E.commerce and Personal Data Protection according to EU and Italian Laws and Regulations
Giorgio Corno, Avvocato - Solicitor
IBLS GLOBAL E-COMMERCE SUMMIT 2006
Costa Mesa - California (USA), March 16 – 17, 2006
Aim of this presentation
• Description of EU regulations concerning the protection of natural and legal persons with regard to personal data processing, as well as the free movement of data on the Internet
• Reference shall also be made to the Italian acts which transposed the EU acts
Fundamental Rights and Freedoms
• Rights of personal status are:
 - inviolable
 - absolute (protected erga omnes)
 - not waivable
 - indefeasible
• Protected by either criminal or civil regulations
Right to privacy
• Among the rights of personal status, the right to:
 - privacy, as the right to be let alone
 - personal identity
 - personal data protection
• The right to privacy concerns the intimacy of private and family life against other people’s interferences
• It differs from the protection of honor, dignity, reputation and image
• It has to be balanced with the community’s right to information (when a leading public interest exists)
Information and personal data
• Information has economic and strategic relevance
• Information includes personal data
• Relevance of personal data processing
• Need for a high level of protection for:
 a) fundamental rights and freedoms, as well as dignity, particularly with regard to confidentiality and personal identity;
 b) the right to personal data protection
International laws and regulations
• Article 12 of the Universal Declaration of Human Rights of 10 December 1948;
• Article 17 of the International Covenant on Civil and Political Rights of 16 December 1966;
• Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms of 4 November 1950;
• Convention for the protection of individuals with regard to automatic processing of personal data of 28 January 1981 and recommendations adopted by the Council of Europe;
• Enforcement of the Convention of the Schengen Agreement dated 14 June 1985 for the gradual abolition of controls at the common frontiers (paragraphs n. 126 - 130)
European laws and regulations
• Treaty establishing a Constitution for Europe, par. II – 68 (2004);
• Treaty of Nice amending the Treaty on European Union, the Treaties establishing the European Communities and certain related acts (2001/C 80/01), par. 7-8;
• Treaty on European Union: Article 6 (respect for human rights and fundamental freedoms in the EU);
• EC Treaty: Article 286;
• European Convention on Human Rights and Fundamental Freedoms: Articles 7 (respect for private and family life) and 8 (protection of personal data);
• Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
European Union Directives
• Directive n. 95/46/EC of the European Parliament and of the Council of 24 October 1995 (“General Directive”) concerns the processing of personal data and the free movement of such data within the Community
• Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning specific rules for the processing of personal data and the protection of privacy in the telecommunications sector
• Directive n. 2002/58/EC of 12 July 2002 on the processing of personal data and the protection of private life in the electronic communications sector (“E-Privacy Directive”): it repealed Directive 97/66/EC
Italian Data Protection Laws and Regulations
A) Primary sources
• Law n. 675 dated 31 December 1996, effective since 8 May 1997, which, together with subsequent regulations, transposed in Italy the General Directive and its amendments
• Act n. 196 dated 30 June 2003, effective since 1 January 2004, which approved the Personal Data Protection Code:
 - harmonized all the previous regulations on personal data processing
 - transposed in Italy Directive 2002/58/EC
B) Secondary sources
• Deontological and good behavior codes (paragraph n. 12 of Decree n. 196/2003):
 - subscribed by the Guarantee Authority
 - published in the Official Gazette
Personal data. Definition
• Any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information, including a personal identification number
• Personal data:
 - may identify a person
 - sensitive (or semi-sensitive)
 - judicial
Personal Data Processing
• Any operation or set of operations concerning collection (for example: e-mail address collection), recording (for example: recording on a carrier in order to use these data in the future, for determined, defined and legitimate purposes), organization, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, blocking, interconnection, communication, dissemination, erasure and destruction of data, whether or not the latter are contained in a data bank
• It can be carried out with or without electronic data processing instruments
Exercise of rights by the data subject
• Data subjects: any natural or legal person, body or association that is the subject of personal data
• Data subject’s rights:
 - to access personal data
 - other rights:
  * obtaining the data and placing them at the interested party’s disposal
  * no right to copy acts/documents which contain personal data
  * right to timely confirmation
Data controller
