Tag Archives: the right to data portability

CNIL just published the results of their GDPR public consultation: what’s in store for DPOs and data portability? (Part I)

Gabriela Zanfir Fortuna

The French Data Protection Authority, CNIL, made public this week the report of the public consultation it held between 16 and 19 July 2016 among professionals about the General Data Protection Regulation (GDPR). The public consultation gathered 540 replies from 225 contributors.

The main issues the CNIL focused on in the consultation were four:

  • the data protection officer;
  • the right to data portability;
  • the data protection impact assessments;
  • the certification mechanism.

These are also the four themes in the action plan of the Article 29 Working Party for 2016.

This post (Part I) will summarise the results and action plan for the first two themes, while the last two will be dealt with in a second post (Part II). [Disclaimer: all quotations are translated from French].

1) On the data protection officer

According to Article 37 GDPR, both the controller and the processor must designate a data protection officer where the processing is carried out by a public authority (1)(a), where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (1)(b) and where their core activities consist of processing sensitive data on a large scale (1)(c).

The report reveals that there are many more questions than answers or opinions about how Article 37 should be applied in practice. In fact, most of the contributions are questions from the contributors (see pages 2 to 4). They raise interesting points, such as:

  • What is considered to be a conflict of interest – who will not be able to be appointed?
  • Should the DPO be appointed before May 2018 (when GDPR becomes applicable)?
  • Will the CNIL validate the mandatory or the optional designation of a DPO?
  • Which will exactly be the role of the DPO in the initiative for and in the drafting of the data protection impact assessments?
  • Which are the internal consequences if the recommendations of the DPO are not respected?
  • Is it possible that the DPO becomes liable under Criminal law for how he/she monitors compliance with the GDPR?
  • Should the DPO be in charge of keeping the register of processing operations and Should the register be communicated to the public?
  • Should only the contact details of the DPO be published, or also his/her identity?
  • Must the obligations in the GDPR be applied also for the appointment of the DPO that is made voluntarily (outside the three scenarios in Article37(1))?
  • Can a DPO be, in fact, a team? Can a DPO be a legal person?
  • Are there any special conditions with regard to the DPO for small and medium enterprises?

The CNIL underlines that for this topic an important contribution was brought by large professional associations during discussions, in addition to the large number of replies received online.

In fact, according to the report, the CNIL acknowledges “the big expectations of professional associations  and federations to receive clarifications with regard to the function of the DPO, as they want to prepare as soon as possible and in a sustainable way for the new obligations” (p. 5).

As for future steps, the CNIL recalls that the Article 29 Working Party will publish Guidelines to help controllers in a practical manner, according to the 2016 action plan. (There’s not much left of 2016, so hopefully we’ll see the Guidelines soon!). The CNIL announces they will also launch some national communication campaigns and they will intensify the training sessions and workshops with the current CILs (Correspondants Informatique et Libertés – a role similar to that of a DPO).

2) On the right to data portability


Article 20 GDPR provides that the data subject has the right to receive a copy of their data in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller only if the processing is based on consent or on a contract.

First, the CNIL notes that there was “a very strong participation of the private sector submitting opinions or queries regarding the right to data portability, being interesting especially about the field of application of the new right, the expenses its application will require and about its consequences on competition” (p. 6).

According to the report, the right to data portability it’s perceived as an instrument that allows regaining the trust of persons about processing of their personal data, bringing more transparency and more control over the processing operation (p. 6).

On another hand, the organisations that replied to the public consultation are concerned about the additional investments they will need to make to implement this right. They are also concerned about (p. 6):

  • “the risk of creating an imbalance in competition between European and American companies, as European companies are directly under the obligation to comply with this right, whereas American companies may try to circumvent the rules”. My comment here would be that they should not be concerned about that, because if they target the same European public to offer services, American companies will also be under a direct obligation to comply with this right.
  • “the immediate cost of implementing this right (for instance, the development of automatic means to extract data from databases), which cannot be charged to the individuals, but which will be a part of the management costs and will increase the costs for the services”.
  • “the level of responsibility if the data are mishandled or if the data handed over to the person are not up to date”.

The respondents to the public consultation seem to be a good resource for technical options to use in terms of the format needed to transfer data. Respondents argued in favor of open source formats, which will make reusing the data easier and which will be cheaper compared to proprietary solutions. Another suggested solution is the development of Application Program Interfaces (APIs) based on open standards, without a specific licence key. This way the persons will be able to use the tools of their choice.

One of the needs that emerged from the consultation was to clarify whether the data that are subject to the right to portability must be raw data, or whether transferring a “summary” of the data would suffice. Another question was whether the data could be asked for by a competing company, with a mandate from the data subject. There were also questions regarding the interplay of the right to data portability and the right of access, or asking how could data security be ensured for the transfer of the “ported” data.

In the concluding part, the CNIL acknowledges that two trends could already be seen within the replies: on the one hand, companies tend to want to limit as much as possible the applicability of the right to data portability, while on the other hand, the representatives of the civil society are looking to encourage persons to take their data in their own hands and to reinvent their use (p. 10).

