Data Protection and the Internet – New Challenges The reform of the data protection legal framework – current developments Roberto Lattanzi Italian Data.

Presentation transcript:

Data Protection and the Internet – New Challenges The reform of the data protection legal framework – current developments Roberto Lattanzi Italian Data Protection Authority

COM(2012) 11. Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR). Repealing Directive 95/46/EC.

COM(2012) 10. Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. Repealing Framework Decision 977/2008/JHA.

Why a reform of the data protection legal framework?
- Update the legal framework to the techno-scientific changes and developments, ensuring its effectiveness (internet – ECJ Case C-101/01 Bodil Lindqvist; biometric and genetic data)
- Lack of full harmonisation among the EU Member States (potentially) hampering the development of the single (efficient) market: need to reduce fragmentation and administrative burdens (e.g. notification)
- Lisbon Treaty: data protection as a fundamental right in all EU policy fields (also in the context of law enforcement)

The state of the art – COD – Ordinary legislative procedure (ex-codecision procedure) – The (draft) Regulation

[Flowchart of the ordinary legislative procedure. Box labels: EC Proposal; 1st reading EP; 1st reading Council; Working Party on Information Exchange and Data Protection (DAPIX); LIBE Committee – amendments; Council position on EP amendments; Council agrees on EP amendments – Act is adopted; 3rd reading and conciliation procedure; Adoption; 2nd reading EP; Opinions (mandatory): EESC / CoR; Amendments; Council's position; 2nd reading Council; Rejection – Act is not adopted; Opinions (optional): EDPS, Art. 29 WG. Timeline labels: January 2012; February 2013; June 2013; December 2013; EP; EU Council.]

WP Art. 29
- Opinion 01/2012 on the data protection reform proposals – WP 191
- Opinion 08/2012 providing further input on the data protection reform discussions – WP 199
- Working Document 01/ Input on the proposed implementing acts – WP 200
- See also Opinion 04/2012 on Cookie Consent Exemption – WP 194, and Opinion 05/2012 on Cloud Computing – WP 196

EDPS
- Opinion of 7 March 2012 on the data protection reform package
- Additional EDPS Comments of 15 March 2013 on the Data Protection Reform Package
- See also Opinion of 16 November 2012 on the Commission's Communication on "Unleashing the potential of Cloud Computing in Europe"

Main innovations (1)
- Extension of the scope of EU data protection law (Art. 3): EU law is applicable to controllers established in third countries (also) when offering goods and services to individuals in the EU or monitoring their behaviour (extension clearly related to the “internet reality”)
- New definitions (among others, genetic data, biometric data, personal data breach, main establishment, group of undertakings, binding corporate rules) & additions to existing definitions in Directive 95/46 (Art. 4)
- Confirmation of the well-established data protection principles and their fine tuning: privacy by design and by default (art. 22, art. 23), data minimisation principle and personal data breach notification (art. 31 and 32)
- «Old» and «new» rights of the data subject: the right to oblivion (Art. 11 ff. – Right to be forgotten and to erasure, art. 17: also on the Internet) and the right to data portability (Art. 18)

Main innovations (2)

Data controller accountability tools:
- (Mandatory v. optional) «Data Protection Officer» (art. 35 ff.), where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects
- Centralised approach to data protection and privacy (mainly relying on DPAs) vs. decentralised approach (mainly relying on the DPO spreading awareness and knowledge among private or public companies). The GDPR is going towards an integrated approach
- DPO as data protection expert (within the data controller, DC), (first) contact point within the DC for data subjects (e.g. in case of complaint handling) and “bridge” between the DC and the DPA (consulting and cooperating with the competent DPA). A tool to ensure, in an independent manner (functional autonomy), the internal application of the national provisions
- DPO’s tasks in 3 steps: a) AUDIT; b) DIAGNOSTIC (legal analysis and evaluation of the data processing); c) internal RECOMMENDATIONS/PRESCRIPTIONS
- Data Protection Impact Assessment (art. 33 ff.)

Main innovations (3)
- DPAs (art ) – Independence (see ECJ Case C-518/07 Commission v. Germany; ECJ (Grand Chamber), 16 October 2012 (Case C-614/10) Commission v. Austria), functions, powers, resources; one-stop-shop principle (art. 51)
- Cooperation among DPAs (mutual assistance – art. 55; joint operations of supervisory authorities, such as joint investigative tasks, joint enforcement measures and other joint operations – art. 56 and Consistency mechanism: BCR, CCS)
- Sanctions: European administrative sanctions – up to EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover (art. 78 ff.)

Main criticalities (1)

The so-called «horizontal» issues:
- Choice of the legal instrument: regulation v. directive (problem solved or open issue?)
- (Effective) enforceability
- Executing and delegated acts & EC powers (also «veto»)
- Administrative burdens → risk based approach (?) SMEs. “During the discussion, there was a large consensus that in order to reduce the administrative burden and more generally the compliance costs on companies, a more risk-based approach should be followed. In this sense, the Council instructed the competent preparatory bodies to continue to work on concrete proposals to implement a strengthened risk-based approach in the text of the draft regulation” (3207th Council of the EU meeting, Justice and Home Affairs, Brussels, 6 and 7 December 2012).
- «Flexibility» for the public sector (room for a new fragmentation?)

Main criticalities (2)
- (Possible) lack of harmonisation due to the lawfulness principle or concerning given (wide) sectors, e.g. the «workplace privacy» issue: Article 82 (1) gives Member States the possibility to “adopt by law specific rules regulating the processing of employees' personal data in the employment context” (see Protection of Personal Data in Work-related Relations, STUDY, LIBE, 2013, 66 ff.: “patchwork of national rules.”)
- Scope of application of the GDPR (anonymous data, pseudonymous data, which remain personal data; personal or household activity; need of clarification of the notion of “main establishment” to reduce risk of abuses and ensure that the concept of a “one stop-shop” for companies is effective)
- “uncertainty as regards rights and obligation in borderline issues, for instance where commercial data is accessed by law enforcement authorities for law enforcement purposes and transfers between authorities that are responsible for law enforcement and those that are not” (Albrecht report).
- DPAs & EDPB: (financial, technical and human) resources for DPAs; cooperation among DPAs (e.g. cross border investigation, standardised procedural rules)
- Coordination among DPAs (e.g. conducting joint actions) and with the EDPB, preserving at the same time (all involved) DPAs’ independence (lead DPA): need to address the case of possible divergences between DPAs and/or the EDPB

European Commission – Justice – Data Protection page: protection/index_en.htm

- For the Irish Presidency (and the Council) no single part of the Regulation can be considered agreed until the text of the whole Regulation is agreed (May 31, 2013, the Justice and Home Affairs Council of the European Union)
- Vote postponed at the LIBE Committee
- Risk of a race to the bottom, notwithstanding the (declared) preservation of the existing protection level & guarantees
- More tasks to the DPAs? For sure, and an increased need of cooperation/coordination between them → the European Data Protection Board in search of a role (up to now: Art. 29 Working Party)
- Applicable law and judicial redress
- Impact on the national legislation of the field: two / three years for implementing measures, if necessary

Many thanks!