Difference between revisions of "Privacy: Legal European Framework"
Jump to navigation
Jump to search
m (Created page with '==Data Protection related European legislation and initiatives== with some accents on RFID * European Convention for Human Rights (ECHR), 1953: ** Art 8: right to private li…') |
m (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen) |
||
(15 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
with some accents on [[RFID]] |
with some accents on [[RFID]] |
||
− | * European Convention for Human Rights (ECHR), 1953: |
+ | * '''European Convention for Human Rights (ECHR)''', 1953: |
− | ** Art 8: right to private life |
+ | ** '''Art 8''': right to private life |
** by Lisbon Treaty: EU is now also member of it, not only the MS (Member States). |
** by Lisbon Treaty: EU is now also member of it, not only the MS (Member States). |
||
− | * OECD Organization for Economic Cooperation & Development published in 1980: |
+ | * '''OECD''' Organization for Economic Cooperation & Development published in 1980: |
− | ** ''Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data'' |
+ | ** ''Recommendations of the Council Concerning '''Guidelines''' Governing the Protection of Privacy and Trans-Border Flows of Personal Data'' |
− | * ''The Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data'' (Convention 108), 1981 |
+ | * ''The Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data'' ('''Convention 108'''), 1981 |
− | * ''Data Protection'' Directive (95/46/EC) & Regulation (EC) Nr. 45/2001 (~same as directive but for EU bodies) |
+ | * '''''Data Protection'' Directive (95/46/EC) & Regulation (EC) Nr. 45/2001''' (~same as directive but for EU bodies) |
− | * ''ePrivacy'' Directive (2002/58/EC) |
+ | * '''''ePrivacy'' Directive (2002/58/EC)''' |
** replaces 97/66/EC |
** replaces 97/66/EC |
||
** amended by 2009/136/EC, see below |
** amended by 2009/136/EC, see below |
||
− | * ''Data Retention'' Directive (2006/24/EC) |
+ | * '''''Data Retention'' Directive (2006/24/EC)''' |
** MS can choose mandatory retention between 6 to 24 months |
** MS can choose mandatory retention between 6 to 24 months |
||
** to be implemented by 15/9/2007 (internet 15/3/2009) but still some MS fail |
** to be implemented by 15/9/2007 (internet 15/3/2009) but still some MS fail |
||
** Romania constitutional court declared it unconstitutional (8/10/2009) <> privacy rights & secrecy of correspondence |
** Romania constitutional court declared it unconstitutional (8/10/2009) <> privacy rights & secrecy of correspondence |
||
+ | ** German High Court rejected the transposition law (2/3/2010): The court said the law went far beyond the requirements of the EU directive. |
||
− | * Framework decision 2008/977/JHA of the Council |
+ | * '''Framework decision 2008/977/JHA''' of the Council |
** data protection for police & judicial cooperation in criminal matters (only cross-border) |
** data protection for police & judicial cooperation in criminal matters (only cross-border) |
||
** former third pillar |
** former third pillar |
||
* 31st annual International conference of data protection and privacy commissioners |
* 31st annual International conference of data protection and privacy commissioners |
||
− | ** The ''Madrid Privacy Declaration'', 3 November 2009, by Civil Society |
+ | ** The '''''Madrid Privacy Declaration''''', 3 November 2009, by Civil Society |
*** Urges for a data breach legal framework |
*** Urges for a data breach legal framework |
||
*** Recommends research on PETs (Privacy Enhancing Technique) such as anonymization |
*** Recommends research on PETs (Privacy Enhancing Technique) such as anonymization |
||
*** Calls for moratorium on development of new systems of mass surveillance such as facial recognition, whole body scanners, biometric identifiers and '''embedded RFID tags''' |
*** Calls for moratorium on development of new systems of mass surveillance such as facial recognition, whole body scanners, biometric identifiers and '''embedded RFID tags''' |
||
− | ** The ''Madrid Resolution'', 5 November 2009 |
+ | ** The '''''Madrid Resolution''''', 5 November 2009 |
− | *** ''Joint proposal for a draft of international standards on the protection of privacy with regards to the processing of personal data'' |
+ | *** '''''Joint proposal for a draft of international standards on the protection of privacy with regards to the processing of personal data''''' |
*** Largely similar to main principles & rights of 95/46/EC + accountability principle |
*** Largely similar to main principles & rights of 95/46/EC + accountability principle |
||