According to the report, the Technology Subgroup of the Article 29 Working Party is currently drafting guidelines with regard to the right to data portability. “They will clarify the field of application of this right, taking into account all the questions raised by the participants to the consultation, and they will also details ways to reply to portability requests”, according to the report (p. 10).


Find what you’re reading useful? Consider supporting pdpecho.

Click HERE for Part II of this post.

The rights of the person regarding personal data protection – PhD thesis summary

(After three years of intense work in a field  not popular at all in Romanian legal research, I have finally done it 🙂 The public defense of the thesis is scheduled for November 30, 2013, at the University of Craiova. The thesis is in Romanian. The pdf version of the Summary is temporarily available here.)


Personal data protection is the subject of an intense global debate, triggered by the extraordinary development of Information Technology (IT), the ever growing capacity of its products to store, process data and of their inter-connectivity. The debate is especially triggered by the way its products are used.

Personal data protection emerged as a regulatory field in the 1970s in Western and Northern Europe, as well as in the United States of America. It developed with an alert rhythm, presenting alongside its development the characteristics of a global regulatory phenomenon.

Romania enacted its first data protection law as late as 2001, as a consequence of its pre-accession obligations to join the European Union (EU). In spite of the long lack of preoccupation towards personal data protection, currently this field is also regulated in the Civil Code, under the section dedicated to personality rights – more precisely in Article 77, which specifically refers to the protection of personal data.

This thesis fills in the lacunae in the Romanian legal literature with regard to personal data protection, characterizing the right to personal data protection as a subjective right (droit subjectif) and making an exhaustive critique of the rights of the data subject to directly control data processing, which are analyzed as prerogatives of the general data protection right.

Therefore, the main question this thesis answers is: “What are the roles of the ‘control’ rights of the data subject in data protection law and how do they become effective, having regard to the complex system of norms which regulate them?”

Part I of the thesis establishes the main coordinates of a general theory of personal data protection. A one-dimensional theoretical foundation of this field is absent in the Romanian legal literature, while in the foreign legal literature the main fundamental theoretical preoccupation seems to be the differentiation between personal data protection and the protection of private life. To achieve this goal, the endeavor within Part 1 is divided in two chapters, the first one characterizing data protection as a regulatory field and the second one theorizing the right to personal data protection as a droit subjectif civil (subjective right).

The first chapter represents a historical misce an scéne, which is multi-dimensional from a territorial point of view, and contextual with regard to the data protection regulations. There are three main ideas which emerge from this analysis.   

First, it is underlined that the emergence of technologies to store and process information imposed the necessity of a juridical mechanism to protect individual freedom in relation to storing and processing personal information.

Second, this mechanism has been enacted relatively simultaneously in the 1970s and the beginning of the 1980s in Western democracies, having similar forms and principles. This led to the theories regarding the global convergence of data protection norms.

Finally, even though legal writers have identified until now several generations of data protection regulations, in fact the only substantial difference between the content of these regulations in different moments in time is the development from multiple dispersed norms with a common purpose – data protection, to the recognition and enactment of a subjective right to data protection.

With regard to the particularities of the Romanian data protection system presented in this chapter, the analysis of the transposition in the Romanian legal system of data protection norms can be remarked, starting with the substantiation of their necessity and underlying the differences between the transposition law (Law no. 667/2001) and Directive 95/46 for the protection of the individual with regard to data processing. These differences can lead in certain cases to the conclusion that transposition errors exist. For instance, such is the case with the broader understanding provided in the Romanian law for the lawful grounds of data processing.

The detailed provisions regarding informational privacy contained in the new Civil Code (NCC), as well as the concern showed strictly for personal data protection (Art. 77 NCC), are an indication of the fact that Romania has a modern civil code. It is built to support the individual in front of the digital age challenges, on one hand, and with regard to the interferences in her private life, on the other hand.  As it was already underlined in the legal literature, “certainly, this regulation will greatly contribute to the civilization of some inter-human interactions which are in great suffering in these rough times we are passing through, but also to holding back the uncontrolled zeal of authorities, which, under different pretexts, disregard rights such as the right to private life or dignity”[1].

However, in the near future, the existing rules regarding personal data protection – which have a broad material scope, will be put aside from the national legal system by the new EU Data Protection Regulation and the new EU data protection directive in criminal matters, which are currently under legislative debate in the European Parliament and the European Council (as long as they will be contrary to the new EU legislation).

Chapter 2, starting from the droit objectif of data protection, substantializes the existence of data protection in informational self-determination, which is further grounded in free will. The chapter continues with the transition from the identification of an interest which can be protected by data protection provisions to theorizing the right to personal data protection as droit subjectif.

Therefore, the classical elements of the droit subjectif are identified with regard to the right to personal data protection and detailed – the subject (titulaire) of the right, the object, and the content of the right, while its legal protection will be comprehensively studied in Part III of the thesis.

