Data Protection and the Internet – New Challenges. The reform of the data protection legal framework – current developments. Roberto Lattanzi, Italian Data Protection Authority

Page 1

Data Protection and the Internet – New Challenges

The reform of the data protection legal framework – current developments

Roberto Lattanzi, Italian Data Protection Authority

Page 2

Reform of the data protection legal framework

• 25.01.2012 – COM(2012) 11. Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR), repealing Directive 95/46/EC

• 25.01.2012 – COM(2012) 10. Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, repealing Framework Decision 977/2008/JHA

Page 3

Why a reform of the data protection legal framework?

• Update the legal framework to the techno-scientific changes and developments, ensuring its effectiveness (internet – ECJ Case C-101/01 Bodil Lindqvist; biometric and genetic data)

• Lack of full harmonisation among the EU Member States, (potentially) hampering the development of the single (efficient) market: need to reduce fragmentation and administrative burdens (e.g. notification)

• Lisbon Treaty: data protection as a fundamental right in all EU policy fields (also in the context of law enforcement)

Page 4

Reform of the data protection legal framework

The state of the art – COD, ordinary legislative procedure (ex-codecision procedure) – the (draft) Regulation

Flowchart of the procedure, recovered from the slide diagram:

• EC Proposal (January 2012)

• Opinions (mandatory): EESC / CoR; Opinions (optional): EDPS, Art. 29 WP

• 1st reading EP – LIBE Committee – amendments (February 2013)

• 1st reading Council – Working Party on Information Exchange and Data Protection (DAPIX) – "You are here" (June 2013)

• Council position on EP amendments – if the Council agrees on the EP amendments, the act is adopted

• 2nd reading EP – amendments to the Council's position

• 2nd reading Council

• 3rd reading and conciliation procedure – Adoption, or Rejection (act is not adopted)

Timeline markers on the slide: January 2012, February 2013, December 2013 (EP / EU Council)

Page 5

Reform of the data protection legal framework

WP Art. 29

• Opinion 01/2012 on the data protection reform proposals – WP 191 (23.03.2012)

• Opinion 08/2012 providing further input on the data protection reform discussions – WP 199 (05.10.2012)

• Working Document 01/2013 – Input on the proposed implementing acts – WP 200 (22.01.2013)

See also:

• Opinion 04/2012 on Cookie Consent Exemption – WP 194 (07.06.2012)

• Opinion 05/2012 on Cloud Computing – WP 196 (01.07.2012)

EDPS

• Opinion of 7 March 2012 on the data protection reform package

• Additional EDPS Comments of 15 March 2013 on the Data Protection Reform Package

See also:

• Opinion of 16 November 2012 on the Commission's Communication on "Unleashing the potential of Cloud Computing in Europe"

Page 6

Draft General Data Protection Regulation – Main innovations (1)

• Extension of the scope of EU data protection law (Art. 3): EU law is applicable to controllers established in third countries (also) when offering goods and services to individuals in the EU or monitoring of their behaviour (extension clearly related to the “internet reality”)

• New definitions (among others, genetic data, biometric data, personal data breach, main establishment, group of undertakings, binding corporate rules) & additions to existing definitions in Directive 95/46 (Art. 4)

• Confirmation of the well-established data protection principles and their fine-tuning: privacy by design and by default (art. 22, art. 23), data minimisation principle and personal data breach notification (art. 31 and 32)

• «Old» and «new» rights of the data subject: the right to oblivion (Art. 11 ff. – right to be forgotten and to erasure, art. 17: also on the Internet) and the right to data portability (Art. 18)

Page 7

Draft General Data Protection Regulation – Main innovations (2)

• Data controller accountability tools:

• (Mandatory v. optional) «Data Protection Officer» – mandatory where (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects (art. 35 ff.)