− | * Directive 2009/136/EC, 25 November 2009, to be transposed before May 2011 |
+ | * '''Directive 2009/136/EC''', 25 November 2009, to be transposed before May 2011 |
− | ** |
+ | ** amending, among others, the ePrivacy directive 2002/58/EC |
*** urges for a data breach principle regardless of the sector, or the type, of data concerned (recital 59) |
*** urges for a data breach principle regardless of the sector, or the type, of data concerned (recital 59) |
||
*** mentions the directive is applicable also '''to RFID''' ''when such devices are connected to publicly available electronic communications networks or make use of electronic communication services as a basic infrastructure'' (recital 56) |
*** mentions the directive is applicable also '''to RFID''' ''when such devices are connected to publicly available electronic communications networks or make use of electronic communication services as a basic infrastructure'' (recital 56) |
||
Line 35: | Line 36: | ||
*** covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access |
*** covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access |
||
*** obligation without undue delay, to DPA, and to subjects if likely to adversely affect the personal data or privacy of a subject, unless security measures were properly implemented (=encryption) |
*** obligation without undue delay, to DPA, and to subjects if likely to adversely affect the personal data or privacy of a subject, unless security measures were properly implemented (=encryption) |
||
+ | ** covers spam, cookies, malwares & viruses |
||
− | ** spam |
||
− | * Treaty of Lisbon, entered into force on 1 december 2009 |
+ | * '''Treaty of Lisbon''', entered into force on 1 december 2009 |
− | ** Article 16 of the TFEU (Treaty on the Functioning of the European Union) |
+ | ** '''Article 16 of the TFEU''' (Treaty on the Functioning of the European Union) |
*** ''Everyone has the right to the protection of personal data concerning him'' |
*** ''Everyone has the right to the protection of personal data concerning him'' |
||
*** covers also justice/policy & EU bodies, only provisions are in Art 39 of the TEU (Treaty on the European Union): concerning CFSP (Common Foreign & Security Policy) |
*** covers also justice/policy & EU bodies, only provisions are in Art 39 of the TEU (Treaty on the European Union): concerning CFSP (Common Foreign & Security Policy) |
||
+ | *** was Art 286 in the former ''Treaty establishing the European Community'' |
||
− | ** Charter of Fundamental Rights of the European Union becomes binding (opt-out UK & Poland) |
+ | ** '''Charter of Fundamental Rights of the European Union''' becomes binding (opt-out UK & Poland) |
− | ** Art 8 on protection of personal data |
+ | ** '''Art 8''' on protection of personal data |
*** ''Everyone has the right to the protection of personal data concerning him'' |
*** ''Everyone has the right to the protection of personal data concerning him'' |
||
*** fairly, for specified purposes, on basis of consent or some legitimate basis |
*** fairly, for specified purposes, on basis of consent or some legitimate basis |
||
*** right of access, right of rectification |
*** right of access, right of rectification |
||
*** control by authority |
*** control by authority |
||
− | * Stockolm Program |
+ | * '''Stockolm Program''' |
− | + | ** sets framework 2010-2014 for cooperation in the area of justice & home affairs |
|
− | + | ** data protection principles are present |
|
− | * New Commission |
+ | * '''New Commission''' |
** now 2 commissioners for the former ''justice, freedom and security'' post: |
** now 2 commissioners for the former ''justice, freedom and security'' post: |
||
*** justice freedom & citizenship (Viviane Reding) |
*** justice freedom & citizenship (Viviane Reding) |
||
Line 55: | Line 57: | ||
** Commission consultation on 95/46/EC |
** Commission consultation on 95/46/EC |
||
*** general principles are still valid but we need clarification on consent, transparency and introduction of data breach & accountability principles |
*** general principles are still valid but we need clarification on consent, transparency and introduction of data breach & accountability principles |
||
+ | *** 1/12/2009 WP168 by Art.29 WP + WPPJ (Working Party on Police and Justice) publish a joint contribution to the consultation of the Commission on the legal framework for the fundamental right to protection of personal data: [http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp168_en.pdf The Future of Privacy (pdf)] |
||
+ | |||
+ | ==Data Protection related bodies== |
||
+ | * [http://ec.europa.eu/justice_home/fsj/privacy/eusupervisor/index_en.htm European Data Protection Supervisor] |
