Handbook on European Data Protection


Handbook on European data protection law

© European Union Agency for Fundamental Rights, 2014
Council of Europe, 2014

The manuscript for this Handbook was completed in April 2014. Updates will become available in future on the FRA website at: fra.europa.eu, the Council of Europe website at coe.int/dataprotection, and on the European Court of Human Rights website under the Case-Law menu at: echr.coe.int.

Reproduction is authorised, except for commercial purposes, provided the source is acknowledged.

Europe Direct is a service to help you find answers to your questions about the European Union. Freephone number (*): 00 800 6 7 8 9 10 11. (*) The information given is free, as are most calls (though some operators, phone boxes or hotels may charge you).

Photo credit (cover & inside): © iStockphoto

More information on the European Union is available on the Internet (http://europa.eu). Cataloguing data can be found at the end of this publication.

Luxembourg: Publications Office of the European Union, 2014
ISBN 978-92-871-9934-8 (CoE)
ISBN 978-92-9239-461-5 (FRA)
doi:10.2811/69915
Printed in Belgium. Printed on process chlorine-free recycled paper (PCF).

This handbook was drafted in English. The Council of Europe (CoE) and the European Court of Human Rights (ECtHR) take no responsibility for the quality of the translations into other languages. The views expressed in this handbook do not bind the CoE and the ECtHR. The handbook refers to a selection of commentaries and manuals. The CoE and ECtHR take no responsibility for their content, nor does their inclusion on this list amount to any form of endorsement of these publications. Further publications are listed on the Internet pages of the ECtHR library at: echr.coe.int.
Foreword

This handbook on European data protection law is jointly prepared by the European Union Agency for Fundamental Rights (FRA) and the Council of Europe together with the Registry of the European Court of Human Rights. It is the third in a series of legal handbooks jointly prepared by FRA and the Council of Europe. In March 2011, a first handbook was published on European non-discrimination law and, in June 2013, a second one on European law relating to asylum, borders and immigration.

We have decided to continue our cooperation on a highly topical subject which affects all of us every day, namely the protection of personal data. Europe enjoys one of the most protective systems in this sphere, which is based on Council of Europe Convention 108, European Union (EU) instruments, as well as the case law of the European Court of Human Rights (ECtHR) and of the Court of Justice of the European Union (CJEU).

The aim of this handbook is to raise awareness and improve knowledge of data protection rules in European Union and Council of Europe member states by serving as the main point of reference to which readers can turn. It is designed for non-specialist legal professionals, judges, national data protection authorities and other persons working in the field of data protection.

With the entry into force of the Treaty of Lisbon in December 2009, the Charter of Fundamental Rights of the EU became legally binding, and with this the right to the protection of personal data was elevated to the status of a separate fundamental right. A better understanding of Council of Europe Convention 108 and EU instruments, which paved the way for data protection in Europe, as well as of the CJEU and ECtHR case law, is crucial for the protection of this fundamental right.

We would like to thank the Ludwig Boltzmann Institute of Human Rights for its contribution in drafting this handbook. We would also like to express our gratitude to the European Data Protection Supervisor’s office for its feedback during the drafting phase. We thank in particular the data protection unit of the European Commission during the preparation of this handbook.

Philippe Boillat
Director General of Human Rights and Rule of Law, Council of Europe

Morten Kjaerum
Director of the European Union Agency for Fundamental Rights

Contents

FOREWORD
ABBREVIATIONS AND ACRONYMS
HOW TO USE THIS HANDBOOK
1. CONTEXT AND BACKGROUND OF EUROPEAN DATA PROTECTION LAW
  1.1. The right to data protection
    Key points
    1.1.1. The European Convention on Human Rights
    1.1.2. Council of Europe Convention 108
    1.1.3. European Union data protection law
  1.2. Balancing rights
    Key point
    1.2.1. Freedom of expression
    1.2.2. Access to documents
    1.2.3. Freedom of the arts and sciences
    1.2.4. Protection of property
2. DATA PROTECTION TERMINOLOGY
  2.1. Personal data
    Key points
    2.1.1. Main aspects of the concept of personal data
    2.1.2. Special categories of personal data
    2.1.3. Anonymised and pseudonymised data
  2.2. Data processing
    Key points
  2.3. The users of personal data
    Key points
    2.3.1. Controllers and processors
    2.3.2. Recipients and third parties
  2.4. Consent
    Key points
    2.4.1. The elements of valid consent
    2.4.2. The right to withdraw consent at any time

