Personal data protection in Internet Thomas Papaliagkas, LLM

Greek Law

Law 2472/97: transposed the Directive 95/46/EC into internal Greek Law

Law 3625/07: Forthcoming amendments

Law 3741/06: transposed the Directive 2002/58/EC into internal Greek Law

Community Law

Directive 1995/46/EC is the main text on personal data protection in the European Union.

Directive 2002/58/EC particularises and complements Directive 95/46/EC: it protects the right to privacy with respect to the processing of personal data in the electronic communication sector and ensures the free movement of such data and of electronic communication equipment and services in the Community.

Main Definitions

'Personal Data': "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly" (Art. 2 para 1 α of Law 2472/97). Identification may be made in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, as referred to in the provision of Art. 1 para. 1 of the Directive 95/46/EC.

This definition is very broad, since "personal data" is any data through which anyone is able to link the information to a person.

Main definitions

Processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (Art. 2 para 1 δ Law 2472/97)

Main definitions

"Controller": The natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Art. 2 para 1 ζ Law 2472/97).

'The data subject's consent': any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website.

Main definitions

'Sensitive personal data': data relating to the race or nationality of the subject, political views, religious and philosophical beliefs, participation in a political party or trade union, health, social welfare and sexual life, penal sentences, and participation in any other associations of persons like the above-mentioned (Art. 2 para 1 γ Act 2472/97, as amended by the provision of Art. 8 para 3 of the Act 3625/2007).

Basic Principles

Principles

The main principles of the Directive and the Greek Act are common. Generally, personal data processing is forbidden, except when certain conditions are met.

These conditions fall into three categories: transparency, legitimate purpose and proportionality.

Principle of Transparency

Data may be processed only under the following circumstances (art. 7):

1) when the data subject has given his consent

2) when the processing is necessary for the performance of or the entering into a contract

3) when processing is necessary for compliance with a legal obligation

4) when processing is necessary in order to protect the vital interests of the data subject

5) when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data

Principle of Legitimate Purpose

Legitimate purpose

Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b) Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards.

Proportionality

Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.

The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (art. 6)

Principle of Legitimate Purpose

The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6)

When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8)

Supervisory Authority

Supervisory authority and the public register of processing operations

Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations to the supervisory authority or in a court of law.

Authority for Personal Data Protection

A supervisory authority, in the form of an independent body, has been founded in every Member State. The provisions of Art. 28 were implemented in Greek law by the provisions of Art. 15-20 of the Act 2472/97. This independent body, which monitors the data protection level in Greece, is called “Αρχή Δεδομένων Προσωπικού Χαρακτήρα” or “Authority for Personal Data”.

The European Data Protection Supervisor (EDPS)

According to the provisions of the Directive 95/46/EC an independent authority was founded, aiming to watch and guarantee personal data protection; this is the European Data Protection Supervisor (EDPS).

The EDPS has three main functions: supervision, consultation, and cooperation.

EDPS: Function of Supervision

Supervision takes various forms:

The bulk of it is presently based on notifications of processing operations presenting specific risks. These need to be prior-checked by the EDPS. Based on the facts submitted to him, the EDPS will examine the processing of personal data in relation to Regulation 45/2001. In most cases, this exercise leads to a set of recommendations that the institution or body needs to implement, so as to ensure compliance with data protection rules.

The EDPS also receives complaints from EU staff members as well as from other people who feel that their personal data have been mishandled by a Community institution or body. If a complaint is admissible, the EDPS usually carries out an inquiry. The findings are communicated to the complainant, and necessary measures are adopted.

EDPS: Supervision

The EDPS may also carry out inquiries on his own initiative. Inquiries and inspections are essential for a supervisory authority to have the means for fact-finding, following up of cases and monitoring of compliance in general.

In order to monitor compliance with Regulation 45/2001, the EDPS largely relies on the Data Protection Officers (DPOs) who are to be appointed in each institution/body. Apart from bilateral meetings and contacts with the DPOs, the EDPS also takes part in the regular meetings of the DPO network.

Since January 2004, the EDPS has ensured the supervision of the central unit of Eurodac, a database of fingerprints of applicants for asylum and immigrants found illegally in the EU.

EDPS Function of Consultation

The EDPS advises the EU institutions and bodies on data protection issues in a range of policy areas. His consultative role relates to proposals for new legislation as well as soft law instruments like communications that affect personal data protection in the EU. He also monitors new technologies that may have an impact on data protection.

EDPS Function of Consultation

2007: priorities broaden, with increasing focus on other areas of Community law, such as electronic communications and information society as well as public health.

The EDPS examines the data protection and privacy impact of proposed new legislation. The Policy paper of 2005 elaborates how this role is interpreted in terms of limitations in scope, working methods and main orientations. The EDPS uses different instruments in order to exercise this role.

1) Planning tool: each year in December, the EDPS publishes an inventory of his priorities for the coming year.

2) Public opinion: by issuing opinions on a regular basis, the EDPS establishes a consistent policy on data protection issues. The opinions are addressed to those involved in the legislative negotiations, but also published on the website as well as through the Official Journal of the EU.

3) The EDPS comments, which address data protection issues for instance in Commission communications.

4) Intervenes in cases before the Court of Justice, the Court of First Instance and the Civil Service Tribunal.

Function of Cooperation

Covers work on specific issues, as well as more structural collaboration together with other data protection authorities.

Aim of the EDPS: to promote consistency in the protection of personal data.

The central forum for cooperation in the EU is the Article 29 Working Party. This is where the national data protection authorities meet to exchange views on current issues, to discuss a common interpretation of data protection legislation and to give expert advice to the European Commission. The EDPS also participates in the work to ensure good data protection in the EU's third pillar,

Social Networking Technologies

Facebook: After a public backlash in the US, including more than 50,000 Facebook users' signatures on a protest petition, Facebook executives apologised and allowed an opt-out option on the programme.

The Directive doesn’t allow them to pick just one EU country and comply with its Data Protection laws. Directive 95/46 Recital 19 puts an onus on a Data Controller established in multiple territories to fulfill the obligations of all those states.

Facebook

1) Is it subject to European law?

Legal Problem. Facebook Inc already has an office in London. This also puts them within the alternate definition of “establishment” (in the UK)

2) Case of Ireland

Other Social Networking Sites

MySpace and Friendster, as well as online dating sites like eHarmony.com, may require departing users to confirm their wishes several times — but in the end, they offer a delete option

Anonymous or Pseudonymous Users

Anonymous or pseudonymous users:

A different class of identifiers having similar characteristics, IP addresses, was considered in the Article 29 Working Party's Opinion 4/2007 on the Concept of Personal Data

Hellenic Data Protection Authority

The Art. 29 Working Party is deeply concerned about the development taking place in Greece after the resignation of the President and 5 members of the Hellenic Data Protection Authority.

Problem of real independence

Conclusion

- Can the Internet be auto-balanced?

- Greek Conseil d'Etat case-law

- The problem is not theoretical; the problem is execution. The legal frame can be easily amended, as soon as we find the problem. But, really, who is able to catch the illegals?
