Tag Archives: Protection of privacy

Data protection in the electronic communications sector

Outline of the Community (European Union) legislation about Data protection in the electronic communications sector

Topics

These categories group together and put in context the legislative and non-legislative initiatives which deal with the same topic.

Internal market > Single market for services

Document or Initiative

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [See amending acts].

Summary

Directive 2002/58/EC forms part of the “Telecoms Package”, a new legislative framework designed to regulate the electronic communications sector and amend the existing regulations governing the telecommunications sector. The “Telecoms Package” includes four other Directives on the general framework, access and interconnection, authorisation and licensing and the universal service. The “Telecoms Package” was amended in December 2009 by the two Directives “Better law-making” and “Citizens’ rights”, as well as by the establishment of a body of European regulators for electronic communications (BEREC).

This Directive principally concerns the processing of personal data relating to the delivery of communications services.

Processing security

The provider of an electronic communications service must protect the security of its services by:

  • ensuring personal data is accessed by authorised persons only;
  • protecting personal data from being destroyed, lost or accidentally altered;
  • ensuring the implementation of a security policy on the processing of personal data.

In the event of a personal data breach, the service provider must inform the person concerned, as well as the National Regulatory Authority (NRA).

Confidentiality of communications

The Directive reiterates the basic principle that Member States must, through national legislation, ensure the confidentiality of communications made over a public electronic communications network. They must in particular prohibit the listening into, tapping and storage of communications by persons other than users without the consent of the users concerned. The subscriber or user who stores their information must first be informed of the purposes of the processing of their data. They have the option to withdraw their consent on the processing of traffic data.

Data retention

The Directive determines that traffic data and location data must be erased or made anonymous when they are no longer required for the conveyance of a communication or for billing, except if the subscriber has given their consent for another use. On the sensitive issue of data retention, the Directive stipulates that Member States may withdraw the protection of data only to allow criminal investigations or to safeguard national security, defence and public security. Such action may be taken only where it constitutes a “necessary, appropriate and proportionate measure within a democratic society”.

In order to ensure the availability of communication data for the purpose of investigation, detection and prosecution of criminal offences, the Directive lays down provisions for the retention of data.

Unsolicited communications (“spamming”)

The Directive takes an “opt-in” approach to unsolicited commercial electronic communications, i.e. users must have given their prior consent before such communications are addressed to them. This opt-in system also covers SMS text messages and other electronic messages received on any fixed or mobile terminal. However, exceptions are provided.

Cookies

The Directive states that users must give their consent for information to be stored on their terminal equipment, or that access to such information may be obtained. In order to do this, users must receive clear and comprehensive information about the purpose of the storage or access. These provisions protect the private life of users from malicious software, such as viruses or spyware, but also apply to cookies.

Cookies are hidden information exchanged between an Internet user and a web server, and are stored in a file on the user’s hard disk. Their original purpose was to retain information between sessions. They are also a useful and much decried tool for monitoring a net surfer’s activity.

The Directive encourages the use of methods which are as user-friendly as possible, i.e. effective technical tools.

Public directories

European citizens must give prior consent in order for their telephone numbers (landline or mobile), e-mail addresses and postal addresses to appear in public directories.

Controls

Member States must implement a system of penalties, including legal sanctions in the case of infringements to the provisions of this Directive, and ensure that the national competent authorities have at their disposal the necessary powers and resources to monitor and control compliance with the national provisions adopted during the transposition of this Directive.

References

Act | Entry into force | Deadline for transposition in the Member States | Official Journal
Directive 2002/58/EC | 30.07.2002 | 31.10.2003 | OJ L 201 of 31.07.2002

Amending act(s) | Entry into force | Deadline for transposition in the Member States | Official Journal
Directive 2006/24/EC | 3.5.2006 | 15.9.2007 | OJ L 105 of 13.04.2006
Directive 2009/136/EC | 19.12.2009 | 25.5.2011 | OJ L 337 of 18.12.2009

Related Acts

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281/31 of 23.11.95].
This Directive is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU.

