Implementation of Personal Data Protection Strategy
Kick-off Event Expert Workshop
Presentation by Christof Tschohl, Legal Researcher, Ludwig Boltzmann Institute of Human Rights (BIM), Austria
The Bridge between Technique and Law in Data Protection Matters
Data Protection and modern Information Technology
The idea of Data Protection is not new! No mere creation of modern information society and information technology
‣ Since the idea of a liberal society and freedom of citizens broke through
‣ The first European Constitutions more than 150 years ago (common history)
‣ Sanctity of the Home and Secrecy of Letters mandatory: based in law and just due to a judicial decree
New is the increasing dimension of the possible interference due to technology
‣ Use of modern technology is widespread and standard in modern society
‣ Improvement for the flow of information and therefore the democratic capacity
‣ But also bears a huge potential of control over citizens and society
EU Acquis contains both – Protection and Invasion for Privacy
‣ States' Margin of Appreciation within transformation – especially technical details
Legislation and the determination of technical means
Legislation necessarily has to cover a wide range of possible circumstances
‣ Thus it has to be more cursory and can hardly catch every detailed question
‣ Law must be clear enough to determine what is allowed or not
‣ At the same time sufficient range for the Single European Market
‣ Private Autonomy / Technology Neutrality / Free Flow of Information
The (nearly) boundless possibilities of technology vs. necessity of lawful limitations
‣ Technical development concentrates first on increasing the possibilities and reducing the limitations
‣ “what is allowed is up to the management and the lawyers”
‣ Technical solutions necessarily have to deal with all details
‣ “it must not be understood by everyone, it just must work”
EU Acquis contains both – Protection and Threats for the information society
‣ States' Margin of Appreciation – especially in technical details
Similarities of the Disciplines Technique and Law
Both need to determine in substance the purpose and the scope of the “Application”
Technique is often just the “vehicle” to transpose the law
Both need to define the organisational environment and the procedures
Technique often just effects the procedural decisions of law or management
Both need to anticipate the non-conformance-scenarios
Necessary to define the process if it doesn’t work like it should
Finally both need to serve the Humans, and not the other way around!
The “Bridging”-Necessity and the Intersection Points
Not every technique-relevant norm must contain detailed technical determination
‣ Just as technology does not need to stick to legislative requirements everywhere
‣ We need to identify the “entry points” where technology must be limited
‣ to keep the basic rule-of-law principle effective
Legislation needs to understand the level of interference due to technology
‣ Means some kind of “Risk Assessment” on a more abstract level
‣ Where specific risks are identified: necessity for a clear determination of the purposes which have to be accomplished by technical means
‣ No blanket delegation of the technical transposition
Example of a “Bridge-Norm” in Montenegrin PDPA
Article 7 para 2 PDPA:
“(…) If the processing of personal data is carried out by electronic means, the personal data filing system controller must ensure that the information system automatically records the recipients of personal data, data which were processed, legal grounds for the use of personal data, time of logging on to the system and time of logging out of the system.”
Very modern and highly interesting approach!
‣ Technical terms likely need to be specified by law or regulation
‣ “carried out by electronic means”:
‣ Is hereof covered e.g. every which contains personal information?
‣ “information system automatically records”:
‣ Has the recording system to ensure on a technical level that this logging cannot be altered (revision security)?
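As an added illustration (not part of the original presentation), the sketch below shows one technical reading of "revision security" for the records Article 7 para 2 lists: each entry is chained to its predecessor by a hash, so a later edit or truncation becomes detectable. The field names, sample records and function names are assumptions made for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed start of the chain
# Fields listed in Article 7 para 2 PDPA; the key names are assumptions.
REQUIRED = ("recipient", "data_processed", "legal_grounds", "login_time", "logout_time")

def _digest(prev_hash, record):
    # Canonical JSON so an identical record always yields the same hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_entry(log, record):
    """Append one access record and return the new head hash."""
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": dict(record), "prev": prev_hash,
                "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]  # keep a copy outside the logging system

def verify_chain(log, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    # Only an externally stored head reveals truncation or a full rewrite.
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None

def demo():
    """Run the checks on constructed sample records (not real data)."""
    base = {"legal_grounds": "statutory duty (placeholder)",
            "login_time": "2012-03-01T09:00:00Z", "logout_time": "2012-03-01T09:12:00Z"}
    log = []
    append_entry(log, dict(base, recipient="clerk-17", data_processed="address of subject A"))
    head = append_entry(log, dict(base, recipient="clerk-22", data_processed="income of subject B"))
    intact = verify_chain(log, head)
    truncated = verify_chain(log[:1], head)   # last entry silently dropped
    log[0]["record"]["recipient"] = "nobody"  # after-the-fact edit
    tampered = verify_chain(log, head)
    return intact, truncated, tampered

if __name__ == "__main__":
    print(demo())
```

A hash chain makes alteration detectable rather than impossible, and only as long as the head hash is held by a party who cannot write to the log.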
Possible Ways to build the Bridge
Already in the process of legislation there should be sound communication between Lawyers and Engineers
By forming working groups which should seek a good balance between people from both disciplines
Working groups need sufficient time and occasions for understanding each other
Stakeholders often first need to launch their interests; only workgroups on a regular basis give enough room for understanding the “cracking points”
Achievements of such “Translation Work” should be documented and available
For the following practice as well as further developments
Sustainability
Q & A
Thank you for your attention! I am looking forward to your questions!
Component I: Harmonization of legislation with EU Data Protection standards
Analysis of domestic Legislation regarding Personal Data
Identifying regulations to be adjusted
Action plan and formation of working groups
Analysis of compliance with EU Acquis
Register of filing systems and controllers
Further Harmonization
Component II: Training on Data Protection
Linked to Component I: Activities
Manuals
Revision of professional training plan
Manuals for filing system controllers and citizens (Component I)
Training for state authorities
Training for public institutions
Training for private sector