Privacy management in the computerization of the

E-commerce and Personal Data Protection
according to EU and Italian
Laws and Regulations
Giorgio Corno
Avvocato - Solicitor
IBLS GLOBAL E-COMMERCE SUMMIT 2006
Costa Mesa - California (USA),
March 16 – 17, 2006
Aim of this presentation
Description of EU regulations concerning
• protection of natural and legal persons with regard to
personal data processing, as well as
• free movement of data on the Internet
Reference shall also be made to the Italian acts which
transposed the EU Acts
Part I
Right to privacy
Fundamental Rights and Freedoms
• Rights of personal status:
– inviolable
– absolute (protected erga omnes)
– cannot be waived
– indefeasibility
• Protected either by criminal or civil
regulations
Right to privacy
• Among the rights of a personal status, right to:
– privacy, as right to be let alone
– personal identity
– personal data protection
• Right to privacy concerns the intimacy of private and family life
against other people’s interferences
• It differs from protection of honor, dignity, reputation and image
• It has to be balanced with the right of information of the community (where
there is a leading public interest)
Information and personal data
Information = economic and strategic relevance
Information includes personal data
Relevance of personal data processing
Need for a high level of protection for:
a) fundamental rights and freedoms, as well as for
dignity, particularly with regard to confidentiality,
personal identity;
b) right to personal data protection
International laws and regulations
– Article 12 of the Universal Declaration of Human Rights of
10 December 1948;
– Article 17 of the International Covenant on Civil and
Political Rights of 16 December 1966;
– Article 8 of the Convention for the Protection of Human
Rights and Fundamental Freedoms of 4 November 1950;
– Convention for the protection of individuals with regard to
automatic processing of personal data of 28 January 1981
and recommendations adopted by the Council of Europe
– Enforcement of the Convention of Schengen Agreement
dated 14 June 1985 for the gradual abolition of controls at
the common frontiers (paragraphs n. 126 - 130)
European laws and regulations
– Treaty establishing a Constitution for Europe, par. II – 68 (2004);
– Treaty Of Nice Amending The Treaty On European Union, The
Treaties Establishing The European Communities And Certain Related
Acts (2001/C 80/01 ), par. 7-8;
– Treaty of European Union: article 6 (respect for human rights and
fundamental freedoms in the EU)
– EC Treaty: Article 286
– European Convention on Human Rights and Fundamental Freedoms:
• Articles 7 (respect for private and family life) and
• 8 (protection of personal data)
– Council of Europe Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data
European Union Directives
• Directive n.95/46/EC of the European Parliament and of the
Council of 24 October 1995 (“General Directive”) concerns
the processing of personal data and the free movement of such
data within the Community
• Directive 97/66/EC of the European Parliament and of the
Council of 15 December 1997 concerning specific rules for
processing of personal data and the protection of privacy in the
telecommunications sector.
• Directive n. 2002/58/EC of 12 July 2002, on the
processing of personal data and the protection of private life in
the electronic communication sector (“E-Privacy Directive”):
It repealed Directive 97/66/EC
Italian Data Protection Laws and Regulations
A) Primary sources
– Law n. 675 dated 31 December 1996, effective since 8 May
1997, which, together with subsequent regulations, transposed in
Italy the General Directive and its amendments
– Act n. 196 dated 30 June 2003, effective since 1 January
2004, which approved the Personal Data Protection Code:
• Harmonized all the previous regulations on personal data
processing
• Transposed in Italy Directive 2002/58/EC
B) Secondary sources:
– Deontological and good behavior codes (paragraph n. 12
of Decree n. 196/2003):
• subscribed by the Guarantee Authority
• published by the Official Gazette.
Part II
Personal Data Processing
Personal data. Definition
Any information relating to a natural or legal person, body or
association that is or can be identified, even indirectly, by
reference to any other information including a personal
identification number
Personal data:
• may identify a person
• sensitive (or semi-sensitive)
• judicial
Personal Data Processing
Any operation or set of operations concerning collection (for
example: e-mail address collection), recording (for example:
recording on a carrier in order to use these data in the future, for
determined, defined and legitimate purposes), organization, keeping,
interrogation, elaboration, modification, selection, retrieval,
comparison, utilization, blocking, interconnection,
communication, dissemination, erasure and destruction of
data, whether the latter are contained or not in a data bank
It can be done with or without electronic data processing
instruments.
Data subjects.
