
Transcript of PowerPoint presentation

Data Protection
Electronic Communications
Paul Van den Bulck
Lawyer at the Brussels Bar
Lecturer at the University of Strasbourg
Assistant at the University of Brussels
23 March 2004
[email protected]
Introduction & Overview
European Framework Data Protection
Directive 95/46 on protection of personal data
Particular: Directive 2002/58 on privacy and electronic communication
General & sector specific regulations
General: Directive 95/46
 Protection of personal data
 General data protection
 Online and offline
 Public & private networks
Specific: Directive 2002/58
 Privacy & electronic communication service
 Specific obligations (e.g., cookies, spam)
 Public networks
1. General Protection: Directive 95/46
9 Principles of Data protection
 Sensitive data: Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Privacy Policy
 Collection of information
 Delivery of information
Processing of personal data
 Personal data: information concerning a data subject (an identifiable natural person, identified directly or indirectly). IP address? [email protected]? Legal entity: SME?
 Processing: operation performed upon personal data. In the EU? Quid question on Israël?
 Controller (EIC) or third party
Data Protection Principles
Data must be:
fairly and lawfully processed;
processed for specified, detailed and legitimate purposes;
adequate, relevant and not excessive;
not kept longer than necessary;
processed in accordance with the data subject's rights;
secure and remain confidential;
not transferred to countries without adequate protection (outside
Processing activities « must » be notified to the supervisory
Case study 1: Privacy Policy
Legally required?
The name and address of the controller and processor (contract)
Purposes of the processing activity
The kind of data processed: « sensitive data »
The means to collect and process data (cf. cookies)
Inform the data subject on his/her rights and the way he/she can exercise them
The technical and organizational measures adopted to ensure the secure and confidential character
Reference to general information on data protection legislation, e.g., FAQ, or the contact details of the privacy officer ([email protected])
Case Study 2: collection of information
Processing « shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc. »
Means of collection:
 Data subject is aware, e.g., webform
 Data subject is not aware, e.g., spyware
Case Study 3: disclosure of personal data
Broad and open notion of « processing » includes « disclosure by transmission, dissemination or otherwise making available »
Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details
Lindqvist case (Sweden, European Court of Justice, 2003)
2. Sector Specific regulation
Directive 2002/58/EC on privacy and electronic communications
One of the Directives of the new « Telecom Package »
Update of Directive 97/66 on privacy and
Articulation with general framework
Sector Specific regulation
« This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. »
 Public networks: no private or corporate networks
 « Individual » communication: no broadcasting
Scope is not always very clear & distinction sometimes too academic.
Also: protection of the legitimate interests of subscribers who are legal persons (SME).
Sector specific regulation
Contents: clarification of some principles
Cookies, spy ware
Security and confidentiality
Traffic & location data
Directories of subscribers, e.g., yellow pages
Sector Specific regulation
Pragmatic Approach and articulation:
Directive 95/46 applies to all networks
Obligations imposed by Directive 2002/58/EC, “covered” by Directive 95/46/EC
Example: traffic data:
 Directive 2002/58 (art. 6): « … subscribers … must be erased or made anonymous when it is no longer needed for the purpose of … »
 Directive 95/46 (art. 6(e)): « kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. »
I am the manager of a Belgian EIC and, to facilitate navigation on my site, I am considering installing a cookie on the PCs of visitors. This way, I can display my site in the official language of their place of establishment (SME) or residence (German, Dutch, French).
« However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions.
Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment (recital 25 of Directive 2002/58/EC) »