• Centralised approach to protecting data protection and privacy (mainly relying on DPAs) vs. decentralised approach (mainly relying on DPOs spreading awareness and knowledge among private or public companies). The GDPR is moving towards an integrated approach

• DPO as data protection expert (within the DC), (first) contact point within the DC for data subjects (e.g. in case of complaint handling) and "bridge" between the DC and the DPA (consulting and cooperating with the competent DPA). A tool to ensure, in an independent manner (functional autonomy), the internal application of the national provisions

• DPO's tasks in 3 steps: a) AUDIT; b) DIAGNOSTIC (legal analysis and evaluation of the data processing); c) internal RECOMMENDATIONS/PRESCRIPTIONS

• Data Protection Impact Assessment (art. 33 ff.)

Page 8

Draft General Data Protection Regulation – Main innovations (3)

• DPAs (art. 46–54) – independence (see ECJ Case C-518/07 Commission v. Germany; ECJ (Grand Chamber), 16 October 2012, Case C‑614/10 Commission v. Austria), functions, powers, resources; one-stop-shop principle (art. 51)

• Cooperation among DPAs (mutual assistance – art. 55; joint operations of supervisory authorities, such as joint investigative tasks, joint enforcement measures and other joint operations – art. 56; and consistency mechanism: BCR, CCS)

• Sanctions: European administrative sanctions – up to 1 000 000 EUR or, in the case of an enterprise, up to 2 % of its annual worldwide turnover (art. 78 ff.)

Page 9

Draft General Data Protection Regulation – Main criticalities (1)

The so-called «horizontal» issues

• Choice of the legal instrument: regulation v. directive (problem solved or open issue?)

• (Effective) enforceability

• Implementing and delegated acts & EC powers (also «veto»)

• Administrative burdens, risk-based approach (?), SMEs: "During the discussion, there was a large consensus that in order to reduce the administrative burden and more generally the compliance costs on companies, a more risk-based approach should be followed. In this sense, the Council instructed the competent preparatory bodies to continue to work on concrete proposals to implement a strengthened risk-based approach in the text of the draft regulation" (3207th Council of the EU meeting, Justice and Home Affairs, Brussels, 6 and 7 December 2012)

• «Flexibility» for the public sector (room for a new fragmentation?)

Page 10

Draft General Data Protection Regulation – Main criticalities (2)

• (Possible) lack of harmonisation due to the lawfulness principle or concerning given (wide) sectors, e.g. the «workplace privacy» issue: Article 82(1) gives Member States the possibility to "adopt by law specific rules regulating the processing of employees' personal data in the employment context" (see Protection of Personal Data in Work-related Relations, STUDY, LIBE, 2013, 66 ff.: "patchwork of national rules")

• Scope of application of the GDPR (anonymous data; pseudonymous data, which remain personal data; personal or household activity; need to clarify the notion of "main establishment" to reduce the risk of abuses and ensure that the concept of a "one-stop-shop" for companies is effective)

• "Uncertainty as regards rights and obligation in borderline issues, for instance where commercial data is accessed by law enforcement authorities for law enforcement purposes and transfers between authorities that are responsible for law enforcement and those that are not" (Albrecht report)

• DPAs & EDPB:

• (Financial, technical and human) resources for DPAs

• Cooperation among DPAs (e.g. cross-border investigation, standardised procedural rules)

• Coordination among DPAs (e.g. conducting joint actions) and with the EDPB, preserving at the same time (all involved) DPAs' independence (lead DPA): need to address the case of possible divergences between DPAs and/or the EDPB

Page 11

Useful materials & links

European Commission – Justice – Data Protection page: http://ec.europa.eu/justice/data-protection/index_en.htm

Page 12

(No) Conclusions?

• For the Irish Presidency (and the Council) no single part of the Regulation can be considered agreed until the text of the whole Regulation is agreed (May 31, 2013, Justice and Home Affairs Council of the European Union)

• Vote postponed at the LIBE Committee

• Risk of a race to the bottom, notwithstanding the (declared) preservation of the existing protection level & guarantees

• More tasks for the DPAs? For sure, and an increased need for cooperation/coordination between them; the European Data Protection Board in search of a role (up to now: Art. 29 Working Party)

• Applicable law and judicial redress

• Impact on the national legislation in the field: two / three years for implementing measures, if necessary

Page 13

Many thanks

Grazie!
