Adequate Protection of Personal Data



The European Union – United States

Safe Harbor Framework:

Bridging Differences in Approaches

To Data Protection

December 7, 2005, Washington

Peter Schaar

Federal Data Protection Commissioner, Germany

Chairman of the Article 29 Working Party

Page 1 © Bundesbeauftragter für den Datenschutz http://www.bfd.bund.de

Particular problems in 3rd countries

● Different protection levels in public and private sectors

● No general data protection legislation (only specific laws for certain particular areas)

● Federal systems (Germany, Canada, USA)

– differences between various states

– some US states have explicit privacy protection in their state constitution, others not

– States with / without data protection legislation

● Supervisory authority

– Requirement of an independent DPA

– Internal data protection officers

– Special case: FTC – consumer privacy

Adequacy – legal alternatives

● European Directive 95/46/EC

● Principle of adequate protection – basic rule for transfer of data to third countries:

– Art. 25 (6) decision process

– Art. 29 WP: no explicit role

– Member States and Commission (Article 31 (2))

● Art. 26 derogations for countries not ensuring adequate level of protection

Adequate protection?

● Basic principles have to be included:

– purpose limitation

– data quality and proportionality

– transparency and security

– rights of data subject to access, rectification and objection

– restrictions on onward transfers to other 3rd countries

● Requirements for procedural/enforcement mechanisms

– external supervision

– independent DPA

– sanctions

– support/help to individual data subjects

– appropriate redress to injured party

Commission’s decisions [Art. 25 (6)]

Recognition of adequate protection

● Switzerland: 26 July 2000 [C(2000)2304]

● Canada: 20 December 2001 [C(2001)4539]

● Argentina: 30 June 2003 [C(2003)1731]

● USA – only Safe Harbor and PNR – no general decision

Alternatives to adequacy decisions

● Member States may authorize transfer of data where data controllers offer adequate safeguards [Art. 26 (2)]

– standard contractual clauses

– binding corporate rules

● Derogations of Art. 26 (1), e.g.:

– consent of the data subject

– necessary for a contract

– important public interest

● Restrictive interpretation of derogations

Conclusions

● Enlargement of safe harbors

● Codes of conduct for specific sectors

● Sector-specific adequacy decisions?

● Binding corporate rules (one-stop shopping)

● Federal US data protection act?

Contact details

Peter Schaar

Federal Data Protection Commissioner

Chairman of the Article 29 Working Party

Husarenstr. 30

D-53117 Bonn

Tel: +49 (0) 1888 77 99 100

Fax: +49 (0) 1888 10 77 99 550

http://www.bfd.bund.de
