4th International Seminar on Information Law, Thessaloniki • Revising the Data Protection Directive: Reinventing Data Protection? • Lilian Mitrou, Ass. Professor, University of the Aegean
What are we talking about? • The Review Process • Strengths and Weaknesses of the Data Protection Directive • Necessity of Review? • The Challenges • Occam's razor or new rules? • Scope and purpose • Re-inventing Data Protection?
The Review Process • Public consultation on the need for revising the Data Protection Directive • Communication "A comprehensive approach on personal data protection in the European Union" (November 2010) • A very important step forward in the discussion on the future of the legal framework for privacy and data protection, but... unfortunately there is no proposal yet
A risky Review • Discussion and revision as risk… • Risk of weakening and restricting data protection? • A justified concern? • In the wake of 9/11, legislative proposals (including the Data Retention Directive) have been adopted which had “no chance to be accepted” • Some of the principles underlying the system of personal data protection, such as the principles of finality and proportionality, are being slowly but clearly eroded.
Era of reviewing • The second generation of Data Protection Legislation is under review • Council of Europe: Discussion on the Review of Convention 108 (1981), which inspired the legislators of the Directive 95/46/EC and still forms the basis of most data protection laws in Europe • If the Council of Europe reaffirmed the rights laid down in Article 8 of the European Convention of Human Rights, the Data Protection Directive established basic principles for the collection, storage and use of personal data.
The Strengths of the Directive • Positive impact of the Directive on European perceptions of data protection principles • Improvement of awareness • Harmonisation of data protection principles • Flexibility in application • A leading paradigm, serving as a reference and inspiration model for privacy protection outside Europe
The Charter and the Lisbon Treaty • A separate Article for Data Protection (Art. 8) • Binding not only on EU institutions and bodies, but also on EU Member States when acting within the scope of EU law. • Horizontal approach and uniformity of protection among sectors • Art. 16 of the Treaty on the Functioning of the European Union: a new legal basis for data protection applicable to all processing in the area of police and judicial cooperation and common foreign and security policy
Criticism • Despite the substantially positive track record and general acceptance of the Directive, certain aspects have been criticised: • Too heavy formalities (notifications) • Vague definitions (data controller / data processor) • Cumbersome and outmoded rules and tools concerning data transfer to third countries • Inconsistent enforcement and diversities among national laws • Different approaches for crucial issues (independence of DPAs)
Is change necessary? • Is there a real need to rethink the foundations of data protection in today’s information society? • Not acting – and avoiding change where it is necessary – most certainly carries more risks • Increasing loss of relevance and effectiveness of data protection in a changing world. • A third generation of privacy legislation?
Technological Challenges/1 • The Data Protection Directive was conceived and adopted before the explosion of the Internet and its impacts on economy, society, life • Technological and social phenomena pose crucial challenges for data protection • Convergence of the network around a single interoperable platform • Appearance and explosive growth of the “semantic web” and Web 2.0 • Changes in identification and authentication techniques • Identity management and profiling • RFIDs and geo-location devices and applications • Cloud computing and globalisation of processing
Technological Challenges/2 • Ambient intelligence: through technology and network into day-to-day life • ICTs: ubiquitous and autonomous systems • Information society no longer a parallel environment where individuals can participate on a voluntary basis, but an integrated part of our everyday lives.
Occam's razor or new rules? • Data Protection Authorities try to demonstrate that the Data Protection Directives might respond to new challenges • “The level of data protection in the EU can benefit from a better application of the existing data protection principles in practice” [Art 29 DPWP – The Future of Privacy] • Principles like necessity, proportionality, data minimisation, purpose limitation and transparency have been around for 25 or 30 years and have been confirmed • Should we put emphasis on ensuring that “old” principles are applied more effectively in a changing ICT environment and socio-economic context? • Is the Data Protection Directive sufficient in the long term?
Scope and Purpose • Reflection on a “comprehensive and consistent data protection framework” • ... to cover all areas of EU competence • Data Protection Directive as benchmark • EDPS: a Regulation instead of a Directive, in order to ensure direct applicability without differences and divergences and a common level of protection
Time to reinvent Data Protection? • Data protection has already been invented and developed for more than four decades • Re-invent, rethink new tools and a new architecture of data protection • Harmonisation, simplification and diversification of procedures • Strengthening the roles of individuals (data subjects), supervisory authorities and data controllers
Informational self-determination • Consent of the data subject as cornerstone • Broaden the situations where express consent is required? • Consent has to be adapted to the requirements of the online environment... avoiding a “just click submit” • Right to be forgotten: of crucial importance for preserving individuals’ rights, especially on the Web (search engines, social networks, advertising, public information)
Measures for Compliance • Risk assessments and privacy impact assessments • Clear rules about the accountability of the data controller and the obligations derived from • Introduction of a provision on personal data breach notification • Introduction of collective redress mechanisms • Privacy by design - privacy by default
Forward-thinking or lowest common denominator? • The EU legislator should be ambitious and forward-thinking. • Not easy to reach a consensus or even an affordable compromise. • Risk that the 27 Member States adopt a lowest common denominator approach to privacy protection in Europe.