Page 1

Requirements on new data protection regulations and current changing needs from the view of the EDPS

10/11/2015, Berlin

Wojciech Wiewiórowski

"ISSE 2015. Making Europe a safer place to do business"

Page 2

© M. Narojek for GIODO 2011

Page 3

EDPS

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. A number of specific duties of the EDPS are laid down in Regulation 45/2001. The three main fields of work are:

• Supervisory tasks

• Consultative tasks: to advise the EU legislator on proposals for new legislation as well as on implementing measures. Technical advances, notably in the IT sector, with an impact on data protection are monitored.

• Cooperative tasks: involving work in close collaboration with national data protection authorities (Article 29 Working Party)

Page 4

The role of the European Data Protection Supervisor

• The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the processing of personal data by the EU administration;

• Privacy and data protection are fundamental rights – see Articles 7 and 8 of the Charter of Fundamental Rights;

• Independent supervision is an integral part of the right to data protection – see Article 16(2) TFEU and Article 8(3) of the Charter;

• What we do:

– monitoring and verifying compliance with Regulation (EC) 45/2001,

– giving advice to controllers,

– advising the co-legislators on new legislation,

– cooperating with Member States' DPAs,

– handling complaints, conducting inspections,

– monitoring technological developments,

– promoting data protection aware design and development.

Page 5

Our objectives

I. Data protection goes digital

II. Forging global partnerships

III. Opening a new chapter for EU data protection

Page 6

Reform of Data Protection Law in the European Union

• Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), OJ 1995 L 281

Page 7

Reform of Data Protection Law in the European Union

Communication from the Commission to the European Parliament and the Council – "A comprehensive approach on personal data protection in the European Union"

Page 8

Reform of Data Protection Law in the European Union

Page 9

Reform of Data Protection Law in the European Union

COM(2012) 11/4 draft

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

Page 10

Reform of Data Protection Law in the European Union

COM(2012) 10 final, 2012/0010 (COD)

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data

Page 11

Reform of Data Protection Law in the European Union

Council: DAPIX Group – Working Party on Information Exchange and Data Protection

Member States represented by governments: Minister (usually Justice or Interior, but in PL – Digitisation)

Experts: some governments invite the Data Protection Authority

Instruction: Council of Ministers

Page 12

Reform of Data Protection Law in the European Union

European Parliament

The European Parliament voted the draft in plenary (with 621 votes in favour, 10 against and 22 abstentions for the Regulation, and 371 votes in favour, 276 against and 30 abstentions for the Directive).

"The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible. Europe's directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens," said Vice-President Viviane Reding, the EU's Justice Commissioner. "Data Protection is made in Europe. Strong data protection rules must be Europe's trade mark. Following the U.S. data spying scandals, data protection is more than ever a competitive advantage. I want to thank Mr Albrecht and Mr Droutsas for their committed and tireless work on the data protection reform. Today's vote is the strongest signal that it is time to deliver this reform for our citizens and our businesses."

Page 13

Reform of Data Protection Law in the European Union

Trilogue

Discussion on final text by Council, Parliament and Commission

Page 14

Page 15

Reform of Data Protection Law in the European Union

Norms derived from European law can be:

- directly binding

- directly applicable

- directly effective

vertically and/or horizontally

Page 16

Reform of Data Protection Law in the European Union

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorised reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Page 17

Adequacy

Suitability – is the measure suitable and adequate to the purposes to be achieved?

Necessity – is it necessary to use this kind of intervention in order to achieve the goal?

Non-excessiveness (proportionality sensu stricto) – is the measure not too intrusive?

More on adequacy and consent: L. A. Bygrave, D. W. Schartum: Consent, Proportionality and Collective Power [in:] S. Gutwirth, Y. Poullet, P. De Hert, C. de Terwangne, S. Nouwt [ed.] Reinventing Data Protection, Springer 2009, p. 157

Page 18

Big Data = Big Responsibility

Page 19

Ethics

While the law is a powerful element, it cannot address the many nuanced scenarios that arise in the digital market. The EDPS calls upon organisations to be accountable, to have a new ethical approach to handling the personal data they collect. By developing internal codes and policies which safeguard human dignity, organisations can self-police, ensure their compliance with data protection laws and demonstrate a respect for the persons whose personal data they use – just because an organisation can piece together a customer's life from their data trail does not mean it always should.

Page 20

Privacy by Design

• Privacy by Design and Accountability:

• More robust anonymisation techniques will not, by themselves, solve the challenges Big Data presents to privacy. There is a need for additional solutions. Privacy by Design and accountability are also important to help alleviate the privacy challenges.

• Use of Big Data technologies should be based on the seven principles of Privacy by Design. Privacy by Design entails taking into account protection of privacy at all stages of system development, in procedures and in business practices.

Page 21

Thank you for your attention!

www.edps.europa.eu

[email protected]

@EU_EDPS

Page 22

International co-operation of data protection authorities (DPAs)

The IPEN initiative was founded in 2014. It supports the creation of engineer groups working on (re)-usable building blocks, design patterns and other tools for selected Internet use cases where privacy is at stake. IPEN invites participants from different areas such as data protection authorities, academia, open source and business development, and other individuals who are committed to finding engineering solutions to privacy challenges. The objective of the work should be to integrate data protection and privacy into all phases of the development process, from the requirements phase to production, as is most appropriate for the development model and the application environment.

It supports networking between engineer groups and existing initiatives for engineering privacy into the Internet. This network facilitates exchange in order to coordinate work and avoid duplication, in addition to discussing which privacy oriented use cases should be addressed with priority.

IPEN is building a repository of relevant resources, making its findings and knowledge base accessible to all participants, developers and privacy experts.

A core group takes care of collection and distribution of information, liaises with other relevant initiatives, facilitates the dialogue on engineering solutions, and organises online and offline events.