Thomas Papaliagkas, LLM. Personal data protection in Internet. Greek Law. Law 2472/97: transposed the Directive 95/46/EC into internal Greek Law Law 3625/07: Forthcoming amendments Law 3741/06: transposed the Directive 2002/58/EC into internal Greek Law. Community Law.
Thomas Papaliagkas, LLM Personal data protection in Internet
Greek Law • Law 2472/97: transposed the Directive 95/46/EC into internal Greek Law • Law 3625/07: Forthcoming amendments • Law 3741/06: transposed the Directive 2002/58/EC into internal Greek Law
Community Law • The Directive 1995/46/EC is the main text on personal data protection in the European Union • The Directive 2002/58/EC particularises and complements Directive 95/46/EC for the protection of the right to privacy with respect to the processing of personal data in the electronic communication sector, and to ensure the free movement of such data and of electronic communication equipment and services in the Community
Main Definitions • 'Personal Data': "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly" (Art. 2 para 1 α of Law 2472/97). Identification may be made in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, as referred to in the provision of Art. 1 para. 1 of the Directive 95/46/EC. • This definition is very broad, since "personal data" is any data through which anyone is able to link the information to a person
Main definitions • Processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (Art. 2 para 1 δ Law 2472/97)
Main definitions • "Controller": The natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Art. 2 para 1 ζ Law 2472/97). • 'The data subject's consent': any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. • Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website.
Main definitions • 'Sensitive personal data': include data related to the tribe or nationality of the subject, political views, religious and philosophical beliefs, participation in a political party or syndicate, health, social welfare and sexual life, penal sentences, and participation in any other unions of persons like those mentioned above (Art. 2 para 1 γ Act 2472/97, as amended by the provision of Art. 8 para 3 of the Act 3625/2007).
Basic Principles • The main principles of both the Directive and the Greek Act are common. Generally, personal data processing is forbidden, except when certain conditions are met. • These conditions fall into three categories: transparency, legitimate purpose and proportionality.
Principle of Transparency • Data may be processed only under the following circumstances (art. 7): • 1) when the data subject has given his consent • 2) when the processing is necessary for the performance of or the entering into a contract • 3) when processing is necessary for compliance with a legal obligation • 4) when processing is necessary in order to protect the vital interests of the data subject • 5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data
Principle of Legitimate Purpose • Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes (art. 6 b). Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards.
Proportionality • Personal data may be processed only insofar as they are adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. • The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified (art. 6).
Principle of Legitimate Purpose • The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use (art. 6). • When sensitive personal data (such as religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply (art. 8).
Supervisory Authority • Supervisory authority and the public register of processing operations • Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated (art. 28). Individuals may lodge complaints about violations with the supervisory authority or in a court of law.
Authority for Personal Data Protection • A supervisory authority has been founded in every Member State, in the form of an independent body. The provisions of Art. 28 were implemented in Greek law by the provisions of Art. 15-20 of the Act 2472/97. The Greek authority is an independent body that monitors the data protection level in Greece; it is called “Αρχή Δεδομένων Προσωπικού Χαρακτήρα” (“Authority for Personal Data”).
The European Data Protection Supervisor (EDPS) • According to the provisions of the Directive 95/46/EC an independent authority was founded, aiming to watch and guarantee personal data protection; this is the European Data Protection Supervisor (EDPS). • The EDPS has three main functions: supervision, consultation, and cooperation.
EDPS: Function of Supervision • Supervision takes various forms: • The bulk of it is presently based on notifications of processing operations presenting specific risks. These need to be prior-checked by the EDPS. Based on the facts submitted to him, the EDPS will examine the processing of personal data in relation to Regulation 45/2001. In most cases, this exercise leads to a set of recommendations that the institution or body needs to implement, so as to ensure compliance with data protection rules. • The EDPS also receives complaints from EU staff members as well as from other people who feel that their personal data have been mishandled by a Community institution or body. If a complaint is admissible, the EDPS usually carries out an inquiry. The findings are communicated to the complainant, and necessary measures are adopted.
EDPS: Supervision • The EDPS may also carry out inquiries on his own initiative. Inquiries and inspections are essential for a supervisory authority to have the means for fact-finding, following up of cases and monitoring of compliance in general. • In order to monitor compliance with Regulation 45/2001, the EDPS largely relies on the Data Protection Officers (DPOs) who are to be appointed in each institution/body. Apart from bilateral meetings and contacts with the DPOs, the EDPS also takes part in the regular meetings of the DPO network. • Since January 2004, the EDPS has ensured the supervision of the central unit of Eurodac, a database of fingerprints of applicants for asylum and immigrants found illegally in the EU.
EDPS Function of Consultation • The EDPS advises the EU institutions and bodies on data protection issues in a range of policy areas. His consultative role relates to proposals for new legislation as well as soft law instruments like communications that affect personal data protection in the EU. He also monitors new technologies that may have an impact on data protection.
EDPS Function of Consultation • 2007: priorities broaden, with increasing focus on other areas of Community law, such as electronic communications and information society as well as public health. • Examines the data protection and privacy impact of proposed new legislation. The Policy paper of 2005 elaborates how this role is interpreted in terms of limitations in scope, working methods and main orientations. The EDPS uses different instruments in order to exercise this role. • 1) planning tool: Each year in December, the EDPS publishes an inventory of his priorities for the coming year. • 2) Public opinion. By issuing opinions on a regular basis, the EDPS establishes a consistent policy on data protection issues. The opinions are addressed to those involved in the legislative negotiations, but also published on the website as well as through the Official Journal of the EU. • 3) The EDPS comments, which address data protection issues for instance in Commission communications. • 4) Intervenes in cases before the Court of Justice, the Court of First Instance and the Civil Service Tribunal.
Function of Cooperation • Covers work on specific issues, as well as more structural collaboration together with other data protection authorities. • Aim of the EDPS: to promote consistency in the protection of personal data. • The central forum for cooperation in the EU is the Article 29 Working Party. This is where the national data protection authorities meet to exchange views on current issues, to discuss a common interpretation of data protection legislation and to give expert advice to the European Commission. The EDPS also participates in the work to ensure good data protection in the EU's third pillar,
Social Networking Technologies • Facebook: After a public backlash in the US, including more than 50,000 Facebook users' signatures on a protest petition, Facebook executives apologised and allowed an opt-out option on the programme. • The Directive doesn’t allow them to pick just one EU country and comply with its Data Protection laws. Directive 95/46 Recital 19 puts an onus on a Data Controller established in multiple territories to fulfill the obligations of all those states.
Facebook • 1) Is it subject to European law? • Legal Problem. Facebook Inc already has an office in London. This also puts them within the alternate definition of “establishment” (in the UK) • 2) Case of Ireland
Other Social Networking Sites • MySpace and Friendster, as well as online dating sites like eHarmony.com, may require departing users to confirm their wishes several times — but in the end, they offer a delete option
Anonymous or Pseudonymous Users • Anonymous or pseudonymous users: • A different class of identifiers having similar characteristics, IP addresses, was considered in the Article 29 Working Party's Opinion 4/2007 on the Concept of Personal Data
Hellenic Data Protection Authority • The Art. 29 Working Party is deeply concerned about the development taking place in Greece after the resignation of the President and 5 members of the Hellenic Data Protection Authority • Problem of real independence
Conclusion • - Can the Internet be auto-balanced? • - Greek Conseil d'Etat case-law • - The problem is not theoretical; the problem is execution. The legal framework can be easily amended, as soon as we find the problem. But, really, who is able to catch the illegals?