COMNET – Legal Frameworks for ICT Regulating Privacy. David Cauchi, Information and Data Protection Commissioner. COMNET 2011 - MALTA - 02.06.2011
Outline: 1 Legal Framework and Supervision 2 Role of the Commissioner 3 Recent Developments 4 Conclusive Remarks
Legal Framework and Supervision – European Level • European Convention on Human Rights – Art 8 • Convention ETS No. 108 • EU Directives 95/46/EC, 2002/58/EC and 2006/24/EC • Recommendation No. R (87) 15 regulating the use of personal data in the police sector • Framework Decision 2008/977/JHA regulating the exchange of personal data in the context of police and judicial cooperation • Specific instruments establishing EU large-scale information systems (e.g. Europol, Schengen)
Legal Framework and Supervision – National Level • European Convention Act, Cap. 319 of the Laws of Malta • Convention ETS No. 108 – ratified in February 2003 • The Data Protection Act, Cap. 440, transposes Directive 95/46/EC • LN 16 of 2003 transposes Directive 2002/58/EC and subsequently Directive 2006/24/EC • LN 142 of 2004 applies to data processing by the Police, and the new LN 198 of 2011 implements Council Framework Decision 2008/977/JHA on police and judicial cooperation
Legal Framework and Supervision – Supervision Model • The European Data Protection Supervisor (EDPS) is responsible for processing by Community institutions • Specialised supervision by Joint Supervisory Authorities (JSAs) for Europol, Schengen, Eurojust and Customs, and EDPS coordinated supervision groups for Eurodac and Customs • JSAs and the EDPS centrally coordinate and harmonise the supervision carried out by the respective national data protection authorities • The Article 29 Working Party advises the Commission on data protection issues falling under Directive 95/46/EC • The Working Party on Police and Justice monitors and advises on data protection issues in the area of police and judicial cooperation • National data protection authorities are competent for data processing within their jurisdiction
Role of the Commissioner • The Commissioner is the sole National Supervisory Authority. • The Commissioner regulates both the private and public sector. • The Commissioner enjoys independence similar to that of a judge.
Role of the Commissioner The Commissioner is responsible for the independent supervision of data processing, including processing by law enforcement agencies, by: - ensuring compliance with the relevant instruments (Conventions/Decisions) and data protection legislation; - ensuring that the citizen's rights of access, rectification and blocking are respected; - where such a right is refused, receiving and deciding an appeal by the data subject; - carrying out such verifications and inspections as may be required.
Role of the Commissioner Independence The Data Protection Commissioner – • is appointed by the Prime Minister after having consulted the Leader of the Opposition; • holds office for a period of 5 years and is eligible for reappointment on the expiration of his term of office; • can only be removed by a motion of the Prime Minister upon an address of the House of Representatives supported by the votes of not less than two-thirds of all the members;
Role of the Commissioner Independence • may not hold any other office of profit (Article 37 of the Act, as amended in December 2003); • takes the oath of office before the Attorney General to carry out his duties without fear or favour; • is not subject to the direction or control of any other person or authority.
Role of the Commissioner Independence • The Commissioner has a distinct legal personality and is capable of – - entering into contracts; - acquiring, holding and disposing of any kind of property for the purposes of his functions; - suing and being sued; - doing all such transactions as are incidental or conducive to the exercise of his functions.
Role of the Commissioner Independence • Funding voted by the House of Representatives in the general estimates as a subvention. • Notification fees and fines deriving from administrative penalties accrue to the Office.
Role of the Commissioner – Functions The functions of the Data Protection Commissioner include: • to require the notification of processing operations and to keep a public register of such operations; • to exercise control and verify whether processing is carried out fairly and lawfully; • to intervene where a data subject is not allowed the right of access by a data controller; • to verify, at the request of the data subject, the lawful processing of personal data falling under Article 13 of the Directive (secrecy, national security, etc.);
Role of the Commissioner – Functions • to receive reports, claims and complaints from data subjects, taking remedial action where necessary; • to encourage the drawing up of codes of conduct by the various sectors; • to bring the provisions of the Act to the knowledge of the general public and to give advice to any person where it is required; • to advise Government on any legislative measures in relation to his functions; and • to collaborate with supervisory authorities of other countries.