Any natural or legal person, body or association that is
the subject of personal data
Data subject’s rights:
- to access personal data
- other rights:
* obtaining of data and placing at interested party’s disposal
* no right of copying acts/documents which contain personal
data
* right to timely confirmation
Exercise of rights by the data subject
Data controller
Notion:
• Any natural or legal person, public administration and other body,
association or entity that is competent – also jointly with another data
controller – to specific purposes and methods of the processing of
personal data and the relevant means, including security matters
• Legal person, public administrative agency or other body, association
or entity: the data controller shall be either the entity as a whole or the
department or the peripheral unit having fully autonomous
decision-making powers in respect of purposes and mechanisms of processing
operations, also related to security matters
Data Controller (2)
Obligations:
• information to data subjects
• consent collection
• notification to the committee of protection of Privacy (Autorità
Garante per il Trattamento dei Dati Personali (“Garante”)), if
compulsory
• authorization from the Garante
• communications to the Garante according to paragraph 39
• security measures adoption
• designation of data controller and of the persons in charge of the
processing
• instructions to data controller and to the persons in charge of the
processing
• security
Data Processor
Notion: natural or legal person, public administration and other
body, association or entity that processes personal data on the
controller’s behalf
Obligations: information to data subjects, observance of
instructions analytically given in writing by the data controller
(including security matters), designation of the persons in
charge of the processing, instructions to the persons in charge of
the processing
Appointment: optional, by the data controller
Persons in charge of the processing
Notion: “Natural persons that have been authorized, in writing, by the data
controller or processor to carry out processing operations”
Designation:
• in writing;
• it punctually identifies the allowed processing ambit
• it shall be also fulfilled if a natural person is entrusted with the task of
directing a department, on a documentary basis, whereby the scope of
the processing operations that may be performed by the staff working
in said department has been specified in writing
Personal Data Processing. General principles
Personal data shall be processed lawfully and
fairly. Consequently:
• purpose of processing: clearly defined by the
data controller;
• processing must take place on legitimate
grounds such as consent, contract, law or
balance of interests
Personal Data Processing. Purposes of data
processing
Personal data shall be:
• collected for specified, explicit and
legitimate purposes and
• not further processed in a way incompatible
with those purposes.
Further processing of data for historical, statistical or scientific purposes shall
not be considered as incompatible provided that Member States provide
appropriate safeguards
Personal Data Features
Personal data shall be:
• adequate, relevant and not excessive in relation to
the purposes for which they are collected and/or
further processed
• accurate and, where necessary, kept up to date; data
which are inaccurate or incomplete shall be erased
or rectified;
• kept in a form which permits data subjects’
identification for no longer than is necessary for the
purposes for which the data were collected or for
which they are further processed.
Information to Data subjects
Minimum information to be provided to the data
subject in cases when data are:
– collected directly from him, from a third party or
from other sources, such as internet public spaces
(public directories, newsgroups or chat-rooms); or
– disclosed to third parties
Information to Data subjects (2)
• Essential information:
– identity of the controller and of his representative;
– purpose of data processing, except where the data subject
has already this information; or
• Further information (when necessary having regard
to the specific circumstances in which data are
collected, to guarantee fair processing in respect of
the data subject):
– recipient of the data,
– consent obligation and
– existence of access and rectification rights
Information to Data subjects (3)
Article 29 Data Protection Working Party:
information provided to data subjects:
• use of language and layout easily
understandable;
• multi-layered format for data subject notices;
• Legal acceptance of short notices, within a
multi-layered structure that, in its totality,
offers compliance to the legal requirements
Data Subjects’ Consent
Personal data may be processed only if the data subject agrees
to the processing of the personal data relating to him, either
as a whole or with regard to one or more of the operations
thereof
Consent:
• Free and specific
• Documented in writing (given in writing for
sensitive data)
• provided by the data subject with the required
information
Consent of Data Subjects (2)
Consent shall not be required for certain processing. Among
them:
• Necessary:
– to comply with an obligation imposed by a law, regulations or
Community legislation;
– for the performance of obligations resulting from a contract
to which the data subject is a party, or else in order to comply with
specific requests made by the data subject prior to entering into a
contract;
• Concerns data taken from public registers, lists, documents
or records that are publicly available, without prejudice to
the limitations and modalities laid down by laws,
regulations and Community legislation with regard to their
disclosure and publicity.
