PRIVACY AND SECURITY: THE BELGIAN CASE. 24-09-2008. CRDP (Centre de Recherche en Droit Public), Faculté de Droit, Université de Montréal.
INTRODUCTORY CONCEPTS PRIVACY Protection of privacy in European and national law Right to privacy in European Law: Article 8 §1 of the European Convention for the protection of Human Rights (ECHR): Right to respect for private and family life. Right to privacy in the Belgian Constitution: Article 22 recognizes the right to respect for private and family life, except in the cases and conditions determined by law. Article 29 guarantees the secrecy of correspondence. Protection of personal data: EU Directive on Data Protection of 1995. Law on Protection of personal data of 1992, amended in 1998 in order to comply with the European directive. Royal Decree of implementation of 2001.
INTRODUCTORY CONCEPTS PRIVACY International instruments European Convention for the protection of Human Rights and Fundamental Freedoms of 1950, ECHR. “Convention 108” or Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data of the 28th of January 1981. Guidelines of the OECD (1) governing the protection of privacy and transborder flows of personal data. (1) Organisation for Economic Co-operation and Development.
INTRODUCTORY CONCEPTS PRIVACY Violation of privacy test Article 8 §2 of the ECHR requires 3 cumulative conditions: 1. The necessity of a legal basis. 2. A legitimate aim: national security; public safety; economic well-being of the country; prevention of disorder or crime; protection of health and morals; protection of rights and freedoms of others. 3. “Necessary in a democratic society”: examination of the “necessary” and “proportional” character of the interference.
INTRODUCTORY CONCEPTS PRIVACY The Privacy Commission Instituted by the Data Protection Law of 1992. Role: As Data Protection Authority, the Privacy Commission examines all the questions arising in the enforcement of the privacy principles contained in the Data Protection Law, and in any law containing provisions relating to the protection of privacy in the processing of personal data. Missions: Provides opinions and recommendations. Provides authorizations to process and communicate personal data. Receives and examines all complaints relating to the protection of privacy and the processing of personal data. Provides information and assistance to citizens, processors, and the public and private sectors.
INTRODUCTORY CONCEPTS PRIVACY The Privacy Commission Investigative powers: Article 32 of the Data Protection Law: In examining complaints, the Commission may organize inspections. In these cases, the Commission’s agents: • Act as police officers. • Can obtain from the processor any document useful for the inquiry. • Can enter any place, based on serious motive. • Reports infringements to judicial authorities. • Submits a case to civil courts.
INTRODUCTORY CONCEPTS NATIONAL SECURITY AND PUBLIC SAFETY External implications • 2000-2015 Strategic Plan of the Defence Ministry • National security is conceptualized around 3 main characteristics: • A proactive policy, which implies a preventive and active management of threats. • Recourse to civil instruments, which implies that economic or diplomatic aid may offer adequate responses to identified risks. • A multinational approach, which means that Belgium's membership of the European Union guides it in security matters.
INTRODUCTORY CONCEPTS NATIONAL SECURITY AND PUBLIC SAFETY Internal implications 2008-2011 National Security Plan of the Home Affairs Ministry identifies the main risks and threats: • Environmental criminality. • Cyber criminality. • Financial criminality. • Money laundering. • Terrorism. • Human trafficking.
INTRODUCTORY CONCEPTS NATIONAL SECURITY AND PUBLIC SAFETY Right to security Not conceptualized as a legal principle. But often employed by elected representatives…
SECURITY v. PRIVACY GENERALITIES Exceptions to the right to privacy based on national security considerations Article 13 of the EU Directive on Data Protection. Article 3 §4 of the Belgian Data Protection Law, for the intelligence and security agencies. Article 3 §5 of the Belgian Data Protection Law, for the police services.
