Data protection and communitarian law (*)
Maria Angeles Chacon Sanchez
Abogado in Sevilla
First of all, I would like you to notice that the concern about privacy is not a new matter. More than 200 years ago, the French National Assembly declared that the privacy of letters was inviolable. But it was in 1970 when the first Law on data protection is found on a national level. It was approved in Germany.
Nowadays, a great number of norms exist, equally at an international (Number 108 1981 Council of Europe personal data Convention) and communitarian level (1950 European Convention for the Protection of Human Rights and Fundamental Freedoms; 2000 European Union Charter of Fundamental Rights; European Union Directives -Personal Data Protection Directive Telecommunications Sector Directive and Electronic communications Sector Directive), in order to assure data protection.
The European Union adopted its 1995 Data Protection Directive to harmonise national provisions in this field.
In 1997, the EU introduced Telecommunications Sector Directive in order to clarify data protection and privacy rules in this sector.
On 2002, Electronic communications Sector Directive replaced and updated 1997 Directive in the light of developments in the markets and technologies in this field.
But, doubtless, the most representative communitarian instrument is the 1995 Directive, which imposes that personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes. They must also be adequate, relevant and not excessive, accurate and, where necessary, kept up to date; kept in a form which permits identification of data subjects.
Privacy and direct marketing
Once we have set the main provisions in this field, let’s talk about privacy and direct marketing in a practical way: any of us continually receive unsolicited e-mails or spam, so what can we do about it?
Under the 2002 Directive the use of automatic calling machines, e-mail, or even sms-messages for the purposes of direct marketing is not allowed but in respect of a person who has given their prior explicit consent, I mean, freely given, specific and informed.
The Directive makes an exception for companies who got an email address when selling someone a product or service, and allowing the customer to easily and free get off the lists that share the information.
Any of us, as a data subjects have important rights:
Under the 1995 Directive, you must be informed about the processing of the data and of the aim of the processing, and must have access to the data collected. You may oppose the processing of these data, for legitimate reasons, or may have them corrected if they are not accurate, and you have the right to object to the processing of your data for the purposes of direct marketing.
In addition, you could request your internet service provider to install mail filters or contact one of the all-volunteer associations to prevent junk e-mail write to your national supervisory authority.
According to the 1995 Directive, each Member State must provide one or more public authorities to ensure the proper application of the data protection law.
To contact the supervisory authority you can fill out a form, available from the internet as well (in Italy, at www.garanteprivacy.it) to make a complaint.
If this doesn’t lead to a satisfactory result, you may need to go to court. You may be entitled to compensation if you have suffered damages because of the violation to your rights.
We have to realise that throughout the internet, you might be distributing huge amounts of information that in your everyday life would consider private.
Though, as much as 72% of EU citizens had never heard of the tools designed to limit the collection of personal data when they use the Internet.
The 1995 Directive applies to the invisible collection of personal data on the Internet; for example, the "cookies" which are used to track the individual surfing habits. It may or may not be a privacy concern depending on how it is used.
The 2002 Directive provides that Member States must ensure that storing information or to gain access to information stored in the terminal equipment of a user is only allowed if he is provided with clear and comprehensive information about the purposes of the processing or he is offered the right to refuse such processing by the data controller.
However, there is no obligation when is necessary to transmit a communication or to provide an information service requested by the user.
Now I will suggest you some guidelines, which are not a solution for personal privacy management, but can raise some questions about it.
1. Acting carefully you may have more prevent something bad from happening.
2. Create separate email accounts for serious tasks and another for just surfing around.
3. Never ever reply to a spam message. Instead set up filters that remove the spam.
4. Use cryptographic techniques such as Pretty Good Privacy the well known free encryption system, when sending sensitive information by email so that it cannot be read by anyone except the intended recipient.
I think it would be interesting talking a bit about workplace privacy, considering that with the click of a mouse, we can now send thousands of pages of documents both inside and outside any organization.
There are some international regulation applied to workplace privacy (1996 ILO Code of practice on the protection of workers' personal data and 1989 Council of Europe’s Recommendation on the protection of personal data used for employment purposes, among others) but there is not Directive specifically applied to the employment context and national legislation is not usual, so we should pay attention to the role of the courts.
We can raise a question at this point: Can an employer monitor e-mail and Internet contents?
In the United Kingdom, employers are required to carry out an assessment to establish if any planned monitoring is a legitimate need.
A similar approach is adopted in France. However, both legislation and case law go further than in the United Kingdom and even the French Supreme Court has held that e-mails are considered to be “private communications”.
In Italy, the position is similar to France and employers cannot, as a general rule, monitor e-mail content/Internet usage.
In Germany, the monitoring of e-mail content is prohibited and subject to criminal prosecution.
Most data protection laws include restrictions on the transfer of information to third countries unless the information is protected in the destination country.
For example, the 1981 Council of Europe’s Convention places restrictions on the transborder flows of personal data. Similarly, 1995 Directive imposes an obligation on member States to ensure that any personal information relating to European citizens is protected by law when it is exported and processed outside Europe.
Determination of a third country’s system for protecting privacy is made by the European Commission: the level of protection in the receiving country must be “adequate”.
To protect the privacy of information transferred to countries that do not provide “adequate protection” are necessary bilateral agreements concerning the Data Protection Directive: like the 2000 EU-US Safe Harbor agreement, because the EU has designated, that the US is a nation with “inadequate” privacy laws, so it was illegal for European countries to send personal information to a recipient in the US.
Any EU organization can view the list of safe harbor organizations posted on the Department of Commerce’s website.
700 organizations, like major companies Bacardi, General Motors, Foot Locker or Pepsi, have notified the Department of Commerce that they adhere to the safe harbor framework.
Some of the
Information required for Safe Harbor Certification is:
-EU Countries that the Organization receive information from.
U.S. organizations subscribing to the safe harbor provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting those conditions or other conditions set out in Article 26 of the Directive. Since the safe harbor includes specific rules for sensitive information, such information may be included in transfers to safe harbor participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may impose special conditions for the handling of sensitive data.
Since corporations everywhere have little choice but to follow the EU regulations, many other countries have adopted EU privacy regime.
Alan Westin and privacy and data protection expert at a United States law school have said “In privacy Law, we went to sleep and the Europeans moved ahead”.
The idea that I would like to transmit is that Europeans now set the rules that Companies and even other countries all over the world have to follow, so we should have a high estimation of the importance of our Data Protection provisions.
Privacy and Data Protection Day, Cesena, 31 maggio 2005
Torna alla Home Page