Requirements on new data protection regulations and current changing needs from the view of the EDPS 10/11/2015, Berlin Wojciech Wiewiórowski ISSE 2015. Making Europe a safer place to do business
M. Narojek for GIODO 2011
EDPS
The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. A number of specific duties of the EDPS are laid down in Regulation 45/2001. The three main fields of work are:
- Supervisory tasks
- Consultative tasks: advising the EU legislator on proposals for new legislation as well as on implementing measures. Technical advances, notably in the IT sector, with an impact on data protection are monitored.
- Cooperative tasks: working in close collaboration with national data protection authorities (Article 29 Working Party)
The role of the European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the processing of personal data by the EU administration.
- Privacy and data protection are fundamental rights: see Articles 7 and 8 of the Charter of Fundamental Rights.
- Independent supervision is an integral part of the right to data protection: see Article 16(2) TFEU and Article 8(3) of the Charter.
What we do:
- monitoring and verifying compliance with Regulation (EC) 45/2001
- giving advice to controllers
- advising the co-legislators on new legislation
- cooperating with Member States' DPAs
- handling complaints, conducting inspections
- monitoring technological developments
- promoting data protection aware design and development
Our objectives
I. Data protection goes digital
II. Forging global partnerships
III. Opening a new chapter for EU data protection
Reform of Data Protection Law in the European Union
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), OJ 1995 L 281
Reform of Data Protection Law in the European Union
Communication from the Commission to the European Parliament and the Council - A comprehensive approach on personal data protection in the European Union
Reform of Data Protection Law in the European Union
Reform of Data Protection Law in the European Union
COM(2012) 11/4 draft: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Reform of Data Protection Law in the European Union
COM(2012) 10 final, 2012/0010 (COD): Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data
Reform of Data Protection Law in the European Union
Council: DAPIX Group - Working Party on Information Exchange and Data Protection
- Member States represented by governments: Minister (usually Justice or Interior, but in PL Digitisation)
- Experts: some governments invite the Data Protection Authority
- Instruction: Council of Ministers
Reform of Data Protection Law in the European Union
European Parliament
The European Parliament voted the draft in plenary with 621 votes in favour, 10 against and 22 abstentions for the Regulation, and 371 votes in favour, 276 against and 30 abstentions for the Directive.
"The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible. Europe's directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens," said Vice-President Viviane Reding, the EU's Justice Commissioner. "Data Protection is made in Europe. Strong data protection rules must be Europe's trade mark. Following the U.S. data spying scandals, data protection is more than ever a competitive advantage. I want to thank Mr Albrecht and Mr Droutsas for their committed and tireless work on the data protection reform. Today's vote is the strongest signal that it is time to deliver this reform for our citizens and our businesses."
Reform of Data Protection Law in the European Union
Trilogue: discussion on the final text by Council, Parliament and Commission
Reform of Data Protection Law in the European Union
Norms derived from European law can be:
- directly binding
- directly applicable
- directly effective (vertically and/or horizontally)
Reform of Data Protection Law in the European Union
1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorised reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Adequacy
- Suitability: is the measure suitable and adequate to the purposes to be achieved?
- Necessity: is it necessary to use this kind of intervention in order to achieve the goal?
- Non-excessiveness (proportionality sensu stricto): is the measure not too intrusive?
More on adequacy and consent: L. A. Bygrave, D. W. Schartum, "Consent, Proportionality and Collective Power", in: S. Gutwirth, Y. Poullet, P. De Hert, C. de Terwangne, S. Nouwt (eds.), Reinventing Data Protection?, Springer 2009, p. 157
Big Data = Big Responsibility
Ethics
While the law is a powerful element, it cannot address the many nuanced scenarios that arise in the digital market. The EDPS calls upon organisations to be accountable and to take a new ethical approach to handling the personal data they collect. By developing internal codes and policies which safeguard human dignity, organisations can self-police, ensure their compliance with data protection laws and demonstrate respect for the persons whose personal data they use. Just because an organisation can piece together a customer's life from their data trail does not mean it always should.
Privacy by Design
Privacy by Design and Accountability: more robust anonymisation techniques will not, by themselves, solve the challenges Big Data presents to privacy. Additional solutions are needed, and Privacy by Design and accountability are important to help alleviate the privacy challenges. Use of Big Data technologies should be based on the seven principles of Privacy by Design. Privacy by Design entails taking protection of privacy into account at all stages of system development, in procedures and in business practices.
Thank you for your attention! www.edps.europa.eu edps@edps.europa.eu @EU_EDPS
International co-operation of data protection authorities (DPAs)
The IPEN initiative was founded in 2014. It supports the creation of engineer groups working on (re)usable building blocks, design patterns and other tools for selected Internet use cases where privacy is at stake. IPEN invites participants from different areas such as data protection authorities, academia, open source and business development, and other individuals who are committed to finding engineering solutions to privacy challenges. The objective of the work is to integrate data protection and privacy into all phases of the development process, from the requirements phase to production, in whatever way is most appropriate for the development model and the application environment.
It supports networking between engineer groups and existing initiatives for engineering privacy into the Internet. This network facilitates exchange in order to coordinate work and avoid duplication, in addition to discussing which privacy-oriented use cases should be addressed with priority. IPEN is building a repository of relevant resources, making its findings and knowledge base accessible to all participants, developers and privacy experts. A core group takes care of the collection and distribution of information, liaises with other relevant initiatives, facilitates the dialogue on engineering solutions, and organises online and offline events.