SECURITY v. PRIVACY GENERALITIES Right to privacy in the context of terrorist attacks Mainly: Transfer of PNR data to the US. Introduction of biometric features in passports. The SWIFT affair. Data retention directive of 2006.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework Distinction between: (1) information retained by police services; (2) information retained by intelligence and security agencies.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 1 - Information retained by police services Article 3 §5 of the Data Protection Law provides an exception to the application of some data protection principles for the processing of personal data by administrative and judicial police services, when acting in the framework of their missions. Main provisions not applicable: • Data subject information. • Right of access. • Right of rectification.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 1 - Information retained by police services Article 44-1 of the Law on the function of police of 1992: in the framework of their missions of administrative and judicial police, police services can collect and process personal data “presenting a concrete interest”. Article 44-4: institutes the National General Data Bank (NGDB), held by the federal police.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 1 - Information retained by police services a - Collection of data: Application of the principles enshrined in the Data Protection Law. b - Communication of data: • To judicial authorities. • To Belgian or foreign police services. • To permanent committees P (police) and R (renseignements), which have a general competence of control over the police and intelligence agencies. • To intelligence and security agencies. • To Interpol and Europol. c - Data retention and destruction: Should have been detailed in a Royal Decree of implementation. Transitory regime applies different rules of retention according to the data.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 1 - Information retained by police services d - Organ of control, called “Organe de contrôle” • Under the authority of the Justice and Interior Affairs Ministers. • Presided over by a federal magistrate. Missions: Controls the processing of personal data by the police services, in particular: The respect for the rules of access to the NGDB. The respect for the rules of transmission to the NGDB. Investigative powers: Unlimited access to information contained in the NGDB. Unlimited access to police offices.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 2 - Information retained by intelligence and security agencies Article 3 §4 of the Data Protection Law provides an exception to the application of many data protection principles for the processing of personal data by intelligence and security agencies and their organ of control, the Committee “R”. Main provisions not applicable: • Particular protection of sensitive data. • Data subject information. • Right of access by individuals. • Right to opposition. • Obligation of notification. Enforceable principles: • Data quality principles: principle of fair processing and collection for legitimate and specific purposes. • Proportionality principle. • Necessity of a legal basis.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 2 - Information retained by intelligence and security agencies Law on Intelligence and security services of 1998, Article 13: “in the framework of their missions, (intelligence and security agencies) can collect, receive and process any information and personal data that may be useful for the execution of their missions”. a - Collection of personal data: • Public sources: judicial authorities and any public agents. • Private sources, on request. • Human sources.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 2 - Information retained by intelligence and security agencies b - Communication of data: • To Chiefs ministers. • To judicial and administrative authorities. • To police services. • To any other bodies or competent persons involved in a national/public safety mission. c - Data retention and destruction: Information not available.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 2 - Information retained by intelligence and security agencies d - Organ of control: “Committee R” The Law of the 18th of July 1991 creates the “Committee R”, which controls the intelligence and security agencies. • Presided over by a magistrate. • Comprising an investigation service. • Subject to a very high level of “secrecy”. Role: Controls the respect, by the intelligence and security agencies, for the rights guaranteed to persons by the Constitution and the law.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 3 - Indirect access for individuals • Article 13 of the Data Protection Law provides that the rights of rectification and access are exercised through the Privacy Commission. • Access conditions: • Data subject identity. • Main reasons why the individual believes he or she is on file with security agencies.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 3 - Indirect access for individuals • Concerning a processing of personal data managed by police services, the Commission exercises: the right of access; the right of rectification or destruction, if necessary. • Concerning a processing of personal data by intelligence and security agencies, the Commission can only make recommendations.
SECURITY v. PRIVACY GENERALITIES Information pertaining to national security: Legal framework 3 - Indirect access for individuals Communication to the data subject: The Commission communicates that “necessary verifications” have been done. Except when the processing of personal data managed by a police service concerned an identity control, the Commission determines, with the police service involved, which information can be communicated to the data subject.
SECURITY v. PRIVACY GENERALITIES Personal data held by the private sector: Legal framework • General legislation: Data Protection Law of 1992 • Specific legislations • Article 31 bis of the Data Protection Law states that specific Committees must be instituted to control and provide authorization relating to processing and communication of data, subject to specific legislation. • 6 specific legislations/Committees: • Law of 1983 on the National Register. • Law of 1990 on the Social Security Network. • Law of 2003 on the “Banque Carrefour des entreprises”. • Law of 2005 “Phenix”, which concerns data retained by the judicial authority. • Law of 1962 on Public Statistics. • Law of 1992 on Data protection which creates a special committee in charge of the control of data flows within the federal administration.