A significant contribution of Chapter 2 to data protection theory is the contextualization of the role of consent in the protection of personal data. According to it, the focus in data protection law should be removed from consent and placed upon the suitable safeguards of the data subject, such as the rights to control data processing, purpose limitation and accountability mechanisms. All of these safeguards are regulated with the purpose to create a complex system of protection of the data subject. These three types of safeguards are identified as being the prerogatives within the content of the right to personal data protection.

It was showed that, ultimately, the philosophy of data protection could be summarized: every person should have the right not to be subject to data processing, unless it is made on one of the recognized legal grounds (which are identified as being part of the meta-content of the right to personal data protection), and it is subject to suitable safeguards (which are identified as prerogatives within the content of the right to personal data protection). As the consent of the data subject is merely one of several legal grounds enshrined in data protection law, it was argued that the importance of consent in this field must be hierarchized bellow the necessity to clarify and detail the “suitable safeguards”. This is a consequence of coordinating the prerogatives of the right to personal data protection with the right’s object, an object which has a procedural nature and which represents an aggregation of mechanisms as normative instruments for transparency.

Therefore, it is further argued that the right to personal data protection is a non-pecuniary subjective right (droit subjectif), substantialized with the purpose to protect the interests of the person in the context of the Information Society. Its structure is complex, and its essence is rather procedural. It is showed, nevertheless, that all the classical elements of the droit subjectif have correspondents in the provision of the right to personal data protection.

The rights of the data subject which facilitate the informational self-determination, named in this thesis “control rights”, are systemized in Part II, following the structure of the European Commission’s proposal for a General Data Protection Regulation, which divides the rights into three categories: information and access rights, rectification and erasure rights, as well as the right to object (to data processing in general, and also to automated decisions taken on the basis of profiling).

According to one of the data protection principles, the data subject enjoys the possibility of directly participating to the processing of her data, and influencing it. This principle is known as the data subject participation and control principle. Along with seven other principles – fair and lawful processing, data minimization, purpose specification, data quality, disclosure limitations, information security and sensitivity principles, it plays an important part for the lawful processing of private data, having regard to the ultimate purpose of the protection of personal liberties. The rights of the data subject – right to information, right to access, right to rectification, right to objection, right not to be subject of an automated decision based on profiling, the proposed right to be forgotten and right to data portability (which are regulated in the draft data protection regulation), are normative expressions of the data subject participation and control principle with regard to data processing.

Authors, like Poullet, consider that the express provision of these subjective rights of the data subject in Convention 108 of the Council of Europe (with regard to personal data protection; adopted in 1981) marks the second generation of data protection laws and allows the data subject to control the use of her informational image and to assess the reasons of its utilization. It must be mentioned that, contrary to this opinion, most of the data protection laws enforced in Europe in the ‘70s have had regard to the fact that “the stream of personal data primarily flows from the weak actors to the strong”[2], guaranteeing from the beginning a set of rights of the data subject: the right to information and access, the right to rectification and the right to erasure. This set of rights has evolved within the national laws, being further regulated in detail by EU Directive 95/46 on the protection of individuals with regard to the processing of personal data.

Within the chapters of Part II, the content of each subjective right expressly enshrined in data protection law is conceptually grounded and its current provision is also analyzed from the point of view of the evolution of its normative history. The rights of the data subject are studied having regard firstly to Romanian law, and subsequently to the EU directives regulating in the field of data protection and the legislative proposals from the EU data protection reform package – the General Data Protection Regulation (GDPR) and the directive of data protection in criminal matters, which are currently in the process of being adopted. The case-law of the European Court of Human Rights in Strasbourg under Article 8 (respect for private life) of the European Convention of Human Rights will also be taken into account, especially with regard to the right to access. The necessity of such a comprehensive approach on the rights of the data subject is evident in the multi-layered legal system of a Member State of the EU.

Chapter 3 details the right to inform and the right to access the personal data being processed. The protection of personal data would lack efficiency if data subjects would not be able to acknowledge the existence of the processing, its context, and would not know what particular data are processed, how are they used and who has access to them. The two rights are the expression of a transparency principle, but a two-dimensional transparency, respectively transparency managed by the data controller and exclusively opposable to the data subject.

Informational self-determination has as starting point this kind of transparency. If the data subject does not know that her data are being processed and stored in certain databases, then it would be impossible for her to exercise any of the prerogatives which follow from legally guaranteeing the right to the protection of private data.

On the other hand, in the legal literature it was also underlined, with regard to data access, that “this right consistently constitutes a significant burden, both administratively and financially, to data controllers”[3].

The right to information and the right to access are enshrined in the first data protection laws, starting with the Bundesdatenschutzgesetz – the German federal law adopted in 1977, followed by Loi relatif a l’informatique, aux fichiers et aux libertes, adopted in France in 1978, the Data Protection Act, adopted in 1984 by the British Parliament, and the Wet Perssonregistraties, adopted in 1989 in The Netherlands. Initially, the distinction between the two rights is not clear, the French law being the only one which differentiates them. Both the German and the British law enshrine similar prerogatives to both of the rights, one under the right to information, and the other under the right to access.