• Notion: any natural or legal person, public administration and other body, association or entity that is competent – also jointly with another data controller – to specify the purposes and methods of the processing of personal data and the relevant means, including security matters
• Legal person, public administrative agency or other body, association or entity: the data controller shall be either the entity as a whole or the department or peripheral unit having fully autonomous decision-making powers in respect of the purposes and mechanisms of processing operations, also related to security matters
Data Controller (2)
• Obligations:
 - information to data subjects
 - consent collection
 - notification to the committee for the protection of privacy (Autorità Garante per il Trattamento dei Dati Personali, “Garante”), if compulsory
 - authorization from the Garante
 - communications to the Garante according to paragraph 39
 - adoption of security measures
 - designation of the data controller and of the persons in charge of the processing
 - instructions to the data controller and to the persons in charge of the processing
 - security
Data Processor
• Notion: natural or legal person, public administration and other body, association or entity that processes personal data on the controller’s behalf
• Obligations: information to data subjects; observance of the instructions given analytically in writing by the data controller (including security matters); designation of the persons in charge of the processing; instructions to the persons in charge of the processing
• Appointment: optional, by the data controller
Persons in charge of the processing
• Notion: “Natural persons that have been authorized, in writing, by the data controller or processor to carry out processing operations”
• Designation:
 - in writing;
 - it punctually identifies the permitted scope of processing;
 - it is also fulfilled if a natural person is entrusted with the task of directing a department, on a documentary basis, whereby the scope of the processing operations that may be performed by the staff working in said department has been specified in writing
Personal Data Processing. General principles
• Personal data shall be processed lawfully and fairly. Consequently:
 - the purpose of processing must be clearly defined by the data controller;
 - processing must take place on legitimate grounds such as consent, contract, law or balance of interests
Personal Data Processing. Purposes of data processing
• Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
• Further processing of data for historical, statistical or scientific purposes shall not be considered incompatible, provided that Member States provide appropriate safeguards
Personal Data Features
• Personal data shall be:
 - adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
 - accurate and, where necessary, kept up to date; data which are inaccurate or incomplete shall be erased or rectified;
 - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed
Information to Data subjects
• Minimum information to be provided to the data subject in cases when data are:
 - collected directly from him;
 - collected from a third party or from other sources, such as Internet public spaces (public directories, newsgroups or chat-rooms); or
 - disclosed to third parties
Information to Data subjects (2)
• Essential information:
 - identity of the controller and of his representative;
 - purpose of data processing, except where the data subject already has this information
• Further information (when necessary, having regard to the specific circumstances in which data are collected, to guarantee fair processing in respect of the data subject):
 - recipients of the data;
 - consent obligation;
 - existence of access and rectification rights
Information to Data subjects (3)
• Article 29 Data Protection Working Party on information provided to data subjects:
 - use of language and layout that are easily understandable;
 - multi-layered format for data subject notices;
 - legal acceptance of short notices within a multi-layered structure that, in its totality, complies with the legal requirements
Data Subjects’ Consent
• Personal data are processed only if the data subject agrees to the processing of the personal data relating to him as a whole, or to one or more of the operations thereof
• Consent must be:
 - free and specific;
 - documented in writing (given in writing for sensitive data);
 - provided by the data subject after receiving the required information
Consent of Data Subjects (2)
• Consent shall not be required for certain processing operations. Among them, processing that:
 - is necessary to comply with an obligation imposed by a law, regulations or Community legislation;
 - is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or else in order to comply with specific requests made by the data subject prior to entering into a contract;
 - concerns data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations and Community legislation with regard to their disclosure and publicity
Data security
• The processor needs to adopt appropriate technical and organizational measures to protect personal data against:
 - accidental or unlawful destruction or accidental loss;
 - alteration;
 - unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network;
 - all other unlawful forms of processing
• Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation
Data security (2)
• Where processing is carried out on his behalf, the controller:
 - must choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and
 - must ensure compliance with those measures
• The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
 (a) the processor shall act only on instructions from the controller;
 (b) the security obligations shall also be incumbent on the processor
• For the purposes of keeping proof, the contract or legal act shall be in writing or in another equivalent form
Part III
Personal Data Processing on the Internet
General principles
Electronic communications, networks, services
• Electronic communication: any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service through an electronic communications network
• Electronic communications networks: transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed
• Electronic communications services: services normally provided for remuneration which consist wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but excluding services providing, or exercising editorial control over, content transmitted using electronic communications networks and services
EU and Italian laws and regulations
• Directive 2002/21/EC of 7 March 2002 concerning a common regulatory framework for electronic communications networks and services (so-called “Framework Directive”);
• Directive 2002/19/EC on access to and interconnection of electronic communications networks and associated facilities (so-called “Access Directive”);
• Directive 2002/20/CE on the authorisation of electronic communications networks and services (so-called “Authorisation Directive”); and
• Directive 2002/22/CE on universal service and users’ rights relating to electronic communications networks and services (so-called “Universal Service Directive”)
• These directives were enacted in Italy through Act 1 August 2003, n. 259 (so-called Electronic Communications Code)
Risks and needs of personal data processing and electronic communications
• Electronic communications widen the range of information concerning the way in which citizens conduct their daily lives
• Information is easily collectable through publicly available electronic communications networks and services over the Internet
• Need for an equal level of protection of the fundamental rights and liberties of users of publicly available electronic communications services, in particular their private lives, to face developments in the markets and technologies for electronic communications services
Directive 2002/58/EC
• Directive 2002/58/EC (e-Privacy Directive) particularizes and complements Directive 95/46/EC (General Directive) for the purpose of ensuring:
 - an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector; and
 - the free movement of such data and of electronic communications equipment and services in the Community
Principles of the General Directive which apply also to the e-Privacy Directive
• The principles of Directive 95/46/EC are kept as valid, particularized and complemented
• The legitimate interests of subscribers who are legal persons, as well as natural persons, are protected
• Other definitions, in addition to those of Directive 95/46/EC (i.e. users or subscribers)
Information to data subjects
• See above
• Information is always required in the processing of e-mail as well as of other personal data contained in:
 - web sites
 - terminal equipment
 - traffic data
Consent of Data Subjects
• Freely given, specific and informed indication of the user’s wishes: use of appropriate methods enabling it, including by ticking a box when visiting an Internet website
• Not compatible with the definition of consent of the General Directive:
 - implied consent to receive electronic communications, where this would be done unless opposition is made (opt-out);
 - pre-ticked boxes on websites
Data security and publicly available electronic communication service
• Providers of a publicly available electronic communications service should adopt specific security measures: suitable technical and organizational measures, adequate in the light of the existing risk, in order to safeguard the security of their services and the integrity of traffic data, location data and electronic communications against any form of unauthorized utilization or access
Data security and publicly available electronic communication service (2)
• Where the security of the service or of personal data makes it necessary to also take measures applying to the network, those measures are taken jointly with the provider of the public communications network
• Information to subscribers and, if possible, users concerning:
 - any risk of a breach of network security;
 - all possible remedies, including an indication of the likely costs involved, when the risk lies outside the scope of the measures to be taken by said provider
Part IV
Personal Data Processing on the Internet
Specific issues
Collection of e-mail addresses
• Collection directly from:
 - a person, with a view to electronic mailing; or
 - a third party to which the e-mails have been disclosed
• The data controller:
 - must inform the data subject of the collection purposes at the time of collecting the address;