Recommended publications
  • Issues Paper on Cyber-Crime Affecting Personal Safety, Privacy and Reputation Including Cyber-Bullying (LRC IP 6-2014)
    Issues Paper on Cyber-crime affecting personal safety, privacy and reputation including cyber-bullying (LRC IP 6-2014) BACKGROUND TO THIS ISSUES PAPER AND THE QUESTIONS RAISED This Issues Paper forms part of the Commission’s Fourth Programme of Law Reform,1 which includes a project to review the law on cyber-crime affecting personal safety, privacy and reputation including cyber-bullying. The criminal law is important in this area, particularly as a deterrent, but civil remedies, including “take-down” orders, are also significant because victims of cyber-harassment need fast remedies once material has been posted online.2 The Commission seeks the views of interested parties on the following 5 issues. 1. Whether the harassment offence in section 10 of the Non-Fatal Offences Against the Person Act 1997 should be amended to incorporate a specific reference to cyber-harassment, including indirect cyber-harassment (the questions for which are on page 13); 2. Whether there should be an offence that involves a single serious interference, through cyber technology, with another person’s privacy (the questions for which are on page 23); 3. Whether current law on hate crime adequately addresses activity that uses cyber technology and social media (the questions for which are on page 26); 4. Whether current penalties for offences which can apply to cyber-harassment and related behaviour are adequate (the questions for which are on page 28); 5. The adequacy of civil law remedies to protect against cyber-harassment and to safeguard the right to privacy (the questions for which are on page 35); Cyber-harassment and other harmful cyber communications The emergence of cyber technology has transformed how we communicate with others.
  • Photographs in Public Places and Privacy
    [2009] 2 Journal of Media Law 159–171 Photographs in Public Places and Privacy Kirsty Hughes In the last few years, the European Court of Human Rights (‘the Court’) has considered a number of cases relating to photographs taken in public places, and it is now clear that the jurisprudence has evolved significantly since the early cases in which no protection was afforded to the privacy interests of those photographed. The most recent cases (Reklos and Davourlis v Greece and Egeland and Hanseid v Norway) have extended the protection afforded by Article 8 of the European Convention on Human Rights (ECHR) so that the right is engaged at the stage at which photographs are taken.1 The author argues that whilst this development was necessary, there are a number of problems with the Court’s approach and that further guidance from the Court is essential. THEORIES OF PRIVACY-RELATED INTERESTS To fully understand the significance of the Article 8 ECHR photography cases, one has to have some idea of how these cases relate to the protection of privacy. There are many different theories of privacy and privacy-related interests and it is beyond the scope and purpose of this commentary to examine the details of those theories here.2 However, it * Clare College, University of Cambridge. 1 (App No 1234/05) [2009] EMLR 16 and (App No 34438/04) [2009] ECHR 622, available on HUDOC. 2 The literature is extensive; a good starting point would be Ruth Gavison, ‘Privacy and the Limits of the Law’ (1980) 89(3) Yale Law Journal 421; Hyman Gross, ‘Privacy and Autonomy’
  • Surveillance by Intelligence Services
    FREEDOMS. FRA. Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU. Volume II: field perspectives and legal update. This report addresses matters related to the respect for private and family life (Article 7), the protection of personal data (Article 8) and the right to an effective remedy and a fair trial (Article 47) falling under Titles II ‘Freedoms’ and VI ‘Justice’ of the Charter of Fundamental Rights of the European Union. Europe Direct is a service to help you find answers to your questions about the European Union. Freephone number (*): 00 800 6 7 8 9 10 11. (*) The information given is free, as are most calls (though some operators, phone boxes or hotels may charge you). Photo (cover & inside): © Shutterstock. More information on the European Union is available on the internet (http://europa.eu). Luxembourg: Publications Office of the European Union, 2017. FRA – print: ISBN 978-92-9491-766-9, doi:10.2811/15232, TK-04-17-696-EN-C. FRA – web: ISBN 978-92-9491-765-2, doi:10.2811/792946, TK-04-17-696-EN-N. © European Union Agency for Fundamental Rights, 2017. Reproduction is authorised provided the source is acknowledged. For any use or reproduction of photos or other material that is not under the European Union Agency for Fundamental Rights copyright, permission must be sought directly from the copyright holders. Printed by Imprimerie Centrale in Luxembourg. Neither the European Union Agency for Fundamental Rights nor any person acting on behalf of the European Union Agency for Fundamental Rights is responsible for the use that might be made of the following information.
  • A Right That Should've Been: Protection of Personal Images On