The two rights appear under the guise of “possibilities” in Convention 108 of the Council of Europe, and as individual subjective rights within Directive 95/46, along with the right to object, the right to rectify data and the right not to be subject to decisions based on automated data processing. Articles 10, 11 and 12 of Directive 95/46 provide that every time personal information is collected, the data subjects must be informed about the details of the data processing and have the right to receive a copy of all the processed data. The three articles from Directive 95/46 have been transposed in Law no. 677/2001 on the protection of individuals with regard to the processing of personal data, in Articles 12 and 13, which are analyzed in detail in Chapter 3 from the point of view of their content and procedure for their adjudication.

The idea of a legal regime which would guarantee the access of individuals to their own information has appeared for the first time in the Romanian system, after the 1989 Revolution, with regard to the personal files created by the Securitate (the secret service of the former Romanian communist regime). Two years after Law no. 187/1999 – which guarantees the access to these files, was enforced, the transposition law of Directive 95/46 was adopted, in a system which, until then, had not recognized a social and legal necessity to protect personal data beyond the sensitive matter of accessing the files of the former Securitate. It must be underlined, nevertheless, that the right to access, according to Article 13 of the Law no. 677/2001, provides a considerably simplified procedure for accessing personal data than the procedure required by the National Council for the Study of the Securitate’s Archives. This raises the question of a national provision which does not comply with the harmonization standard established by a directive in its rationae materiae scope.

The provisions of Law no. 677/2001 with regard to the rights to information and access represent, to a high degree, a correct transposition of the provisions of Directive 95/46, including from the point of view of their exceptions and restrictions. The only inadvertence refers to the omission, in the case of the right to access, of the condition that access must be asked for “without constraint”. This condition, even though is provided in Article 12(1) of Directive 95/46, is not mentioned in the GDPR proposal. However, until the GDPR enters into force, Article 12 of Directive 95/46 can be invoked by the data subject as long as she considers that she was constrained to ask for access to the processed data.

Nevertheless, it must be underlined that Law no. 677/2001 has strengthened the protection of the two rights by adding compulsory details of the processing to be offered to the data subject, compared to the set of details required by Directive 95/46.

Chapter 4 analyzes the rights to intervene directly in the data processing operation. One may say that, after information and access, a second “step” towards informational self-determination allows the data subject to directly intervene in the data processing operations. The data subject has the right to obtain the rectification, update and even erasure of her processed private data. Without this second component of the prerogatives of the right to personal data protection, informational self-determination would remain utopian.

The Romanian data protection law regulates in Article 14 “the right to intervene upon the data”, the content of which enshrines the rectification, erasure, blocking and update of personal data. Directive 95/46 does not literally provide for a distinct right to intervention upon the data, but it regulates the erasure, blocking and rectification of data within Article 12 – “the right to access”. The solution of the Romanian legislature expresses the essence of these rights. They ultimately represent the possibility of the data subject to directly intervene in the process of data processing.

The possibility of the data subject to effectively and concretely intervene in the data processing has generated most of the controversies about the rights of the data subject as enshrined in the EU data protection reform package. The European Commission has introduced in the draft GDPR two new “interventional” rights – the right to be forgotten, which, in fact, represents the development of the right to erasure, and the right to data portability.

The intention to regulate these rights has generated two opposite opinions. On one hand, the European Commission is supported in its endeavor especially by the European Data Protection Supervisor, by the non-governmental organizations which promote the protection of human rights in the digital age and by most of the European academia in the field of law and technology. On the other hand, global IT companies, some of the governments of the EU member states, as well as part of the American law and technology academia have criticized the regulation of the two rights. Both perspectives are detailed in this chapter.

Both the supporters and the critics of the right to data portability and the right to be forgotten seem to omit the fact that incarnations of these rights already exist in the current data protection law in the European Union. This is one of the reasons why the rights to intervention were grouped in the same chapter of the thesis, to make it easier for the reader to compare the norms in the first data protection laws, the current legal framework and the proposed regulation and directive from the reform package.

Among the conclusions of the chapter, it can be underlined that, even though the right to be forgotten, technically, is the right to erasure which presupposes the existence of two correlative obligations, one of result – erasure of data, and one of best efforts – the information of third parties who had access to data about the erasure request, obligations which are opposable to data controllers on a quasi-global level, it represents much more: it protects the autonomy, liberty and identity of the individual in an over-digitalized world, not only in space, but also in the temporal dimension (which justifies the idea of “forgetfulness”).

With regard to the right to data portability, it is the exponent of a new generation of juridical concepts of the regulation of private life. One should admit that its functions are complex, effecting not only privacy, but also competition between service providers of the Information Society. Nevertheless, its regulation in a data protection normative act indicates that the fundamental role of data portability is to offer data subjects enhanced control over their informational self-determination.

The right to object to data processing and the right to object to automated decisions based on profiling are studied in Chapter 5.

The general right to object to data processing, as well as the rights of the data subject to object to decisions based on profiles represent the category of the rights of the data subject with the least clear content. This might happen because the two rights are not a part of the common body of provisions of the first data protection laws in Europe, unlike the two categories of rights studied above – “the rights to know” and the rights to directly intervene in the data processing operation.