Regulation 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [Official Journal L 8 of 12.01.2001]
This Regulation aims to protect personal data within EU institutions and bodies. The text provides for rules to ensure a high level of protection for personal data processed by the Community institutions and bodies and the creation of an independent supervisory body to monitor the application of these rules.

Cooperation in criminal matters: protection of personal data

Outline of the Community (European Union) legislation about Cooperation in criminal matters: protection of personal data

Document or Initiative

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

Summary

This framework decision aims to protect the fundamental rights and freedoms of natural persons when their personal data are processed for the purposes of preventing, investigating, detecting or prosecuting a criminal offence or of executing a criminal penalty. It concerns personal data that are processed in part or entirely by automatic means, as well as personal data forming part of a filing system that are processed by non-automatic means.

Data processing

The competent authorities of Member States may collect personal data only for specified, explicit and legitimate purposes. The processing of these data is permitted only for the purposes for which they were collected. Processing for other purposes is allowed only under certain circumstances or when certain appropriate safeguards are in place.

In principle, personal data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or concerns his/her health or sex life may not be processed. Their processing may be allowed only if it is absolutely necessary and if appropriate safeguards have been established.

Inaccurate personal data must be rectified and updated or completed if possible. Once the data are no longer needed for the purposes they were collected, they must be erased, made anonymous or, in certain cases, blocked. The need to store personal data must be reviewed regularly, with time limits set for their erasure.

The competent authorities of Member States must verify that the personal data to be transmitted or made available are accurate, up to date and complete. In order to be able to verify that the processing of data is lawful and to ensure the integrity and security of the data, their transmissions must be logged or documented.

Data transmission

Personal data received from another Member State are to be processed only for the purposes for which they were transmitted. In certain cases however, they may be processed for other purposes, for example for the prevention, investigation, detection or prosecution of other criminal offences, the execution of other criminal penalties or the prevention of threats to public security. The receiving Member State must respect any specific restrictions to the exchanges of data provided for in the law of the transmitting Member State.

Under certain circumstances, the receiving Member State may transfer personal data to third countries or to international bodies. To this end, the Member State that first made the data available must provide its consent. Only in urgent cases may data be transferred without a prior consent. Personal data may also be transferred to private parties in Member States for exclusive purposes, provided that the competent authority of the Member State from where the data was received has given its consent.

Rights of data subjects

The data subject is to be kept informed of any collection or processing of personal data relating to him/her. However, when data have been transmitted from one Member State to another, the first may demand that the second does not divulge any information to the subject.

The data subject may request to receive a confirmation on whether data concerning him/her have been transmitted, who the recipients are, what data are being processed, as well as a confirmation that the necessary verifications of that data have been made. In certain cases, Member States may restrict the subject’s access to information. Any decision restricting access must be given in writing to the data subject, together with the factual and legal reasons thereof. The data subject must also be given advice on his/her right to appeal such a decision.

The data subject may demand that personal data relating to him/her be rectified, erased or blocked. Any refusal to that end must be given in writing, along with information on the right to lodge a complaint or seek a judicial remedy.

Any person may demand compensation for the damages s/he has suffered due to an unlawful processing of personal data or any other act that is not compatible with this framework decision. In case a data subject’s rights are breached, s/he has the right to a judicial remedy.

Safeguarding data processing

The competent authorities must take the necessary security measures to protect personal data against any unlawful form of processing. This includes accidental loss, alteration and unauthorised disclosure of, as well as access to, personal data. In particular, specific measures need to be taken with regard to the automated processing of data.

National supervisory authorities in Member States monitor and advise on the application of this framework decision. To that end, they are granted investigative powers, effective powers of intervention, as well as the power to pursue legal proceedings. For any infringements of the provisions of this framework decision, Member States must establish effective, proportionate and dissuasive penalties.