Data security
Processor needs to adopt:
• Appropriate technical and organizational measures to
protect personal data against:
– accidental or unlawful destruction or accidental loss,
– alteration, unauthorized disclosure or access, in particular where
the processing involves the transmission of data over a network,
and
– all other unlawful forms of processing.
• Such measures shall ensure a level of security appropriate
to the risks represented by the processing and the nature of
the data to be protected, having regard to the state of the art and
the cost of their implementation
Data security (2)
• Where processing is carried out on his behalf, the controller:
– must choose a processor providing sufficient guarantees in respect of:
• the technical security measures and
• organizational measures governing the processing to be carried out, and
– must ensure compliance with those measures.
• Carrying out of processing by way of a processor must be
governed by a contract or legal act:
– binding the processor to the controller and stipulating in particular that:
(a) the processor shall act only on instructions from the controller;
(b) the security obligations shall also be incumbent on the processor;
– which, for the purposes of keeping proof, shall be in writing or in
another equivalent form
Part III
Personal Data Processing on the Internet
General principles
Electronic communications, networks, services
• Electronic communication: any information exchanged or conveyed
between a finite number of parties by means of a publicly available electronic
communication service through an electronic communication network
• Electronic communication networks: transmission systems and, where
applicable, switching or routing equipment and other resources which permit the
conveyance of signals by wire, by radio, by optical or by other electromagnetic means,
including satellite networks, fixed (circuit- and packet-switched, including Internet) and
mobile terrestrial networks, electricity cable systems, to the extent that they are used for
the purpose of transmitting signals, networks used for radio and television broadcasting,
and cable television networks, irrespective of the type of information conveyed
• Electronic communications services: service normally provided for
remuneration which consists wholly or mainly in the conveyance of signals on
electronic communications networks, including telecommunications services and
transmission services in networks used for broadcasting, but exclude services providing,
or exercising editorial control over, content transmitted using electronic communications
networks and services
EU and Italian laws and regulations
(a) Directive 2002/21/EC of 7 March 2002 concerning a
common regulatory framework for network and electronic
communication services (so called “Framework directive”)
(b) Directive 2002/19/EC on access to and interconnection of
electronic communication networks and associated facilities
(so called “Access Directive”);
(c) Directive 2002/20/CE, on authorization of electronic
communications networks and services (so-called
“Authorisation Directive”); and
(d) Directive 2002/22/CE, on universal services and users’ rights
relating to electronic communications networks and services
(so-called “Universal Service Directive”).
These directives were enacted in Italy through Act 1 August
2003, n. 259 (so called Electronic Communications Code)
Risks and needs of personal data processing
and electronic communications.
• Electronic communications widens the range of information
concerning the way in which citizens conduct their daily lives.
• Information is easily collectable through publicly available
electronic communications networks and services over the
Internet.
• Need:
– for an equal level of protection of the fundamental rights and liberties
of users of publicly available electronic communications services, in
particular their private lives
– to face developments in the markets and technologies for electronic
communications services
Directive 2002/58/EC
Directive 2002/58/EC (e-Privacy Directive)
particularizes and complements Directive 95/46/EC
(General Directive) for the purposes to ensure:
a) an equivalent level of protection of fundamental
rights and freedoms, and in particular the right to
privacy, with respect to the processing of personal
data in the electronic communication sector and
b) the free movement of such data and of electronic
communication equipment and services in the
Community
Principles of the General Directive
which apply also to e-Privacy Directive
• principles of Directive 95/46/EC are kept as
valid; particularized and complemented;
• legitimate interests of subscribers who are
legal persons as well as natural persons are
protected
• Other definitions, in addition to those of
Directive 95/46/EC (i.e. users or subscribers)
Information to data subjects
• See above
• Information is always required in processing of
e-mail as well as other personal data contained
in:
– Web sites
– Terminal equipment
– Traffic Data
Consent of Data Subjects
• Freely given specific and informed indication of the
user's wishes: use of appropriate methods enabling it,
including by ticking a box when visiting an Internet
website.
• Not compatible with the definition of consent of
General Directive:
– Implied consent to receive electronic communications
where this would be done unless opposition is made (opt-out).
– Pre-ticked boxes on websites.