Comparing the material scope of the two rights, the general right to object is the expression of theoretical preoccupations, which are linked to the grounds of a fundamental right to informational self-determination, while the right of the person to object to decisions based on profiling is rather the response to practical and current concrete problems. The succinct characterization of profiling made in one of the subsections of this chapter shows the danger for individual liberty, lato sensu, on one hand, and for democratic societies, on the other hand. This danger is represented by profiling beyond any control.

Inspired by the first French data protection law of 1978, Directive 95/46 regulated a general right of the data subject to object to the processing, in exceptional circumstances, even if the processing complies with the law. The main condition for a successful objection request is the existence of “compelling legitimate grounds” in a particular situation.

The normative evolution of the general right to object is analyzed in the first section of the chapter, underlying the absence of this prerogative from the first data protection laws in Europe, and also from the data protection international legal instruments. Subsequently, the content of the right to object as regulated by Law no. 677/2001 is analyzed having regard to the correspondent provisions from Directive 95/46, followed by the development of this right in the EU data protection reform package.

One of the conclusions of Chapter 5 is that the Romanian legislator has extended significantly the material scope of the general right to object, compared to the provisions of Directive 95/46. Hence, while the directive limits the application of the right to object for the situations in which the processing is necessary for the performance of a task carried out in the public interest and the processing is necessary for the purposes of the legitimate interests pursued by the controller, the Romanian data protection law does not limit the application of the right depending on the lawful basis for data processing, which means that it is possible to object to the processing including when the data subject has consented to it, but also when the lawful ground for processing is a legal obligation of the controller.

The right of the data subject not to be subject to a decision based on automated processing is contextualized within the framework of an analysis of profiling as a phenomenon of the current economy. The prerogatives of the data subject against the arbitrary effects profiling can have on individuals are subsequently analyzed.

The analysis of the rights of the data subject reveals without doubt the existence of a general right to informational self-determination, guaranteed by the specific provisions of data protection. The data subject not only has the right to be informed about the existence of data processing operations and to know their details, but can also directly intervene on them by requiring the erasure, rectification or the updating of data. Moreover, she can object to the processing, even if it is lawful. In principle, the control of the data subject over her informational image is substantial.

However, its substance is diminished because of the limited material scope of certain rights and their exceptions and restrictions regulated in the data protection normative acts – all of which are being analyzed and exemplified in Part II of the paper. Perhaps the most diminishing factor of its substance comes from the passivity of the data subject. The data subject must effectively exercise their rights so that they will assure the control over their informational identity.

In this regard, Part III describes the ways in which the data subject can defend the rights enshrined in the wider content of the right to the protection of private data, by analyzing the simple civil actions to achieve this purpose, and the more complex action in civil liability, before the national courts.

Access to justice of the data subject to protect her rights has a special place in the Romanian data protection system, because it is regulated in the chapter dedicated to “the rights of the data subject in the context of data processing” (Chapter IV, Law no. 677/2001), at Article 18 – “the right to a judicial remedy”.

The data subject can protect the prerogatives of the content of the right to data protection by making recourse to criminal liability, liability resulting in contraventions or civil liability. The thesis aimed to analyze only the last two.

Civil remedies for data protection law breaches are of two types. First, the protection of the rights of the data subject can be done through civil actions in realization of the rights, a possibility which results from Article 18 of Law no. 677/2001. Second, if the data subject considers that she suffered damages resulting from the data protection law breaches, she can make use of a civil action in civil liability, according to Article 18(2) of Law no. 677/2001, which refers to any breach of the data protection law, not exclusively to breaches of the provisions of Chapter IV regarding the rights of the data subject.

Civil liability of data controllers and of data processors can be also invoked in court making use of the provisions of the new Civil Code: Article 1349 – the general clause for civil liability, corroborated with Article 253 – the clause for civil liability in the case of breach of non-pecuniary rights.

The liability resulting in contraventions of data controllers that do not comply with data protection law can be engaged on the basis of Articles 31-35 of the Law no. 677/2001, which regulates “contraventions and sanctions” in the field of data protection, but also on the basis of Article 13 of Law no. 506/2004 of personal data processing and the protection of private data in the electronic communications sector. A fundamental role in the application of sanctions in the field of data protection pertains to Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal – ANSPDPC (The National Authority for Supervising Personal Data Processing).

Finally, if we look upon personal data protection lato sensu and we corroborate it with the specific prerogatives of the right to the protection of private life, then we can conclude that criminal liability can also be engaged with regard to data controllers, according to Article 195 of the Criminal Code, which sanctions the crime of “violating the secret of correspondence”. As a matter of fact, Law no. 677/2001 refers to “crimes” in the chapter dedicated to sanctions, admitting that some characteristics of the regulated contraventions can be transformed in the content of a “crime”, but without specifically regulating such crimes sanctioned by penal law. This last aspect is not a part of the proposed scope of this thesis and will not be analyzed.

