Transcript Data Protection and the Health Sector - Home - IIEA

Data Protection –
the Lisbon Effect
Billy Hawkes
Data Protection Commissioner
Institute of International and European
Affairs
Dublin, 17 September 2009
Presentation Outline
• Data Protection Now
• Data Protection under Lisbon
• Data Protection: Future Change
Treaties
• Article 286 EC Treaty


Community acts on the protection of individuals with regard to
the processing of personal data and the free movement of
such data shall apply to the institutions and bodies set up by,
or on the basis of, this Treaty.
independent supervisory body responsible for monitoring the
application of such Community acts to Community institutions
and bodies
• Article 30 (1) (b) EU Treaty

Processing of police data subject to appropriate provisions on
the protection of personal data
EU Charter of Fundamental
Rights: Article 8
• Protection of personal data
• 1. Everyone has the right to the protection of personal data
concerning him or her.
2. Such data must be processed fairly for specified purposes and
on the basis of the consent of the person concerned or some
other legitimate basis laid down by law. Everyone has the right of
access to data which has been collected concerning him or her,
and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an
independent authority.
EU Secondary Legislation
• Directive 95/46/EC Protection of Individuals
with regard to the Processing of Personal Data
and on the Free Movement of such Data
• Directive 2002/58/EC Privacy and Electronic
Communications
• Decision 2008/977/JHA Data Protection –
Police and Judicial Cooperation
• Specific Provisions in Title VI Bodies (Europol,
Eurojust etc)
EU & Irish Legislation
• Data Protection Directive
95/46/EC
• Electronic Privacy
Directive 2002/58/EC
• EUROPOL etc
• Police & Justice
Decision 2008/977/JHA
• Data Protection Acts
1988 & 2003
• EC Electronic Privacy
Regulations 2003 (SI
535/2003) and 2008
(SI 526/2008)
• Corresponding Acts
• (to be transposed)
Data Protection Now - Summary
• Limited recognition at Treaty level
• Article in Charter of Fundamental Rights
• Comprehensive “First Pillar” (Internal
Market) Regime
• Patchy “Third Pillar” (JHA) Protection
• Nothing for “Second Pillar” (CFSP)
Presentation Outline
• Data Protection Now
• Data Protection under Lisbon
• Data Protection: Future Change
Lisbon Treaty (1)
Article 16 Treaty on the Functioning of the Union
• 1. Everyone has the right to the protection of personal
data concerning them.
• 2. The European Parliament and the Council,
acting in accordance with the ordinary legislative
procedure, shall lay down the rules relating to the
protection of individuals with regard to the processing
of personal data by Union institutions, bodies, offices
and agencies, and by the Member States when
carrying out activities which fall within the scope of
Union law, and the rules relating to the free movement
of such data.
• Compliance with these rules shall be subject to the
control of independent authorities. …..
Lisbon Treaty(2)
Article 39 Treaty on European Union (CFSP)
• In accordance with Article 16 of the Treaty on the
Functioning of the European Union and by way of
derogation from paragraph 2 thereof, the Council
shall adopt a decision laying down the rules relating
to the protection of individuals with regard to the
processing of personal data by the Member States
when carrying out activities which fall within the scope
of this Chapter, and the rules relating to the free
movement of such data. Compliance with these rules
shall be subject to the control of independent
authorities.
Lisbon Treaty(3)
Declaration 20. Declaration on Article 16 of the
Treaty on the Functioning of the European Union
• The Conference declares that, whenever rules on
protection of personal data to be adopted on the basis
of Article 16 could have direct implications for
national security, due account will have to be taken
of the specific characteristics of the matter. It recalls
that the legislation presently applicable (see in
particular Directive 95/46/EC) includes specific
derogations in this regard.
Lisbon Treaty(4)
Declaration 21. Declaration on the protection of
personal data in the fields of judicial
cooperation in criminal matters and police
cooperation
• The Conference acknowledges that specific rules on
the protection of personal data and the free movement
of such data in the fields of judicial cooperation in
criminal matters and police cooperation based on
Article 16 of the Treaty on the Functioning of the
European Union may prove necessary because of the
specific nature of these fields.
Lisbon Treaty(5)
Protocol 21 On the position of the United
Kingdom and Ireland in respect of the Area of
Freedom, Security and Justice (Article 6a )
• The United Kingdom and Ireland shall not be bound by
the rules laid down on the basis of Article 16 of the
Treaty on the Functioning of the European Union which
relate to the processing of personal data by the
Member States when carrying out activities which fall
within the scope of Chapter 4 or Chapter 5 of Title V of
Part Three of that Treaty where the United Kingdom
and Ireland are not bound by the rules governing the
forms of judicial cooperation in criminal matters or
police cooperation which require compliance with the
provisions laid down on the basis of Article 16.
Data Protection post-Lisbon:
Summary
• Treaty Status (Article 16)
• Charter of Fundamental Rights (Article 8)
• Applicable across all areas of EU activity
Presentation Outline
• Data Protection Now
• Data Protection under Lisbon
• Data Protection: Future Change
Drivers of Change
• Growth of Personal Data holdings
• International Data Flows increasing exponentially