Role of the Commissioner – Power of Investigation To enable investigation the Commissioner has the right to: • access personal data being processed; • obtain information and documentation on the processing of personal data and its security; • enter and search any premises with the same powers as are vested in the executive police. Inspections may also be carried out at law enforcement authorities, subject to the Commissioner's written authorisation. The outcome is reported directly and solely to the Commissioner.
Role of the Commissioner – Power of Intervention The Commissioner may order: • rectification where data is unlawfully processed; • a data controller to stop processing personal data (except for storage): - when rectification is not effected; - when sufficient information cannot be obtained following an access request; or - if the urgency of the matter so requires.
Role of the Commissioner – Power of Intervention • The Commissioner also has the power to issue a notice for erasure. • The notice may be appealed to the Court of Appeal within 15 days. • The notice becomes effective: - after 15 days if no appeal is lodged; or - after the Court of Appeal affirms the erasure order, in case of an appeal.
Role of the Commissioner – Power to Engage in Legal Proceedings • The Commissioner may institute proceedings in a Court of law and may appear before the Appeals Tribunal and the Court of Appeal. • Similarly, any person aggrieved by a decision of the Commissioner may appeal to the Data Protection Appeals Tribunal: - in writing; - within 30 days from notification of the decision; - on any of the following grounds: a material error concerning the facts; a material procedural error; an error of law; some material illegality, including unreasonableness or lack of proportionality.
Role of the Commissioner – Power to Engage in Legal Proceedings Recourse to the Court of Appeal also lies to a party or to the Commissioner aggrieved by a decision of the Tribunal: • within 30 days from the decision; and • only on a question of law.
Role of the Commissioner – Power to Engage in Legal Proceedings The Commissioner shall commence proceedings against any person who: • provides untrue information to data subjects or to the Commissioner; • processes personal data in contravention of the criteria required to process sensitive personal data, or data relating to criminal records or security measures; • illegally transfers personal data to a third country; • omits to give notification as required by law, or provides untrue information in such notification.
Role of the Commissioner – Power of Enforcement Penalties following court proceedings: on conviction a person may be liable to • a fine not exceeding €23,290; • imprisonment for a term not exceeding six months; or • both such fine and imprisonment.
Role of the Commissioner – Power of Enforcement Administrative fines may be imposed by the Commissioner, by an order in writing to the data controller, where: • personal data is processed in an unlawful manner; • appropriate security measures are not in place; • a person does not comply with a lawful request relevant to an investigation by the Commissioner. An administrative fine shall not exceed €23,290 for each violation, and €2,329 for each day during which a violation continues.
Recent Developments • The processing of data is widespread and facilitated by the use of the internet and social network sites; • Common trends nowadays include internet profiling and behavioural and location-based advertising; • Information is becoming increasingly exposed and vulnerable, leading to security breaches, hacking or other unlawful action; • Initiatives at EU level aim to facilitate information processing or exchange in order to enhance security and justice; • The EU-US Agreement on the sharing of information on financial transactions held by SWIFT to investigate the funding of terrorism (TFTP Agreement); • EU plans aim to centralise or converge existing systems; • Privacy challenges are constantly on the increase.
Recent Developments – How is the EU reacting? • The entry into force of the Lisbon Treaty (the end of the three-pillar structure) and constant technological developments have urged the European Commission to reconsider the data protection legal framework; • The EU is currently revising that framework with the intention of creating a comprehensive and simplified legal structure applicable to all data protection aspects, including law enforcement, and which strengthens the data subject's rights and remedies; • Major changes in the e-Privacy framework include the mandatory notification of security breaches and the requirement to obtain consent when processing data by means of tracking cookies.
Conclusive Remarks • Information has become a fundamental tool for private and public sector entities; • Data protection rights should be safeguarded; • Close collaboration between all stakeholders, such as industry, law enforcement agencies and the Commissioner, is needed to ensure effective data protection; • Education and awareness are the fundamentals for creating a relationship of mutual trust.
Conclusive Remarks – Creating the right balance: the need or obligation for data processing on one side, and the data subject's data protection principles and rights on the other.
Contact Details – Thank you! Office of the Information and Data Protection Commissioner Tel: (+356) 2328 7100 E-Mail: idpc.info@gov.mt Portal: www.idpc.gov.mt The floor is now open for discussion.