Even though there seems to be an inflation of legal procedures conferred to the data subject in order to guarantee her right to personal data protection, they are rarely utilized. According to preliminary data from a report of the Agency for Fundamental Rights of the European Union (“Data Protection: Redress Mechanisms and Their Use”) dedicated to redress mechanisms for damages caused by data protection law breaches in 16 member states of the EU, including Romania, data protection cases are few and dispersed among a variety of national courts and redress for damages caused by data protection law breaches is centered around Data Protection Authorities. These facts have several causes of a normative and institutional nature, but, at the same time, are justified by the attitude that the citizens of the EU, in general, and Romanians, in particular, have regarding personal data processing. According to the most recent Eurobarometer in this field (Eurobarometer No. 359), published in 2011, 33% of Europeans and 39% of Romanians “completely agree” that the disclosure of personal data is not a major problem, while 70% of Europeans and 61% of Romanians have complete trust that the national public authorities protect their personal data.

Chapter 6 analyzes the civil actions in realization of the rights which are available to data subjects, marking the distinction between the legal grounds for such actions, on one hand, and the legal grounds for judicial redress for the damages caused by the unlawful processing of personal data, on the other hand. A few practical uses of the actions in realization are also discussed. For instance, the confusion made by the Romanian judicial actors between the right to access personal data and the right to access information of public interest is highlighted (Section 3).

The Romanian legislator procedurally guarantees the protection of the prerogatives of the data subject with regard to data processing by regulating expressis verbis a “right to a judicial remedy”. The fact that judicial remedies against breaches of data protection law are regulated under the guise of a subjective right within Law no. 677/2001 makes the Romanian system of data protection to be prepared to effectively protect the data subject. However, it seems to be just “prepared”, as the effectiveness of the protection is influenced by several factors, such as the level of information of the data subject with regard to the dangers of unlawful data processing and the level of knowledge of the actors of the judicial system – magistrates and lawyers, about the mechanisms of protection of the data subject in the context of personal data processing, or the responsibility of data controllers with regard to the data processing operations they engage in. Having regard to all of these facts, the effectiveness of the protection of the rights of the data subject through civil actions is still awaited to manifest.

The right of the data subject to a judicial remedy confers to its titulaire all the premises for the adjudication of the right to personal data protection in Romanian law, establishing a rule of territorial competence, according to which the court of the domicile of the data subject is competent to decide on the civil actions for the protection of her rights provided for by Law no. 677/2001, and exempting the data subject to pay the special judicial fee for the introduction to Court of actions concerning data protection breaches.

The conditions to exercise civil actions for data breaches are analyzed in this chapter, by thoroughly looking into the provisions of Law no. 677/2001. This chapter also presents the argument that not only the rights of the data subject, understood stricto sensu – the right to access, to information, to object, and the right not to be the object to an individual decision based on automated profiling can be defended through civil actions in realization, but also any civil right correlative to any obligation of the data controller regulated by Law no. 677/2001.

One of the particularities underlined was the lack of “determined interest” for an action in realization of the right to be informed. Another one was the confusion between the right to access personal data and the right to access public information which often appears in the case-law of Romanian courts and which was tackled before the European Court of Human Rights in Strasbourg in Trăilescu case.

The passive capacity to stand trial is also analyzed for proceedings regarding the realization of rights of the data subject. Therefore, the concepts of data controller and data processor are analyzed. In this context, a test was proposed in order to establish the material scope of data protection provisions: “there is no data processing operation without a data controller and no data controller without a data processing operation”. This perspective alleviates the proof of the existence of a responsible legal or natural person for the fulfillment of obligations stemming from processing personal data, as it was showed in the case of search engines identified as data controllers which have to comply with their data protection legal obligations.

Regarding the passive capacity to stand trial in civil proceedings through which the rights of the data subject are protected, it was observed that in the special case of the action in realization of the right not to be the object of a decision based on automated data processing, having regard to the de facto elements of each case, it is possible for a third party to the data processing operation to have passive capacity to stand trial, considering that according to this right “decisions” taken on the ground of profiling can be revoked.

Chapter 7 is a radiography of civil liability for damages created by the breach of non-pecuniary rights, having regard on one hand that Article 18(2) of Law no. 677/2001 provides for the possibility of the data subject to bring a legal action to cover the damage suffered as a result of unlawful data processing, and on the other hand that the new Civil Code provides for a complex system of compensation for damages created by the breach of non-pecuniary rights.

It is argued that civil liability for this type of damage presents sufficient characteristics to support the conclusion that, starting with the entering into force of the new Civil Code, the legal regime of civil liability in Romanian civil law was enriched with an autonomous cause of action in the case of damage created by breach of non-pecuniary rights.

In this regard, it must first be acknowledged that the new Civil Code enshrines a specific provision for the compensation of pecuniary and non-pecuniary damages created by breach of non-pecuniary rights – Article 253(4). It represents an individualization of the general cause of action for civil liability in the new Civil Code – Article 1349.

Secondly, the regulation in the new Civil Code of a complex system of compensation for the damage caused by breach of non-pecuniary rights must be taken into account. This system entails ordinary and emergency non-pecuniary measures, but also pecuniary compensation.

