
Page 1: Data Protection Principles as Basic Foundation for Data Protection in EU/EEA

Data Protection Principles as Basic Foundation for Data Protection in EU/EEA

Introduction to Data Protection Theory Seminar - AFIN

31. 01. 2007

Stephen K. Karanja

Page 2

Protection of Personal Data in EU and EEA

• Main Data Protection Laws

  – OECD guidelines on protection of privacy and transborder flows of personal data - 1980

  – Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) of 1981

  – EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

  – National data protection laws

    » Norwegian Personal Data Act (PDA) 2000

Page 3

What are Data Protection Principles?

• Abstractions from rules

• Good practices

• Safeguards

  – ECHR & case law

• Normative force

• Balancing Interests

• Influence new data protection laws

• Principles and Interests (Norwegian interest theory)

Page 4

Basic Principles

• Fair and Lawful

• Minimality

• Purpose Specification

• Data Quality

• Data Security

• Sensitivity

• Individual Participation

  – Constellation of rights

• Anonymity

  – Requirement for technological and organisational measures

  – Pseudonyms

• Fully Automatic Decision Making (Art. 15 Directive)

Page 5

Fair and Lawful Principle

• Art. 6(1)(a) Directive & §11(a) PDA: personal data must be processed fairly and lawfully

• Most important principle

• What does Fairly Mean?

  – Conform to laid-down rules and procedures

  – Sensitive to, and taking account of, data subjects' interests and reasonable expectations – proportionality and balance

  – Transparency – not secret – no deception

• What does Lawful Mean?

  – Legality principle – permitted by law or authorised

  – Done with lawful justification or excuse (legitimate) - Article 7 Directive & §8 & 9 PDA

  – Article 8(2) ECHR & case law

  – Transparency

• Applies also to the establishment of information systems

Page 6

Minimality Principle

• Art. 6(1)(e) & § 28 PDA

• Necessary – personal data collected should be limited to what is necessary to achieve the purposes for which the data are gathered and further processed

• What is necessary?

  – Art. 7 & 8 Directive – §8 & 9 PDA

  – Art. 8(2) ECHR case law – “a pressing social need”, i.e. proportionate to the legitimate aim pursued. Incal v. Turkey (1998) 29 EHRR 449 §57

  – SAS Braathens request for taking passengers’ fingerprints

• Non-excessiveness, proportionality (to the purpose) – Art. 6(1)(c) Directive & § 11(d) PDA

• Data erasure and anonymity – § 11(e), 27 & 28 PDA

Page 7

Purpose Specification Principle

• Art. 6(1)(b) Directive & §11(b) PDA

• Personal data shall be processed for specified, lawful/legitimate purposes and not processed in ways that are incompatible with those purposes.

– Specified, defined or stated purpose

– Lawful/legitimate purpose - proportionality

– Further processing not incompatible with original purpose

– Transparency

• Entails also acceptance by society

Page 8

Data Quality

• Personal data should be valid with respect to what they are intended to describe, and relevant and complete with respect to the purpose for which they are intended to be processed. - Art. 6(1)(c)(d) Directive & §11(d)(e) PDA

• Adequacy

  – Relevancy

  – Non-excessiveness

• Accuracy

  – Up-to-dateness

  – Completeness

  – Rectification (supplement) and erasure or blocking

• Data Controller should establish measures to ensure data quality

Page 9

Data Security

• Ensure that data are not destroyed accidentally and not subject to unauthorised access, alteration, destruction or disclosure - Art. 17 Directive & § 13 PDA

– Implement appropriate technical and organisational measures

– Securing technical equipment and networks

– Contracts where processing is carried out on behalf of the controller

• Accessibility

Page 10

Sensitivity Principle

• Limits the processing of certain types of data which are regarded as especially sensitive for the data subject, and requires specific safeguards as compared with other personal data - Art. 8 Directive & § 9 PDA

• What is sensitive data?

  – Art. 8(1) Directive & § 2(8) PDA – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life.

  – Data relating to criminal acts – a person has been suspected of, charged with, indicted for or convicted of a criminal act.

• Exemptions

  – Art. 8(2) Directive & § 9 PDA

• Personal Identity Numbers or other identification numbers or identifiers of general application

  – § 12 PDA – can only be used where there is an objective need for certain identification and the number is necessary to achieve such identification

  – The Data Inspectorate may require the use of a PIN in order to ensure that the personal data are of adequate quality. (Privacy Enhancing Technology)

Page 11

Individual Participation

• A set of data subject’s rights. The rights are designed to enable data subjects to have a degree of control over, and to participate in, the processing of their personal data

• Balance of power

• Self-determination or individual control principle

• The rights

  – Right of access – Art. 12 Directive & § 18 PDA

  – Right to rectification, erasure and blocking

  – Right to information regarding automated decisions (Art. 15 Directive & § 22 PDA)

  – Right to object – Art. 14 Directive

    » Adversely affects the data subject

    » Direct marketing

  – Obligation to notify or provide information

    » When data are collected from the data subject

    » When data are collected from other persons

    » In connection with the use of personal profiles – § 21 PDA

  – Right to demand manual processing – § 25 PDA

Page 12

Exemptions

• Rights are not always absolute. Exemptions allow processing of personal data where State or societal interests may override individual interests i.e. protection of fundamental values in a democratic society

• Mitigate conflict or balance competing interests

• General exceptions

  – Art. 3(2) Directive

  – Art. 9 Directive

  – Art. 13 Directive & § 22 PDA

    » Limitations – provided for by legislative measure and must be necessary.

• Specific exceptions

  – Sensitive data

Page 13

Conclusion

• The Principles dealt with here are the most fundamental but not all.

• They are not all reflected in all national laws. There are differences of emphasis between them.

• New principles may arise with the advancement of technology.