![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
Abstract
Following proposals to consider revising the Data Protection Directive 95/46/EC (DPD) in 2011, have the changes addressed the main areas of concern that have been the focus of much discussion? The areas of concern include the application of the Directive in the online age, particularly to social networking sites and cloud computing; the minimum/maximum standard approach by the EU Member States to data protection; the relevance and application of the data protection principles. These are some of the issues that were considered in the recent Art. 29 Working Party's Opinion on the Future of Privacy. The article will use this as a starting point of discussion to identify the extent to which impending proposals to revise the Data Protection Directive are closely aligned with the Opinion and consider the recent European Commission Communication (6/2010) on the comprehensive approach to personal data protection in the European Union. According to the Art. 29 Working Party, the level of data protection in the EU can benefit from a better application of the existing data protection principles in practice. This paper will attempt to address some of the difficult questions and consider the challenges to implementing the changes introduced by forthcoming revisions to the DPD.
Keywords:
Acknowledgements
Any errors and omissions remain with the author. The author would like to thank the participants of the Cyberlaw Stream of the Society for Legal Scholars, September 2011 for their feedback.
Notes
Proposals to revise the European Data Protection Directive are anticipated in early 2012.See Data Guidance. EU: Privacy proposal to amend EU Directive to be issued end of January 2011 available at http://www.dataguidance.com/news.asp?id=1655, dated 11 November 2011 and EUROPA. Stronger data protection rules at EU level: EU-Justice Commissioner Viviane Reding and German Consumer Protection Minister Ilse Aigner join forces available at http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&type=HTML, dated 7 November 2011.
The Art. 29 Working Party. The Future of privacy (WP 168) adopted 1 December 2009 available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf.
See European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: a comprehensive approach on personal data protection in the European Union, COM(2010) 609 available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0609:FIN:EN:PDF, dated 4 November 2011.
See European Commission. Report from the Commission. First report on the implementation of the Data Protection Directive COM/2003/0265 final available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52003DC0265:EN:HTML, last accessed 29 August 2011.
Ibid.
See Seipel, P. 2001. Sweden. In Nordic data protection law, ed. P. Blume. Copenhagen: DJOF Publishing, pp. 115–151.
See PRIVIREAL: UK Data Protection at http://www.privireal.org/content/dp/uk.php and Lloyd, I. Information Technology Law, 4th ed. 2004. Oxford: Oxford University Press, p.104.
C-101/01 Lindqvist [2004] 1 C.M.L.R. 20
To the author's knowledge, the misuse-oriented approach has not been adopted by other Member States, but discussion has centred on the current data protection model which adopts a ‘processing’ model. For background information, see Palme, J. Swedish attempts to regulate the internet available at http://people.dsv.su.se/~jpalme/society/swedish-attempts.html, last accessed 29 August 2011 and Seipel, P. In Nordic data protection law, ed. P. Blume, pp. 115-151; Őman, S. 2004. Implementing data protection in law. In IT Law, ed. P. Wahlgren, pp. 389–403 at http://www.sorenoman.se/Implementing.pdf; Klang, M. 2003. Technology, speech, law and ignorance: The state of free speech in Sweden. Hertfordshire Law Journal 1, no. 2: 48–63.
This is not an exhaustive list but a glance at the recommended references demonstrates the significance of this case and likely implications on data protection online. See Lloyd, I. Information technology law, 4th ed., pp. 97–98; Kuner, C. 2010. Data protection law and international jurisdiction on the internet: Part 2. International Journal of Information Law and Technology 227–247; Leith, P. 2006. The socio-legal context of privacy. International Journal of Law in Context 2, no. 2: 105–136; Wong, R. 2009. A conceptual analysis of a data controller. Communications Law 14, no. 5: 142–149.
Ibid.
C-275/06 Productores de Música de España (Promusicae) v Telefónica de España SAU [2008] ECR I-271.
C-557/07 LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH, [2009] ECR I-01227.
C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy (Satamedia) [2008] ECR I-09831.
Art. 29 Working Party. Opinion 4/2007 on the concept of personal data, WP 136, dated 20 June 2007 available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf, adopted on 20 June 2011.