Thirdly, after analyzing the content of the express provision for compensation for damages created by breach of non-pecuniary rights in the new Civil Code, the significant legal literature on this matter and, especially, the case-law of Romanian courts [a significant part of this chapter being dedicated to the latter], the conclusions show a reconfiguration of the general conditions needed to trigger civil responsibility. They need to be subjected to a complex verification having regard to the case law of European Court of Human Rights and the Court of Justice of the European Union [if applicable] on fundamental rights, and also to the limits of non-pecuniary civil rights detailed in the new Civil Code.

In conclusion, civil liability for damage caused by breach of non-pecuniary rights has autonomous standing in the legal regime of civil liability in Romanian civil law, presenting numerous particularities.

Therefore, the autonomous legal ground which triggers the civil liability of data controllers must be applied and interpreted within the complex system of the entire civil liability mechanism of the Romanian civil law. This system, in the case of data protection, can be imagined as a Matryoshka doll. The smallest of the “dolls” is represented by the hypothesis enshrined in Article 18(2) of Law no. 677/2001, which is comprised by the hypothesis of civil liability for damages created by breach of non-pecuniary rights enshrined in Article 253(4) NCC, which is comprised by the general provision for civil liability, enshrined in Article 1349 NCC. As such, each hypothesis has its own individuality and independent existence. However, they can be used as a whole, this characteristic conferring uniqueness to the whole system and effectiveness in protecting the rights of the data subject and, ultimately, the right to personal data protection.

Considering that the right to personal data protection is a subjective non-pecuniary right, the dispositions in Articles 252-256 NCC are applicable to its protection, starting with the rules of a mixed system of compensation for the non-pecuniary damage, and finishing with the rules envisaging the revised test which triggers civil liability. The specialization of civil liability for damages caused by breach of unlawful data processing pursuant to Article 18(2) of Law no. 677/2001 has as a consequence the systemic application of data protection law, in order to establish whether there was indeed a breach.

Chapter 8 details the administrative means of protection of the civil rights of the data subject, introducing the National Authority for the Supervision of Personal Data Processing (NASPDP), its competences and procedures.

According to paragraph 62 of the Preamble of Directive 95/46, data protection authorities, in general, are fundamental for an effective data protection system. Their purpose is not solely to sanction breaches of the rights of the data subject, but also to be an integrated part in the system for the protection of personal data, having several roles: punitive, normative and consultative. This is why the creation of national data protection authorities was imposed by the EU as harmonization standard through Article 28 of Directive 95/46. According to Article 28(1) of the DPD, each Member State must have one or more public authorities responsible for monitoring the application within its territory of the data protection laws, which must act with complete independence in exercising the functions entrusted to them.

The minimum competences that a data protection authority must have, according to Article 28(3) of the directive, are the following: (i) investigative powers, (ii) effective powers of intervention, such as that of delivering opinions before processing operations are carried out, of ordering the blocking, erasure or destruction of data, (iii) the power to engage in legal proceedings where the national data protection provisions have been violated. To these, Article 28(2) DPD adds (iv) the competence to be a consultative body for administrative measures or regulations in the field of personal data protection.

The sanctions to be applied for violations of data protection law are decided by the Member States, without the Directive establishing a minimum level for the value of the sanctions or the type of legal responsibility to be engaged in the case of data protection law violations. According to a Fundamental Rights Agency report (“Data Protection in the European Union: The Role of Data Protection Authorities”, 2010), the transposition of such a general provision into national legal systems generated significant variations, which were also influenced by national laws in administrative and criminal law, both at the time of the entering into force of data protection law and at the time of their subsequent application.

Romania initially chose to confer the function of a data protection authority to the already existing Ombudsman, according to the first version of Law no. 677/2001. This option proved to be deficient, four years later the Parliament voting a special law for the creation of a new public authority – NASPDP.

The Romanian DPA enjoys efficient legal means to ensure an effective protection for the rights of the data subject, which are in accordance with EU law. However, the activity of the NASPDP does not often rise to the level of its competences and its fundamental role it has in the protection of the fundamental rights of the data subjects. The EU Fundamental Rights Agency remarked in the 2010 report on DPAs, with regard to the activity of the European data protection authorities, that “in many Member States, DPAs are not in a position to carry out the entirety of their tasks because of the limited economic and human resources available to them”, enumerating Romania to be among those states. Moreover, the Agency observes that in many states, such as Bulgaria, Denmark, Slovakia and Romania, “a gap exists between the protection of the right to privacy in theory, which may formally conform to the requirements of EU and international law, and its protection in the law in practice”.

As a conclusion of Part III, data subjects enjoy a multitude of legal means of protection for their rights with regard to personal data processing. In this entire system of protection, the data subjects themselves play the fundamental role, because as long as they will acknowledge the risks of unlawful processing of their private data by different data controllers, they will also realize that the initiative to protect their fundamental rights through the procedural rights contained within the right of personal data protection belongs to them. It is the only way in which this extremely detailed and well construed normative system will become effective.