References

Act | Entry into force | Deadline for transposition in the Member States | Official Journal
Framework Decision 2008/977/JHA | 19.1.2009 | 27.11.2010 | OJ L 350 of 30.12.2008

Personal data protection: a new strategy

Outline of the Community (European Union) legislation about Personal data protection: a new strategy

Document or Initiative

Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions of 4 November 2010 – A comprehensive approach on personal data protection in the European Union [COM(2010) 609 final – Not published in the Official Journal].

Summary

Personal data comprises all information relating to an identified or identifiable person, either directly or indirectly.

This Communication proposes a new strategy for protecting personal data. It aims to revise the current legislative framework, specifically the Directive relating to the protection of personal data and the Directive relating to data protection in the electronic communications sector. As part of this revision, the Communication sets several objectives.

Objective 1: strengthening individuals’ rights

The right to personal data protection is a principle that follows from the Charter of Fundamental Rights of the European Union (EU). In order to protect this right, the European Commission wishes to develop a legal framework which takes into account the rapid growth of new technologies and social networks, in particular.

The Commission is considering introducing a general principle of transparent processing of personal data. To this end, it plans to draw up one or more EU standard forms of privacy information notices, and to implement a general obligation to notify personal data breaches.

It is also essential that individuals can exercise better control over their data, particularly when sending them online. To this end, the Commission wishes to improve the modalities for:

  • the right of access;
  • rectification;
  • erasure or blocking of data;
  • the ‘right to be forgotten’.

Objective 2: enhancing the internal market

There are currently divergences in how the Member States apply the Directive on the protection of personal data. The Commission therefore wishes to enhance the harmonisation of data protection rules at EU level.

Furthermore, still within the context of enhancing the internal market, the Commission also intends to reduce the administrative burden that data protection represents for enterprises. It therefore plans to harmonise the current notification system and to draw up a uniform EU-wide registration form. At the same time, certain modalities related to data processing must be more clearly defined through:

  • the appointment of an independent Data Protection Officer;
  • a data protection impact assessment;
  • promoting the use of Privacy Enhancing Technologies (PETs).

Objective 3: revising the data protection rules in the area of police and judicial cooperation

In the Stockholm Programme the Commission highlighted the need to have a comprehensive protection scheme. Currently, Framework Decision 2008/977/JHA establishes cooperation in criminal matters relating to personal data protection which applies only to the exchange of data between EU countries. The Commission is considering extending, in the future, the application of these rules to data exchanged at national level.

Objective 4: developing international data protection

Personal data from third countries can circulate through Member States if the Commission considers that the level of data protection guaranteed by a third country is adequate. However, the criteria which enable the level of protection to be determined have not yet been clearly defined. The current procedures for international data transfers therefore need to be defined, as do the legal instruments applicable in this field.

Furthermore, the Commission wishes to harmonise the clauses relating to personal data protection contained in the international agreements concluded by the EU with third countries. In this regard, the Commission plans to enhance its cooperation with third countries and follow up the development of international technical standards.

Objective 5: strengthening the institutional arrangement

The Commission wishes to strengthen the role and powers of the authorities responsible for data protection. They should benefit from the status of ‘complete independence’. It is also crucial that they improve their cooperation and coordination.

Furthermore, the Article 29 Working Party shall also contribute towards improving the activities of the national authorities by ensuring a more consistent application of the European data protection rules.

Context

A review of the current legal framework for data protection was launched during a conference in May 2009, followed by a public consultation. Following the consultation, the Commission shall present new legislative proposals in 2011.

This summary is for information only. It is not designed to interpret or replace the reference document, which remains the only binding legal text.

Protection of personal data

Outline of the Community (European Union) legislation about Protection of personal data

Document or Initiative

European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281 of 23.11.1995] [See amending acts].

Summary

This Directive applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non-automated filing systems (traditional paper files).

It does not apply to the processing of data:

  • by a natural person in the course of purely personal or household activities;
  • in the course of an activity which falls outside the scope of Community law, such as operations concerning public security, defence or State security.