SECURITY v. PRIVACY GENERALITIES Personal data held by the private sector: Legal framework Disclosure of information by the private sector 1. To police services Article 26 bis Code of Criminal Procedure: Police services have an “autonomous power” to start an investigation. In this framework, police officers may ask the private sector to disclose personal data, but in accordance with the Data Protection Law, the private sector does not have any obligation to disclose the information. When acting under the orders of magistrates, in the framework of a judicial investigation, police can require the private sector to disclose personal data, and the private sector has the obligation to furnish it.
SECURITY v. PRIVACY GENERALITIES Personal data held by the private sector: Legal framework Disclosure of information by the private sector 2. To intelligence and security agencies Article 16 of the Intelligence and security agencies Law of 1998 states: “Intelligence and security agencies can ask personal data, when necessary to their missions, to any private organism or private person”. But, according to the Data Protection Law, it is far from clear that the private sector has the obligation to disclose personal data to the said agencies…
SECURITY v. PRIVACY SPECIFIC ISSUES Data mining • From the public sector • Mainly through the National General Data Bank, which is divided into 4 books: • Judicial police information book. • Administrative police information book. • Circulation information book. • Data Protection book. • Conditions of data mining by security authorities should have been detailed in a Royal Decree of implementation, not yet published. • A transitory regime applies, defined in the “directive MFO3” of the 14th of June 2002, supplemented by an unpublished internal circular.
SECURITY v. PRIVACY SPECIFIC ISSUES Data mining From the public sector a. Conditions of access: • Be part of the police services. Distinction between two profiles, basic and advanced, which do not give the same access rights. • Necessity to justify a “need” to consult the NGDB. Every consultation of the NGDB by police officers is recorded in order to help the organ of control in its work. b. Conditions of transmission of data to the NGDB: Police services collect, process and transmit to the NGDB any information presenting a “concrete interest” for their missions.
SECURITY v. PRIVACY SPECIFIC ISSUES Wiretapping Telecommunications wiretapping Article 90ter Code of Criminal Procedure. 3 conditions: • It must be ordered by a “juge d’instruction”. • For limited purposes = it serves to determine offences enumerated in the list attached to article 90ter. • As a subsidiary means of inquiry = there is no other efficient means of inquiry.
SECURITY v. PRIVACY SPECIFIC ISSUES Wiretapping Internet monitoring Federal level: the FCCU (Federal Computer Crime Unit), whose mission is to fight against cybercriminality and to protect the virtual society against new kinds of criminality. It is assisted, at the regional level, by RCCUs (Regional Computer Crime Units). It receives reports relating to cybercriminal acts, mainly paedophilia on the Internet, and carries out Internet monitoring.
SECURITY v. PRIVACY SPECIFIC ISSUES Wiretapping • Internet monitoring • If the FCCU discovers a criminal offence: • If Belgium has jurisdiction, it notifies the judicial authorities. • If the offence falls under foreign jurisdiction, it notifies the foreign police services through Interpol. • If the FCCU discovers an administrative offence, or information relating to a criminal investigation: • It informs the competent authority and communicates the information to it.
SECURITY v. PRIVACY SPECIFIC ISSUES Biometry EU Council Regulation on biometric features in passports and travel documents of 2004: With the aim of improving the security of travel documents, biometric features are integrated in passports. These identifiers comprise: • Facial image. • Fingerprints. EU Council Regulation proposal for a uniform visa with biometric identification of 2003: In the framework of the establishment of the Visa Information System (VIS), the proposal aims at the introduction of biometric identifiers: • Facial image. • Fingerprints.
SECURITY v. PRIVACY SPECIFIC ISSUES Traffic data retention 1 - Current regime a - Categories of data to be retained: Article 126 of the Law of the 13th of June 2005 on electronic communications: “operators record and retain traffic data and identification data”. b - Consultation conditions: For the prosecution and repression of criminal offences. For the repression of malicious calls to emergency services. For identifying a person who has maliciously used an electronic communications network. c - Periods of retention: Between 12 months minimum and 36 months maximum.