||
+ | * [http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm Commission's Justice & Home Affairs / Freedom, Security & Justice / Data Protection], includes a link to the national DPA |
||
+ | * [http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm Art. 29 Data Protection Working Party] |
||
+ | |||
==RFID-related== |
==RFID-related== |
||
+ | * Art. 29 WP105 (19/01/2005) [http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf ''Working document on data protection issues related to RFID technology'' (pdf)] |
||
+ | * Art. 29 WP111 (28/9/2005) [http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp111_en.pdf ''Results of the Public Consultation on Article 29 Working Document 105 on Data Protection Issues Related to RFID Technology'' (pdf)] |
||
+ | ** While consumers, security industry and universities all agree on the need for a kill command for consumer products at the exit of the shop, retailers and standard bodies for retailers strongly disagree |
||
+ | * 2006 public consultation of the Commission on RFID |
||
+ | * 2006 Study initiated by the European Parliament: [http://www.europarl.europa.eu/stoa/publications/studies/stoa182_en.pdf ''RFID and Identity management in everyday life'' (pdf)] |
||
+ | * Council Resolution of 22 March 2007 on a strategy for a secure Information society in Europe |
||
+ | * Commission decision 28 June 2007 setting up the Expert Group on Radio Frequency Identification (decision No 467/2007/EC) aka RFID-Stakeholders Group |
||
+ | * COM(2007)96 (15/3/2007) [http://eur-lex.europa.eu/LexUriServ/site/en/com/2007/com2007_0096en01.pdf ''Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on '''Radio Frequency Identification (RFID) in Europe: steps towards a policy framework''''' (pdf)], see also [http://ec.europa.eu/information_society/newsroom/cf/itemlongdetail.cfm?item_id=3247 here] |
||
+ | ** call for privacy by design, code of conduct, guidelines |
||
+ | ** towards Internet of Things & related databases |
||
+ | * [http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2007/07-12-20_RFID_EN.pdf Opinion of EDPS], December 2007, on above communication |
||
+ | ** 5 basic privacy and security issues |
||
+ | *** identification of the Data Subject as a risk (and problem of definition of personal data) |
||
+ | *** identification of the Data Controller(s) can be hard but needed to establish responsibilities |
||
+ | *** decreased meaning of the traditional distinction between the personal and public sphere |
||
+ | *** size and physical properties of RFID-tags |
||
+ | *** lack of transparency of the processing |
||
+ | ** self-regulation at first but need for guidance |
||
+ | ** opt-in principle, considered as already existing in the 95/46/EC but should be specified in self-regulatory instruments too |
||
+ | ** privacy by design |
||
+ | * COM(2008)594 (29/9/2008) Communication from the Commission [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0594:FIN:EN:PDF Communication on future networks and the internet (pdf)] |
||
+ | * 2009/387/EC [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:122:0047:0051:EN:PDF Commission Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (pdf)] (copy [http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf here]) |
||
+ | ** invites MS to provide framework for privacy and data protection impact assessments to Art.29 WP within 12 months |
||
+ | ** creation of an RFID logo, mandatory for tags & readers |
||
+ | ** opt-in principle unless |
||
+ | *** evaluated as not a likely threat |
||
+ | *** retailers which are not operators (!! so opt-in drops if retailer is not equipped) |
||
+ | ** MS invited to take measures within 25 months, Commission will publish an evaluation of the implementation in three years |
||
+ | * COM(2009)278 (18/6/2009) Communication from the Commission [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0278:FIN:EN:PDF Internet of Things — An action plan for Europe (pdf)] |
||
+ | * [http://ec.europa.eu/information_society/policy/rfid/documents/participateinworkgroup.pdf Informal working group on the implementation of the RFID] |
||
+ | * [http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-03-19_Trust_Information_Society_EN.pdf Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy], chapter VI |
||
+ | * [http://ec.europa.eu/information_society/policy/rfid/documents/d31031industrypia.pdf draft Privacy and Data Protection Impact Assessment (PIA) framework for RFID applications], 2010/03/31 |
||
+ | * [http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications] |
||
+ | |||
+ | See also |
