The role of privacy in the security landscape

Frank Robben
General manager Crossroads Bank for Social Security
CEO Smals
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
Website: http://www.ksz.fgov.be
Personal website: http://www.law.kuleuven.ac.be/icri/frobben



2 23/03/2007Frank Robben

Legal pillars of European Privacy Law

Treaty on the European Union, Title I - Common Provisions - Article F
- the Union shall respect fundamental rights,
  • as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950
  • and as they result from the constitutional traditions common to the Member States, as general principles of Community law.

European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8
- everyone has the right to respect for his private and family life, his home and his correspondence.
- there shall be no interference by a public authority with the exercise of this right (exceptions: e.g. national security)


Legal pillars of European Privacy Law

Data protection directive
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Directive on privacy and electronic communications
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector


European directive 95/46/EC

- the two basic principles of the directive
- scope of application and exemptions
- key players
- national law applicable
- obligations of the controller
- rights of the data subject
- remedies, liability and sanctions
- transfer of personal data to third countries
- codes of conduct
- supervisory authorities, working parties and committee
- conclusion


Two basic principles

- equivalent and high protection of fundamental rights and freedoms of natural persons, in particular the right to privacy with respect to the processing of personal data within the EU
- no restriction nor prohibition of the free flow of personal data between Member States for reasons connected with the protection of fundamental rights and freedoms


Scope of application

processing
- any operation or set of operations, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

of personal data
- any information
- relating to an identified or identifiable natural person
  • an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

wholly or partly by automatic means, or otherwise than by automatic means if the data (are intended to) form part of a filing system
- any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis


Scope of application: exclusion

the directive does not apply to the processing of personal data
- in the course of an activity which falls outside the scope of Community law, and in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law
- by a natural person, in the course of a purely personal or household activity


Exemptions of some of the provisions

Member States shall provide for exemptions or derogations from the provisions concerning
- the obligations of the controller
- the rights of the data subject
- the data transfer to third countries
- the power of the supervisory authority

for the processing of personal data carried out solely for
- journalistic purposes
- the purpose of artistic or literary expression

if they are necessary to reconcile the right to privacy with the rules governing freedom of expression


Exemptions of some of the provisions

Member States may adopt measures to restrict the scope of some obligations and rights when this is necessary to safeguard
- national security, defence or public security
- prevention, investigation, detection or prosecution of criminal offences or of breaches of ethics for regulated professions
- an important economic or financial interest of a Member State or of the EU
- a monitoring, inspection or regulatory function connected with the exercise of public authority in some cases
- the protection of the data subject or of the rights and freedoms of others


Exemptions of some of the provisions

Member States may restrict the rights of access, rectification, erasure and blocking
- when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics
- where there is clearly no risk of breaching the privacy of the data subject
- providing adequate safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual


Key players

data subject
- the natural person the personal data relate to

controller
- the natural or legal person, public authority, agency or any other body
- which alone or jointly determines the purposes and means of the processing of personal data

processor
- any natural or legal person, public authority, agency or any other body
- which processes data on behalf of the controller
- e.g. personnel, IT service providers, network operators, ...


National law applicable

Each Member State applies its national law to the processing of personal data where
- the processing is carried out in the context of an establishment of a controller on its territory
- the controller is not established on its territory, but in a place where its national law applies by virtue of international public law
- the controller is not established on Community territory, but makes use of (automated) equipment for the processing of personal data situated on its territory, unless such equipment is used only for purposes of transit through the territory of the Community => the controller must designate a representative established in the territory of that Member State


Obligations of the controller

- principles relating to fair and lawful processing and data quality
- criteria for making data processing legitimate
- specific rules for processing of sensitive data
- information to be given to the data subject
- confidentiality and security of processing
- notification of the processing of personal data


