28 January 2014

EU and CoE Data Protection Frameworks

The 210pp Handbook on European data protection law [PDF] released today by the European Union Agency for Fundamental Rights and European Court of Human Rights is promoted as
the first comprehensive guide to Council of Europe and European Union law on data protection, taking into account the case law from the European Court of Human Rights and the Court of Justice of the European Union. It covers among other issues: data protection terminology; key principles and the rules of data protection law; data subjects’ rights and their enforcement; transborder data flow; data protection in the context of police and criminal justice; and other specific data protection laws. 
The Agency's report on Data Protection Remedies is noted here.

Key points from the Handbook are -
The right to data protection
  • Under Article 8 of the ECHR, a right to protection against the collection and use of personal data forms part of the right to respect for private and family life, home and correspondence. 
  • CoE Convention 108 is the first international legally binding instrument dealing explicitly with data protection. 
  • Under EU law, data protection was regulated for the first time by the Data Protection Directive. 
  • Under EU law, data protection has been acknowledged as a fundamental right.
Balancing rights
  • The right to data protection is not an absolute right; it must be balanced against other rights.
Personal Data
  • Data are personal data if they relate to an identified or at least identifiable person, the data subject. 
  • A person is identifiable if additional information can be obtained without unreasonable effort, allowing the identification of the data subject by name. 
  • Authentication means proving that a certain person possesses a certain identity and/or is authorised to carry out certain activities. 
  • There are special categories of data, so-called sensitive data, listed in Convention 108 and in the Data Protection Directive, which require enhanced protection and, therefore, are subject to a special legal regime. 
  • Data are anonymised if they no longer contain any identifiers; they are pseudonymised if the identifiers are encrypted. 
  • In contrast to anonymised data, pseudonymised data are personal data.
Data processing
  • The term ‘processing’ refers primarily to automated processing. 
  • Under EU law, ‘processing’ refers additionally to manual processing in structured filing systems. 
  • Under CoE law, the meaning of ‘processing’ can be extended by domestic law to include manual processing. 
The users of personal data
  • Whoever decides to process personal data of others is a ‘controller’ under data protection law; if several persons take this decision together, they may be ‘joint controllers’. 
  • A ‘processor’ is a legally separate entity that processes personal data on behalf of a controller. 
  • A processor becomes a controller if he or she uses data for his or her own purposes, not following the instructions of a controller. Anybody who receives data from a controller is a ‘recipient’. 
  • A ‘third party’ is a natural or legal person who does not act under instructions of the controller (and is not the data subject). 
  • A ‘third party recipient’ is a person or entity that is legally separate from the controller, but receives personal data from the controller.
Consent
  • Consent as a legal basis for processing personal data must be free, informed and specific. 
  • Consent must have been given unambiguously. 
  • Consent may either be given explicitly or implied by acting in a way which leaves no doubt that the data subject agrees to the processing of his or her data. 
  • Processing sensitive data on the basis of consent requires explicit consent. 
  • Consent can be withdrawn at any time.
The principle of lawful processing
  • In order to understand the principle of lawful processing, one has to refer to conditions for lawful limitations of the right to data protection in light of Article 52(1) of the Charter and requirements of justified interference under Article 8 (2) ECHR. 
  • Accordingly, the processing of personal data is lawful only if it: is in accordance with the law; and pursues a legitimate purpose; and is necessary in a democratic society in order to achieve the legitimate purpose.
The principle of purpose specification and limitation 
  • The purpose of processing data must be visibly defined before processing is started. 
  • Under EU law, the purpose of processing must be specifically documented; under CoE law, this question is left to domestic law. 
  • Processing for undefined purposes is not compliant with data protection law. 
  • Further use of data for another purpose needs an additional legal basis if the new purpose of processing is incompatible with the original one. 
  • Transfer of data to third parties is a new purpose needing an additional legal basis.
Data quality principles
  • The principles of data quality must be implemented by the controller in all processing operations. 
  • The principle of limited retention of data makes it necessary to delete data as soon as they are no longer needed for the purposes for which they were collected. 
  • Exemptions from the principle of limited retention must be set out by law and need special safeguards for the protection of data subjects.
