On Thursday the 28th of June the Greens/EFA Group organised a hearing in the European Parliament on ‘data protection for the digital age’; a recording of this event is available here.
The Rapporteur on the proposed General Data Protection Regulation (COM(2012)0011), German MEP Jan Philipp Albrecht, mentioned during his introduction that his office intends to update the indicative calendar on their website.
Panel 1 – The Right to be Forgotten, or How to Exercise User Rights?
Joris van Hoboken, of the University of Amsterdam, noted that the proposed Regulation is ambivalent regarding the media exception, and expressed the need for clarification in the Articles.
In light of this, Peter Hustinx, the European Data Protection Supervisor (EDPS), also remarked that the exemption for journalists is too restrictive in the proposed Regulation and pointed to the diverse application across Member States of the notion of ‘journalistic activities’ in Article 9 of the current Data Protection Directive (95/46/EC [1][2]) and the Satamedia Case (C-73/07).
Anna Fielder, from Privacy International, considers that Recital 24 of the proposed Regulation leaves too much room for IP addresses not to be considered as personal data. With regard to this, Fielder referred to a leaked document from the Working Party on Information Exchange and Data Protection (DAPIX) of the Council of the European Union wherein the UK proposes to amend Recital 23 as follows:
“To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the individual, unless this would involve a disproportionate effort in terms of time or technical or financial resources.”
More background on the leaked document of the DAPIX can be found here and here.
Panel 2 – Code as Law? Technological Approaches and Privacy-Driven Technology Development
Seda Gürses, from the KU Leuven, pointed out in her presentation the need for an integrated approach to data protection, one which takes into account the 1) technological, 2) organisational and 3) user-centric perspective. Gürses also emphasised that Privacy by Design can only be as strong as the principles of the Regulation.
Alain Pannetrat, of the French data protection authority (DPA), the CNIL, and the Article 29 Data Protection Working Party (Art. 29 WP), started by pointing to the recent Art. 29 WP opinion on cookie consent exemption.
Next to this, Pannetrat questioned if the U.S. vision of ‘Do-Not-Track’ (DNT) is compatible with the EU vision of ‘Do-Not-Cookie’. He also expressed his hopes that DNT will not be watered down to ‘Do-Not-Target’, as the current World Wide Web Consortium (W3C) draft allows exceptions for tracking (e.g. research/market analytics; security; product improvements; etc.).
Regarding Privacy by Design, Pannetrat remarked on the need for 1) an industry-defined framework, 2) a consultation framework by DPAs and 3) incentives to apply the framework.
Rigo Wenning, Legal Counsel and Privacy Activity Lead at the W3C, from his side gave a brief update on the progress of DNT, as the W3C Tracking Protection Working Group met last week in Seattle. The discussion on how to implement DNT is still ongoing, as participants of the working group meeting discussed the DNT response header. He also remarked that there’s a lack of representation from European consumer groups in the DNT effort, and that for now the Art. 29 WP is taking up the role to protect European consumers.
In the end, Wenning made a plea to regulators not to require something that’s technically impossible or exceedingly hard to achieve.
Rosa Barcelo, from DG CONNECT, noted on Privacy by Design that her DG sees a lot of merit in Article 23 of the proposed Regulation. On the question of the relationship between the e-Privacy Directive (2002/58/EC) and the proposed Regulation, Barcelo remarked that for the time being there’s no disconnect between both, but if this would be the case in the end, then the Directive would be amended.
Panel 3 – Police Data Sharing & Access to Corporate Databases
Franziska Boehm, of the University of Luxembourg, remarked that while there’s a proposal for a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities (COM(2012)0010), the previous Council Framework Decision (2008/977/JHA) still hasn’t been transposed by each Member State.
While Boehm considers that the scope of the proposed Directive is still broader than the Framework Decision, she believes there are some negative effects: for example, there are no legal consequences for non-compliance, nor regulation for law enforcement access to non-law enforcement data.
Therefore, she believes that the Directive should be the minimum, and that there’s a way ahead, as she sees an opportunity to learn from past experience by looking at the case law of the European Court of Human Rights (ECtHR) and national courts and from existing solutions within Member States.
Caspar Bowden, independent privacy advocate, considers that, as the Foreign Intelligence Surveillance (FISA) Amendment Act 2008 1881(a) covers the application of remote computing services, it would allow for U.S. cloud providers to be forced secretly to allow the National Security Agency (NSA) inside their data centre and/or to put back-doors in software for purely political mass-surveillance.
Katarzyna Szymielewicz, of the Panoptykon Foundation, focussed on the implementation of the Data Retention Directive (2006/24/EC), as she noted that there’s a need for safeguards at the level of: