1 of the draft Regulation
86. Compare Article 30.5 of the Directive and Article 66.4 of the draft Regulation