In conclusion, the thesis showed that the rights of the data subject to control the processing of their private data; the right to be informed, the right to access, the right to rectification, the right to object to data processing and the right to object to automated individual decisions, are prerogatives within the content of the subjective right to the protection of personal data. The thesis also analyzed in detail the particularities of the transposition of these rights from Directive 95/46 in the Romanian legal system, the influence which the ECHR case-law has upon them, especially upon the right to access, and the way in which they will be regulated in the near future in the EU. The entire endeavor leads to the conclusion that individuals have sufficient legal instruments to protect their personality rights in the Information Society. For those rights to be effective, individuals themselves need to acknowledge the risks entailed by data processing and digital storage of personal data, and the existence of their rights and the means to exercise them.

[1] E. Chelaru, Drepturile personalităţii în reglementarea Noului Cod Civil, Revista Dreptul, nr. 10/2011, p. 61.

[2] S. Gutwirth, Privacy and the Information Age, Rownan & Littlefield Publishers, Inc., SUA, 2002, p. 85.

[3] P. Carey, Data Protection. A practical guide to UK and EU law, 3rd edition, Oxford University Press, 2009, p. 130.

GigaOm: Fear of lock-in dampens cloud adoption

Data portability — the ability to move your information between clouds (or in and out of clouds) with relative ease — is a key concern of companies considering a cloud move.

It’s become a truism to say that data is the new gold –but that doesn’t mean there are easy answers about where to store this gold. For now, many corporate customers will hold back on full cloud computing adoption until they’re convinced that they can move their data off a given cloud as easily as they put it there in the first place. Face it: fear of vendor lock-in is not limited to the on-premises IT world and it’s time enlightened vendors get this problem in hand.

The advent of cloud computing should make it easy to mix and match services from multiple vendors within a cloud and to let data flow in and out of parts of the clouds as needed. But that’s not necessarily the reality now.

“When you move to cloud, you should be increasing your choices, not decreasing them. You don’t buy three on-premises apps but you can use three services from three vendors in the cloud,” said Robert Jenkins, co-founder and CTO of Cloud Sigma, the Zurich-based cloud provider.

Bill Gerhardt, director of Cisco Systems’ internet solutions group’s service provider practice, agreed. “We need to sort out data portability. Customers ask: ‘If I give you all this data, how do I retrieve that data if I want to go somewhere else? Many cloud companies don’t have a clear exit route.”

Read the whole story HERE.

For the opinion that the right to data portability, in reality, hampers competition, see Peter P. Swire and Yanni Lagos, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, available HERE.

For the opinion that the right to data portability adds value both to privacy and competition, see G. Zanfir, The right to data portability in the context of the EU data protection reform, abstract available HERE, full text upon access, HERE.

Experts say the right to data portability is more competition-concerned than privacy-concerned. I disagree

Hogan Lovells recently submitted comments on the proposed EU Data protection regulation to the UK Ministry of Justice.

Among their conclusions there are some regarding the right to be forgotten and the right to data portability:

The right to data portability seems to be focused on a competition law objective, reducing switching costs between service providers, rather than a data protection objective.  It therefore exceeds the scope of Article 16 TFEU on which the proposed Regulation is based.

The Commission’s proposal no doubt has social media in mind.  But data portability would apply to all sectors of industry: banking, insurance, healthcare, telecommunications, etc.  The Community legislature has in the past introduced number portability for telecommunications operators, and some Member States have enacted specific provisions imposing portability in other industries (eg. the UK for the banking industry).

The Commission proposes an across-the-board portability obligation, but has not analysed the impact of that proposal, nor whether there are specific market failures warranting such an intrusive economic regulation.  If the Commission had done a market analysis, it would have found that even in the field of social networking, the market is evolving quickly and that regulation is no doubt premature.  Google + makes data portability a commercial argument to attract customers away from Facebook.  In other industries (eg. banking in certain Member States), data portability may be a good idea to increase competition, but a privacy regulation is the wrong vehicle to use to address this issue.

The creation of a right to data portability also raises the complex issue of whether a data subject has a property interest in his or her personal data.  Economists are divided on this controversial issue, and the Commission’s proposal goes too far down the road of recognizing a property right in personal data, where none has heretofore been recognized.

As one can easily see, all the conclusions are based on an economic or business analysis, even though the right to data portability is introduced in data protection legislation, which envisages basically “the person”. Only the natural person, to be more specific, and it does so taking into account two fundamental rights in the EU – the right to privacy and the right to data protection.

I would say that before excluding the possibility of such a right to be a part of the actual privacy and data protection sphere, one should analyze profoundly which are the implications of providing a person the right to move his or her collection of data from a service provider to another.

I am definitely not the first one to ever talk in history about a digital persona of the human being. Often, the data collected by some service providers become an expression of ones personality – like the reputation a seller or a buyer has on ebay. Why not enjoy the same reputation while using another similar service provider? Why not protect that personal data?

Or maybe data portability is the right which will make once and for all crystal clear the difference between privacy and data protection. After all, they are two separate rights. Which means they are not interchangeable. And instruments such data portability are more justified by the data protection philosophy than by the privacy one.