    A RIGHT THAT SHOULD’VE BEEN: PROTECTION OF PERSONAL IMAGES ON THE INTERNET. EUGENIA GEORGIADES. IDEA: The Law Review of the Franklin Pierce Center for Intellectual Property, Volume 61, Number 2. “The right to the protection of one’s image is … one of the essential components of personal development.” Grand Chamber of the European Court of Human Rights. ABSTRACT This paper provides an overview of the current legal protection of personal images that are uploaded and shared on social networks within an Australian context. The paper outlines the problems that arise with the uploading and sharing of personal images and considers the reasons why personal images ought to be protected. In considering the various areas of law that may offer protection for personal images such as copyright, contract, privacy and the tort of breach of confidence. The paper highlights that this protection is limited and leaves the people whose image is captured bereft of protection. The paper considers scholarship on the protection of image rights in the United States and suggests that Australian law ought to incorporate an image right. The paper also suggests that the law ought to protect image rights and allow users the right to control the use of their own image. In addition, the paper highlights that a right to be forgotten may provide users with a mechanism to control the use of their image when that image has been misused. Dr. Eugenia Georgiades, Assistant Professor Faculty of Law, Bond University, the author would like to thank Professor Brad Sherman, Professor Leanne Wiseman and Dr. Allan Ardill for their feedback.
  • Tech Giants, Freedom of Expression and Privacy
    TECH GIANTS, FREEDOM OF EXPRESSION AND PRIVACY. Rikke Frank Jørgensen & Marya Akhtar. e-ISBN: 978-87-93893-77-1. © 2020 The Danish Institute for Human Rights, Wilders Plads 8K, DK-1403 Copenhagen K, Phone +45 3269 8888, www.humanrights.dk. Provided such reproduction is for non-commercial use, this publication, or parts of it, may be reproduced if author and source are quoted. At DIHR we aim to make our publications as accessible as possible. We use large font size, short (hyphen-free) lines, left-aligned text and strong contrast for maximum legibility. For further information about accessibility please click www.humanrights.dk/accessibility. CONTENT: 1 EXECUTIVE SUMMARY; 2 INTRODUCTION; 3 WHAT IS A TECH GIANT; 4 HUMAN RIGHTS PROTECTION; 4.1 THE UN; 4.1.1 binding rules; 4.1.2 guidelines and recommendations; 4.2 THE COUNCIL OF EUROPE AND THE EUROPEAN COURT OF HUMAN RIGHT
  • The Case for Legislating Toward a Privacy Right in India
    PRESERVING CONSTITUTIVE VALUES IN THE MODERN PANOPTICON: THE CASE FOR LEGISLATING TOWARD A PRIVACY RIGHT IN INDIA Ujwala Uppaluri & Varsha Shivanagowda* As on date, the only meaningful, if arguably broad, affirmation of a right to privacy has been in the context of the Supreme Court’s treatment of Art. 21 of the Constitution, which embodies the guarantee of a right to life and personal liberty. No substantial legislative measures granting and detailing a broad and general right of privacy presently exist in the Indian context, although some measures are scattered across context-specific legislation. Recent events have brought to light the need to operationalise these judicial observations through a legislative statement of the right fleshing out the field within which the sanctity of the private domain will be recognised and upheld. This paper seeks to explore the contours of the notion of a general right to privacy. It confronts the critiques of such a right and discusses the predominant working models in other major jurisdictions. In the result, it asserts the need for an umbrella legislation addressing the varied areas in which the right of the individual to privacy, against governmental incursion into private spaces as well as against other forms of intrusion by the media and other citizens, must accrue. I. INTRODUCTION Recent concerns with privacy and autonomy issues in India have arisen with regard to the State’s role in collecting and aggregating private or personal information in the context of the work of the Unique Identification Authority of India (UIDAI)1 and the National Intelligence Grid (NATGRID).2 * 3rd and 2nd year students respectively, the W.B.
  • Data Protection Directive 95/46/EC to the Internet, 25 J. Marshall J
    The John Marshall Journal of Information Technology & Privacy Law, Volume 25, Issue 2, Journal of Computer & Information Law - Spring 2008, Article 2. Rebecca Wong & Joseph Savirimuthu, All or Nothing: This is the Question? The Application of Article 3(2) Data Protection Directive 95/46/EC to the Internet, 25 J. Marshall J. Computer & Info. L. 241 (2008), https://repository.law.uic.edu/jitpl/vol25/iss2/2. I. INTRODUCTION The exponential growth of social networking Web sites, online personal journals and the use of multimedia by individuals, raises important questions about the compatibility of Article 3(2) of the Data Protection Directive 95/46/EC ("DPD") as applied to the internet.
  • A Comparative Study of the Brazilian and German Legal Frameworks
