Privacy: Legal European Framework
with some emphasis on RFID
- European Convention on Human Rights (ECHR), 1953:
  - Art 8: right to private life
  - with the Lisbon Treaty the EU itself is now also a member of it, not only the MS (Member States)
- OECD (Organisation for Economic Co-operation & Development), published in 1980:
  - Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data
- Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108), 1981
- Data Protection Directive (95/46/EC) & Regulation (EC) No 45/2001 (~same as the directive, but for EU bodies)
- ePrivacy Directive (2002/58/EC)
  - replaces 97/66/EC
  - amended by 2009/136/EC, see below
- Data Retention Directive (2006/24/EC)
  - MS can choose a mandatory retention period between 6 and 24 months
  - to be implemented by 15/9/2007 (internet data: 15/3/2009), but some MS still fail to do so
  - Romanian constitutional court declared it unconstitutional (8/10/2009) as conflicting with privacy rights & secrecy of correspondence
  - German High Court rejected the transposition law (2/3/2010): the court said the law went far beyond the requirements of the EU directive
- Framework Decision 2008/977/JHA of the Council
  - data protection for police & judicial cooperation in criminal matters (cross-border only)
  - former third pillar
- 31st annual International Conference of Data Protection and Privacy Commissioners
  - The Madrid Privacy Declaration, 3 November 2009, by Civil Society
    - Calls for a legal framework on data breaches
    - Recommends research on PETs (Privacy Enhancing Technologies) such as anonymization
    - Calls for a moratorium on the development of new systems of mass surveillance such as facial recognition, whole-body scanners, biometric identifiers and embedded RFID tags
  - The Madrid Resolution, 5 November 2009
    - Joint proposal for a draft of international standards on the protection of privacy with regard to the processing of personal data
    - Largely similar to the main principles & rights of 95/46/EC, plus an accountability principle
- Directive 2009/136/EC, 25 November 2009, to be transposed before May 2011
  - amending, among others, the ePrivacy Directive 2002/58/EC
  - calls for a data breach principle regardless of the sector, or the type, of data concerned (recital 59)
  - states that the directive also applies to RFID when such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure (recital 56)
  - personal data breach notification principle
    - applies if the breach occurs in connection with the provision of a publicly available electronic communications service
    - covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access
    - obligation to notify without undue delay: to the DPA, and to the subjects if the breach is likely to adversely affect their personal data or privacy, unless appropriate security measures were implemented (i.e. encryption)
  - covers spam, cookies, malware & viruses
- Treaty of Lisbon, entered into force on 1 December 2009
  - Article 16 of the TFEU (Treaty on the Functioning of the European Union)
    - Everyone has the right to the protection of personal data concerning him
    - also covers justice/police cooperation & EU bodies; the only separate provisions are in Art 39 of the TEU (Treaty on the European Union), concerning the CFSP (Common Foreign & Security Policy)
    - was Art 286 in the former Treaty establishing the European Community
  - Charter of Fundamental Rights of the European Union becomes binding (opt-out for the UK & Poland)
    - Art 8 on protection of personal data
      - Everyone has the right to the protection of personal data concerning him
      - data must be processed fairly, for specified purposes, on the basis of consent or some other legitimate basis
      - right of access, right of rectification
      - control by an authority
- Stockholm Programme
  - sets the framework 2010-2014 for cooperation in the area of justice & home affairs
  - data protection principles are present
- New Commission
  - now 2 commissioners for the former justice, freedom and security post:
    - justice, freedom & citizenship (Viviane Reding)
    - foreign affairs & security (Catherine Ashton)
  - Commission consultation on 95/46/EC
    - the general principles are still valid, but clarification is needed on consent and transparency, and the data breach & accountability principles should be introduced
    - WP168 (1/12/2009): the Art. 29 WP and the WPPJ (Working Party on Police and Justice) publish a joint contribution to the Commission's consultation on the legal framework for the fundamental right to protection of personal data: The Future of Privacy (pdf)
- European Data Protection Supervisor (EDPS)
- Commission's Justice & Home Affairs / Freedom, Security & Justice / Data Protection pages, including links to the national DPAs
- Art. 29 Data Protection Working Party
  - Art. 29 WP105 (19/01/2005) Working document on data protection issues related to RFID technology (pdf)
  - Art. 29 WP111 (28/9/2005) Results of the Public Consultation on Article 29 Working Document 105 on Data Protection Issues Related to RFID Technology (pdf)
    - While consumers, the security industry and universities all agree on the need for a kill command for consumer products at the exit of the shop, retailers and retail standards bodies strongly disagree
- 2006 public consultation of the Commission on RFID
- 2006 study initiated by the European Parliament: RFID and Identity Management in Everyday Life (pdf)
- Council Resolution of 22 March 2007 on a strategy for a secure Information Society in Europe
- Commission Decision of 28 June 2007 setting up the Expert Group on Radio Frequency Identification (decision No 467/2007/EC), aka the RFID Stakeholders Group
- COM(2007)96 (15/3/2007) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Radio Frequency Identification (RFID) in Europe: steps towards a policy framework (pdf)
  - call for privacy by design, a code of conduct, guidelines
  - towards the Internet of Things & related databases
- Opinion of the EDPS, December 2007, on the above communication
  - 5 basic privacy and security issues:
    - identification of the data subject as a risk (and the problem of the definition of personal data)
    - identification of the data controller(s) can be hard, but is needed to establish responsibilities
    - decreased meaning of the traditional distinction between the personal and public sphere
    - size and physical properties of RFID tags
    - lack of transparency of the processing
  - self-regulation at first, but need for guidance
  - opt-in principle, considered as already existing in 95/46/EC, but should be specified in self-regulatory instruments too
  - privacy by design
- COM(2008)594 (29/9/2008) Communication from the Commission on future networks and the internet (pdf)
- 2009/387/EC Commission Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (pdf)
  - invites MS to provide a framework for privacy and data protection impact assessments to the Art. 29 WP within 12 months
  - creation of an RFID logo, mandatory for tags & readers
  - opt-in principle, unless
    - the application is evaluated as not a likely threat
    - the retailer is not an operator (!! so the opt-in drops if the retailer is not equipped)
  - MS invited to take measures within 25 months; the Commission will publish an evaluation of the implementation in three years
- COM(2009)278 (18/6/2009) Communication from the Commission: Internet of Things — An action plan for Europe (pdf)
- Informal working group on the implementation of the RFID Recommendation
- Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy, chapter VI
- Draft Privacy and Data Protection Impact Assessment (PIA) framework for RFID applications, 31/3/2010
- ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications
See also
- RFID page of the European Commission / Information Society
- The Global RFID Interoperability Forum for Standards (GRIFS) is a Support Action Project funded by the European Commission with the aim of improving collaboration and thereby maximising the global interoperability of RFID standards.
- Protecting privacy in the digital age (pdf), by Viviane Reding
- German Federal Office for Information Security (BSI) technical guidelines for RFID, covering eTicketing in public transport and at events, NFC, and RFID for trade logistics