The fair processing principle
  • Fair processing means transparency of processing, especially vis-à-vis data subjects. 
  • Controllers must inform data subjects before processing their data, at least about the purpose of processing and about the identity and address of the controller. 
  • Unless specifically permitted by law, there must be no secret and covert processing of personal data. 
  • Data subjects have the right to access their data wherever they are processed.
The principle of accountability
  • Accountability requires the active implementation of measures by controllers to promote and safeguard data protection in their processing activities. 
  • Controllers are responsible for the compliance of their processing operations with data protection law. 
  • Controllers should be able at any time to demonstrate compliance with data protection provisions to data subjects, to the general public and to supervisory authorities. 
Rules on lawful processing
  • Personal data may be lawfully processed if: the processing is based on the consent of the data subject; or vital interests of data subjects require the processing of their data; or legitimate interests of others are the reason for processing, but only as long as they are not overridden by interests in protecting the fundamental rights of the data subjects. 
  • Lawful processing of sensitive personal data is subject to a special, stricter regime.
Rules on security of processing
  • The rules on security of processing imply an obligation of the controller and the processor to implement appropriate technical and organisational measures in order to prevent any unauthorised interference with data processing operations. 
  • The necessary level of data security is determined by: the security features available in the market for any particular type of processing; and the costs; and the sensitivity of the data processed.
  • The secure processing of data is further safeguarded by the general duty on all persons, controllers or processors, to ensure that data remain confidential.
Rules on transparency of processing 
  • Before starting to process personal data, the controller must, at the very least, inform the data subjects about the identity of the controller and the purpose of the data processing, unless the data subject already has this information. 
  • Where the data are collected from third parties, the obligation to provide information does not apply if: the data processing is provided for by law; or provision of information proves impossible or would involve a disproportionate effort. 
  • Before starting to process personal data, the controller must, additionally: notify the supervisory authority of the intended processing operations; or have the processing internally documented by an independent personal data protection official, if national law provides for such proceedings.
Rules on promoting compliance
  • Developing the principle of accountability, the Data Protection Directive mentions several instruments for promoting compliance: prior checking of intended processing operations by the national supervisory authority; personal data protection officials who shall provide the controller with special expertise in the field of data protection; codes of conduct specifying the existing data protection rules for application in a branch of society, especially of business. 
  • CoE law proposes similar instruments for promoting compliance in its Profiling Recommendation.
The rights of data subjects
  • Everyone shall have the right under national law to request from any controller information as to whether the controller is processing his or her data. 
  • Data subjects shall have the right under national law to: access their own data from any controller who processes such data; have their data rectified (or blocked, as appropriate) by the controller processing their data, if the data are inaccurate; have their data deleted or blocked, as appropriate, by the controller if the controller is processing their data illegally. 
  • Additionally, data subjects shall have the right to object to controllers about: automated decisions (made using personal data processed solely by automatic means); the processing of their data if it leads to disproportionate results; the use of their data for direct marketing purposes.
Independent Supervision
  • In order to ensure effective data protection, independent supervisory authorities must be established under national law. 
  • National supervisory authorities must act with complete independence, which must be guaranteed by the founding law and reflected in the specific organisational structure of the supervisory authority. 
  • Supervisory authorities have specific tasks, among others, to: monitor and promote data protection at the national level; advise data subjects and controllers as well as the government and the public at large; hear complaints and assist the data subject with alleged violations of data protection rights; supervise controllers and processors; intervene if necessary by warning, admonishing or even fining controllers and processors, ordering data to be rectified, blocked or deleted, imposing a ban on processing; refer matters to court.
Remedies and sanctions
  • According to Convention 108 as well as the Data Protection Directive, national law must set out appropriate remedies and sanctions against infringements of the right to data protection. The right to an effective remedy requires, under EU law, that national law set out judicial remedies against infringements of data protection rights, irrespective of the possibility of approaching a supervisory authority. Sanctions must be set out by national law that are effective, equivalent, proportionate and dissuasive.
  • Before turning to the courts, one must first approach a controller. Whether or not it is also mandatory to approach a supervisory authority before applying to a court, is left to regulation by national law. 