Fair and lawful processing and data quality

- fair and lawful processing
- collection only for specified, explicit and legitimate purposes
- no further processing in a way incompatible with those purposes
- personal data must be adequate, relevant and not excessive in relation to those purposes
- personal data must be accurate and kept up to date
- personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject


Legitimacy of the processing

Processing of personal data is only legitimate in 6 cases
- unambiguous consent of the data subject
- (pre)contractual relationship with the data subject
- compliance with a legal obligation to which the controller is subject
- protection of the vital interests of the data subject
- performance of a task of public interest or official authority
- legitimate interests of the controller that prevail over the interests for fundamental rights and freedoms of the data subject


Processing of sensitive data

processing of personal data revealing or concerning
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health
- sexual life

is in principle prohibited


Processing of sensitive data

Member States can provide that those sensitive data may be processed in a limitative number of cases
- explicit consent of the data subject
- carrying out of obligations and specific rights of the controller in the field of employment law
- protection of vital interests of the data subject or another person
- processing related solely to members or contact persons by a non-profit-seeking body with a political, philosophical or trade-union aim
- data are manifestly made public by the data subject
- establishment, exercise or defence of legal claims
- preventive medicine, medical diagnosis, provision of care or treatment or management of health-care services, if the data are processed by a health professional
- other reasons of substantial public interest


Processing of sensitive data

- data relating to offences, criminal convictions or security measures may only be processed under the control of official authorities or in execution of national provisions providing suitable specific safeguards
- Member States have to determine the conditions under which a national identification number may be processed


Informing the data subject

the controller or his representative must provide the data subject a minimum of information
- when obtaining personal data from the data subject
- when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject

exceptions:
- the data subject already has the information
- informing the data subject in case of processing of data obtained from another person
  • proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research, or
  • would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research, or
  • is not necessary because the recording or disclosure is expressly laid down by law


Informing the data subject

information to be given
- identity of the controller and his representative, if any
- the purposes of the processing
- any further information necessary to guarantee fair processing in respect of the data subject, such as
  • categories of processed data
  • (categories of) recipients
  • whether replies are obligatory or not, as well as the possible consequences of failure to reply
  • the existence of rights of access and rectification


Confidentiality and security

no access to personal data except on instructions from the controller or if required by law

appropriate technical and organizational security measures
- protection against
  • accidental or unlawful destruction
  • accidental loss
  • alteration
  • unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
  • all other forms of unlawful processing
- measures have to be appropriate
  • to the risks represented by the processing
  • and the nature of the data to be protected
  • having regard to the state of the art
  • and the cost of their implementation


Confidentiality and security

where processing is carried out by a processor
- the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
- the controller must ensure compliance of the processing with the security measures
- the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
  • the processor shall act only on instructions from the controller
  • the security obligations shall also be incumbent on the processor


Recommendation Belgian Privacy Commission

see http://www.privacycommission.be/machtigingen/referenciemaatregelen%20vs%2001.pdf

risk analysis taking into account
- the nature of the processed data
- the applicable legal requirements
- the size of the organization
- the importance and the complexity of the information systems
- the extent of internal and external access to personal data
- the probability and the impact of the several risks
- the cost of the implementation of risk mitigating measures


Recommendation Belgian Privacy Commission

11 types of measures
- information security policy
- information security officer
- classification of information
- minimal organizational measures and measures related to staff
- physical security
- network security
- access control
- logging and investigation of logging
- supervision, audit and maintenance
- management of security incidents and continuity
- documentation


Notification of automatic processing

the controller has to notify the supervisory authority before carrying out automatic processing operations intended to serve a single purpose or several related purposes

notification can be extended by Member States to non-automatic processing operations

minimal contents of the notification
- name and address of the controller and of his representative
- purpose(s) of the processing
- categories of processed data and data subjects
- (categories of) recipients
- proposed data transfers to third countries
- general description of the security measures


