Difference between revisions of "Privacy: Legal European Framework"

From YobiWiki
m (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen)
 
(4 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
with some accents on [[RFID]]
 
with some accents on [[RFID]]
   
* European Convention for Human Rights (ECHR), 1953:
+
* '''European Convention for Human Rights (ECHR)''', 1953:
** Art 8: right to private life
+
** '''Art 8''': right to private life
 
** by Lisbon Treaty: EU is now also member of it, not only the MS (Member States).
 
** by Lisbon Treaty: EU is now also member of it, not only the MS (Member States).
* OECD Organization for Economic Cooperation & Development published in 1980:
+
* '''OECD''' Organization for Economic Cooperation & Development published in 1980:
** ''Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data''
+
** ''Recommendations of the Council Concerning '''Guidelines''' Governing the Protection of Privacy and Trans-Border Flows of Personal Data''
* ''The Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data'' (Convention 108), 1981
+
* ''The Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data'' ('''Convention 108'''), 1981
* ''Data Protection'' Directive (95/46/EC) & Regulation (EC) Nr. 45/2001 (~same as directive but for EU bodies)
+
* '''''Data Protection'' Directive (95/46/EC) & Regulation (EC) Nr. 45/2001''' (~same as directive but for EU bodies)
* ''ePrivacy'' Directive (2002/58/EC)
+
* '''''ePrivacy'' Directive (2002/58/EC)'''
 
** replaces 97/66/EC
 
** replaces 97/66/EC
 
** amended by 2009/136/EC, see below
 
** amended by 2009/136/EC, see below
* ''Data Retention'' Directive (2006/24/EC)
+
* '''''Data Retention'' Directive (2006/24/EC)'''
 
** MS can choose mandatory retention between 6 to 24 months
 
** MS can choose mandatory retention between 6 to 24 months
 
** to be implemented by 15/9/2007 (internet 15/3/2009) but still some MS fail
 
** to be implemented by 15/9/2007 (internet 15/3/2009) but still some MS fail
 
** Romania constitutional court declared it unconstitutional (8/10/2009) <> privacy rights & secrecy of correspondence
 
** Romania constitutional court declared it unconstitutional (8/10/2009) <> privacy rights & secrecy of correspondence
  +
** German High Court rejected the transposition law (2/3/2010): The court said the law went far beyond the requirements of the EU directive.
* Framework decision 2008/977/JHA of the Council
+
* '''Framework decision 2008/977/JHA''' of the Council
 
** data protection for police & judicial cooperation in criminal matters (only cross-border)
 
** data protection for police & judicial cooperation in criminal matters (only cross-border)
 
** former third pillar
 
** former third pillar
 
* 31st annual International conference of data protection and privacy commissioners
 
* 31st annual International conference of data protection and privacy commissioners
** The ''Madrid Privacy Declaration'', 3 November 2009, by Civil Society
+
** The '''''Madrid Privacy Declaration''''', 3 November 2009, by Civil Society
 
*** Urges for a data breach legal framework
 
*** Urges for a data breach legal framework
 
*** Recommends research on PETs (Privacy Enhancing Technique) such as anonymization
 
*** Recommends research on PETs (Privacy Enhancing Technique) such as anonymization
 
*** Calls for moratorium on development of new systems of mass surveillance such as facial recognition, whole body scanners, biometric identifiers and '''embedded RFID tags'''
 
*** Calls for moratorium on development of new systems of mass surveillance such as facial recognition, whole body scanners, biometric identifiers and '''embedded RFID tags'''
** The ''Madrid Resolution'', 5 November 2009
+
** The '''''Madrid Resolution''''', 5 November 2009
*** ''Joint proposal for a draft of international standards on the protection of privacy with regards to the processing of personal data''
+
*** '''''Joint proposal for a draft of international standards on the protection of privacy with regards to the processing of personal data'''''
 
*** Largely similar to main principles & rights of 95/46/EC + accountability principle
 
*** Largely similar to main principles & rights of 95/46/EC + accountability principle
* Directive 2009/136/EC, 25 November 2009, to be transposed before May 2011
+
* '''Directive 2009/136/EC''', 25 November 2009, to be transposed before May 2011
** modifying among others the ePrivacy directive 2002/58/EC
+
** amending, among others, the ePrivacy directive 2002/58/EC
 
*** urges for a data breach principle regardless of the sector, or the type, of data concerned (recital 59)
 
*** urges for a data breach principle regardless of the sector, or the type, of data concerned (recital 59)
 
*** mentions the directive is applicable also '''to RFID''' ''when such devices are connected to publicly available electronic communications networks or make use of electronic communication services as a basic infrastructure'' (recital 56)
 
*** mentions the directive is applicable also '''to RFID''' ''when such devices are connected to publicly available electronic communications networks or make use of electronic communication services as a basic infrastructure'' (recital 56)
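Review bot: the new line "German High Court rejected the transposition law (2/3/2010)" names the court differently from the parallel Romanian entry two lines above it ("constitutional court"); if the German ruling was likewise by the constitutional court, say so, since "High Court" is ambiguous and the two entries describe the same kind of decision. Also, the same pass that bolds "Data Retention Directive" could fix "between 6 to 24 months" to "between 6 and 24 months" and "Romania constitutional court" to "Romanian constitutional court".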
Line 35: Line 36:
 
*** covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access
 
*** covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access
 
*** obligation without undue delay, to DPA, and to subjects if likely to adversely affect the personal data or privacy of a subject, unless security measures were properly implemented (=encryption)
 
*** obligation without undue delay, to DPA, and to subjects if likely to adversely affect the personal data or privacy of a subject, unless security measures were properly implemented (=encryption)
  +
** covers spam, cookies, malwares & viruses
** spam
 
* Treaty of Lisbon, entered into force on 1 december 2009
+
* '''Treaty of Lisbon''', entered into force on 1 december 2009
** Article 16 of the TFEU (Treaty on the Functioning of the European Union)
+
** '''Article 16 of the TFEU''' (Treaty on the Functioning of the European Union)
 
*** ''Everyone has the right to the protection of personal data concerning him''
 
*** ''Everyone has the right to the protection of personal data concerning him''
 
*** covers also justice/policy & EU bodies, only provisions are in Art 39 of the TEU (Treaty on the European Union): concerning CFSP (Common Foreign & Security Policy)
 
*** covers also justice/policy & EU bodies, only provisions are in Art 39 of the TEU (Treaty on the European Union): concerning CFSP (Common Foreign & Security Policy)
 
*** was Art 286 in the former ''Treaty establishing the European Community''
 
*** was Art 286 in the former ''Treaty establishing the European Community''
** Charter of Fundamental Rights of the European Union becomes binding (opt-out UK & Poland)
+
** '''Charter of Fundamental Rights of the European Union''' becomes binding (opt-out UK & Poland)
** Art 8 on protection of personal data
+
** '''Art 8''' on protection of personal data
 
*** ''Everyone has the right to the protection of personal data concerning him''
 
*** ''Everyone has the right to the protection of personal data concerning him''
 
*** fairly, for specified purposes, on basis of consent or some legitimate basis
 
*** fairly, for specified purposes, on basis of consent or some legitimate basis
 
*** right of access, right of rectification
 
*** right of access, right of rectification
 
*** control by authority
 
*** control by authority
* Stockolm Program
+
* '''Stockolm Program'''
 
** sets framework 2010-2014 for cooperation in the area of justice & home affairs
 
** sets framework 2010-2014 for cooperation in the area of justice & home affairs
 
** data protection principles are present
 
** data protection principles are present
* New Commission
+
* '''New Commission'''
 
** now 2 commissioners for the former ''justice, freedom and security'' post:
 
** now 2 commissioners for the former ''justice, freedom and security'' post:
 
*** justice freedom & citizenship (Viviane Reding)
 
*** justice freedom & citizenship (Viviane Reding)
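Review bot: the bolding edits to "Stockolm Program" and "Treaty of Lisbon, entered into force on 1 december 2009" leave two typos in place that should be fixed in the same pass: "Stockholm" and "December". The replacement bullet "covers spam, cookies, malwares & viruses" should read "malware" (mass noun), and since it sits at a different list depth from the breach-notification sub-items just above it, it would read better as "also covers spam, cookies, malware & viruses" so the subject (the amending directive) is clear.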
Line 85: Line 86:
 
** privacy by design
 
** privacy by design
 
* COM(2008)594 (29/9/2008) Communication from the Commission [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0594:FIN:EN:PDF Communication on future networks and the internet (pdf)]
 
* COM(2008)594 (29/9/2008) Communication from the Commission [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0594:FIN:EN:PDF Communication on future networks and the internet (pdf)]
* 2009/387/EC [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:122:0047:0051:EN:PDF Commission Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (pdf)]
+
* 2009/387/EC [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:122:0047:0051:EN:PDF Commission Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (pdf)] (copy [http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf here])
 
** invites MS to provide framework for privacy and data protection impact assessments to Art.29 WP within 12 months
 
** invites MS to provide framework for privacy and data protection impact assessments to Art.29 WP within 12 months
 
** creation of an RFID logo, mandatory for tags & readers
 
** creation of an RFID logo, mandatory for tags & readers
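Review bot: the mirror link added as "(copy here)" to the 2009/387/EC entry omits the "(pdf)" marker that every other PDF link in this list carries; label it "(pdf copy here)" or similar so readers know it is the same document, in PDF form, hosted on ec.europa.eu.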
Line 93: Line 94:
 
** MS invited to take measures within 25 months, Commission will publish an evaluation of the implementation in three years
 
** MS invited to take measures within 25 months, Commission will publish an evaluation of the implementation in three years
 
* COM(2009)278 (18/6/2009) Communication from the Commission [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0278:FIN:EN:PDF Internet of Things — An action plan for Europe (pdf)]
 
* COM(2009)278 (18/6/2009) Communication from the Commission [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0278:FIN:EN:PDF Internet of Things — An action plan for Europe (pdf)]
  +
* [http://ec.europa.eu/information_society/policy/rfid/documents/participateinworkgroup.pdf Informal working group on the implementation of the RFID]
  +
* [http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-03-19_Trust_Information_Society_EN.pdf Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy], chapter VI
  +
* [http://ec.europa.eu/information_society/policy/rfid/documents/d31031industrypia.pdf draft Privacy and Data Protection Impact Assessment (PIA) framework for RFID applications], 2010/03/31
  +
* [http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications]
   
 
See also
 
See also
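Review bot: the four new entries are dated inconsistently: the draft PIA framework uses "2010/03/31" while the surrounding entries use day/month/year ("18/6/2009"), and the informal working group, EDPS opinion and ENISA opinion carry no date at all. The link text "Informal working group on the implementation of the RFID" also reads as cut off (implementation of the RFID what?); check it against the linked document's title and complete it.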

Latest revision as of 21:37, 24 November 2010

Data Protection related European legislation and initiatives

with some accents on RFID

  • European Convention for Human Rights (ECHR), 1953:
    • Art 8: right to private life
    • by Lisbon Treaty: EU is now also member of it, not only the MS (Member States).
  • OECD Organization for Economic Cooperation & Development published in 1980:
    • Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data
  • The Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108), 1981
  • Data Protection Directive (95/46/EC) & Regulation (EC) Nr. 45/2001 (~same as directive but for EU bodies)
  • ePrivacy Directive (2002/58/EC)
    • replaces 97/66/EC
    • amended by 2009/136/EC, see below
  • Data Retention Directive (2006/24/EC)
    • MS can choose a mandatory retention period of between 6 and 24 months
    • to be implemented by 15/9/2007 (internet 15/3/2009), but some MS still fail to do so
    • Romanian constitutional court declared it unconstitutional (8/10/2009) as conflicting with privacy rights & secrecy of correspondence
    • German High Court rejected the transposition law (2/3/2010): The court said the law went far beyond the requirements of the EU directive.
  • Framework decision 2008/977/JHA of the Council
    • data protection for police & judicial cooperation in criminal matters (only cross-border)
    • former third pillar
  • 31st annual International conference of data protection and privacy commissioners
    • The Madrid Privacy Declaration, 3 November 2009, by Civil Society
      • Calls for a legal framework on data breaches
      • Recommends research on PETs (Privacy Enhancing Techniques) such as anonymization
      • Calls for a moratorium on the development of new systems of mass surveillance such as facial recognition, whole body scanners, biometric identifiers and embedded RFID tags
    • The Madrid Resolution, 5 November 2009
      • Joint proposal for a draft of international standards on the protection of privacy with regards to the processing of personal data
      • Largely similar to main principles & rights of 95/46/EC + accountability principle
  • Directive 2009/136/EC, 25 November 2009, to be transposed before May 2011
    • amending, among others, the ePrivacy directive 2002/58/EC
      • calls for a data breach principle regardless of the sector, or the type, of data concerned (recital 59)
      • mentions the directive is applicable also to RFID when such devices are connected to publicly available electronic communications networks or make use of electronic communication services as a basic infrastructure (recital 56)
    • personal data breach notification principle
      • applies if the breach occurs in connection with the provision of a publicly available electronic communications service
      • covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access
      • notification obligation without undue delay to the DPA, and to the data subjects if the breach is likely to adversely affect their personal data or privacy, unless security measures were properly implemented (i.e. encryption)
    • also covers spam, cookies, malware & viruses
  • Treaty of Lisbon, entered into force on 1 December 2009
    • Article 16 of the TFEU (Treaty on the Functioning of the European Union)
      • Everyone has the right to the protection of personal data concerning him
      • covers also justice/police cooperation & EU bodies; the only separate provisions are in Art 39 of the TEU (Treaty on the European Union), concerning the CFSP (Common Foreign & Security Policy)
      • was Art 286 in the former Treaty establishing the European Community
    • Charter of Fundamental Rights of the European Union becomes binding (opt-out UK & Poland)
    • Art 8 on protection of personal data
      • Everyone has the right to the protection of personal data concerning him
      • data must be processed fairly, for specified purposes, on the basis of consent or some other legitimate basis
      • right of access, right of rectification
      • control by an authority
  • Stockholm Program
    • sets framework 2010-2014 for cooperation in the area of justice & home affairs
    • data protection principles are present
  • New Commission
    • now 2 commissioners for the former justice, freedom and security post:
      • justice freedom & citizenship (Viviane Reding)
      • foreign affairs & security (Catherine Ashton)
    • Commission consultation on 95/46/EC
      • general principles are still valid but we need clarification on consent, transparency and introduction of data breach & accountability principles
      • 1/12/2009: WP168, a joint contribution by the Art.29 WP and the WPPJ (Working Party on Police and Justice) to the Commission's consultation on the legal framework for the fundamental right to protection of personal data: The Future of Privacy (pdf)

Data Protection related bodies

RFID-related

See also