Data security and publicly available electronic
communication service
Providers of a publicly available electronic
communication service should adopt:
– specific security measures
– suitable technical and organizational measures
adequate in the light of the existing risk, in order to
safeguard security of its services and integrity of traffic
data, location data and electronic communications
against any form of unauthorized utilization or access
Data security and publicly available electronic
communication service (2)
• where security of service or personal data makes it
necessary to also take measures applying to the network:
those measures taken jointly with the provider of the
public communication network
• information to subscribers and, if possible, users
concerning:
– any risk of a breach of network security
– all the possible remedies including an indication of the
likely costs involved, when the risk lies outside the
scope of measures to be taken by said provider
Part IV
Personal Data Processing on the Internet
Specific issues
Collection of e-mail addresses
Collection directly from:
(a) a person with the view to electronic mailing or
(b) a third party to which the emails have been disclosed
Data controller
(a) must inform the data subject of the collection purposes at the
time of collecting the address
(b) shall receive the prior consent of the recipient before sending the
message (so called opt-in principle). This rule is not valid for
certain EU Members States
Data subject shall have the right – at the time of collection and at all
times thereafter – to object to this use of his / her data by
electronic means.
Collection of e-mail addresses (2)
• Collection in a public space on the Internet (Network
by proper programs, or forum and newsgroup, or lists included
in web pages or elsewhere) or
• Performance of other operation concerning personal
data included in email collected therein:
unfair; against the “purpose principle”; not necessary
for the purposes of legitimate interests pursued by the
controller
Information to Data Subjects
visiting web sites
• Meets requirements of Directive 95/66/2006.
• Provides identity and physical and electronic address of
the controller and, when appointed, of the processor;
• Contains a clear statement of (a) the purposes of the
processing for which the controller is collecting data via
a site; (b) the obligatory or optional nature of the
information to be provided;
• Mentions existence of and conditions for exercising the
rights to consent or to object to the processing of personal
data as well to access and to rectify and delete these data
Information to Data Subjects
visiting web sites (2)
• lists recipients or categories of recipients of the collected
information;
• discloses if data processed for purposes other than providing
the requested service;
• asks for opportunity to transmit data to countries outside the
EU;
• provides name and address of the service or person responsible
for answering questions;
• mentions the existence of automatic data collection
procedures before using such a method to collect any data;
• Lists security measures guaranteeing the authenticity of the
site, the integrity and confidentiality of the information
transmitted
Information to Data Subjects
when visiting web sites (3)
• Languages: those used on the site and, in particular, of
those places where personal data are to be collected.
• EU seal system for Internet sites according to common
criteria of data protection assessment that could be
determined at the Community level (Article 29 Data
Protection Working Party)?
• Comparison with safe harbor program between US and
EU
Terminal equipment and
information stored therein
Terminal equipment of users of electronic
communications networks, as well as any
information stored on such equipment are part
of the private sphere of the users
→ European Convention for the Protection of
Human Rights and Fundamental Freedoms
applies
Spyware, web bugs, hidden identifiers, cookies
Can enter the user’s terminal without user’s
knowledge in order to gain access to
information, to store hidden information or
to trace the user’s activities.
Terminal equipment and information stored therein.
– Use of electronic communications networks to store information or to
gain access to information stored in the terminal equipment of a
subscriber or user allowed:
• only upon prior clear and comprehensive information in accordance
with Directive 95/46/EC, inter alia about the purposes of the
processing
• if the user is offered the right to refuse such processing by the data
controller (so called opt in principle)
– Any technical storage or access not prevented if:
• done for the sole purpose of carrying out or facilitating the
transmission of a communication over an electronic
communications network, or
• strictly necessary in order to provide an information society service
explicitly requested by the subscriber or user
(article 5, e-Privacy Directive)
Processing of Traffic Data. General rule
Traffic data: any data processed for the purpose of the
conveyance of a communication on an electronic
communications network or for the billing thereof
Traffic data relating to subscribers and users processed
and stored by the provider of a public communications
network or publicly available electronic
communications service:
– kept only for the purpose of the transmission of a
communication
– as soon as finished, they must be erased or made
anonymous
Processing of Traffic Data. Exceptions to the general
rule
A) traffic data may be kept for purposes of subscriber
billing and interconnection payments or for other purposes
– Which data? Only necessary ones, i.e. adequate, relevant and not
excessive in relation to the billing and interconnection payments
– For how long? Only up to the end of the period during which the bill
may lawfully be challenged or payment pursued (article 123.2 of
the Data Protection Code: not more than six months)
• Where the bill has been paid and is not being challenged, data
should no longer be stored.