SECURITY v. PRIVACY SPECIFIC ISSUES Traffic data retention 2 - Future regime: EU Directive on Data Retention, 2006 a - Categories of data to be retained: • Identification data of the source and destination of a communication. • Date, time, duration of a communication. • Type of communication. • Identification data of the user’s communication equipment. • Location data of the mobile communication equipment. b - Consultation conditions: For the prevention, repression and prosecution of criminal offences, in particular organized crime and terrorism. c - Periods of retention: Between 6 months minimum and 24 months maximum.
SECURITY v. PRIVACY SPECIFIC ISSUES Traffic data retention 3 - Transposition in Belgian Law • Revision of Article 126 of the Law on electronic communications currently under debate. • According to the Privacy Commission, the current bill goes beyond the directive concerning: • The categories of persons subject to the retention obligation. • The conditions of retention. • The categories of data to be retained.
SECURITY v. PRIVACY SPECIFIC ISSUES Video surveillance • Law on Video Surveillance of 2007 governs the use and installation of cameras in: • Public sector: such as in stadiums, public parks, streets, etc. • Private sector: in shops, supermarkets, in the entrance of a private building, etc.
SECURITY v. PRIVACY SPECIFIC ISSUES Video surveillance • Authorization regime • In open places: • Positive opinion of the Communal Council. • Positive opinion of the local chief of police after a “security and efficiency assessment”. • Notification to the Privacy Commission. • In closed places, accessible to the public or not: • Notification to the local chief of police. • Notification to the Privacy Commission. • In closed places, not accessible to the public, and intended exclusively for domestic and personal purposes: • No authorization or notification.
SECURITY v. PRIVACY SPECIFIC ISSUES Globalization and the circulation of information • Transfer of personal data • EU Data Protection Directive provides a common standard concerning transfer of personal data, often referred to as the regime of the “first pillar”: • Between Member States of the EU: • Principle of free movement of data, under the standard protection of the EU Directive on Data Protection. • Toward third countries: • Article 25: if the country of destination ensures an “adequate level of protection”, the transfer can take place, otherwise the transfer is prohibited.
SECURITY v. PRIVACY SPECIFIC ISSUES Globalization and the circulation of information Sharing of information for law enforcement purposes International provisions: “Convention 108” or Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data of the 28th of January 1981. Additional Protocol of the 8th of November 2001. Recommendation n° R (87) 15 of the Committee of Ministers of the Council of Europe regulating the use of personal data in the police sector.
SECURITY v. PRIVACY SPECIFIC ISSUES Globalization and the circulation of information Sharing of information for law enforcement purposes Between Member States and European bodies: As a Member State of the EU and a participant in cooperation agreements, Belgium shares information for law enforcement purposes in several legal frameworks: - Europol. - Eurojust. - Prüm Treaty. - Schengen Agreement. This system reflects the sector-specific approach of the EU in this matter and, thereby, the absence of a common standard.
SECURITY v. PRIVACY SPECIFIC ISSUES Globalization and the circulation of information • Sharing of information for law enforcement purposes • With third countries and organizations • Directly: Belgium can decide to share and transfer police information with foreign enforcement authorities (Art 44-1 of the Law on the function of Police). • Through Europol: Europol has over the years concluded numerous “operational agreements” (including the exchange of personal data) and “strategic agreements” (not including the exchange of personal data) with several third countries and organizations. • In the absence of a common standard regulating the sharing of information for law enforcement purposes with third countries, Europol has developed a system of self-regulation.
SECURITY v. PRIVACY SPECIFIC ISSUES Globalization and the circulation of Information Sharing of information for law enforcement purpose Toward the principle of availability Proposal for a Council Framework Decision of 12 October 2005 on the exchange of information under the principle of availability. The proposal would require Member States to "ensure that information shall be provided to equivalent competent authorities of other Member States and Europol, in so far as these authorities need this information to fulfil their lawful tasks for the prevention, detection or investigation of criminal offences."
SECURITY v. PRIVACY SPECIFIC ISSUES Globalization and the circulation of Information • Sharing of information for law enforcement purpose • Toward a common standard of protection in EU? • Proposal for a Council Framework Decision of 4 October 2005 on the processing and protection of personal data in the framework of police and judicial cooperation in criminal matters. • Toward common principles between EU and US? See the EU-US High Level Contact Group report on information sharing and privacy and personal data protection of May 2008, which identifies the common principles and their scope and recommends the adoption of a binding international instrument.