Download - Identity management, privacy and data protection...Identity management, privacy and personal data protection Studio Legale Finocchiaro Identity management and personal data • Personal

Prof. Avv. Giusella Finocchiaro University of Bologna

Studio Legale Finocchiaro

www.studiolegalefinocchiaro.it www.blogstudiolegalefinocchiaro.it

Identity management, privacy and personal data protection


Identity management and personal data

• Personal data collected during the identification and authentication processes

• Storage of such personal data

Charter of fundamental rights in the European Union

• Right to be left alone (art. 7)

• Right to control on personal data (art. 8)


The European general data protection Regulation (1/2)

• Regulation on the protection of individuals with regard to the processing of personal data and on

the free movement of such data


The European general data protection Regulation (2/2)

• Proposal presented by the European Commission on 25 January 2012

• Council adopted the position on the European Regulation on 8 April 2016 (first reading)

• European Parliament approved the Council position with no amendments on 14 April 2016 (second reading)

• Will enter into force in 2018


The impact on the current legal scenario

• Directive 95/46/EC on the processing of personal data of 24 October 1995 will be repealed

• From a Directive to a Regulation


The European Regulation Fundamental principles (1/2)

• Personal data collected for specified, explicit and legitimate purposes

• not further processing in a manner that is incompatible with those purposes


The European Regulation Fundamental principles (2/2)

• Information to the data subject

• Consent of the data subject

• Public Administration processes personal data for purposes connected to the performance of its tasks


The European Regulation Security measures

• Processing and storage security measures provided for

• Notification of a personal data breach to the supervisory authority and to the data subject


The European Court of Justice’s decisions


Google Spain (1/2)

• Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (Case C-131/12)


Google Spain (2/2)

• European law is applicable to the service provider

• Data subject can take legal actions against the service provider

• Obligation to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages published by third parties


Facebook (1/2)

• Maximillian Schrems v Data Protection Commissioner (Case C-362/14)


Facebook (2/2)

• European law is applicable to European subjects’ personal data

• Article 3 of the European general data protection Regulation drafted according to this principle


Policy implications

• Invalidation of the Safe Harbor

• Transmission of data: consent or pre-approved rules

• U.S.A.- Europe Privacy shield currently under negotiation


Economic value of personal data

• Big data

• “Anonymisation” processes


Personal data protection and open issues

• What is anonymous under European general data protection Regulation?

• Information that does not relate to

• identified or identifiable natural person or

• personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable


The end

www.studiolegalefinocchiaro.it www.blogstudiolegalefinocchiaro.it