Notification of automatic processing

Member States may provide simplified notification or exemptions
- for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects
- for controllers that have appointed a personal data protection officer in compliance with the national law
- for processing operations whose sole purpose is the keeping of a public register
- for processing operations relating to their members or contact persons performed by a non-profit-seeking body with a political, philosophical or trade-union aim


Notification of automatic processing

processing operations likely to present specific risks to the rights and freedoms of data subjects, as determined by national law, have to be examined prior to their start by
- the supervisory authority in case of notification, or
- the personal data protection official

information contained in the notifications, possibly excepting the security measures, is stored in a public register kept by the supervisory authority

the controllers that are not subject to notification have to make available the same information, excepting the security measures, to any person on request


Rights of the data subject

- right of privacy protection
- right of information
  • access to the public register
  • in case of collection of data
  • in case of the recording or disclosure of data obtained elsewhere
- right of access
- right of rectification, erasure or blocking
- right to object
- right not to be subject to fully automated individual decisions
- right of a judicial remedy


Right of access

the data subject has the right to obtain from the controller, without constraint, at reasonable intervals and without excessive delay or expense
- confirmation as to whether or not data relating to him are being processed
- information at least about
  • the purposes of the processing
  • the categories of data
  • the (categories of) recipients
- communication of the data and any available information as to their source
- knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him


Right of rectification, erasure or blocking

- the data subject has the right to obtain from the controller the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
- the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort


Right to object

The data subject has the right to object

in general, to the processing of data relating to him
- at least where this processing is performed
  • for a task of public interest or official authority
  • for the purposes of legitimate interests of the controller that prevail over the interests for fundamental rights and freedoms of the data subject
- based on compelling legitimate grounds relating to his particular situation
- national law may provide exceptions

in particular, to the processing, disclosure or use of data relating to him for the purposes of direct marketing
- on simple request
- free of charge


Automated individual decisions

every person is granted the right not to be subject to a decision which produces legal effects for him or significantly affects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ...

derogations are possible
- under certain circumstances, in the course of the entering into or the performance of a contract, or
- by law providing measures to safeguard the data subject's legitimate interests


Remedies, liability and sanctions

remedies
- administrative remedies, inter alia before an independent supervisory authority
- judicial remedies
- for any breach of the rights guaranteed by the national law applicable

liability
- right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage

sanctions
- penal sanctions
- interdiction to process personal data


Data transfer to third countries

transfer of personal data intended to be processed may only take place to third countries ensuring an adequate level of protection

the adequacy of the level of protection shall be assessed in the light of all circumstances surrounding the data transfer, such as
- the nature of the data
- the purpose and duration of the proposed processing
- the country of origin and of final destination
- the law, professional rules and security measures in force in the third country

Member States and the Commission inform each other of cases where they consider that a third country does not ensure an adequate level of protection


Data transfer to third countries

- where the Commission finds that a third country ensures an adequate level of protection, Member States shall take the measures necessary to comply with the Commission's decision (e.g. Argentina, Canada, Switzerland)
- where the Commission finds that a third country does not ensure an adequate level of protection, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question
- if a problem of adequate protection in a third country exists, the Commission may enter into negotiations with that country in order to remedy the situation


Data transfer to third countries

a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection may take place in the following situations
- unambiguous consent of the data subject
- (pre)contractual relationship between the controller and the data subject
- (pre)contractual relationship between the controller and a third party in the interest of the data subject
- important public interest grounds (e.g. social security, tax, ...)
- establishment, exercise or defence of legal claims
- protection of the vital interests of the data subject
- public registers
- adequate safeguards, e.g. resulting from contractual clauses


Specific case of the US

- the US uses a sectoral approach that relies on a mix of legislation, regulation and self-regulation
- the US is not considered by the European Commission as a third country providing adequate protection
- the US Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework (see http://www.export.gov/safeharbor)
- individual companies certifying to the "safe harbor" framework are considered as companies providing an adequate level of protection as defined by the European Data protection directive


