Data Protection 2.0: The proposal for a General Data Protection Regulation
Bart van der Sloot
Overview
(1) Privacy and Data Protection
(2) Data Protection 1.0
(3) Data Protection 2.0
(4) Theses
(1) Privacy and Data Protection: Charter of Fundamental Rights of the European Union
Article 7 – Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8 – Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
(1) Privacy and data protection compared
- Domain: privacy primarily regards the private sphere; data protection regards both the private and the public sphere.
- Relations: privacy primarily regards vertical relationships (citizen – state); data protection primarily regards horizontal relationships (citizen – business).
- Background: privacy arose with the rise of nation states; data protection with technological developments.
- Character: privacy is about control on the use of power and duties of care. Or…
(2) Data Protection 1.0
Data Protection Directive (EU) > Wet bescherming persoonsgegevens (Personal Data Protection Act, NL)
- No specific duties, but general standards of care
- Data collection, use and processing should be necessary and proportionate, and should have a clear and legitimate goal
- Technical and organisational measures
- Personal data should be correct, complete and up to date
(2) Data Protection 1.0
Only three marginal ‘subjective rights’:
- Right of access
- Transparency duty
- Right to rectification if data are not processed according to the data protection rules
- Right to object: at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him
- Automated individual decisions: a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him
(2) Data Protection 1.0
- Only a marginal role for the supervisory authority
- Limited possibilities for remedies, liability and sanctions
- Notification requirement is mostly ignored
- Sector-specific codes of conduct are very few and far between
- The European assembly of national supervisory authorities (CBP’s), the Article 29 Working Party, may only adopt non-binding advisory opinions
(3) Data Protection 2.0 – General Data Protection Regulation
Duties
- Accountability duty (documentation, risk assessments, data protection officer, privacy by design / by default)
- Reversal of the burden of proof for consent
- Verification duty for consent of children
(3) Data Protection 2.0
Rights
- Data portability
- Right to be forgotten
- Protection against profiling
(3) Data Protection 2.0
Enforcement
- Harmonization of the rules: Regulation, Commission, Working Party 29
- Harmonization of enforcement: one-stop shop
- Sanctions and liability widened
(4) Theses
- Companies are resourceful and technological developments rapidly succeed each other: specific rights and obligations will quickly become obsolete.
- Requiring citizens to protect their own personal data (through the use of their subjective rights) is unrealistic.
- Governmental authorities should not interfere in the freedom of contract between citizens and businesses.