Data Protection / EU Counter-Terrorism policy


Presentation by Katarzyna Cuadrat-Grzybowska on the occasion of the Hearing on EU Counter-Terrorism policy held at the EESC premises on 9 February 2011.

Published in: News & Politics
  • 02/03/11 Introduction to the general framework and principles: the issues are interlinked and difficult to separate. Give an umbrella presentation of the international and EU legal framework. We will present specific issues of the single instruments, in a complex environment (multilevel, stratified/dispersed legal instruments). Questions at the end.
  • Explanation of structure:
  • A broad concept (Resolution adopted by the Parliamentary Assembly of the Council of Europe, already in 1970): "The right to privacy consists essentially in the right to live one's own life with a minimum of interference. It concerns private, family and home life, physical and moral integrity, honour and reputation, avoidance of being placed in a false light, non-revelation of irrelevant and embarrassing facts, unauthorised publication of private photographs, protection against misuse of private communications, protection from disclosure of information given or received by the individual confidentially." Privacy is in that sense a private sphere exempted from disclosure, which allows the individual to retain a feeling of control over himself and the environment close to him. According to the (extensive) case law of the European Court of Human Rights, privacy extends to the workplace. It thus follows that the reputation and the professional integrity of an individual form an integral part of the notion of privacy. Warren and Brandeis (end of the 19th century).
  • Art. 16 TFEU: Everyone has the right to the protection of personal data concerning them. The value of the fundamental right will be reinforced: the EU Charter will have binding value, plus EU accession to the ECHR. Specificities in police and judicial cooperation. Declarations: (No. 20) data protection rules that may have direct implications for national security should take due account of the specific characteristics of the matter; (No. 21) specific data protection rules in police and judicial cooperation may prove necessary because of the specific nature of these fields.
  • - Lawfulness: collection and processing should be according to the law: provided for by law or activities under a public assignment.
    - No data shall be collected for undefined purposes (need to know).
    - Interconnection of files held for different purposes and/or online access only on a case-by-case basis and subject to clear legal provision (principle 5.6 Rec).
    - Storage: (in particular, conclusion of an inquiry, final judicial decision – acquittal; rehabilitation; principle 7.1 rec 87(15)).
    - Data quality. Accuracy and different categories of data: as far as possible, the different categories of data stored should be distinguished in accordance with their degree of accuracy or reliability and, in particular, data based on facts should be distinguished from data based on opinions or personal assessments (principle 3.2).
    - Routine quality checks, and checks before transmission: as far as possible, the quality of data should be verified at the latest at the time of their communication. As far as possible, in all communications of data, judicial decisions, as well as decisions not to prosecute, should be indicated, and data based on opinions or personal assessments checked at source before being communicated and their degree of accuracy or reliability indicated (principle 5.5).
    - Crucial element, especially when data are processed far from their origin and are continuously exchanged in broad networks (the police file is no longer on the desk of the policeman who knows the case; hard data and soft data), both for citizens and for the work of law enforcement authorities.
  • - Information: individuals should be informed (principle 2.2).
    - Security: appropriate measures should be taken against accidental or unauthorized destruction or loss, or unauthorized access, alteration, dissemination.
    - Right of access: individuals shall be enabled to have confirmation about whether personal data relating to them are processed and to have communication of such data in an intelligible form.
    - Rectification or erasure, when data are processed contrary to the provisions.
    - There should be a possibility of remedy (conv 108) or appeal to a supervisory authority (rec 87(15)).
    - Exceptions: provided by law, necessary measure to meet a public interest or to protect the data subject or the freedoms of others.
    - In rec 87(15) specific examples are given with regard to the police sector (information may be deferred insofar as the object of the police investigation is likely to be prejudiced; access as well, and should in principle be motivated in writing).
  • Adequacy. Contractual guarantees for data.
  • Data Protection / EU Counter-Terrorism policy

    1. Data protection, EU Counter-terrorism policy
        Katarzyna Cuadrat-Grzybowska, Legal Adviser to EDPS
    2. Outline
        • Role of EDPS (as adviser to EU institutions)
        • Right balance between security and data protection is needed
        • Security and data protection are compatible values
        • Data protection as the pre-condition for success of the CTP
    3. The EDPS (I)
        • Mission:
        • ensure the protection of people whose data are processed by the Community institutions and bodies (Regulation 45/2001)
        • give advice on new legislation having data protection implications (consultation)
    4. EDPS Opinions
        • Opinion of 24 November 2010 on the Communication from the Commission to the EP and the Council – “The EU Counter-terrorism Policy: main achievements and future challenges”
        • Opinion of 17 December 2010 on the Communication from the Commission and the Council – “EU Internal Security Strategy in Action: Five steps towards a more secure Europe”
        • Opinion of 30 September 2010 on the Communication from the Commission to the EP and the Council – “Overview of information management in the AFSJ”
        • Opinion of 22 June 2010 on a Proposal for a Council Decision on the conclusion of the Agreement between the EU and the US on the processing and transfer of Financial Messaging Data from the EU to the US for the purposes of the TFTP II
    5. Needs in CTP
        • Need for a transparent discussion
        • Need for a more comprehensive, inclusive and strategic approach
        • Need for a clear picture of what is in place (“information mapping” as a first step)
        • Need for real assessment and evaluation (showing also deficiencies)
        • Need for data protection as an objective
    6. EU Legal Framework
        • The Lisbon Treaty and Data protection
        • Data protection as a Fundamental Right
        • A new general legal basis for data protection (Article 16 TFEU)
        • Commission’s Communication of 4 November 2010 on a comprehensive approach
        • EDPS Opinion of 14 January 2010
        • Proposal expected this year
    7. The Stockholm Programme
        • Future of Area of Justice, Freedom and Security for 2010-2014
        • Commission’s Communication of 10 June 2009
        • EDPS’s Opinion of 10 July 2009
        • Focus on the protection of fundamental rights
        • Data protection as the key element
    8. Basic principles (I)
        • Purpose limitation principle
            • Explicit, legitimate, clear purpose, not processed for incompatible purposes
            • No data shall be collected for undefined purposes (need to know)
        • Proportionality principle
            • Adequate, not excessive, stored no longer than necessary
        • Data quality
            • Ensuring that data are accurate and up to date: different degree of accuracy and reliability, quality checks
    9. Basic principles (II)
        • Transparency
            • Transparency in data flows
        • Security
            • Appropriate measures should be taken against accidental or unauthorized destruction or loss, or unauthorized access, alteration, dissemination
        • Accountability on the body in charge of law enforcement activities
    10. Exceptions
        • provided by law
        • necessary measure to meet a public interest
        • to protect the data subject or the freedoms of others
    11. Risks
        • Risks derived from the objectives of ISS, IMS and CTP for individuals' privacy
        • Risk of stigmatisation and discrimination
        • Preventive measures
        • Reliance on automated decision making based on data mining techniques (“false positives” and “false negatives”)
    12. Notions applicable to CTP
        • Privacy by design
        • Privacy and data protection impact assessment
        • Focus on data subject rights
        • Effective judicial remedies
    13. Thanks for your attention!
        • Katarzyna Cuadrat-Grzybowska
        • [email_address]