• Where the bill has not been paid (or has been paid) and is being
challenged, the data may be stored for a longer period, in order
to enable disputes to be resolved.
Processing of Traffic Data. Exceptions (2)
B) Traffic data may be kept for purpose of marketing
electronic communications services or for the provision
of value added services
Provider of a publicly available electronic
communications service may process traffic data to the
extent and for the duration necessary for such services,
if the subscriber or user to whom the data relate:
• gave his/her consent.
• has been given the possibility to withdraw his/her
consent for the processing of traffic data at any time
Processing of Traffic Data.
Information and consent required
• Billing and interconnection payments or other
purposes:
– Information to be provided to the subscriber or user:
• Which traffic data are processed?
• Duration of such processing
• Purposes of marketing electronic communications
services or provision of value added services:
– Information to be provided
– Consent to be previously obtained
Processing of Traffic Data.
Information and consent required (2)
• Processing of traffic data:
– restricted to persons acting under the authority of providers of the
public communications networks and publicly available electronic
communications services
– handling billing or traffic management, customer enquiries, fraud
detection, marketing electronic communications services or providing a
value added service,
– restricted to what is necessary for the purposes of such activities
• Competent bodies may be informed of traffic data - with a
view to settling disputes, in particular interconnection or
billing disputes - in conformity with applicable legislation
Processing of Traffic Data for prevention,
investigation, detection and prosecution of criminal
offences, in particular organized crime
• The European Parliament and the Council adopted (February
2006) a new directive on the retention of data generated or
processed in connection with the provision of publicly
available electronic communications services or of public
communications networks. This directive partially amends
Directive 2002/58/EC
• Objective: ensure that the data are available for the purpose of
investigation, detection and prosecution of serious crime
• Duration of retention: not less than six months and not more
than two years from the date of communication.
Unsolicited commercial communications (spam) and
direct marketing. EU Regulations
• Spam may be a threat to the general performance of the
network, and of the email service in particular, and may trigger
the ESP's inability to provide the email service itself.
• Several directives are directed to the receivers’ protection:
– distance sales
– electronic commerce
– personal data protection
• Member States are free to choose between the so-called opt-in
and opt-out system, in order to limit unsolicited direct
communications
• Legitimate interests with regard to unsolicited
communications need to be sufficiently protected
with regard to subscribers who are:
– natural persons
– other than natural persons
Unsolicited commercial communications.
Data protection regulations
Direct marketing or sending of advertising materials, or else
carrying out market surveys or interactive business
communication
A) Use of automated calling systems without human
intervention : allowed only with:
– user’s consent (so-called opt-in option).
– based on information which meets the requirements
of art. 10 of Directive 95/46/EC.
Unsolicited commercial communications.
Data protection regulations (2)
B) Means different from calling systems without human
intervention allowed when:
– information provided to the data subject, which meets the
requirements of art. 10 of Directive 95/46/EC.
– consent of the subscribers concerned (so-called opt in) or
respect of subscribers who do not wish to receive these
communications (so-called opt out). Based on the
information above
Unsolicited commercial communications.
Data protection regulations (3)
• Contact details for electronic mail supplied by a data subject in the context
of the sale of a product or service used for direct marketing of the
controller’s own products or services:
– data subject’s consent not required, on condition that
• the services are similar to those that have been the subject of the sale and
• the data subject, after being adequately informed, does not object to said use either
initially or in connection with subsequent communications.
– data subject shall be informed of the possibility to object to the processing at
any time, using simple means and free of charge, both at the time of collecting
the data and when sending any communication for the purposes referred to in
this paragraph;
Unsolicited commercial communications.
Data protection regulations (4)
• The practice of sending communications for the purposes of direct marketing
or sending advertising materials or else for carrying out market surveys
or interactive business communication or anyhow for promotional
purposes
– by disguising or concealing the identity of the sender, or
– without a valid address to which the data subject may send a request to
exercise the rights referred to in section 7
shall be prohibited
• In case of persistent breach of the provisions laid down in this Section, the Garante
per il Trattamento dei Dati Personali may also order the provider of
electronic communications services to implement
– filtering procedures or
– other practicable measures with regard to the electronic contact details for
electronic mail used for sending the communications.
Unsolicited commercial communications.