See decisions subsequent to Durant v FSA such as Common Service Agency v Scottish Information Commissioner [2008] UKHL 47. The latter case was concerned with the NHS's refusal of a FOI request for statistics about child leukaemia on the basis that this would infringe the relevant data protection laws if personal data were revealed. The House of Lords allowed the appeal on the basis that information was ‘held’ by the CSA and that it would not qualify as ‘personal data’ if no data could be identified as a result of barnardisation, a process to anonymise personal data. Furthermore, the House of Lords held that if barnardisation effectively anonymises the data, condition 6(1) Sch. 2 would be satisfied (processing necessary for the purposes of legitimate interests and not unwarranted by prejudice to the data subject).
See ICO, Personal Information Online – Code of Practice available at http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online.aspx, dated July 2010.
Ibid., at p. 10.
Ibid.
Art. 29 Working Party. The future of privacy, adopted on 1 December 2009, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf; See also Wong, R. 2011. The future of privacy. Computer Law and Security Review 27, no. 1: 53–57.
Wong, R. ‘The future of privacy’ n. 20.
Espiner, T. 2011. Facebook and Google ‘must follow’ EU privacy rules available at http://www.zdnet.co.uk/news/regulation/2011/03/17/facebook-and-google-must-follow-eu-privacy-rules-40092179/, dated 17 March 2011.
Art. 29 Working Party. Opinion 8/2010 on applicable law, WP 179 adopted on 16 December 2010 at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf.
Ibid., p. 13.
Ibid.
Ibid.
See Product Liability Directive 85/374/EEC available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31985L0374:EN:HTML.
This is available at http://europa.eu/legislation_summaries/justice_freedom_security/judicial_cooperation_in_civil_matters/l16027_en.htm .
This is available at http://europa.eu/legislation_summaries/justice_freedom_security/judicial_cooperation_in_civil_matters/l16027_en.htm .
See also Conflict of Laws.net, Rome II Regulation applicable in EU, dated 11 January 2009 available at http://conflictoflaws.net/2009/rome-ii-regulation-applicable-in-eu/ and Dickinson, A. 2010. The Rome II Regulation: the law applicable to non-contractual obligations. Oxford: Oxford University Press.
[2008] EWHC 1781.
Ibid., at para. 80.
See BBC News. Irish privacy watchdog calls for Facebook changes available at http://www.bbc.co.uk/news/technology-16289426, dated 21 December 2011. Details of the report can be found on the Irish Privacy Commissioner website at http://dataprotection.ie/viewdoc.asp?DocID=1182&m=f, dated 21 December 2011.
BBC News, Irish privacy, n. 34.
Ibid.
See European Commission. Commission decisions on the adequacy of the protection of personal data in third countries available at http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm. For an in-depth discussion, see also Kuner, C. 2010. Regulation of transborder data flows under data protection and privacy law: past, present and future. TILT Law and Technology Working Paper, No. 016/2010, October, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1689483.
See Art. 29 Working Party. Opinion on the draft Commission Decision on standard clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC, WP 161 adopted on 5 March 2009 available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp161_en.pdf and Model contracts for the transfer of personal data to third countries available at http://ec.europa.eu/justice/policies/privacy/modelcontracts/index_en.htm, last accessed 23 May 2011.
See European Commission. Commission's first report on the transposition of the Data Protection Directive available at http://ec.europa.eu/justice/policies/privacy/lawreport/report_en.htm, last accessed 23 May 2011.
See Schleswig-Holstein which has developed a number of projects dealing with protection of data online including the anonymity project at https://www.datenschutzzentrum.de/index.htm. For an extensive report into the economic benefits of PETS, the European Commission has recently published a report, which is available at http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf. July 2010.
European Commission, Communication from the commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions : A comprehensive approach on personal data protection in the European Union, COM(2010) 609, dated 4 November 2011.
See Edwards, L. and Brown, I. 2009. Data control and social networking: irreconcilable ideas. In Harboring data: Information security, law and the corporation, ed. A. Matwyshyn. Stanford, CA: Stanford University Press, pp. 202–227.
Outlaw news. Expert says ‘right to be forgotten’ could cause problems for publishers. Available at http://www.out-law.com/en/articles/2011/november/expert-says-right-to-be-forgotten-could-cause-problems-for-publishers/, dated 10 November 2011.
Ibid.
C-101/01. The latter part of the judgment at para. 100 (5) stated that when balancing between the freedom of expression and other rights with the rights conferred under the Data Protection Directive, it was for ‘the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order’ (emphasis added).
Outlaw news. ‘Unenforceable’ right to be forgotten should not be included in new EU Data law” available at http://www.out-law.com/en/articles/2011/november/unenforceable-right-to-be-forgotten-should-not-be-included-in-new-eu-data-laws-ico-says/, dated 17 November 2011.
