1) Introduction and international context
Over the past decades growing use of processing of personal data has increased the risk of its illegality and made it necessary to introduce privacy protection in relation to this data. On the other hand, the need of harmonizing national legislations emerged after the adoption of the first data protection acts, in order to enable the flow of personal data between the countries, whose level of protection varied greatly.
The first developments in harmonization of data protection were the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, formulated in 1980. As stated in preamble, the Guidelines were created in order to “avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries”. Provisions of the Guidelines are applicable to all data management, not only automated. However, they remain nonbinding.
The next step on the way to harmonization was The European Convention on Data Protection of 1981 negotiated within the Council of Europe. Convention applies to “personal data files” and its automatic processing in public and private sectors. To this day, it still remains the world’s only binding international legal instrument in this field, opened to signature by any country, including countries which are not members of the Council of Europe.
Both documents are based on the same set of principles, including: notice, use limitation, consent, security, disclosure, individual participation and accountability.
2) European law
In Europe, the right to protection of personal data is a fundamental right. It is different from, but closely linked to, the right to respect for private and family life. This distinction is set by the EU Charter of Fundamental Rights – which mentions the two rights separately in Articles 7 and 8, respectively.
The EU data protection law has been harmonized and highly developed.
Constitution of a frontier free (genuine) Internal Market and development of the so-called ‘information society’ increase the flow of personal data between Member States of the EU.
2.1 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
The central piece of EU Data Protection legislation, the Directive is based on Article 100a of the Treaty establishing the European Community. The need for such regulations was brought about by the differences in the national data protection laws and the consequent obstacles to the creation of a single internal market. To standardize the protection of data privacy, said Directive was enacted in 1995.
The Directive regulates the processing of personal data, weather it is automated or not.
“Controllers” (i.e. natural or legal persons, which determine the means and purposes for processing of personal data) are responsible for compliance of this processing with the Directive. The provisions of the Directive are applicable not only when a controller is established in the EU, but also when he uses the technical means situated in the EU in order to process data (like for example Google).
It is novelty, that it sets the “criteria for making data processing legitimate”. It means that the Directive specifies conditions that must be met in order to process the data legally. It also sets forth circumstances when data processing is possible at all – for example consent of the data subject.
Besides, it regulates in details data subject’s right to receive information when his personal data are processed, the right to access the data already processed and the right to object at any time to the processing for the purpose of direct marketing.
The data subject has the right to demand deletion or blocking of the data that is incomplete, inaccurate or non-conforming with the rules of the Directive.
Personal data can be processed only for specified and legitimate purposes and only on the basis of proportionality – as long as it is not excessive in relation to these purposes.
Each Member State is required to set up a supervisory authority. It must be an independent body that monitors the data protection level, gives advice and starts proceedings when the regulations have been violated. A new element is the obligation for the data controller to notify the supervisory authority before he starts data processing.
Another novelty is the concept of the “adequate level of protection”, stating that personal data can be transferred to the third country, only if the country provides such adequate level. The Commission has so far recognized Switzerland, Canada, Argentina, Guernsey and Isle of Man as providing adequate protection, so data can be transferred from EU to these countries.
The deadline for implementation of the Directive was indicated for the end of 1998. All the Member States have enacted their national legislations conforming to the provisions of the Directive.
2.2 Directive 2002/58/EC on Privacy and Electronic Communications
The so-called e-Privacy Directive was adopted in 2002 as a continuation and as well complementation of 95/46/EC Directive.
It regulates privacy and data protection issues as a result of new online marketing practices and has been drafted specifically to meet the requirements of new digital technologies.
Unlike the Data Protection Directive, which applies only to individuals, e-Privacy Directive addresses to both, natural and legal persons.
Any form of interception or storage of private communications is prohibited without the user’s prior consent.
So far the most discussed and controversial aspects of the directive relate to the “opt-in” system that applies to direct marketing practices. The “opt-in” regime introduced by the Directive requires direct marketers to ask for permission before sending unsolicited messages (spam) to potential clients (e-mails or text messages, for example). This is the opposite to the US “opt-out” regime which permits such marketing practices until a given recipient tells them to stop. However, under e-Privacy Directive, two categories of e-mails are also allowed, the first exemption is for existing costumer relation and the second for marketing of similar product and services.
The Directive also sets out specific conditions for installing so-called Internet “cookies” on computers. In their legitimate form, cookies serve as locating devices for website operators to coordinate interaction with their viewers. In other, however, cookies can help webmasters track back and identify each individual visitor of a website. Once a visitor has revealed his identity (for example by filling an online form), his subsequent visits can be traced and followed closely, revealing browsing behavior that helps direct marketers tailor personalized advertising sent by e-mail, including unsolicited ones. Under the provisions of the Directive the costumer must be given the possibility to opt-out from receiving cookies.
Another provision relates to data retention. According to the Directive, businesses providing communication networks can retain traffic data (telephone calls and e-mails) only for the purpose of billing. Afterwards, traffic data has to be erased or anonymized. Data may be retained upon user’s consent for marketing services.
2.3 Directive 2006/24/EC – Data Retention Directive
In 2006 the EU formally adopted the “Directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC”.
In general terms, the Directive aims to harmonize Member State’s provisions relating to the retention of communications data, in order to ensure that this data is available for the purposes of investigation, detection and prosecution of serious crimes.
The Directive is only concerned with the traffic and location data of legal and natural persons. It explicitly states that the retention of the content of electronic communications is outside its scope.
The Directive requires that data will be retained for a period of not less than six months and not more than two years.
Several categories of data, which must be retained, are set out.
2.4 European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) was set up under Article 286 of the Treaty establishing the European Communities within the context of harmonizing data protection legislation in the EU. A number of specific duties of the EDPS are laid down in Regulation 45/2001. While Directive 95/46/EC addresses personal data processing in the member states, Regulation 45/2001 covers the European institutions and bodies.
The EDPS is an independent authority, whose general objective is to ensure that the EC institutions and bodies respect the right to privacy when they process personal data, as well as to give advice on new legislation with data protection implication. A number of specific duties of the EDPS are stipulated in Regulation 45/2001.
Moreover, the Regulation requires all institutions and bodies to appoint an internal Data Protection Officer.
Peter Hustinx (EDPS) and Joaquín Bayo Delgado (Assistant Supervisor) are members of the institution, appointed by joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 17 January 2004 and started the process of building up the supervisory authority.
2.5 Article 29 Working Party/ opinion WP 148
Working Party on the Protection of Individuals with regard to the Processing of Personal Data was set up pursuant to the Article 29 of Data Protection Directive.
Working Party is made up of the Data Protection Commissioners from the EU, together with a representative of the EU Commission. The Working Party is independent and acts in an advisory capacity. The Working Party seeks to harmonize the application of data protection rules throughout the EU and publishes opinions and recommendations on various data protection topics. It also advises the EU Commission on the adequacy of data protection standards in non-EU countries.
On 4th of April 2008 The Working Party has issued an opinion on the data protection issues related to search engines.
The Article 29 Working Party analyzed the position and practices of Search Engine Providers under the principles of EU Data Protection Law.
According to the opinion, search engine providers, fall within the scope of EU Data Protection Directive. Search history data, processed by the Search Engine Providers, such as IP addresses and web cookies, with a unique user ID, facilitate a more careful identification of the individual. Article 29 Working Party took a stance, that data like IP address, allowing tracking back the user and therefore his potential identification, constitutes personal data (i.e. information relating to an identified or identifiable natural person). This definition is very broad, and consequently the search engine provider must be viewed as the controller of the processing of the users’ personal data. As follows, providers are obliged to comply with regulations of Data Protection Directive.
Another important conclusion of the Article 29 Working Party concerns the territorial application. The opinion clearly states that rules set forth in Data Protection Directive apply to the processing of personal data by search engine provider also when the provider’s head office is located outside the EU. The applicability of the legislation of one of the EU Member States may be the result of the use by the provider of “technical means” located in the territory of the Member State concerned. Data centers, servers and PC’s are the examples of such equipment, because the provider uses them to collect personal data.
Article 29 WP stated however, that the Data Retention Directive does not apply to the providers of the search engines. Search queries are considered to be content information, not the traffic one and, as already mentioned, Data Retention Directive does not apply to such data.
As postulated in the opinion, the search history that can be tracked back to individuals can only be retained for up to six months. Longer periods are allowed only if they are strictly necessary for the service. Users should be informed about the retention policy that is relevant to their data.
3) Safe harbor agreement
The enactment of the EU Data Protection Directive has threatened to stop the transfer of personal data from the EU countries to the US, since the US, with it’s self-regulation approach, does not meet the adequacy standard.
In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a “Safe Harbor” agreement. The agreement allows US companies doing business in the EU to adhere to a set of principles (Safe Harbor Principles), The EU considers the provided level of protection as adequate in case of companies that join this programme. Companies must certify to the Commerce Department that they will follow the regulations of the EU Directive, if the company does not live up to the agreement, it would be subject of a prosecution by the Federal Trade Commission.
4) Latest concerns
The Lisbon Treaty was signed in December 2007. Notwithstanding the many critics raised by this Treaty, it will bring two major improvements to the EU and its citizens. First, the Charter of Fundamental Rights of the European Union will become part of the Community established, including its articles 7 (Respect for private and family life) and 8 (Protection of personal data). Secondly, the Treaty will allow the accession of the EU to the European Convention on Human Rights and, hence, will give EU citizens the possibility of being protected against abuses of their human rights by EU institutions. This improvement would be much welcome, especially – though not exclusively – considering the current inadequacy of data protection under third pillar (justice and home affairs). But 2007 has also brought its share of concerns regarding privacy and personal data protection developments at the EU level.
“All governments have the duty to protect their citizens from the terrorist threat, but the response should be lawful, intelligent and effective”, the Secretary General of the Council of Europe stated, on the occasion of the Data Protection Day. “I am concerned that some of the recent arrangements for data exchange, which were introduced at the insistence of the US Government, fail to meet these criteria”, he opportunely added.
4.1 Social networking
On 27 May 2008, the European Network and Information Society Agency (ENISA) called for new legislation that would regulate social networking sites. ENISA, which was created in 2004 to oversee online security measures in the 27 EU countries, issued a preliminary report in which it pointed out, that social networking sites, such as Facebook and MySpace need more regulation to protect their users against the risk. Some of the related to social networking identified by ENISA are related to face recognition, digital dossiers, reputation damage, social engineering attacks on enterprises, ID theft and others. It also considers crucial to raise the awareness about how social networking sites work and security issues involved.
4.2 Passenger name records
In June 2007, final agreement was reached between EU and USA on European PNR (Passengers Name Records) data. The agreement reduced the dataset from 34 to 19 pieces. The data may be kept during a total period of 15 years. It was claimed that for the first time, EU citizens will also be covered by the US Privacy Act which means they can enforce their rights in US courts. The agreement received harsh criticism from the EU Parliament, Article 29 Working Group, and the European data protection supervisor.
Later in the year, the EU announced its project of creating its own European PNR system. The plan, put forward in November by the EC, is similar to the EU-US agreement. The EU will have to collect 19 pieces of personal data on air passengers coming into and leaving the EU space, including phone number, e-mail address, travel agent, full itinerary, billing data and baggage information. The information will be collected in analysis units that will make a “risk assessment” of the traveler, which could lead to the questioning or even refusal of the entry. The data is to be kept for five years and then another eight years in a “dormant” database. This plan has already been criticized by the Parliament, the Article 29 Group and the EDPS. Some member States have already adopted such measures at national level.
By Magdalena JÓŹWIAK, Intellectual property lawyer
Published by european-legaladvice.com in 2008
Leave a Reply