Tag Archives: European Commission

Some end-of-the-year good news: People genuinely care about their privacy

Dear followers,

First, I would like to thank you for making this the most successful year in the five-year life of pdpEcho (I would especially like to thank those who supported the blog and thus helped me cover the cost of renting the blog’s .com name). I started this blog when I was in my first year as a PhD student to gather all the information I found interesting on privacy and data protection. At that time I was trying to convince my classic “civilist” supervisor that data protection is also a matter of civil law, and that I could write a civil law thesis on this subject in Romanian, even though the Romanian literature on it counted only one book title, from 2004. In the five years that followed another book title was added to it, and the blog and I grew together (be it at different paces).

In recent months it offered me a way to stay connected to the field while transitioning from Brussels to the US. But most importantly, it reminded me constantly that privacy is really not dead, as has been claimed numerous times. I cared about it, the people who found this blog every day cared about it, and as long as we care about privacy, it will never die.

I am writing this end-of-the-year post with some very good news from Europe: you and I are not the only ones who care about privacy. A vast majority of Europeans do as well. The European Commission published a Eurobarometer on ePrivacy a few days ago, as a step towards the launch of the ePrivacy Directive reform later in January.

The results could not have been clearer:

“More than nine in ten respondents said it is important that personal information (such as their pictures, contact lists, etc.) on their computer, smartphone or tablet can only be accessed with their permission, and that it is important that the confidentiality of their e-mails and online instant messaging is guaranteed (both 92%)” (source, p. 2).

“More than seven in ten think both of these aspects are very important. More than eight in ten (82%) also say it is important that tools for monitoring their activities online (such as cookies) can only be used with their permission (82%), with 56% of the opinion this is very important” (source, p. 2).

Overwhelming support for encryption

Remarkably, 90% of those asked agreed “they should be able to encrypt their messages and calls, so they can only be read by the recipient”. Almost as many (89%) agree the default settings of their browser should stop their information from being shared (source, p. 3).

Respondents thought it unacceptable to have their online activities monitored in exchange for unrestricted access to a certain website (64%), or to pay in order not to be monitored when using a website (74%). Almost as many (71%) say it is unacceptable for companies to share information about them without their permission, even if it helps companies provide new services they may like (source, p. 4).

You can find the detailed report here.

Therefore, there is serious cause to believe that our work and energy are well spent in this field.

The new year brings me several publishing projects that I am very much looking forward to, as well as two work projects on this side of the Atlantic. Nevertheless, I hope I will be able to keep up the work on pdpEcho, for which I hope to receive more feedback and even input from you.

On this note, I wish you all a Happy New Year, in which all our fundamental rights will be valued and protected!

Gabriela


EU Commission’s leaked plan for the data economy: new rules for IoT liability and sharing “non-personal data”

It seems that it’s the season of EU leaks on internet and digital policy. One day after the draft new e-Privacy regulation was leaked (to Politico), another document appeared online (published by Euractiv) before its adoption and release – a Communication from the European Commission on “Building a European data economy”.

It announces at least two revisions of existing legal acts: the Database Directive (96/9/EC) and the Product Liability Directive (85/374/EEC). New legislative measures may also be needed to achieve the objectives announced in the draft Communication. However, the Commission is not clear about this and leaves much of the decision-making until the results of wide stakeholder and public consultations have been processed.

The common thread of most of the policy areas covered by the Communication is “non-personal data”. The Commission starts from the premise that, while the GDPR allows for the free movement of personal data within the EU, there are currently no common rules among Member States for sharing, accessing or transferring “non-personal data”. Moreover, the Commission notes that the number of national data localisation measures is growing.

“The issue of the free movement of data concerns all types of data: enterprises and actors in the data economy deal with a mixture of personal and non-personal data, machine generated or created by individuals, and data flows and data sets regularly combine these different types of data”, according to the draft Communication.

And what is truly challenging is that “enterprises and actors in the data economy will be dealing with a mixture of personal and non-personal data; data flows and datasets will regularly combine both. Any policy measure must take account of this economic reality”.

If you are wondering what is meant by “non-personal data”, the draft Communication provides some guidance. For instance, it mentions that “personal data can be turned into non-personal data through the process of anonymisation” and that “the bulk of machine-generated data are not personal data”. Therefore, anonymisation and de-identification techniques will gain even more importance. The line between the two regimes matters in practice: under the GDPR, pseudonymised data remains personal data (Recital 26), and only data that can no longer be attributed to an identifiable person by means reasonably likely to be used counts as anonymised. Replacing names with hashes, for example, does not on its own move a dataset out of the GDPR.
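The following is an added illustration of why that distinction is more than a legal nicety; it is not part of the Communication or of this blog’s original text, and the records, e-mail addresses and age/postcode values in it are constructed for the example. It shows two things a practitioner checking whether a dataset is “non-personal” would want to see: first, that hashing an identifier with no secret is pseudonymisation, because anyone who can enumerate the input space (here a small directory of plausible addresses) can reverse it; second, a k-anonymity measurement over the quasi-identifiers that remain after the identifier is removed, before and after coarsening them, since unique combinations of age and postcode can re-identify a person just as well as a name. The generalisation rules (10-year age bands, postcode prefix) are arbitrary choices for the demonstration.

```python
import hashlib
from collections import Counter

# Constructed sample dataset: a direct identifier (email), two quasi-identifiers
# (age, postcode) and a sensitive attribute (diagnosis). Not real data.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "age": 34, "postcode": "1000", "diagnosis": "flu"},
    {"email": "bob@example.org",   "age": 37, "postcode": "1003", "diagnosis": "asthma"},
    {"email": "carol@example.org", "age": 52, "postcode": "2010", "diagnosis": "flu"},
    {"email": "dan@example.org",   "age": 58, "postcode": "2015", "diagnosis": "diabetes"},
]

# Constructed "directory" an attacker might hold (e.g. a mailing list):
# the input space the hash can be enumerated over.
CANDIDATE_EMAILS = [f"{name}@example.org"
                    for name in ("alice", "bob", "carol", "dan", "eve", "frank")]


def pseudonymise(email: str, salt: bytes = b"") -> str:
    """Replace an identifier with a SHA-256 digest (optionally keyed with a secret salt)."""
    return hashlib.sha256(salt + email.strip().lower().encode()).hexdigest()


def pseudonymise_dataset(records, salt: bytes = b""):
    """Drop the email column and publish a hash in its place."""
    return [{"pseudonym": pseudonymise(r["email"], salt),
             **{k: v for k, v in r.items() if k != "email"}} for r in records]


def reverse_by_enumeration(digest: str, candidates, salt: bytes = b""):
    """Dictionary attack: recover the identifier behind a digest if the attacker
    knows (or guesses) the salt and can enumerate plausible inputs.
    Returns the matching email, or None if the digest is not found."""
    for email in candidates:
        if pseudonymise(email, salt) == digest:
            return email
    return None


def k_anonymity(records, quasi_identifiers) -> int:
    """Smallest equivalence class over the given quasi-identifier columns.
    k == 1 means at least one record is unique on those columns, i.e. re-identifiable
    by anyone who knows that combination about a person."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values())


def generalise_age(age: int, width: int = 10) -> str:
    """Coarsen an exact age into a band such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalise(records, postcode_prefix: int = 3):
    """Apply the (arbitrary, example) generalisation rules to the quasi-identifiers."""
    return [{**r,
             "age": generalise_age(r["age"]),
             "postcode": r["postcode"][:postcode_prefix] + "*"} for r in records]


if __name__ == "__main__":
    published = pseudonymise_dataset(SAMPLE_RECORDS)
    # Unsalted hash: the attacker with a directory recovers the identifier.
    print("reversed:", reverse_by_enumeration(published[0]["pseudonym"], CANDIDATE_EMAILS))
    # Keyed hash with a secret the attacker lacks: enumeration with the wrong key fails.
    keyed = pseudonymise("alice@example.org", b"secret-key")
    print("reversed with wrong key:", reverse_by_enumeration(keyed, CANDIDATE_EMAILS))
    # Even without the identifier, exact age + postcode singles everyone out.
    print("k (raw):", k_anonymity(SAMPLE_RECORDS, ("age", "postcode")))
    print("k (generalised):", k_anonymity(generalise(SAMPLE_RECORDS), ("age", "postcode")))
```

The keyed variant only holds as long as the key stays secret and the key holder is considered: for the organisation that keeps the key the data is still pseudonymous, not anonymous, which is exactly the Recital 26 point. A k of 2 on four records is also not a release decision; the check is the kind of measurement one would run, not a threshold.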

While the GDPR covers how personal data are used in the EU, the proposals that will be made on the basis of this Communication envisage the use of all the other data.

So what does the Commission propose?

Several objectives are announced, most of them dealing with the free flow of and access to “non-personal data”, while another objective looks at reforming liability rules to accommodate algorithms, Artificial Intelligence and the Internet of Things.

Free flow of and access to non-personal data

  • According to the draft Communication, any Member State action affecting data storage or processing should be guided by a ‘principle of free movement of data within the EU’.
  • Broader use of open, well-documented Application Programming Interfaces (APIs) could be considered, through technical guidance, including identification and spreading of best practice for companies and public sector bodies.
  • The Commission could issue guidance based on the Trade Secrets Directive, copyright legislation and the Database Directive on how data control rights should be addressed in contracts. The Commission intends to launch the review of the Database Directive in 2017.
  • Access for public interest purposes – public authorities could be granted access to data where this would be in the general interest and would considerably improve the functioning of the public sector, for example access for statistical offices to business data or the optimization of traffic management systems on the basis of real-time data from private vehicles.
  • Selling and acquiring databases could be regulated. “Access against remuneration”: a framework based on fair, non-discriminatory terms could be developed for data holders, such as manufacturers, service providers or other parties, to provide access to the data they hold against remuneration. The Communication is not clear whether this proposal could also cover personal data. In any case, on several occasions throughout the draft Communication, it is mentioned or implied that the GDPR takes precedence over any new rules that would impact the protection of personal data.
  • A data producer’s right to use and licence the use of data could be introduced; by “data producer”, the Commission understands “the owner or long-term user of the device”. This approach would “open the possibility for users to exploit their data and thereby contribute to unlocking machine-generated data”.
  • Developing further rights to data portability: building on the GDPR data portability right and on the proposed rules on contracts for the supply of digital content, further rights to portability of non-personal data could be introduced. The data portability initiatives would be accompanied by sector-specific experiments on standards, involving a multi-stakeholder collaboration of standard setters, industry, the technical community and public authorities.

Rethinking liability rules for the IoT and AI era

Even though Artificial Intelligence is not mentioned as such in the draft Communication, it is clear that the scenario of algorithms making decisions is also envisaged by the announced objective of reforming product liability rules, alongside the IoT. As the draft Communication recalls, the Product Liability Directive currently establishes the principle of strict liability, i.e. liability without fault: where a defective product causes damage to a consumer, the manufacturer may be liable even without negligence or fault on its part. The current rules are addressed only to the producer, always require a defect, and require that the causal link between the defect and the damage be proven.

The Commission proposes two approaches, which will be subject to consultation:

  • “Risk-generating or risk-management approaches: liability would be assigned to the market players generating a major risk for others and benefitting from the relevant device, product or service or to those which are best placed to minimize or avoid the realization of the risk.”
  • “Voluntary or mandatory insurance schemes: they would compensate the parties who suffered the damage; this approach would need to provide legal protection to investments made by business while reassuring victims regarding fair compensation or appropriate insurance in case of damage.”

“Connected and automated driving” – used as test case

The Commission intends to test all the proposed legal solutions, after engaging in wide consultations, in a real life scenario and proposes “connected and automated driving” as the test case.

Finally, read all of these objectives and proposals bearing in mind that they come from a draft document that was leaked to Euractiv. It is possible that by the time of adoption and publication of this Communication (and there is no indication as to when it will be officially published) its content will have been altered.

***

Find what you’re reading useful? Please consider supporting pdpecho.

Peter Hustinx expressed “serious concerns” in a letter to EU officials regarding the appointment of the new EDPS

The mandate of Peter Hustinx as European Data Protection Supervisor will end on January 16. Mr. Hustinx will thus finish his second five-year term as EDPS, leaving behind a strong legacy. The question is: who will take care of this legacy from now on?

In a letter sent to EU officials and published on January 7, Mr. Hustinx expresses “serious concerns about the procedure for the selection and appointment of a new European Data Protection Supervisor and Assistant Supervisor”, because “at this stage, it is highly unlikely that the appointment of a new Supervisor and Assistant Supervisor will take place either before or shortly after this date (January 16)”.

According to Article 42(1) of Regulation 45/2001, “The European Parliament and the Council shall appoint by common accord the European Data Protection Supervisor for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates”.

Article 42(2) of the Regulation states that “The European Data Protection Supervisor shall be chosen from persons whose independence is beyond doubt and who are acknowledged as having the experience and skills required to perform the duties of European Data Protection Supervisor, for example because they belong or have belonged to the supervisory authorities referred to in Article 28 of Directive 95/46/EC”.

According to Pcworld.com, although the call for candidates went out last year, Commission spokesman Antony Gravili said that “the selection panel concluded that none of the candidates had the qualities that are needed for the job.”

Mr. Hustinx considers that this “opens the perspective of a period of uncertainty as to when the new team of Supervisors will be appointed”.

He continues with the view that “This uncertainty and the possibly long delays that may be involved, as well as their different consequences, are likely to harm the effectiveness and the authority of the EDPS over the coming months. The EU is presently in a critical period for the fundamental rights of privacy and data protection, and a strong mandate is required to provide the authority to ensure that these fundamental rights are fully taken into account at EU level. In this respect, I would recall that the operation of a fully effective independent control authority is an essential feature of that right, as set out in Article 8 of the Charter and Article 16 of the Treaty”.

In this context, Mr. Hustinx sent the letter to Mr. Maroš Šefčovič, Vice-President of the European Commission, Mr. Juan Fernando López Aguilar, Chairman of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and Ambassador Theodoros N. Sotiropoulos, Permanent Representative of Greece (as Greece recently took over the six-month rotating presidency of the Council of the European Union), asking them “to take all the steps necessary to ensure that a new Supervisor and Assistant Supervisor will be appointed as soon as possible”.


See also

IAPP’s Angelique Carson published an informative piece about Mr. Hustinx’s legacy in December on privacyassociation.org, which I invite you to read HERE.


The European Parliament released its reports on the data protection reform package, proposing several changes

European Parliament rapporteurs presented yesterday, according to a press release of the European Commission, two draft reports on the reform of the EU’s data protection rules proposed by the European Commission just a year ago (see IP/12/46 and MEMO/12/41). In their reports, Jan-Philipp Albrecht, rapporteur for the proposed Data Protection Regulation in the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE), and Dimitrios Droutsas, rapporteur for the proposed Data Protection Directive for the law enforcement sector, express their full support for a coherent and robust data protection framework with strong and enforceable rights for individuals. They also stress the need for a high level of protection for all data processing activities in the European Union, to ensure more legal certainty, clarity and consistency.

Some of the key points of the rapporteurs’ reports include:

  • The need to replace the current 1995 Data Protection Directive with a directly applicable Regulation. A single set of rules on data protection, valid across the EU will remove unnecessary administrative requirements for companies and can save businesses around €2.3 billion a year.
  • Support in principle for the Commission’s proposal to have a “one-stop shop” for companies that operate in several EU countries and for consumers who want to complain about a company established in a country other than their own. To ensure consistency in the application of EU data protection rules, the European Parliament rapporteur wants to create a powerful and independent EU data protection agency entrusted with taking legally binding decisions vis-à-vis national data protection authorities.
  • Support for the strengthening of users’ rights: they encourage the use by companies of pseudonymous and anonymous data; they further propose strengthening the concept of explicit consent for data to be legally processed by asking companies to use clear and easily comprehensible language (also with regards to privacy policies); the ‘Albrecht-report’ proposes further reinforcing the “right to be forgotten” (the right to erase one’s data if there are no legitimate grounds to retain it) by asking companies which have transferred data to third parties without a legitimate legal basis to make sure these data are actually erased.
  • The European Parliament rapporteurs agree with the European Commission’s proposal that EU rules must apply if personal data of individuals in the EU is handled abroad by companies which are not established in the Union. According to the amendments proposed it would be sufficient that a company aims at offering its goods or services to individuals in the EU. An actual payment from the consumer to the company is not needed to trigger the application of the data protection regulation.
  • The European Parliament rapporteurs stress the need to have independent national data protection authorities which are well-equipped to better enforce the EU rules at home. The ‘Albrecht-report’ provides guidance as to the staffing and resourcing of these authorities and welcomes the Commission’s proposal to empower them to fine companies that violate EU data protection rules.
  • On the delegated acts foreseen in the Regulation (also known as ‘Commission empowerments’ or acts which ensure that if, in practice, more specific rules are necessary, they can be adopted without going through a long legislative process): the European Parliament rapporteur wants to drastically reduce the number of delegated acts by including, among others, more detailed provisions in the text of the Regulation itself. The European Commission has recently shown its openness to such an approach (see SPEECH/12/764).
  • On the Directive that will apply general data protection principles and rules to police and judicial cooperation in criminal matters, the rapporteur agrees with the Commission’s proposal to extend the rules to both domestic and cross-border transfers of data. The report also aims to strengthen data protection further by enhancing individuals’ rights, giving national data protection authorities greater and more harmonised enforcement powers and by obliging them to cooperate in cross-border cases.

The European Parliament’s LIBE Committee will discuss the draft reports on 10 January.

The European Commission will continue to work very closely with the rapporteurs of the European Parliament and with the Council to support the Parliament and the Irish EU Presidency in their endeavour to achieve a political agreement on the data protection reform by the end of the Irish Presidency.

See the entire press release: http://europa.eu/rapid/press-release_MEMO-13-4_en.htm

FAQs on referral of ACTA to the European Court of Justice

edri.org compiles an interesting set of FAQs regarding the European Commission’s referral of ACTA to the Court of Justice of the European Union (CJEU).

They answer questions like:

Why did the EC decide to opt for a referral?

How can the EC refer ACTA to the CJEU?

What are the questions that will be asked?

What would the referral not cover?

What are the possible outcomes?

How long will a ruling take?

Regarding this last one, edri.org says that “In general, the European Court of Justice rules within twelve to twenty-four months. However, some European law makers are hoping for a faster ruling. Much depends on the choices made by the Court and the scope of the questions asked”.

So real answers to the ACTA questions are still some way off. Until the CJEU decides one way or the other, enjoy reading EDRi’s answers HERE.

Commission downplays Parliament EU-US data privacy concerns

EUobserver writes about how Justice Commissioner Viviane Reding has insisted that US authorities cannot override EU laws on data privacy, following concerns expressed by MEPs that certain US laws and legal subpoenas could force EU companies to disclose personal data to US law enforcement agencies.

In an oral question to the Commission, liberal MEPs drew attention to US legislation, including the Medicare Act and the Patriot Act, which, they said, could require the submission of personal data stored in Europe to the US authorities.

Read the rest here: http://euobserver.com/871/115299