Data Protection Principles as Basic Foundation for Data Protection in EU/EEA Introduction to Data Protection Theory Seminar - AFIN Stephen K. Karanja

Protection of Personal Data in EU and EEA Main Data Protection Laws –OECD guidelines on protection of privacy and transborder flows of personal data –Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) of 1981 –EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data –National data protection laws. »Norwegian Personal Data Act (PDA) 2000

What are Data protection Principles? Abstractions from rules Good practices Safeguards –ECHR & case law Normative force Balancing Interests Influence new data protection laws Principles and Interests (Norwegian interest theory)

Basic Principles Fairly and Lawful Minimality Purpose Specification Data Quality Data Security Sensitivity Individual Participation –Constellation of rights Anonymity –Requirement for technological and organisational measures –Pseudonames Fully Automatic Decision Making Art. 15 Directive

Fairly and Lawful Principle Art. 6 (1)(a) Directive & §11(a) PDA personal data must be processed fairly and lawfully Most important principle What does Fairly Mean? –Conform to laid down rules and procedures –Sensitive and take account of data subjects interests and reasonable expectations – proportionality and balance –Transparency – not secret – no deception What does Lawful Mean? –Legality principle– permitted by law or authorised –Done with lawful justification or excuse (legitimate) - Article 7 Directive & §8 & 9 PDA –Article 8(2) ECHR & case law –Transparency Applies also to establishment of information systems

Minimality Principle Art. 6(1)(e) & § 28 PDA Necessary – personal data collected should be limited to what is necessary to achieve the purposes for which the data are gathered and further processed What is necessary? –Art. 7 & 8 Directive –§8 & 9 PDA –Art. 8 (2) ECHR case law – “a pressing social need” i.e. proportionate to the legitimate aim pursued. Incal v. Turkey (1998) 29 EHRR 449 §57 –SAS Braathens request for taking passenger’s fingerprints Non-excessiveness, proportionality (to the purpose) Art. 6 (1)(c) Directive & § 11(d) PDA Data erasure and anonymity § 11(e), 27 & 28 PDA

Purpose Specification Principle Art. 6(1)(b) Directive & §11(b) PDA Personal data shall be processed for specified, lawful/legitimate purposes and not processed in ways that are incompatible with those purposes. –Specified, defined or stated purpose –Lawful/legitimate purpose - proportionality –Further processing not incompatible with original purpose –Transparency Entails also acceptance by society

Data Quality Personal data should be valid with respect to what they are intended to describe, and relevant and complete with respect to the purpose for which they are intended to be processed. - Art. 6 (1)(c)(d) Directive & §11(d)(e) PDA Adequacy –Relevancy –Non-excessiveness Accuracy –Up to datedness –Completeness –Rectification (supplement) and erasure or blocking Data Controller should establish measures to ensure data quality

Data Security Ensure that data are not destroyed accidentally and not subject to unauthorised access, alteration, destruction or disclosure - Art. 17 Directive & § 13 PDA –Implement appropriate technical and organisational measures –Securing technical equipment and networks –Contracts where processing is carried out on behalf of the controller Accessibility

Sensitivity Principle Limits the processing of certain types of data which are regarded as especially sensitive for data subject and requires specific safeguards as compared with other personal data - Art. 8 Directive & § 9 PDA What is sensitive data? –Art. 8 (1) Directive & § 2 (8) PDA – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life. –Data relating to criminal act – a person has been suspected of, charged with, indicted or convicted of a criminal act. Exemptions –Art. 8 (2) Directive & § 9 PDA Personal Identity Numbers or other identification numbers or identifier of general application –§ 12 PDA – can only be used where objective need for certain identification and necessary to achieve such identification –Data Inspectorate may require the use of PIN in order to ensure that the personal data are of adequate quality. (Privacy Enhancing Technology)

Individual Participation A set of data subject’s rights. The rights are designed to enable data subjects to have a degree of control and participate in the processing of their personal data Balance of power Self-determination or individual control principle The rights –Right of access Art. 12 Directive & § 18 PDA –Right to rectification, erasure and blocking –Right to information regarding automated decisions ( Art. 15 Directive & § 22 PDA) –Right to object Art. 14 Directive »Adversary affect the data subject »Direct marketing –Obligation to notify or provide information »When data are collected from the data subject »When data are collected from other persons »In connection to with the use of personal profiles § 21 PDA –Right to demand manual processing § 25 PDA

Exemptions Rights are not always absolute. Exemptions allow processing of personal data where State or societal interests may override individual interests i.e. protection of fundamental values in a democratic society Mitigate conflict or balance competing interests General exceptions –Art. 3(2) –Art. 9 Directive –Art. 13 Directive & § 22 PDA »Limitations – provided for by legislative measure and must be necessary. Specific exceptions –Sensitive data

Conclusion The Principles dealt with here are the most fundamental but not all. They are not all reflected in all national laws. There are differences and emphasis. New principles may arise with the advancement of technology.