Privacy, TBDF and E.U: Beyond the frontiers
Yves Poullet, Prof. at the Univ. of Namur, Director of the CRID
St John’s CBA Conference, August 15, 2006
I. Preliminary considerations: From art. 8 ECHR to TBDF (1)
• Council of Europe Approach
  • Nature of the Right to Privacy: under art. 8 ECHR, privacy constitutes a fundamental Human Right, even if not absolute (see para. 2 of the article)
  • Scope: the Convention is a « living instrument » and a « one-way street » (Tyrer, 1978 / Selmouni, 1999: « It will not lead to a lowering of standards »): from privacy-intimacy to privacy-autonomy… from protection of only Sensitive Data to all Data (Rotaru, 1999)
  • Effectiveness: Human Rights must be « practical and effective » and must not be kept as theoretical and illusory (Airey, 1979)
From art. 8 ECHR to TBDF (2)
• Primary Role of the State: the State is the ultimate guarantor of Human Rights and Freedoms: « the State has a positive obligation to ensure that everyone within its jurisdiction enjoys in full, and without being able to waive them, the rights and freedoms guaranteed by the Convention. » (Refah, 2003)
From art. 8 ECHR to TBDF (3)
• EU Approach:
  • The ECHR has to be considered as a « constitutional instrument of EU public order » (Loizidou, ECJ, 1995)
  • The ECHR has priority vis-à-vis any other international or national norms (Matthews, ECJ, 1999)
  • Towards a constitutional recognition of Data Protection as a Human Right apart from Privacy (art. 8 of the HR Charter 2000), to be enforced both internally and externally vis-à-vis third countries: 4 main principles:
    • all personal data are covered;
    • use of personal data is limited to legitimate purposes;
    • data subjects’ right of access;
    • prominent role of the DPA in ensuring respect for the DP principles
From art. 8 ECHR to TBDF (4)
• Consequences: the need for the E.U. to intervene in TBDF: a preliminary distinction.
• The problem of traditional TBDF: from Europe to third countries (Dir. 95/46) and the Lindqvist case
  • A person located in Europe exports data to a third country: articles 25 and 26 of the EU Directive 95/46
    « (56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations; (57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited; » (Recitals of the EU directive)
  • A person located in Europe puts certain data on his web site (the Lindqvist case): are articles 25 and 26 applicable?
From art. 8 ECHR to TBDF
• The new problems created by the global nature of the Internet infrastructure: new privacy risks created by persons located outside of Europe: from Echelon to the Directive 2002/58
II. The Directive 95/46 (1)
• The basic principle: the Directive is applicable if « the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State;… » (art. 4 1.a))
• Exception: art. 4 1.c): « the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State,… » (obligation then to designate a representative established in the territory of that Member State)
• Ambiguous meaning of this provision: either a reference to art. 25 ff., or cases of remote use of automated processing on the part of controllers outside the EU (cookies, spyware, etc.)
The Directive 95/46 (2)
• Provisions on TBDF: « Transfers » are forbidden unless « adequate » protection is offered by the recipient located in the third country.
  • « Adequate » does not mean « equivalent »
  • Case-by-case approach
  • No EU imperialism as regards the means of protection (self-regulation is acceptable; see Safe Harbor and BCR)
  • Functional and risk-oriented approach
  • Double approach as regards both content and effectiveness: see the so-called « methodology paper » (Art. 29 WG, WP n° 12 (1998))
    • Content Principles: security / access / proportionality / …
    • Effectiveness Principles: data subject assistance / independent authority / proportionate and dissuasive sanctions
The Directive 95/46 (3)
• Adequacy might be met in different ways:
  • Through the regulatory (in the broadest sense) environment: art. 25.2 + possible intervention of the EU Commission (US Safe Harbor / Argentina / Switzerland / currently: Japan, Israel, India, …).
