


The European approach to data protection
What is specific to the EC data protection model?
Is all of the US approach to privacy inapplicable in the EU?
Georges de la Loyère
Commissioner
Commission Nationale de l’Informatique et des Libertés (CNIL)
Safe Harbor Workshop – Washington D.C. – Wednesday December 7th, 2005

The EU model in two points:
– Comprehensive data protection laws
  EC Directives: Directive 95/46 and Directive 2002/58
– Independent supervisory authorities
  « Data protection authorities » (DPAs)
Very different from the US model at first sight, but the US and EU models are not contradictory and have common features.

Comprehensive EC data protection and privacy legislation (1)
– Two EC Directives:
  – Directive 95/46: the « framework Directive »
  – Directive 2002/58: the « e-privacy Directive »
  The second specifies the first on issues of privacy in electronic communications.
– Directives are « transposed » into national laws:
  Directives set « objectives » that Member States (MS) are bound to attain, while remaining free to decide how this is done in their national laws.
– Comprehensive DP legislation now exists in all 25 EU MS.

Comprehensive EC data protection and privacy legislation (2)
– « Comprehensive » = « applicable to all sectors of activity covered by the rules »
– EC Directives are very wide in scope: all public- or private-sector activities that have an impact on freedom of movement (goods and services), in practice all economic activities.
– They do not cover « third pillar matters », i.e. police and justice activities, BUT:
  – States have adopted national rules in that field as well
  – Work has just started to adopt common EU rules in that sphere as well

Data Protection Laws in Europe
– Apply to the « processing of personal data »
– « Processing » means more than « collection »:
  « any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction »
– « Personal data » means much more than « name and surname »:
  – « any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity »
  – Ex: number on a car number plate; social security number; biometric features…

« Data Protection Principles » (1)
– Processing must be « legitimate »:
  – Data subject's consent
  – Data controller's legitimate interest, with the rights of the individual complied with
  – Compliance with applicable legislation, etc.
– Data must be obtained fairly and lawfully,
– Used only for their original, specific purpose,
– Adequate, relevant and not excessive to that purpose,
– Accurate and up to date

« Data Protection Principles » (2)
– Data must be kept secure and processing operations must be secure
– Data must be destroyed when the purpose is completed
– Data subjects have rights: right to information, right of access, erasure and rectification
  – These rights are enforceable: enforcement by judicial authorities, but also by data protection authorities
Many of these principles are common sense and are common to the US model (e.g. the « purpose principle » in the Privacy Act).

Independent supervisory authorities
– One public authority per MS is responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to the Directive
– Must be independent:
  – May receive no instructions from government,
  – Have their own budget,
  – Have their own staff,
  – Set their own rules of procedure, etc.
– Independence is hard to obtain, and hard to maintain

Very wide missions of DPAs
– Are consulted by government when drawing up administrative measures or regulations with a privacy impact
– Hear claims lodged by data subjects
– Inform data subjects and data controllers of their rights and duties
– Receive notifications, issue prior opinions on and authorizations of certain processing operations
– Play an « alert function » on privacy risks incurred by new IT developments
– Etc.

Powers of DPAs (1)
– Vary from country to country
– Minimum: investigative powers and « effective powers of intervention » (Art. 28 EC Dir.):
  – ensuring appropriate publication of opinions,
  – ordering the blocking, erasure or destruction of data,
  – imposing a temporary or definitive ban on processing,
  – warning or admonishing the controller,
  – referring matters to national parliaments or other political institutions,
  – informing the judicial authorities of DP breaches and possibly engaging in judicial proceedings

Powers of DPAs (2)
– Some DPAs have specific sanction powers (e.g. Spain, Portugal, Italy, more recently France):
  – Power to issue compliance orders
  – If such orders are not complied with, possibility to issue fines or other administrative sanctions
  – Such sanction powers are usually combined with significant investigation powers
– However: DPAs do not use their sanction powers as a first option: cooperation and discussion with controllers are the normal first stage of enforcement actions

Cooperation between EU DPAs: « the Article 29 Working Party »
– Instituted by Art. 29 of Directive 95/46
– Advisory status
– Acts independently
– Very wide missions: issuance of EU guidance on the application of the EU privacy Directives and ensuring common application of DP principles throughout the EU
– More and more identified by companies as « the door to knock on »: clearly indispensable

Another specificity of the EU model
– Rules on international data transfers (Art. 25 et seq. of Directive 95/46)
  – Have a clear impact on the development of privacy and DP laws in the world
  – Specificity mirrored in Convention 108 and in Canadian and Hong Kong laws
  – One of the most active fields of Art. 29 WP work (« binding corporate rules », « Art. 26(1) derogations », « standard contractual clauses », and… « Safe Harbor »)

Conclusion: « are we so different? »
– There are « US features » in the EU model:
  – see e.g. « EU-wide codes of conduct » (Art. 27 of Directive 95/46)
– We have to cooperate, whatever our models:
  – spam,
  – IT development,
  – international transfers
– Safe Harbor is a great example of a successful cooperation effort: we have to advertise it, and make it work better on both sides

Thank you

Commission nationale de l'informatique et des libertés
21 RUE SAINT GUILLAUME
75340 PARIS CEDEX 07
TEL 00 33 1 53 73 22 22
www.cnil.fr