Ibid.
For example, according to the latest statistics, Facebook has more than 800 million active users with more than 50% of active users logging on in any given day (see http://www.facebook.com/press/info.php?statistics). This is not to conclude that users' level of understanding and awareness of internet security is necessarily the same or higher, but is indicative of their use. The latest Eurostat release seems to indicate that 31% of users who used the internet in the 12 months prior to the survey had caught a computer virus or infection (see http://epp.eurostat.ec.europa.eu/cache/ITY_PUBLIC/4-07022011-AP/EN/4-07022011-AP-EN.PDF, dated 7 February 2011). See ICO. ‘Students concerned that information online might affect their careers’ at http://www.ico.gov.uk/news/latest_news/2011/students-concerned-that-information-online-might-affect-their-careers-26102011.aspx, dated 26 October 2011 available at http://www.ico.gov.uk/news/latest_news/2011/students-concerned-that-information-online-might-affect-their-careers-26102011.aspx (found that four out of ten students online (42%) are concerned that personal information available about them online might affect their future employment prospects). In the context of social networks, see also Kang, T. and Kagal, L. 2011. Enabling privacy-awareness in social networks. Available at http://dig.csail.mit.edu/2010/Papers/Privacy2010/tkang-rmp/paper.pdf, last accessed 19 November 2011.
Eurostat, op. cit. n. 47.
See McCullagh, K. Data sensitivity: resolving the conundrum. Available at http://www.bileta.ac.uk/Document%20Library/1/Data%20Sensitivity%20-%20resolving%20the%20conundrum.pdf, last accessed 19 November 2011. For more on the arguments on ‘sensitive data’ see Simitis, S. ‘Revisiting sensitive data’ at http://www.coe.int/t/dghl/standardsetting/dataprotection/Reports/Report_Simitis_1999.pdf, last accessed November 2011. Wong, R. 2007. Data protection online: Alternative approaches to sensitive data. Journal of International Commercial Law and Technology 2, no. 1: 9–16.
See s 55 of the UK DPA 1998 and s 77 Criminal Justice and Immigration Act 2008 where the ICO powers have been increased so that organisations that breach data security maybe fined up to £500K maximum. See Information Commissioner's Guidance about the issue of monetary penalties prepared and issued under s 55(1) of the Data Protection Act 1998 available at http://www.ico.gov.uk/for_organisations/guidance_index/data_protection_and_privacy_and_electronic_communications.aspx#monetary.
Whether Data Protection Officer role is similar to the German model is not yet clear. See also Privacy and Human Rights Report 2003 Federal Republic of Germany available at http://www.pi.greennet.org.uk/survey/phr2003/countries/germany.htm, last accessed 26 November 2011.
A good starting point into the discussion on cloud computing is a collection of essays in Gutwirth, S. et al., eds. 2011. Computers, privacy and data protection: an element of choice, 1st ed., New York: Springer, pp. 345–457. See also ENISA. 2009. Cloud computing risk assessment, dated 20 November 2009 available at http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment and NIST definition of cloud computing at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, dated September 2011 and NIST, Final version of NIST cloud computing definition published, dated 25 October 2011 available at http://www.nist.gov/itl/csd/cloud-102511.cfm.
Hon, W.K., Millard, C., and Walden, I. Who is responsible for ‘Personal Data’ in Cloud Computing. available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1783577; and Hon, W.K., Millard, C., and Walden, I. Who is responsible for ‘Personal Data’ in Cloud Computing?, Part 2, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1794130
Ibid.
See Arts. 12 ‘mere conduit’ defence; Art. 13 ‘caching’ and Art. 14 ‘hosting’ defences provided to ISPS, if they can satisfy the criteria laid down in each of these provisions within the Electronic Commerce Directive 2000/31/EC available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:en:NOT.
Dhillon, G. and Kolkowska, E. 2011. Can a cloud be really secure? A socratic dialogue. In Computers, privacy and data protection: an element of choice, eds S. Gutwirth et al., pp. 345–379.
Ibid., at p. 353.
Ibid., at p. 357.
See Poullet, Y., et al. 2011. Data protection in clouds. In Computers, privacy and data protection: an element of choice, S. Gutwirth et al., 1st ed., New York: Springer, pp. 377–409.
Ibid., at p. 378.