  • Due to the specific source or content of the TBDF: art. 26.1
  • Through appropriate contractual measures (EU Commission Decisions C/2001/497/EC; C/2004/5271) between sender and recipient
  • Through Binding Corporate Rules in the case of multinational companies (Art. 29 W.P., Doc WP 108 (April 14, 2005))
The Directive 95/46 (4)
• Some findings about the EU TBDF legal regime under Dir. 95/46:
  • Great flexibility… with the risk of discrimination between third countries
  • Extraterritorial impacts but no extraterritorial application of the EU regime
  • Diversity of implementation as regards the control of adequate protection (see the Report on the Directive’s implementation (2003)), even if efforts are being undertaken by the Art. 29 W.P. and the Commission
  • Lack of a « unique locket »
The Directive 95/46 (5)
• Are art. 25 ff. applicable to web services: the Lindqvist Case (ECJ, Nov. 6, 2003)?
• The case: set-up of a Swedish parish web site with personal data, including sensitive data
• Court’s position: no transfer / weak arguments
  • Transfer means active transmission towards third countries and not consultation from abroad? (Is this distinction between « pull » and « push » of any value considering the technology?)
  • If there is a transfer, it is in any case operated by the hosting service and not by the web site creator (R: Hosting service is just a sub-contractor)
  • In the context of the www, transfer would be considered the general rule (R: Exceptions (art. 26) are available and interventions are possible).
The Directive 95/46 (6)
• Are art. 25 ff. applicable to web services: the Lindqvist Case (ECJ, Nov. 6, 2003)?
  • Need to work on the different exceptions (art. 26.1)
  • Creating a web site is governed by the « freedom of expression » Human Right: how to reconcile freedom of expression and privacy?
  • Duty of care as regards hosting providers and web site creators
  • Possibility of intervention by the public authority in case of major risks
III. The Directive 2002/58 (1)
• A new context: with electronic and interactive communications, the global infrastructure is itself the risk for its users, and no longer the specific operation of transfer by data controllers established in EU countries
• Consequence: the provisions of the Directive 2002/58 target all electronic communications services provided in the EU, without taking into account the nationality or the establishment of their providers
• Extraterritoriality of the Directive…
III. The Directive 2002/58 (2)
• Examples:
  • Spamming carried out by companies located outside of the EU Community (art. 13) (quite interestingly, the same assertion holds as regards the US Spam Act, which set up an opt-out system);
  • Severe limitations as regards the use of electronic communications for gaining access to information stored in the terminal equipment (art. 5.3);
  • Limits on the storage of traffic and location data (art. 6 and 9);
  • Duty of confidentiality (art. 5.1);
  • Specifications as regards terminal equipment and its privacy compliance (art. 14).
III. The Directive 2002/58 (3)
• Compliance with WTO rules? Reflections after the WTO Appellate Body decision in the Internet Gambling Case (first Internet case)
• The Case: U.S. v. Antigua. The Wire Act drastically limits the possibility for foreign web site providers to offer gambling services through the Internet and thus contradicts the GATS rules.
• Appellate Body’s opinion:
  • The Wire Act and the measures taken on this basis effectively affect the cross-border supply of gambling services
  • These « measures » are necessary to protect public morals or to maintain public order… (Art. XIV of the GATS): « the public order exception may be invoked only where a genuine and sufficiently serious threat is posed to one of the fundamental interests of society »
III. The Directive 2002/58 (4)
• The « necessity » of the Wire Act as « vital and important at the highest degree » due to the peculiarities of the remote supply of gambling services (virtual anonymity, low barriers to entry, no social control of the players, volume and speed of the operations…)
• and no reasonable alternative might be found (discussion with Antigua is not a reasonable alternative)
Conclusions
• The same reasoning as that followed in the WTO Gambling Case might be held as regards the EU « Privacy Protection » rules, including those contained within the Directive 2002/58.
• Furthermore, Privacy is expressly mentioned in Art. XIV of the GATS as a possible exception to the free cross-border market if no arbitrary or unjustifiable discrimination exists.
• The characteristics of the global and interactive Internet network and the new associated risks for privacy justify the EU position and its adoption of certain restrictive measures to guarantee Internet users’ Privacy, considered as a Human Right.
• Finally, as previously said under the ECHR case-law, it is the absolute duty of the EU Member States to ensure this right effectively in the new ICT context and to give absolute priority to the ECHR vis-à-vis any other rules.
• AND NOW WHAT WE NEED: GLOBAL PRIVACY RULES FOR A GLOBAL INFRASTRUCTURE (WSIS, Tunis, 2005)
If you disagree or if you want to send me complementary findings, please do not hesitate:
• Yves.poullet@fundp.ac.be
• http://www.crid.be