  • Data subjects may bring violations of data protection law, as a last resort and under certain conditions, before the ECtHR. 
  • In addition, the CJEU can be approached by data subjects, but only to a very limited extent.
Nature of transborder data flows
  • Transborder data flow is a transfer of personal data to a recipient who or which is subject to a foreign jurisdiction. 
Free data flows between Member States or between Contracting Parties
  • Transfer of personal data to another member state of the European Economic Area or to another Contracting Party to Convention must be free from restrictions
Free data flows to third countries
  • Transfer of personal data to third countries shall be free from restrictions under national data protection law, if: adequacy of data protection at the recipient has been ascertained; or it is necessary in the specific interests of the data subject or legitimate prevailing interests of others, especially important public interests. 
  • Adequacy of data protection in a third country means that the main principles of data protection have been effectively implemented in the national law of this country. 
  • Under EU law, the adequacy of data protection in a third country is assessed by the European Commission. 
  • Under CoE law, it is left to domestic law to regulate how adequacy is assessed.
Restricted data flows
  • Before exporting data to third countries not ensuring an adequate level of data protection, the controller must subject the intended data flow to examination by the supervisory authority. 
  • The controller who wants to export data must demonstrate two issues during this examination: that a legal basis exists for the data transfer to the recipient; and that measures are in place to safeguard adequate protection of the data at the recipient. 
  • Measures for establishing adequate data protection at the recipient may include: contractual stipulations between the data-exporting controller and the foreign data recipient; or binding corporate rules, usually applicable for data transfers within a multinational group of companies. 
  • Data transfers to foreign authorities can also be governed by a special international agreement.
CoE law on data protection in police and criminal justice matters
  • Convention 108 and the CoE Police Recommendation cover data protection across all areas of police work. 
  • The Cybercrime Convention (Budapest Convention) is a binding international legal instrument dealing with crimes committed against and by means of electronic networks.
EU law on data protection in police and criminal matters
  • At the EU level, data protection in the police and criminal justice sector is regulated only in the context of cross-border cooperation of police and judicial authorities. 
  • Special data protection regimes exist for the European Police Office (Europol) and the EU Judicial cooperation unit (Eurojust), which are EU bodies assisting and promoting cross-border law enforcement. 
  • Special data protection regimes also exist for the joint information systems which are established at the EU level for cross-border information exchange between the competent police and judicial authorities. Important examples are Schengen II, the Visa Information System (VIS) and Eurodac, a centralised system containing the fingerprint data of third-country nationals applying for asylum in one of the EU Member States.
Electronic communications
  • Specific rules on data protection in the area of telecommunication, with particular reference to telephone services, are contained in the CoE Recommendation from _''(.      
  • The processing of personal data relating to the delivery of communications services at the EU level is regulated in the e-Privacy Directive. 
  • Confidentiality of electronic communications pertains not only to the content of a communication but also to traffic data, such as information about who communicated with whom, when and for how long, and location data, such as from where data were communicated. 
  • The Data Retention Directive obliges communication service providers to keep traffic data available, specifically for the purposes of fighting serious crime.
Employment data
  • Specific rules for data protection in employment relations are contained in the CoE Employment Data Recommendation. 
  • In the Data Protection Directive, employment relations are specifically referred to only in the context of the processing of sensitive data. 
  • The validity of consent, which must have been freely given, as a legal basis for processing data about employees may be doubtful, considering the economic imbalance between employer and employees. The circumstances of consenting must be assessed carefully.
Medical Data
  • Medical data are sensitive data and, therefore, enjoy specific protection.
Data processing for statistical purposes
  • Data collected for statistical purposes may not be used for any other purpose. 
  • Data collected legitimately for any purpose may be further used for statistical purposes, provided that national law prescribes adequate safeguards which are met by the users. For this purpose, particularly anonymisation or pseudonymisation before transmission to third parties should be envisaged.
Financial data
  • Although financial data are not sensitive data in the sense of Convention 108 or of the Data Protection Directive, their processing needs particular safeguards to ensure accuracy and data security. 
  • Electronic payment systems need built-in data protection, so-called privacy by design. 
  • Particular data protection problems arise in this area from the need to have appropriate mechanisms for authentication in place.