EU Data Protection and Privacy Rights
Sofia, 13-14 June 2019
Synergies related to data protection between CoE and EU on selected aspects
Teresa Quintel
[AD/2019/04]
With financial support from the Justice
Programme of the European Union
Content
I. CoE and EU Data Protection Law
II. Changes under the new Regimes
III. Specific Rules for the Processing of Personal Data in the Law Enforcement Context
IV. Case Law on Law Enforcement Access to Personal Data
EJTN 14 June 2019 [email protected]
I. CoE and EU Data protection law
Council of Europe | European Union
ECHR Article 8 | EU Charter Articles 7 and 8
Convention 108 | Directive 95/46/EC
Recommendation (87)15 | Framework Decision 2008/977/JHA
Modernised Convention 108 | GDPR
Guide on Police Processing | Directive (EU) 2016/680
Convention 108
• CoE instrument, but the ‘Global Data Protection Convention’
• Only binding International Data Protection Treaty
• To be distinguished from the ECHR
• Global Standards for Data Protection
• 47 CoE Members + 7 non-European Members are Party to the Convention
• Possibility for the EU to accede to the Convention
II. Changes under the new Regimes: Modernised Convention 108
• Maintains the Convention’s provisions at principle-level
• Aims to ensure consistency and compatibility with other data protection legal frameworks
• Maintains technologically neutral provisions
• Reaffirms the Convention’s potential as a universal standard
Convention 108+ and GDPR
• Convention 108 seen as the ‘mother’ of the GDPR
• On 18 May 2018 the Committee of Ministers of the CoE adopted an amendment protocol to update Convention 108
→to avoid contradictions with GDPR standards
• The Modernised Convention includes most of the important GDPR innovations
• But does not include all of the GDPR pieces
→the Convention is kept much more general
• Recital 105 GDPR → Adequacy Finding under the GDPR
• Convention 108 Accession will in particular be taken into account for assessing the Adequacy of a Third Country
II. Changes under the new Regimes: Modernised Convention 108
• Changes in scope
→no processing activities can be excluded from the scope of the new Convention
• Parties must demonstrate effectiveness of implementation
→may be evaluated by the Convention Committee
• Catalogue of sensitive data has been extended
→genetic and biometric data
→data on trade union membership and ethnic origin
• Introduction of data breach notification to DPAs
• New rights for data subjects
• Supervisory authorities and Cooperation → new powers and increased cooperation
The main innovations under the Modernised Convention
• proportionality
• accountability
• privacy by design
• obligation to notify data breaches
• transparency of data processing
• additional safeguards for the data subject
• possibility for International organisations to accede to the modernised Convention
Scope of GDPR and the Modernised Convention 108
• The scope of the GDPR (Articles 2 and 3)
• Competence of the EU
• Chapter 2 of Title V of the TEU
• Purely personal or household activity
• Directive (EU) 2016/680
• Regulation (EU) 2018/1725
• Convention 108+ as International Treaty that is accessible to non-CoE Members
• Covers areas where the EU has no competence
• Has been complemented by Recommendations and Guidelines
Convention 108 and EU Data Protection Standards
• Data Protection Principles
• Lawfulness of Processing
• Specific Conditions for Consent
• Special Categories of Personal Data
• Data Subject Rights
• Obligations for Controllers
→Transparency, Accountability, Data Protection by Design
• Controllers/Processors → responsibility
• Remedies
• Supervisory Authorities and Cooperation
II. Changes under the new Regimes: GDPR
• Data Protection as Fundamental Right
• New Rights for Data Subjects
• Additional Obligations for Controllers and Processors
• Risk-Based Approach
• Privacy by Design and by Default
• New Security Obligations
• Supervision
• Cooperation between DPAs
• Enforcement
III. CoE Police Guidelines
• Adopted on 15 February 2018 to provide clear guidance and to update the ‘insufficiently detailed’ Recommendation (87)15
• Endorses the relevance of the Principles enshrined in Recommendation (87)15
• Gives orientations for practical situations the police may face
• Balance between the objectives of general public interest, and the respect for the rights of individuals to privacy and data protection
• Purpose Limitation to what is necessary and proportionate for the prevention, investigation and prosecution of a criminal offence
• Data security, accuracy, accountability, human intervention in predictive analysis and ethical considerations for processing
• Recognition of the need to carry out proper DPIAs before using new technologies
Directive (EU) 2016/680 ‘Law Enforcement Directive’
• Repealed a Framework Decision from 2008
→now applicable to all ‘domestic’ processing of personal data
• Recognizes the needed flexibility for competent authorities in the performance of their tasks
→different transparency requirements and restriction of rights
• Material and Personal Scope
→Both personal and material scope must be satisfied
• Regulation vs Directive
→minimum harmonization
→definitions may differ in the Member States
• Only one legal basis
→where processing is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties
• Grey zones in terms of application?
→GDPR, ‘national security’
Distinct features of the Directive [compared to the GDPR]
• Particularities in terms of principles
• Data minimization and purpose limitation
• Subsequent processing vs. Further processing
• Categorization of data and Quality of data
• Restrictions of data subject rights
• Notification of data subjects
• Indirect data subject rights
• Other obligations → major improvements
• Logging, DPIAs, Prior Consultation, DP by Design, Notification of data breaches, mandatory DPOs
• Powers of the National Supervisory Authorities
Similarities between the Law Enforcement Directive and the Police Guide
• Openness to the operational needs of the police
• More flexible rules for the processing of personal data in the law enforcement context
• Specific conditions regarding the limitation of data subject rights
• Conditions for the subsequent use of data
• Processing of special categories of data
• New processing techniques require a DPIA
• Both recognize the necessity for direct cooperation with service providers
• Rules on international transfers, also to private bodies
Transfers of personal data to third countries and international organizations under the Directive
• The architecture of Chapter V on international transfers is the same as under the GDPR, but the logic applied to such transfers under the Directive is different
• Cascading System under the Directive
• Novelty: ‘asymmetrical transfers’ under Article 39 of the Directive
• Direct data exchanges between private actors and law enforcement actors
• Only in very exceptional cases, where it is strictly necessary for the fulfilment of the tasks of police
IV. Access to Personal Data by Law Enforcement
• Digital Rights Ireland (2014)
• Schrems (2015)
• Tele2/Watson (2016)
• Opinion 1/15 (2017)
• Ministerio Fiscal (2018)
• Privacy International → Case no. C-623/17