Specific case of the US

an organization that decides to participate in the safe harbor must
- comply with the safe harbor's requirements
- self certify annually to the US Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements
- state in its published privacy policy statement that it adheres to the safe harbor

the US Department of Commerce maintains a publicly available list of all organizations that file self certification letters

to qualify for the safe harbor, an organization can
- join a self-regulatory privacy program that adheres to the safe harbor's requirements, or
- develop its own self regulatory privacy policy that conforms to the safe harbor requirements


Codes of conduct

Member States and the EU shall encourage codes of conduct
- intended to contribute to the proper implementation of the principles of the directive
- taking account of the specific features of the various sectors
- elaborated by trade associations or other bodies representing categories of controllers

possibility to submit codes of conduct
- on the national level to the supervisory authority
- on EU level to the Working Party


Supervisory authorities

each Member State has to appoint at least one independent public authority that monitors the application of the provisions adopted by the Member State pursuant to the directive

powers of the supervisory authorities:
- advice and recommendations concerning administrative measures or regulations
- investigation
- intervention (e.g. warning the controller, ordering the erasure of data, imposing a ban on processing, ...)
- engaging in legal proceedings
- claims handling
- public report


Working Party

composition:
- 1 representative of the supervisory authorities per Member State
- 1 representative of the supervisory authority of the EU
- 1 representative of the EU Commission

tasks
- giving an opinion about
  • the application of national measures adopted under the directive, in order to contribute to the uniform application of the measures
  • the level of protection in the Community and third countries
  • proposed Community measures affecting rights and freedoms with regard to the processing of personal data
  • codes of conduct drawn up at Community level
- recommending on all matters relating to the protection of persons with regard to the processing of personal data
- publishing an annual report to the Commission, the European Parliament and the Council


Committee

composition:
- chaired by a representative of the Commission
- representatives of the Member States

task
- giving an opinion on the draft of measures to be taken by the Commission
- if these measures are not in accordance with the opinion of the Committee, they are deferred for a period of three months and communicated to the Council
- the Council, acting by a qualified majority, may take a different decision within three months


An example: whistleblowing systems

fair and lawful processing
- clear description of
  • the procedures of reporting
  • the procedures of report handling
  • the possible consequences of pertinent and impertinent reports
  • the controller of the whistleblowing system
- no obligation to report
- in principle no anonymous reporting
- sufficiently precise reporting
- only reporting of facts, no value judgements
- designation of an independent person dedicated to handle the reports confidentially
  • no communication of the identity of the informant without his consent
  • in principle no communication about the report towards other instances than the data subject during the report handling


An example: whistleblowing systems

fair and lawful processing
- limiting of the scope of the whistleblowing system
  • only serious irregularities
  • whistleblowing schemes should only supplement the organisation's regular information and reporting channels (e.g. normal hierarchic channels) where these would appear to be insufficient to detect and handle serious irregularities within the organisation
- only reporting by or concerning personnel of the company
- reported information must be adequate, relevant and not excessive in relation to the purposes of the whistleblowing system
- reported information must not be kept longer than necessary

transparency
- obligation to provide adequate information about the whistleblowing scheme, the related procedures and the possible consequences at collective and individual level


An example: whistleblowing systems

security
- separate processing of data
- guarantees related to integrity, authenticity, availability, confidentiality and irregular erasure
- auditability
- no transfer of whistleblowing data to non-EU countries unless an adequate level of protection is ensured and the transfer is strictly required

data subject rights of all persons concerned, concerning the data relating to each of them
- right of information
- right of access to data
- right of rectification
- right of erasure

prior notification of the whistleblowing scheme to the Privacy Commission


More info

Belgian Privacy Commission
http://www.privacycommission.be

European Data protection working party
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm?refer=true&theme=blue

personal website
http://www.law.kuleuven.ac.be/icri/frobben

Crossroads Bank for Social Security
http://www.ksz.fgov.be

Th@nk you !

Any questions ?

Frank Robben