Opinion about thedraft privacy regulation of the EC

Frank RobbenGeneral manager eHealth-platformWillebroekkaai 38B-1000 BrusselsE-mail: Frank.Robben@ehealth.fgov.beWebsite eHealth-platform: https://www.ehealth.fgov.bePersonal website: www.law.kuleuven.be/icri/frobben

223/01/2013

About me general manager of the Belgian Crossroads Bank for Social Security

since 1991• responsible for the organisation of secure personal data exchange

between 3.000 social security institutions with a good balance between privacy and information security on one hand and effective and efficient social protection on the other

• best practice awards from UN, EPSA and foreign DPA

general manager of the Belgian eHealth Platform since 2008• responsible for the organisation of secure personal health data

exchange between 100.000 health care institutions and health care providers with a good balance between privacy and information security on the one hand and effective and efficient health care on the other

life time achievement award for information security from LSEC, the most important Belgian association for information security

member of the Belgian DPA since 1991

323/01/2013

Regulation: no suitable legal instrument

need for an adequate balance between fundamental rights, a.o.• right to privacy and information security• right to health and effective and efficient health care

adequate balance is not universal• depends on historical and cultural differences• can be attained in several ways: different mixes of

- structural measures- organisational measures- legal measures

423/01/2013

Regulation: no suitable legal instrument

most suitable legal instrument in this respect• not a regulation that implements a unique balance throughout the

whole European Union• but a directive that contains common goals and principles, and

permits Member States to attain adequate balances accepted by their citizens

523/01/2013

Proposal for a regulation the “one stop shop” has primarily advantages for

companies having activities in several Member States (because they do not have to deal anymore with the several laws of several Member States), but not for the citizen

does not install a powerful European DPA that deals with privacy and information security issues of multinational companies

is too complex, too detailed and too unclear (too vague concepts, too much interpretation possibilities)

does not seem to respect the principle of subsidiarity

623/01/2013

Proposal for a regulation delegates too many decisions to the European

Commission without any democratic control

implies huge supplementary costs for data controllers, especially PME’s and government institutions• to maintain documentation of all processing operations• enormous information duty• to conduct a data protection impact assessment for more risky

processing• to notify any personal data breach to the DPA without undue

delay

creates huge problems for DPA’s• interpretation problems• resource problems

723/01/2013

Proposal for a regulation denial of the principle of the separation of powers

limits unnecessarily the possibility for Member States to attain balances between the right to privacy and other fundamental rights that match with the historical and cultural specificities, e.g.• field of application of specific rules for health data• information duties• authorisation of exchange of personal data by the DPA instead

of explicit consent of the data subject

will, at the end, not be favourable for data subjects either: more theoretical rights, but real execution of rights will be more difficult

823/01/2013

Proposal limitation of the European legal framework to basic

objectives and principles that foster confidence of citizens in ICT rather than a very extensive regulation primarily in the economic interest of multinational companies

adaptation of the actual directive to the ICT-evolution

no increase of costs and administrative burden for governments, PME’s and DPA’s

if a regulation is necessary for multinational companies• limitation of the field of application to those companies• installation of a powerful European DPA that deals with those

companies

Th@nk you !

Any questions ?