Data Protection Conference 2009 “Personal data – more use, more protection?” European Commission, Brussels, 19-20 May 2009 PRESENTATION BY DOUWE KORFF Professor of International.


Data Protection Conference 2009
“Personal data – more use, more protection?”
European Commission, Brussels, 19-20 May 2009
PRESENTATION BY DOUWE KORFF
Professor of International Law
London Metropolitan University, London (UK)
WHAT DOES IT MEAN WHEN WE SAY THAT PROCESSING OF
PERSONAL DATA MUST BE:
“IN ACCORDANCE WITH THE LAW, NECESSARY,
PROPORTIONATE, AND APPROPRIATE IN A DEMOCRATIC
SOCIETY”?
European Convention on Human Rights
Article 8
Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his
home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this
right except such as is in accordance with the law and is necessary in a
democratic society in the interests of national security, public safety or the
economic well-being of the country, for the prevention of disorder or crime, for
the protection of health or morals, or for the protection of the rights and
freedoms of others.
This is a “typical” Convention right.
NB: In “typical” rights, the rights in the first paragraphs must be broadly
construed, and the restrictions in the second paragraph narrowly.
Thus, concepts such as “private life” and “personal data” must be given a wide
meaning (this was not done in the Durant case in the UK).
EU Charter Of Fundamental Rights
Article 7
Respect for private and family life
Everyone has the right to respect for his or her private and family life, home
and communications.
Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or
her.
2. Such data must be processed fairly for specified purposes and on the basis
of the consent of the person concerned or some other legitimate basis laid
down by law. Everyone has the right of access to data which has been
collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent
authority.
EU Charter Of Fundamental Rights
Article 52
Scope of guaranteed rights
1. Any limitation on the exercise of the rights and freedoms recognised by
this Charter must be provided for by law and respect the essence of
those rights and freedoms. Subject to the principle of proportionality,
limitations may be made only if they are necessary and genuinely
meet objectives of general interest recognised by the Union or the need
to protect the rights and freedoms of others.
I.e., the rights in the Charter follow the “typical” structure of ECHR rights.
“IN ACCORDANCE WITH LAW” - European case-law (I):
The word “law” encompasses not only primary legislation, but also subsidiary
rules and judicial case-law etc. - BUT one must also examine the “quality of
the law”. Any legal rule that allows an interference with an individual right must
be “compatible with the rule of law” and, in particular, accessible (that usually
means, published) and sufficiently clear and precise to be “foreseeable” in its
application.
Laws cannot always be phrased with absolute precision, but they must
protect against “arbitrary interferences by public authorities” with the right
in question. To the extent that the law grants certain bodies a certain discretion
it must therefore also provide procedural protection against arbitrary use of
that discretion.
ECHR Cases: Sunday Times v UK (Judgment of 26 April 1979, para. 49);
recently: Copland v UK (Judgment of 3 April 2007)
“IN ACCORDANCE WITH LAW” - European case-law (II):
“The Court reiterates that it is as essential, in this context [taking and retaining
of DNA], as in telephone tapping, secret surveillance and covert intelligence-gathering, to have clear, detailed rules governing the scope and application of
[such] measures, as well as minimum safeguards concerning, inter alia,
duration, storage, usage, access of third parties, procedures for preserving the
integrity and confidentiality of data and procedures for its destruction, thus
providing sufficient guarantees against the risk of abuse and arbitrariness.”
S & Marper v UK (Judgment of 4 December 2008), para. 99.
“NECESSARY AND PROPORTIONATE” - European case-law (I):
Whilst the adjective "necessary" is not synonymous with "indispensable",
neither has it the flexibility of such expressions as "admissible", "ordinary",
"useful", "reasonable" or "desirable"; it implies the existence of a "pressing
social need", and any interference must be proportionate to such a need.
ECHR cases: Handyside v UK (Judgment of 7 December 1976, para. 48)
“NECESSARY AND PROPORTIONATE” - European case-law (II):
About the rules on the retention of DNA data by the police in the UK:
“[T]he Court is struck by the blanket and indiscriminate nature of the power of retention in
England and Wales. The material may be retained irrespective of the nature or gravity of
the offence with which the individual was originally suspected or of the age of the
suspected offender; fingerprints and samples may be taken – and retained – from a
person of any age, arrested in connection with a recordable offence, which includes
minor or non-imprisonable offences. The retention is not time-limited; the material is
retained indefinitely whatever the nature or seriousness of the offence of which the person
was suspected. Moreover, there exist only limited possibilities for an acquitted
individual to have the data removed from the nationwide database or the materials
destroyed; in particular, there is no provision for independent review of the justification for
the retention according to defined criteria, including such factors as the seriousness of
the offence, previous arrests, the strength of the suspicion against the person and any other
special circumstances.”
The DNA data retention regime in the UK was therefore not proportionate and failed to strike
a “fair balance” between the competing public and private interests.
(S. & Marper v. UK, Judgment [GC] of 8 December 2008, para. 119, emphases added)
“IN A DEMOCRATIC SOCIETY” - European case-law (I):
The words “in a democratic society” allow the Court to examine the
interference in a particular country in the light of what such a society requires.
The Court takes the standards set by the Council of Europe and its Member
States as the main measure. In practice, this means that the Court can look at
COE Conventions other than the ECHR (such as the Oviedo Convention on
Bio-Ethics), at COE PACE and COM Recommendations, and at law and
practice in the Member States. If there is a large measure of agreement on an
issue, as reflected in such other Conventions, Recommendations and/or State
practice, this will be a strong indication of what a “democratic society” requires.
The existence of and wide adherence to COE Convention 108, and the wide
application of the EC Directives on data protection, imply that compliance with
the standards set in these instruments is required in all “democratic states”.
“IN A DEMOCRATIC SOCIETY” - European case-law (II):
The question of necessity “in a democratic society” ties in with the question of
the so-called “margin of appreciation” accorded to States. If there is a large
measure of agreement on an issue, States will have a narrow margin of
appreciation, and the necessity of the interference will be strictly assessed with
reference to the common approach in the COE States.
For data protection, such agreement or commonality can be shown by the
adoption of common standards or guidelines by such bodies as the Article 29
Working Party, or the COE Steering Committee on Data Protection, etc.
The standards set by such bodies thus help to define how the general data
protection principles in the Directives (and the COE Convention) must be
applied; indeed failure to follow them suggests a violation of the ECHR.
Overall:
In spite of serious challenges:
• Data protection is increasingly recognised as a fundamental human right –
both in its own terms (EU Charter of FR) and, under the ECHR, in the case-law
of the Eur Court HR and of the ECJ;
• There is increasing clarification of the application of the vague, general
standards in the COE Convention and the EC Directives (WP29);
• The common interpretations and guidance make these more precise
standards also more binding.
Further reading:
• Conference handout on “The standard approach under Articles 8-11
ECHR”
• D Korff, The need to apply UK data protection law in accordance with
European law, Data Protection Law & Policy, May 2008
• D Korff, Data protection law in practice in the EU, FEDMA/US-DMA,
2005, in particular chapter 1, section iii: Aims and Purposes: The
Directives’ ‘Constitutional’ Status.
• Privacy and Law Enforcement (with Ian Brown), study for the UK
Information Commissioner, released on the Commissioner’s website in
September 2004 as “Striking the Right Balance: Respecting the Privacy
of Individuals and Protecting the Public from Crime”:
http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/legal_framework.pdf