||
+ | * [http://ec.europa.eu/information_society/policy/rfid/index_en.htm RFID page of European Commission / Information Society] |
||
+ | ** its [http://ec.europa.eu/information_society/newsroom/cf/news.cfm?redirection=1&item_type=news&tpa_id=124 RFID news channel] |
||
+ | * [http://www.grifs-project.eu/ The Global RFID Interoperability Forum for Standards (GRIFS)] is a Support Action Project funded by the European Commission with the aim to improve collaboration and thereby to maximise the global interoperability of RFID standards. |
||
+ | * [http://ec.europa.eu/commission_barroso/reding/video/text/message_20090414.pdf Protecting privacy in the digital age (pdf)], by Viviane Reding |
||
+ | * [https://www.bsi.bund.de/ContentBSI/EN/publications/techguidelines/TR03126/BSITR03126.html German Federal Office for Information Security (BSI) technical guidelines for RFID], covering eTicketing in public transports, in events, via NFC and RFID for trade logistics |
Latest revision as of 21:37, 24 November 2010
with some accents on RFID
- European Convention for Human Rights (ECHR), 1953:
- Art 8: right to private life
- by Lisbon Treaty: EU is now also member of it, not only the MS (Member States).
- OECD Organization for Economic Cooperation & Development published in 1980:
- Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data
- The Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108), 1981
- Data Protection Directive (95/46/EC) & Regulation (EC) Nr. 45/2001 (~same as directive but for EU bodies)
- ePrivacy Directive (2002/58/EC)
- replaces 97/66/EC
- amended by 2009/136/EC, see below
- Data Retention Directive (2006/24/EC)
- MS can choose mandatory retention between 6 to 24 months
- to be implemented by 15/9/2007 (internet 15/3/2009) but still some MS fail
- Romania constitutional court declared it unconstitutional (8/10/2009) <> privacy rights & secrecy of correspondence
- German High Court rejected the transposition law (2/3/2010): The court said the law went far beyond the requirements of the EU directive.
- Framework decision 2008/977/JHA of the Council
- data protection for police & judicial cooperation in criminal matters (only cross-border)
- former third pillar
- 31st annual International conference of data protection and privacy commissioners
- The Madrid Privacy Declaration, 3 November 2009, by Civil Society
- Urges for a data breach legal framework
- Recommends research on PETs (Privacy Enhancing Technique) such as anonymization
- Calls for moratorium on development of new systems of mass surveillance such as facial recognition, whole body scanners, biometric identifiers and embedded RFID tags
- The Madrid Resolution, 5 November 2009
- Joint proposal for a draft of international standards on the protection of privacy with regards to the processing of personal data
- Largely similar to main principles & rights of 95/46/EC + accountability principle
- The Madrid Privacy Declaration, 3 November 2009, by Civil Society
- Directive 2009/136/EC, 25 November 2009, to be transposed before May 2011
- amending, among others, the ePrivacy directive 2002/58/EC
- urges for a data breach principle regardless of the sector, or the type, of data concerned (recital 59)
- mentions the directive is applicable also to RFID when such devices are connected to publicly available electronic communications networks or make use of electronic communication services as a basic infrastructure (recital 56)
- personal data breach notification principle
- if in connection with the provision of publicly available electronic communications service)
- covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access
- obligation without undue delay, to DPA, and to subjects if likely to adversely affect the personal data or privacy of a subject, unless security measures were properly implemented (=encryption)
- covers spam, cookies, malwares & viruses
- amending, among others, the ePrivacy directive 2002/58/EC
- Treaty of Lisbon, entered into force on 1 december 2009
- Article 16 of the TFEU (Treaty on the Functioning of the European Union)
- Everyone has the right to the protection of personal data concerning him
- covers also justice/policy & EU bodies, only provisions are in Art 39 of the TEU (Treaty on the European Union): concerning CFSP (Common Foreign & Security Policy)
- was Art 286 in the former Treaty establishing the European Community
- Charter of Fundamental Rights of the European Union becomes binding (opt-out UK & Poland)
- Art 8 on protection of personal data
- Everyone has the right to the protection of personal data concerning him
- fairly, for specified purposes, on basis of consent or some legitimate basis