Code of practice for direct marketing purposes
Art. 140 of the Data Privacy Code: Garante encourages
adoption of a code of conduct and professional
practice applying to the processing of personal data
that is performed to send advertising materials or for
direct selling purposes, or else to carry out market
surveys or commercial communication activities, by
also laying down simplified arrangements for a data
subject to indicate and highlight his / her objection to
receiving certain communications whenever the data
subject’s consent is not a prerequisite for the
processing.
E-mail screening services
• Internet Service Providers (“ISP”) and email service
providers (“ESP”):
– provide free web-based email services and related services
– most of them use filtering tools to protect networks and machines
against viruses, for (a) filtering spam; (b) inspecting communications for
commercial reasons
• Compliance of such filtering tools with the existing
legislation:
– Constitutions of Member States;
– art. 8 of European Convention for the Protection of Human Rights and
Fundamental Freedoms (right to respect for private life and
correspondence; conditions under which restrictions of this right could
be acceptable)
E-mail screening services (2)
Compliance of such filtering tools with the
existing data protection legislation:
– art. 5 of the e-Privacy Directive: “listening, tapping, storage or
other kinds of interception or surveillance of
communications and the related traffic data by persons
other than users, are prohibited without the consent of the
users concerned, except when legally authorized to do so in
accordance with Article 15(1)”;
– art. 4 of the e-Privacy Directive: “The provider of a
publicly available electronic communications service must
take appropriate technical and organizational measures to
safeguard security of its services, if necessary in
conjunction with the provider of the public
communications network with respect to network security”.
E-mail screening services (3)
Article 29 Working Party opinion (February 2006): scanning
for the purposes of:
a) Safeguarding the security of services and / or the mere
performance of the service contract with their customers
• Detecting viruses
• Filtering spam
b) Acquiring knowledge of the content and/or traffic data relating
to private communications
• Detecting any predetermined content
E-mail screening services for detecting viruses
Content of emails and the attached annexes:
• kept secret and
• must not be disclosed to anyone but the addressee(s);
If a virus is found, the installed software must offer sufficient
guarantees regarding confidentiality
Virus scan carried out in the form of content scanning, should be set up
automatically and only for this purpose
E-mail screening services for filtering spam
Subscribers should be given the possibility to:
– opt out of scanning their emails for spam purposes,
– check emails deemed as spam and
– decide what kind of spam should be filtered out;
Filtering tools to be installed or configured either
• in the terminal equipment or in third party servers or
• in the provider’s email server and which enable them to control what they
want (or do not want) to receive, in order to reduce costs of downloading.
Prior information of subscribers:
– about filtering, both for the purposes of screening viruses and spam, as part
of the service, as well as
– information of users / subscribers about measures they can take to protect
the security of their communications.
E-mail screening services detecting
any predetermined content
Processing must comply with various requirements of the
General Directive, and, among others:
a) the obligation to inform individuals about the processing of
their personal data (art. 10);
b) the principle according to which data must be processed fairly
and lawfully (art. 6.1 lett. a)
c) Consent of the users shall always be required.
Other e-mail related services
Software products and services aimed at tracking email opening.
Risk: anybody subscribing to it is able to know whether an email sent by
the subscriber
(a) has been read by the addressee;
(b) when it was read;
(c) how many times it has been read (or at least opened);
(d) if it has been transferred to others and
(e) to which email server, including its location.
Requirements of the General Directive, as well as of the e-Privacy
Directive shall be met: information about the data processing is
provided to the email recipients from whom the data is retrieved.
Secret processing would violate data protection principles requiring
loyalty and transparency in the collection of personal data
The Relevant Codes of Conduct and Professional Practice
to be enacted
Codes of conduct and professional practice to be enacted
according to
A) art. 133 of the Italian Data Protection Code concerning
Internet and electronic networks
B) Art. 140 of the Italian DPC on direct marketing
Conclusions
EU regulations concerning privacy need to be implemented to this extent:
• Quicker transposition of EU directives concerning processing of personal
data within member states
• Within the third pillar (Eurojust, Europol, SIS, etc) principles applied
differently from the first pillar. Therefore, harmonizing of the principles
within the EU, of their application and of the methods of ensuring respect
for the right to privacy in the context of processing personal data
• Transfer of data to Third States: need for agreements with third countries or
bodies concerning transfer
Thank you!
Avv. Giorgio Corno
Via Mameli 11 – 20035 Lissone (Milan – Italy)
Phone: ++39 039 2456792 – Fax: ++39 039 2458018
E-mail: legale@studiocorno – Web site: www.studiocorno.it