130 likes | 442 Views
Data Protection Principles as Basic Foundation for Data Protection in EU/EEA. Introduction to Data Protection Theory Seminar - AFIN 02. 02. 2006 Stephen K. Karanja Researcher AFIN. Protection of Personal Data in EU and EEA. Main Data Protection Laws
E N D
Data Protection Principles as Basic Foundation for Data Protection in EU/EEA Introduction to Data Protection Theory Seminar - AFIN 02. 02. 2006 Stephen K. Karanja Researcher AFIN
Protection of Personal Data in EU and EEA • Main Data Protection Laws • EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data • National data protection laws. • Norwegian Personal Data Act 2000
What are Data protection Principles? • Abstractions from rules • Good practices • Safeguards • ECHR & case law
Basic Principles • Fairly and Lawful • Minimality • Purpose Specification • Data Quality • Data Security • Sensitivity • Individual Participation -------------------------------------------------------- • Disclosure Limitation • Transfer of Data to Third Countries • Supervision
Fairly and Lawful Principle • Art. 6 (1)(a) Directive & §11(a) PDA personal data must be processed fairly and lawfully • Most important • What does Fairly Mean? • Conform to laid down rules and procedures • Sensitive and take account of data subjects interests and reasonable expectations – proportionality and balance • Transparency – not secret – no deception • What does Lawful Mean? • Legality principle– permitted by law or authorised • Done with lawful justification or excuse (legitimate) - Article 7 Directive & §8 & 9 PDA • Article 8(2) ECHR & case law • Transparency
Minimality Principle • Art. 6(1)(e) & § 28 PDA • Necessary – personal data collected should be limited to what is necessary to achieve the purposes for which the data are gathered and further processed • What is necessary? • Art. 7 & 8 Directive • §8 & 9 PDA • Art. 8 (2) ECHR case law – “a pressing social need” i.e. proportionate to the legitimate aim pursued. Incal v. Turkey (1998) 29 EHRR 449 §57 • SAS Braathens request for fingerprints of passengers • Non-excessiveness, proportionality (to the purpose) Art. 6 (1)(c) Directive & § 11(d) PDA • Data erasure and anonymity § 11(e), 27 & 28 PDA
Purpose Specification Principle • Art. 6(1)(b) Directive & §11(b) PDA • Personal data shall be processed for specified, lawful/legitimate purposes and not processed in ways that are incompatible with those purposes. • Specified, defined or stated purpose • Lawful/legitimate purpose - proportionality • Further processing not incompatible with original purpose • Transparency • Exceptions • Art. 9 Directive - freedom expression: Journalistic, artistic & literary purposes and expression • §11 para. 2 PDA – historical, statistical or scientific purposes
Data Quality • Personal data should be valid with respect to what they are intended to describe, and relevant and complete with respect to the purpose for which they are intended to be processed. - Art. 6 (1)(c)(d) Directive & §11(d)(e) PDA • Adequacy • Relevancy • Non-excessiveness • Accuracy • Up to datedness • Completeness • Rectification (supplement) and erasure or blocking
Data Security • Data are not destroyed accidentally and not subject to unauthorised access, alteration, destruction or disclosure - Art. 17 Directive & § 13 PDA • Implement appropriate technical and organisational measures • Securing technical equipment and networks • Contracts where processing is carried out on behalf of the controller • Accessibility
Sensitivity Principle • Limits the processing of certain types of data which are regarded as especially sensitive for data subject and requires specific safeguards as compared with other personal data - Art. 8 Directive & § 9 PDA • What is sensitive data? • Art. 8 (1) Directive & § 2 (8) PDA – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life. • Data relating to criminal act – a person has been suspected of, charged with, indicted or convicted of a criminal act. • Exemptions • Art. 8 (2) Directive & § 9 PDA • Personal Identity Numbers or other identification numbers or identifier of general application • § 12 PDA – can only be used where objective need for certain identification and necessary to achieve such identification • Data Inspectorate may require the use of PIN in order to ensure that the personal data are of adequate quality.
Individual Participation • A set of data subject’s rights. The rights are designed to enable data subjects to have a degree of control and participate in the processing of their personal data • Balance of power • Self-determination or individual control principle • The rights • Right of access Art. 12 Directive & § 18 PDA • Right to information regarding automated decisions ( Art. 15 Directive & § 22 PDA) • Right to object Art. 14 Directive • Adversary affect the data subject • Direct marketing • Right to rectification, erasure and blocking • Obligation to notify or provide information • When data are collected from the data subject • When data are collected from other persons • In connection to with the use of personal profiles § 21 PDA • Right to demand manual processing § 25 PDA
Exemptions • Rights are not always absolute. Exemptions allow processing of personal data where State or societal interests may override individual interests i.e. protection of fundamental values in a democratic society • Mitigate conflict or balance competing interests • General • Art. 3(2) • Art. 9 Directive • Art. 13 Directive & § 22 PDA • Limitations – provided for by legislative measure and must be necessary. • Interpretation Art. 8 (2) ECHR • ECJ case of Österrechicher Rundfunk et al 20 May 2003 joined cases C-465/00, C-139/01 &C-139/01 • Specific • Sensitive data