The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful. The guidelines relate to:

  • the quality of the data: personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes. They must also be accurate and, where necessary, kept up to date;
  • the legitimacy of data processing: personal data may be processed only if the data subject has unambiguously given his/her consent or processing is necessary:
    1. for the performance of a contract to which the data subject is party; or
    2. for compliance with a legal obligation to which the controller is subject; or
    3. in order to protect the vital interests of the data subject; or
    4. for the performance of a task carried out in the public interest; or
    5. for the purposes of the legitimate interests pursued by the controller;
  • special categories of processing: it is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. This provision comes with certain qualifications concerning, for example, cases where processing is necessary to protect the vital interests of the data subject or for the purposes of preventive medicine and medical diagnosis;
  • information to be given to the data subject: the controller must provide the data subject from whom data are collected with certain information relating to himself/herself (the identity of the controller, the purposes of the processing, recipients of the data etc.);
  • the data subject’s right of access to data: every data subject should have the right to obtain from the controller:
    1. confirmation as to whether or not data relating to him/her are being processed and communication of the data undergoing processing;
    2. the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data, and the notification of these changes to third parties to whom the data have been disclosed;
  • exemptions and restrictions: the scope of the principles relating to the quality of the data, information to be given to the data subject, right of access and the publicising of processing may be restricted in order to safeguard aspects such as national security, defence, public security, the prosecution of criminal offences, an important economic or financial interest of a Member State or of the European Union or the protection of the data subject;
  • the right to object to the processing of data: the data subject should have the right to object, on legitimate grounds, to the processing of data relating to him/her. He/she should also have the right to object, on request and free of charge, to the processing of personal data that the controller anticipates being processed for the purposes of direct marketing. He/she should finally be informed before personal data are disclosed to third parties for the purposes of direct marketing, and be expressly offered the right to object to such disclosures;
  • the confidentiality and security of processing: any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller. In addition, the controller must implement appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access;
  • the notification of processing to a supervisory authority: the controller must notify the national supervisory authority before carrying out any processing operation. Prior checks to determine specific risks to the rights and freedoms of data subjects are to be carried out by the supervisory authority following receipt of the notification. Measures are to be taken to ensure that processing operations are publicised and the supervisory authorities must keep a register of the processing operations notified.

Every person shall have the right to a judicial remedy for any breach of the rights guaranteed to him/her by the national law applicable to the processing in question. In addition, any person who has suffered damage as a result of the unlawful processing of their personal data is entitled to receive compensation for the damage suffered.

Transfers of personal data from a Member State to a third country with an adequate level of protection are authorised. However, they may not be made to a third country which does not ensure this level of protection, except in the cases of the derogations listed.

The Directive aims to encourage the drawing up of national and Community codes of conduct intended to contribute to the proper implementation of the national and Community provisions.

Each Member State is to provide one or more independent public authorities responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to the Directive.

A Working Party on the Protection of Individuals with regard to the Processing of Personal Data is set up, composed of representatives of the national supervisory authorities, representatives of the supervisory authorities of the Community institutions and bodies, and a representative of the Commission.

References

Act | Entry into force | Deadline for transposition in the Member States | Official Journal
Directive 95/46/EC | 13.12.1995 | 24.10.1998 | OJ L 281 of 23.11.1995

Amending act(s) | Entry into force | Deadline for transposition in the Member States | Official Journal
Regulation (EC) No 1882/2003 | 20.11.2003 | | OJ L 284 of 31.10.2003

Successive amendments and corrections to Directive 95/46/EC have been incorporated in the basic text. This consolidated version is for reference purposes only.

Related Acts

IMPLEMENTATION REPORT

Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive [COM(2007) 87 final – Not published in the Official Journal].

This Communication examines the work done under the Work Programme for improved implementation of the Directive on data protection contained in the First report on the implementation of Directive 95/46/EC. The Commission highlights the fact that implementation has improved, as all Member States have now transposed the Directive. It emphasises that the Directive should not undergo any amendments at present.