 - shall receive the prior consent of the recipient before sending the message (so-called opt-in principle). This rule is not valid for certain EU Member States
• The data subject shall have the right – at the time of collection and at all times thereafter – to object to this use of his/her data by electronic means
Collection of e-mail addresses (2)
• Collection in a public space on the Internet (on the network by proper programs, or in forums and newsgroups, or from lists included in web pages or elsewhere), or the performance of other operations concerning personal data included in e-mail collected therein, is:
 - unfair;
 - against the “purpose principle”;
 - not necessary for the purposes of the legitimate interests pursued by the controller
Information to Data Subjects visiting web sites
• Meets the requirements of Directive 95/66/2006;
• Provides the identity and the physical and electronic address of the controller and, when appointed, of the processor;
• Contains a clear statement of (a) the purposes of the processing for which the controller is collecting data via the site; (b) the obligatory or optional nature of the information to be provided;
• Mentions the existence of and the conditions for exercising the rights to consent or to object to the processing of personal data, as well as to access, rectify and delete these data
Information to Data Subjects visiting web sites (2)
• Lists the recipients or categories of recipients of the collected information;
• Discloses whether data are processed for purposes other than providing the requested service;
• Asks for the opportunity to transmit data to countries outside the EU;
• Provides the name and address of the service or person responsible for answering questions;
• Mentions the existence of automatic data collection procedures before using such a method to collect any data;
• Lists the security measures guaranteeing the authenticity of the site and the integrity and confidentiality of the information transmitted
Information to Data Subjects when visiting web sites (3)
• Languages: those used on the site and, in particular, in those places where personal data are to be collected
• EU seal system for Internet sites according to common criteria of data protection assessment that could be determined at the Community level (Article 29 Data Protection Working Party)?
• Comparison with the safe harbor program between the US and the EU
Terminal equipment and information stored therein
• Terminal equipment of users of electronic communications networks, as well as any information stored on such equipment, are part of the private sphere of the users
• The European Convention for the Protection of Human Rights and Fundamental Freedoms applies
Spyware, web bugs, hidden identifiers, cookies
• Can enter the user’s terminal without the user’s knowledge in order to gain access to information, to store hidden information or to trace the user’s activities
Terminal equipment and information stored therein (2)
• The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is allowed only:
 - upon prior clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing;
 - if the user is offered the right to refuse such processing by the data controller (so-called opt-in principle)
• Any technical storage or access is not prevented if:
 - done for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or
 - strictly necessary in order to provide an information society service explicitly requested by the subscriber or user (Article 5, e-Privacy Directive)
Processing of Traffic Data. General rule
• Traffic data: any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof
• Traffic data relating to subscribers and users, processed and stored by the provider of a public communications network or publicly available electronic communications service:
 - are kept only for the purpose of the transmission of a communication;
 - as soon as the transmission is finished, they must be erased or made anonymous
Processing of Traffic Data. Exceptions to the general rule
A) Traffic data may be kept for purposes of subscriber billing and interconnection payments or for other purposes
• Which data? Only the necessary ones, i.e. adequate, relevant and not excessive in relation to billing and interconnection payments
• For how long? Only up to the end of the period during which the bill may lawfully be challenged or payment pursued (article 123.2 of the Data Protection Code: not more than six months)
 - Where the bill has been paid and is not being challenged, the data should no longer be stored.
 - Where the bill has not been paid (or has been paid) and is being challenged, the data may be stored for a longer period, in order to enable disputes to be resolved.
Processing of Traffic Data. Exceptions (2)
B) Traffic data may be kept for the purpose of marketing electronic communications services or for the provision of value added services
• The provider of a publicly available electronic communications service may process traffic data to the extent and for the duration necessary for such services, if the subscribers or users to whom the data relate:
 - have given their consent;
 - have been given the possibility to withdraw their consent for the processing of traffic data at any time