Data Protection & Privacy in the Information Age

COMNET – Legal Frameworks for ICTsMalta 2013

Dr Antonio GhioDr Jeanine Rizzo

The Right to Privacy Everything is

Information Protecting the information which belongs to ourselves Privacy as a Fundamental Human Right - Article 8 of ECHR Informational Self-Determination - the 1970 Law of Hesse The 1973 Law of Sweden

Data Protection Legislation

Technology affords the means to amass, correlate and manipulate personal information

The absence of legislative safeguards may allow abuse of this information

Safeguarding the individual’s right to privacy

Essential Features

Data Controlle

rs have obligations

Individuals

have rights

What is Personal Data?“Any Information relating

to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”

The ActorsData Subjects

“A person who alone or jointly with others determines the purposes and means of the processing of personal data”

“A natural person to whom the personal data relates”Data Controller

Data Processor“A person who processes personal data on behalf of a controller”

ProcessingAny operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means

collectionrecordingorganizationstorageadaptati

onalterationretrieval

gathering

erasure

use

disclosure

dissemination

alignment

combination

blocking

destruction

Sensitive Personal DataPersonal data that reveals race or

ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life

Data Protection Principles- Fair And Lawful Processing

- In accordance with good practice

- Personal Data only collected for specific, explicitly stated and legitimate purposes- Not be processed for any purpose that is incompatible with that for which the information is collected- Processing adequate and relevant in relation to the purposes of processing- No more Personal Data is processed than is necessary and is not kept for a period longer than necessary- Correct and up to date

- All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect

Criteria for Processing

- when data subject has unambiguously given his consent- necessary for the performance of a contract

- necessary for compliance with a legal obligation of the controller- to protect the vital interests of the data subject

- necessary for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed

Consent

Processing always permitted if the data subject has given consent to the processing

General consent to any and all conceivable processing that the controller may wish to perform is not sufficientConsent need not normally be explicit. (If the data subject by way of his or her actions accepts certain processing, it is likely that the data subject will be deemed to have given consent)The data subject is normally entitled to revoke consent at any time

“Any freely given specific and informed indication of the wishes of the data subject by which he signifies his agreement to personal data relating to him being processed”

Privacy in the 21st Century

Is Privacy DEAD?

Google Streetview

iPhone Location Data

Biometrics

A law reflecting the past

Technology Neutrality?

Informational Self-

DeterminationApplying accepted principles within new technological frameworksApplying accepted data protection principles within new technological frameworks

Technological Neutrality

Legal Certainty

New Proposed DP Regulations

Right to be Forgotten

Grazzi!

antonio.ghio@fenlex.com