It also notes that:

  • it will continue in its cooperation with the Member States and, if necessary, will launch official infringement proceedings;
  • it will prepare an interpretative communication regarding certain provisions in the Directive;
  • it will continue its implementation of the Work Programme;
  • it will present EU-level sectoral legislation if there are major technological developments in a specific area;
  • it will continue cooperating with its external partners, in particular the US.

Report from the Commission of 15 May 2003 [COM(2003) 265 final – Not published in the Official Journal]
First report on the implementation of the Data Protection Directive (95/46/EC)

The report takes stock of the consultations carried out by the Commission to evaluate Directive 95/46/EC with governments, institutions, business and consumer associations, and individual citizens. The results of the consultations show that few contributors advocated a revision of the Directive. Furthermore, after consulting the Member States, the Commission noted the fact that a majority of them and, also, of the national supervisory authorities, did not consider it necessary to amend the Directive at present.

Despite the delays and gaps in implementation, the Directive has fulfilled its principal objective of removing barriers to the free movement of personal data between the Member States. The Commission also believes that the objective of ensuring a high level of protection in the Community has been achieved since the Directive has set out some of the highest standards of data protection in the world.

Other Internal Market policy objectives have, however, been less well served. The divergences in data protection legislation are still too great between Member States, and these disparities prevent multinational organisations from developing pan-European policies on data protection. The Commission will therefore do what is required to remedy this situation whilst hoping, wherever possible, that it will not be necessary to proceed by way of formal action.

With regard to the general level of compliance with data protection law in the EU, there are three main problems:

  • an under-resourced enforcement effort;
  • very patchy compliance by data controllers;
  • an apparently low level of knowledge of their rights among data subjects, which may be at the root of the previous phenomenon.

In order to ensure the better implementation of the Data Protection Directive, the Commission has adopted a work programme comprising a number of actions which need to be taken between the adoption of this report and the end of 2004. These actions are made up of the following initiatives:

  • discussions with Member States and data protection authorities on the changes needed to bring national legislation fully in line with the requirements of the Directive;
  • association of the candidate countries with efforts to achieve a better and more uniform implementation of the Directive;
  • improving the notification of all legal acts transposing the Directive;
  • simplification of the conditions for international transfers of data;
  • promotion of privacy enhancing technologies;
  • promotion of self-regulation and European Codes of Conduct.

PRIVACY AND ELECTRONIC COMMUNICATIONS DIRECTIVE

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [Official Journal L 201 of 31.07.2002]

This Directive was adopted in 2002 at the same time as a new legislative framework designed to regulate the electronic communications sector. It contains provisions on a number of more or less sensitive topics, such as the Member States keeping connection data for the purposes of police surveillance (the retention of data), the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.

STANDARD CONTRACTUAL CLAUSES FOR THE TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries [Official Journal L 385 of 29.12.2004]

The European Commission has approved new standard contractual clauses which businesses can use to ensure adequate safeguards when personal data are transferred from the EU to third countries. These new clauses will be added to those which already exist under the Commission Decision of June 2001 (see below).

Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC [Official Journal L 181 of 04.07.2001]

This Decision sets out standard contractual clauses to ensure an adequate level of protection of personal data transferred from the EU to third countries. The Decision requires Member States to recognise that companies or bodies which use these standard clauses in contracts relating to the transfer of personal data to third countries ensure an “adequate level of protection” of the data.

PROTECTION OF DATA BY THE COMMUNITY INSTITUTIONS AND BODIES

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [Official Journal L 8 of 12.01.2001].

This Regulation aims at ensuring the protection of personal data within the institutions and bodies of the European Union. To this end:

  • it includes provisions which guarantee a high level of protection of personal data processed by the Community institutions and bodies; and
  • it provides for the establishment of an independent supervisory body to monitor the application of these provisions.