- right of access, right of rectification
- control by authority
- Article 16 of the TFEU (Treaty on the Functioning of the European Union)
- Stockolm Program
- sets framework 2010-2014 for cooperation in the area of justice & home affairs
- data protection principles are present
- New Commission
- now 2 commissioners for the former justice, freedom and security post:
- justice freedom & citizenship (Viviane Reding)
- foreign affairs & security (Catherine Ashton)
- Commission consultation on 95/46/EC
- general principles are still valid but we need clarification on consent, transparency and introduction of data breach & accountability principles
- 1/12/2009 WP168 by Art.29 WP + WPPJ (Working Party on Police and Justice) publish a joint contribution to the consultation of the Commission on the legal framework for the fundamental right to protection of personal data: The Future of Privacy (pdf)
- now 2 commissioners for the former justice, freedom and security post:
- European Data Protection Supervisor
- Commission's Justice & Home Affairs / Freedom, Security & Justice / Data Protection, includes a link to the national DPA
- Art. 29 Data Protection Working Party
- Art. 29 WP105 (19/01/2005) Working document on data protection issues related to RFID technology (pdf)
- Art. 29 WP111 (28/9/2005) Results of the Public Consultation on Article 29 Working Document 105 on Data Protection Issues Related to RFID Technology (pdf)
- While consumers, security industry and universities all agree on the need for a kill command for consumer products at the exit of the shop, retailers and standard bodies for retailers strongly disagree
- 2006 public consultation of the Commission on RFID
- 2006 Study initiated by the European Parliament: RFID and Identity management in everyday life (pdf)
- Council Resolution of 22 March 2007 on a strategy for a secure Information society in Europe
- Commission decision 28 June 2007 setting up the Expert Group on Radio Frequency Identification (decision No 467/2007/EC) aka RFID-Stakeholders Group
- COM(2007)96 (15/3/2007) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Radio Frequency Identification (RFID) in Europe: steps towards a policy framework (pdf), see also here
- call for privacy by design, code of conduct, guidelines
- towards Internet of Things & related databases
- Opinion of EDPS, December 2007, on above communication
- 5 basic privacy and security issues
- identification of the Data Subject as a risk (and problem of definition of personal data)
- identification of the Data Controller(s) can be hard but needed to establish responsibilities
- decreased meaning of the traditional distinction between the personal and public sphere
- size and physical properties of RFID-tags
- lack of transparency of the processing
- self-regulation at first but need for guidance
- opt-in principle, considered as already existing in the 95/46/EC but should be specified in self-regulatory instruments too
- privacy by design
- 5 basic privacy and security issues
- COM(2008)594 (29/9/2008) Communication from the Commission Communication on future networks and the internet (pdf)
- 2009/387/EC Commission Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (pdf) (copy here)
- invites MS to provide framework for privacy and data protection impact assessments to Art.29 WP within 12 months
- creation of an RFID logo, mandatory for tags & readers
- opt-in principle unless
- evaluated as not a likely threat
- retailers which are not operators (!! so opt-in drops if retailer is not equipped)
- MS invited to take measures within 25 months, Commission will publish an evaluation of the implementation in three years
- COM(2009)278 (18/6/2009) Communication from the Commission Internet of Things — An action plan for Europe (pdf)
- Informal working group on the implementation of the RFID
- Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy, chapter VI
- draft Privacy and Data Protection Impact Assessment (PIA) framework for RFID applications, 2010/03/31
- ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications
See also
- RFID page of European Commission / Information Society
- The Global RFID Interoperability Forum for Standards (GRIFS) is a Support Action Project funded by the European Commission with the aim to improve collaboration and thereby to maximise the global interoperability of RFID standards.
- Protecting privacy in the digital age (pdf), by Viviane Reding
- German Federal Office for Information Security (BSI) technical guidelines for RFID, covering eTicketing in public transports, in events, via NFC and RFID for trade logistics