Chains of processing – “cloud” computing
Remote access to personal data via Internet
• Data Breaches/Data Security
• State use of Personal Data


Sharing for efficiency
“Surveillance Society”
• Public Opinion
Change Happening: Data
Security
• Consensus on need for Action


More Data Breach Reports
Public Pressure for action
• Department of Finance Guidelines for Public Service
• Working Group on possible need for change in Irish
Legislation
• Data Breach reporting obligation in new EU ePrivacy
Directive

Commitment to broader EU measure?
Change Happening:
International Data Transfers
• Simplified Model Contract for transfer from EU
Data Controller to non-EU Data Processor
(imminent)
• EU Binding Corporate Rules

Permit transfers within multinational group from EU
to non-EU subsidiaries
• Accountability key underlying concept


New Guidelines
Mutual Recognition
• Once a DPA has approved a BCR, the majority of other EU
DPAs will automatically approve it
Change Happening: Ireland
• More emphasis on enforcement of data
protection law


Successful prosecutions for “Spam”
Greater use of audit powers (including “dawn raids”
where necessary)
• Focus on “big picture” as well as individual
complaints
“Stockholm Programme”
• EU Commission Communication “An area of
Freedom, Security and Justice serving the
Citizen” (June 09)


The Union must establish a comprehensive
personal data protection scheme covering all
areas of EU competence
The Union must be a driving force behind the
development and promotion of international
standards for personal data protection and in
the conclusion of appropriate bilateral or multilateral
instruments. (Work with USA quoted approvingly)
Future Change: EU Legal
Framework
• Study commissioned by UK Information Commissioner
(“Rand Report”) discussed By European DPAs in April
09

Study acknowledged strengths of EU system but declared it
“not fit for purpose”
• EU Commission Data Protection Conference, May 2009
• Public Consultation on the legal framework for the
protection of the fundamental right for the protection
of personal data – launched July, finishes December
09
• Revised horizontal Directive 2012?
Future Change: Towards
International DP Standards?
• EU: Making Binding Corporate Rules work; more
“adequacy” decisions?
• APEC (Asia-Pacific): Privacy Principles, Pathfinder
• ISO: New draft Privacy Standard
• International DP Conference: Draft Standards
to be approved at November (Madrid) Conference
• Private Sector: IAPP (certification/training);
“Accountability” Project
Future Change: Some Issues
• Accountability of Organisations

Challenge of responsible data handling rather than
compliance with prescriptive rules?
• Data Protection and new Technologies
• Data Protection and State activity
• Role of Data Protection Authorities


Being selective to be effective
More effective enforcement
Thank You
Further Guidance
• www.dataprotection.ie
• Data Protection Commissioner, Canal House,
Station Road, Portarlington, Co Laois
Tel. 1890-252231 (Lo-call), 057-8684800