Annex. I. Strengthening the basic right to data protection and strengthening the rights of the individual

Transcription

1 Annex Comments on the consultation regarding the Communication A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final I. Strengthening the basic right to data protection and strengthening the rights of the individual 1. Germany s federal and state data protection commissioners welcome the European Commission s guiding principle for the reform of EU data protection law: fully applying the fundamental right to the protection of personal data under Article 8 of the EU Charter of Fundamental Rights. 2. We also welcome the European Commission s ideas for improving the rights of the individual. As proposed in the Communication, these include introducing a general principle of transparency; introducing specific obligations for data controllers on the type of information to be provided to data subjects; improving modalities for exercising rights to access, correction, deletion or blocking of data on the Internet by electronic means; introducing a right to be forgotten ; introducing the principle of Privacy by Design; and introducing certification schemes for privacy-compliant processes, technologies and products. II. Greater legal protection on the Internet and protection against profiling 3. The federal and state data protection commissioners believe that the existing EU legal framework must be revised, especially in view of the Internet and increasing threats to privacy rights posed by new types of data processing, such as profiling or the unwanted forwarding of data, such as addresses from the contact information of third parties. 4. The Communication does not sufficiently address the issue of profiling. The federal and state data protection commissioners find the following measures to be necessary to protect individuals against unlawful profiling: Profiling should be allowed only on a concrete legal basis which is sensitive to the special threat potential of profiling, or on the basis of the data subject s informed consent. Effective consent requires comprehensive information about the range and origin of linked data, the purpose of the profile and how it will be used, the controller and planned date of deletion. Consent must be voluntary and revocable at any time. If consent is withdrawn, the profile must be immediately deleted, also by those controllers to which it has been transmitted. 1322/2011 ZUSTELL- UND LIEFERANSCHRIFT VERKEHRSANBINDUNG Husarenstraße 30, Bonn Straßenbahn 61, Finanzministerium

2 SEITE 2 VON 6 5. At EU level, the conditions under which data may be processed for the purpose of profiling, for example in the context of sensitive data as referred to in Article 8 of the Data Protection Directive (95/46), could be regulated (see also IV). In doing so, the conditions of technical data protection, such as rendering anonymous and using aliases, as well as data protection in general should be taken into account. A legal definition of profiling covering different kinds of profiles, such as behavioural, user or movement profiles, is also needed. III. Applicability of national law 6. A central issue in revising the directive relates to the applicability of national law as referred to in Article 4 of Directive 95/46. The federal and state data protection commissioners agree with the aim described in the Communication of providing for the same level of data protection for data subjects in the EU even when their personal data are processed outside the EU. 7. Because leading Internet service providers based in third countries do not currently consider themselves bound by European law, in order to apply EU and national law more effectively a criterion needs to be added which extends further than the criteria of establishment and equipment referred to in Article 4 of Directive 95/46. This (additional) criterion for matters related to third countries could, for example, be the targeted provision of a commercial or other information society service to persons residing or established in the relevant Member State. This kind of service-related criterion would cover all online products and services including social networks targeted at users in EU Member States; the criterion of residence or establishment would keep the scope of national law from extending to non-national matters. IV. Special categories of personal data (sensitive data) 8. The federal and state data protection commissioners also favour revising Article 8 of Directive 95/46 on special categories of personal data. This provision should not only be revised to include additional categories of data (such as genetic data), but also be thoroughly reworked in order to cover future developments of new data. Genetic and biometric data which have become available in this form only within the past few years are unanimously regarded as especially sensitive. Future technological and scientific developments are likely to lead to new types of data which will not be covered by a data catalogue frozen at the current state of knowledge. 9. To ensure greater flexibility, therefore, the future legislation should avoid conclusive lists of particular data categories subject to a general prohibition on processing which can be limited by extensive exceptions, which the Member States may also implement differently. Instead, we suggest including a general definition of the term sensitive data which is oriented on Recital 33, first clause, of Directive 95/46 ( data which are capable by their nature of infringing fundamental freedoms or privacy ) and mentioning specific types of data only as examples. This definition should be accompanied by

3 SEITE 3 VON 6 the additional criterion of the data processing context. In the interest of a common understanding among the Member States, legal definitions of data categories specifically referred to should be provided. 10. This approach would also cover those categories of data, the processing of which may be extremely intrusive depending on the context. This applies for example to new data processing phenomena such as profiling or facial recognition services on the Internet; it also applies to government measures such as retention of telecommunications data for possible future use. Because such data can reveal information extending to the most personal sphere, their processing should be allowed only for reasons of substantial public interest or to protect vital interests of the data subject or other persons and only under special conditions of data security. V. Form of the future EU legal framework 11. The future legal framework must not lower existing standards in the Member States to a "lowest common denominator", and it must certainly not lead to more bureaucracy in certain areas, such as notification requirements (see VI below). The federal and state data protection commissioners believe that a directive would be the most effective way of achieving this aim in view of the established traditions and legal standards in the Member States and the EU s limited legislative competence on national data processing in the public sector. VI. Corporate data protection officials 12. The greater degree of harmony sought by the European Commission must not lead to restrictions of procedures tried and tested in the Member States. For example, Germany must not be forced to give up data protection inspections which corporate data protection officials have conducted successfully for years. 13. This two-track system of in-house inspections conducted by corporate data protection officials and external inspections by government data protection authorities has proved effective. Corporate data protection officials provide companies with valuable expertise for the increasingly complex requirements of data protection. Data protection officials therefore play an important role in companies data protection compliance and serve as contact persons for the company leadership, for staff, supervisory authorities and data subjects. 14. The federal and state data protection commissioners therefore welcome the European Commission s proposal to require the appointment of an independent data protection official, as long as this also entails the possibility of simplifying or even doing away entirely with the notification requirements in Articles 18 and 19 of Directive 95/46. VII. Data protection in the areas of police and criminal justice