    Privacy and Surveillance in the Digital Age: a comparative study of the Brazilian and German legal frameworks. An input to the workshop “Privacy under mass surveillance: a multi-stakeholder international challenge”, to be held in the Internet Governance Forum, in João Pessoa, Brazil. Center for Technology and Society of the Rio de Janeiro Law School of the Getulio Vargas Foundation (CTS/FGV); German Institute for International and Security Affairs (SWP). Anja Dahlmann, Jamila Venturini, Marcel Dickow, Marilia Maciel. November, 2015. INDEX: ABOUT THE BRIEFING. BRAZIL: The protection of privacy; Law 9.296/1996 and the exceptions to the confidentiality of communications; Secrecy of data; Remedies for violations of privacy; The protection of personal data; The Freedom of Information Act and Marco Civil; Data retention; Intelligence activities. GERMANY: The Protection of Privacy; Restrictions of the Right to Privacy; Communications v. Data; Remedies for Violations of Privacy; The Protection of Personal Data in Germany; Data Retention; The Exchange of Data; Conclusions. ABOUT THE BRIEFING This briefing is an input to the discussions that will take place in the session “Privacy under mass surveillance: a multi-stakeholder international challenge”, to be held on November 9th in João Pessoa, Brazil, during the Day Zero of the Internet Governance Forum.
  • Inadmissibility of Data Transfers to the USA (cepStudie)
    cepStudie, 26 January 2021. Inadmissibility of Data Transfers to the USA: The CJEU's "Schrems II" Judgment and Its Consequences. Anja Hoffmann. Following the CJEU's "Schrems II" judgment, transfers of personal data to the USA may no longer be based on the "Privacy Shield" decision, because the USA does not offer sufficient data protection. At present, data transfers are therefore mostly based on standard contractual clauses, the use of which remains permissible in principle. Key theses: Data transfers to the USA may not be based on standard contractual clauses or internal corporate data protection rules either, if the data recipients there are subject to the US surveillance laws and have access to the data content in plain text. In these cases, supplementary data protection measures cannot effectively prevent access by the US authorities either. In particular, transfers to cloud services and transfers within corporate groups to the USA are therefore unlawful in these cases. The data exporter, or the supervisory authority, must stop the data transfer. Neither a reformed "Privacy Shield" nor the amended standard contractual clauses proposed by the EU Commission in November 2020 change anything in this respect, as long as the USA does not limit its surveillance laws to the extent permissible under EU law and does not grant EU citizens effective legal remedies. The same applies to data transfers to other third countries, insofar as their surveillance laws conflict with EU data protection. This must be examined in each individual case. Key points on the CJEU's "Schrems II" judgment: Transfers of personal data from the EU to the USA may no longer be based on the EU Commission's "Privacy Shield" decision. The Court of Justice of the European Union (CJEU) rightly declared this decision invalid in the "Schrems II" judgment, because the "Privacy Shield" does not offer data protection equivalent to that in the EU.
  • Transatlantic Privacy Regulation: Conflict and Cooperation
    GW Law Faculty Publications & Other Works, Faculty Scholarship, 2015. Transatlantic Privacy Regulation: Conflict and Cooperation. Francesca Bignami, George Washington University Law School; Giorgio Resta, Università degli Studi di Roma Tre, Law Department. Recommended Citation: Bignami, Francesca, Transatlantic Privacy Regulation: Conflict and Cooperation (2015). Law and Contemporary Problems, Vol. 78 (Fall 2015); GWU Law School Public Law Research Paper No. 2015-52; GWU Legal Studies Research Paper No. 2015-52. Available at SSRN: http://ssrn.com/abstract=2705601. I. INTRODUCTION Regulatory differences in the data privacy arena have been a recurring source of contention in transatlantic trade relations. In the 1990s, the focus was primarily on differences in the rules governing market actors. Over the past decade, however, the focus has expanded to include the public sector and the policies regulating the collection and use of personal data by government actors, particularly national security agencies. This article surveys the considerable history of transatlantic relations in the privacy area and the attempts that have been made to reconcile legal and policy differences in the interest of trade liberalization and police and national security cooperation.
  • The Failure to Define the Public Interest in Axel Springer AG V
    Boston College International and Comparative Law Review, Volume 36, Issue 3, Electronic Supplement, Article 5, 2-18-2014. Kathryn Manza, Meaningful Journalism or "Infotainment"? The Failure to Define the Public Interest in Axel Springer AG v. Germany, 36 B.C. Int'l & Comp. L. Rev. E. Supp. 61 (2014), http://lawdigitalcommons.bc.edu/iclr/vol36/iss3/5. Abstract: Although American courts provide wide discretion for freedom of the press, the Convention for the Protection of Human Rights and Fundamental Freedoms ensures that the right to privacy enjoys equal footing with freedom of expression in Europe. When navigating the grey areas between these two frequently opposing rights, the European Court of Human Rights allows private information about a public figure to be published only to the extent the information contributes to the public interest.