
EU Data Protection and Privacy Rights Sofia, 13-14 June 2019 Synergies related to data protection between CoE and EU on selected aspects Teresa Quintel [AD/2019/04] With financial support from the Justice Programme of the European Union


Page 1: EU Data Protection and Privacy Rights Sofia, 13-14 … - Copy.pdfI. CoE and EU Data protection law EJTN 14 June 2019 teresa.quintelq@uni.lu 3 Council of Europe European Union ECHR

EU Data Protection and Privacy Rights Sofia, 13-14 June 2019

Synergies related to data protection between CoE and EU on selected aspects

Teresa Quintel

[AD/2019/04]

With financial support from the Justice Programme of the European Union


Content

I. CoE and EU Data Protection Law

II. Changes under the new Regimes

III. Specific Rules for the Processing of Personal Data in the Law Enforcement Context

IV. Case Law on Law Enforcement Access to Personal Data

EJTN 14 June 2019 [email protected]


I. CoE and EU Data protection law


Council of Europe | European Union

ECHR Article 8 | EU Charter Articles 7 and 8

Convention 108 | Directive 95/46/EC

Recommendation (15)87 | Framework Decision 2008/977/JHA

Modernised Convention 108 | GDPR

Guide on Police Processing | Directive (EU) 2016/680


Convention 108


• CoE instrument, but the ‘Global Data Protection Convention’

• Only binding International Data Protection Treaty

• To be distinguished from the ECHR

• Global Standards for Data Protection

• 47 CoE Members + 7 non-European Members are Party to the Convention

• Possibility for the EU to accede to the Convention


Content

I. CoE and EU Data Protection Law

II. Changes under the new Regimes


II. Changes under the new Regimes: Modernised Convention 108

• Maintains the Convention’s provisions at principle-level

• Aims to ensure consistency and compatibility with other data protection legal frameworks

• Maintains technologically neutral provisions

• Reaffirms the Convention’s potential as a universal standard


Convention 108+ and GDPR

• Convention 108 seen as the ‘mother’ of the GDPR

• On 18 May 2018 the Committee of Ministers of the CoE adopted an amendment protocol to update Convention 108

→ to avoid contradictions with GDPR standards

• The Modernised Convention includes most of the important GDPR innovations

• But does not include all of the GDPR pieces

→ the Convention is kept much more general

• Recital 105 GDPR → Adequacy Finding under the GDPR

• Convention 108 Accession will in particular be taken into account for assessing the Adequacy of a Third Country


II. Changes under the new Regimes: Modernised Convention 108

• Changes in scope

→ no processing activities can be excluded from the scope of the new Convention

• Parties must demonstrate effectiveness of implementation

→may be evaluated by the Convention Committee

• Catalogue of sensitive data has been extended

→genetic and biometric data

→data on trade union membership and ethnic origin

• Introduction of data breach notification to DPAs

• New rights for data subjects

• Supervisory authorities and Cooperation → new powers and increased cooperation


The main innovations under the Modernised Convention

• proportionality

• accountability

• privacy by design

• obligation to notify data breaches

• transparency of data processing

• additional safeguards for the data subject

• possibility for International organisations to accede to the modernised Convention


Scope of GDPR and the Modernised Convention 108

• The scope of the GDPR (Articles 2 and 3)

• Competence of the EU

• Chapter 2 of Title V of the TEU

• Purely personal or household activity

• Directive (EU) 2016/680

• Regulation (EU) 2018/1725

• Convention 108+ as International Treaty that is accessible to non-CoE Members

• Covers areas where the EU has no competence

• Has been complemented by Recommendations and Guidelines


Convention 108 and EU Data Protection Standards

• Data Protection Principles

• Lawfulness of Processing

• Specific Conditions for Consent

• Special Categories of Personal Data

• Data Subject Rights

• Obligations for Controllers

• →Transparency, Accountability, Data Protection by Design

• Controllers/Processors →responsibility

• Remedies

• Supervisory Authorities and Cooperation


II. Changes under the new Regimes: GDPR

• Data Protection as Fundamental Right

• New Rights for Data Subjects

• Additional Obligations for Controllers and Processors

• Risk-Based Approach

• Privacy by Design and by Default

• New Security Obligations

• Supervision

• Cooperation between DPAs

• Enforcement


Content

I. CoE and EU Data Protection Law

II. Changes under the new Regimes

III. Specific rules for the Processing of Personal Data in the Law Enforcement Context


III. CoE Police Guidelines

• Adopted on 15 February 2018 to provide clear guidance and to update the ‘insufficiently detailed’ Recommendation (87)15

• Endorses the relevance of the Principles enshrined in Recommendation (87)15

• Gives orientations for practical situations the police may face

• Balance between the objectives of general public interest, and the respect for the rights of individuals to privacy and data protection

• Purpose Limitation to what is necessary and proportionate for the prevention, investigation and prosecution of a criminal offence

• Data security, accuracy, accountability, human intervention in predictive analysis and ethical considerations for processing

• Recognition of the need to carry out proper DPIAs before using new technologies


Directive (EU) 2016/680 ‘Law Enforcement Directive’

• Repealed a Framework Decision from 2008

→ now applicable to all ‘domestic’ processing of personal data

• Recognizes the needed flexibility for competent authorities in the performance of their tasks

→ different transparency requirements and restriction of rights

• Material and Personal Scope

→ Both personal and material scope must be satisfied

• Regulation vs Directive

→ minimum harmonization

→ definitions may differ in the Member States

• Only one legal basis

→ where processing is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties

• Grey zones in terms of application?

→ GDPR, ‘national security’


Distinct features of the Directive [compared to the GDPR]

• Particularities in terms of principles

• Data minimization and purpose limitation

• Subsequent processing vs. Further processing

• Categorization of data and Quality of data

• Restrictions of data subject rights

• Notification of data subjects

• Indirect data subject rights

• Other obligations→major improvements

• Logging, DPIAs, Prior Consultation, DP by Design, Notification of data breaches, mandatory DPOs

• Powers of the National Supervisory Authorities


Similarities between the Law Enforcement Directive and the Police Guide

• Openness to the operational needs of the police

• More flexible rules for the processing of personal data in the law enforcement context

• Specific conditions regarding the limitation of data subject rights

• Conditions for the subsequent use of data

• Processing of special categories of data

• New processing techniques require a DPIA

• Both recognize the necessity for direct cooperation with service providers

• Rules on international transfers, also to private bodies


Transfers of personal data to third countries and international organizations under the Directive

• The architecture of Chapter V on international transfers is the same as under the GDPR, but the logic applied to such transfers under the Directive is different

• Cascading System under the Directive

• Novelty: ‘asymmetrical transfers’ under Article 39 of the Directive

• Direct data exchanges between private actors and law enforcement actors

• Only in very exceptional cases, where it is strictly necessary for the fulfilment of the tasks of police


Content

I. CoE and EU Data Protection Law

II. Changes under the new frameworks

III. Specific rules for the Processing of Personal Data in the Law Enforcement Context

IV. Case Law on Law Enforcement Access to Personal Data


IV. Access to Personal Data by Law Enforcement

• Digital Rights Ireland (2014)

• Schrems (2015)

• Tele2/Watson (2016)

• Opinion 1/15 (2017)

• Ministerio Fiscal (2018)

• Privacy International →Case no. C-623/17


With financial support from the Justice Programme of the European Union

Thank you!