4 SEITE 4 VON Given the fact that the Lisbon Treaty, in Article 16 of the Treaty on the Functioning of the European Union (TFEU), has abolished the previous pillar structure of the EU and introduced a new and comprehensive legal basis for the protection of personal data, the federal and state data protection commissioners welcome the Commission s intention to consider extending the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters. 16. The federal and state data protection commissioners call on the European Commission to make sure that the principles of the future EU legal framework also apply consistently to international matters (EU-third country relations and Member State-third country relations). 17. We therefore welcome the European Commission s intention to align, in the long term, the existing various sector-specific rules adopted at EU level for police and judicial cooperation in criminal matters. However, it would be desirable if the alignment process could be initiated not in the long term, as stated in the Communication, but soon, in the course of revising the directive and could be promoted by the Commission by means of appropriate initiatives at EU level. 18. Another important issue is the future organization and legal anchoring of the supervisory and advisory bodies under data protection law in the former third pillar. Not only is European law on data processing by the police is not only an incoherent and confusing conglomeration of different data protection regimes, it has also created a complex conglomeration of different supervisory and advisory bodies. Without ensuring that an advisory body exists at European level for the former third pillar, the old pillar structure would thus be incompletely overcome. The federal and state data protection commissioners believe that this task should be performed in future by the Article 29 Working Party. 19. It is also necessary to enhance the efficiency of the supervisory activities of the joint supervisory bodies of Europol, Eurojust, SIS and ZIS. The European Commission announces in its Communication that in 2011 it will launch a consultation on this matter. Apart from any need for further consultation on this matter, we believe it would be preferable to combine supervisory activities for the various information systems and institutions within a single joint supervisory body. VIII. The global dimension of data protection 20. The federal and state data protection commissioners agree with the Commission that existing processes and instruments of international data transfer must be improved and better coordinated with each other. Just as in the former third pillar, it is necessary to ensure that all existing agreements of the EU and the Member States comply with the future legal framework. 21. Effective protection for the rights of individuals should be accompanied by the necessary possibilities for enforcement at international level. Because these do not currently

5 SEITE 5 VON 6 exist in fact, it is all the more important for the European Commission to work towards strengthening the International Standards adopted at the 2009 International Data Protection Conference in Madrid and towards concluding internationally binding data protection agreements in the medium term. Precisely in the EU s relations with the U.S., strengthening the Safe Harbor regime and concluding a viable data protection agreement in the area of criminal prosecution is especially important. Such an agreement should not be limited to administrative cooperation, but should provide for individually enforceable rights and should apply also to existing bilateral agreements of the Member States. IX. Binding Corporate Rules (BCRs) 22. Related to the review of existing procedures for international data transfer is the question of how binding legal instruments and Binding Corporate Rules (BCRs) can be improved and better coordinated. In its Communication, the European Commission refers to the Opinion of the Article 29 Data Protection Working Party and the Police and Justice Working Party of 1 December 2009 (WP 168). In Nos. 37 and 38 of this Opinion, the Article 29 Working Party favours provisions recognizing the BCRs as a suitable way to provide appropriate protection measures. This would make BCRs the equivalent of the contractual clauses referred to in Article 26 (2) of the Data Protection Directive, which the federal and state data protection commissioners favour. 23. In addition, a provision should be adopted which gives data-transferring bodies security about the acceptance of the decision on the recognition of BCRs in a Member State which may be reached in cooperation with two other Member States as partners from all other Member States. For this reason, formalizing the current procedure, which is based only on non-binding agreements between data protection authorities, should be considered. A suitably short period for objections under Article 26 (3) third sentence of the Data Protection Directive could be provided; after this period has elapsed, a lack of objection would be regarded as approval of concrete BCRs. Such an explicit provision on time limits for objections would simplify the EU-wide authorization process and would avoid conflicting decisions. 24. International data transfers could also be eased by giving the Commission the possibility to decide on standard BCRs. Like those based on standard contractual clauses, data transfers based on such standard BCRs would then require no authorization. This approach has been discussed for years in Germany in both data protection and industry circles. The European Commission has so far not pursued this approach, because unlike Article 26 (2), Article 26 (4) of the Data Protection Directive refers explicitly only to contractual clauses. 25. Globally active companies increasingly use intra-group agreements made up of elements from standard contractual clauses and from already authorized BCRs. These contracts (comparable in scope to BCRs) currently require formal and lengthy review

6 SEITE 6 VON 6 by every supervisory authority concerned in Europe to be recognized as ensuring an adequate level of protection. 26. To avoid conflicting decisions by the supervisory authorities and to speed up the process of authorizing intra-group agreements in Europe, it would be appropriate for mutual recognition to apply to them (like BCRs). The European Commission should have the possibility to decide on standard intra-group agreements as well as BCRs. X. Strengthening the data protection authorities 27. The federal and state data protection commissioners welcome the Commission s intention to strengthen and clarify the status and powers of the national data protection authorities and to fully implement the concept of complete independence.