Data Protection: the economic value and the fundamental human rights perspectives
Did you think that the EU Data Protection legislation was drafted and proposed by the European Union’s Directorate General Justice (because of its Human Rights dimension)? Actually, it was not: Directive 95/46/EC was drafted and proposed by the Directorate General for Internal Market and Services (DG Market).
Why? To find out, please read below the rationales described in the Preamble of Directive 95/46/EC:
The establishment and functioning of an internal market in which, in accordance with Article 7a of the European Union’s Treaty, the free movement of goods, persons, services and capital is ensured require not only that personal data should be able to flow freely from one Member State (MS) to another, but also that the fundamental rights of individuals should be safeguarded. In other words, there should be a proper balance between the free flow of personal data and the protection of fundamental human rights.
Furthermore, the economic and social integration resulting from the establishment and functioning of the internal market leads to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the Member States, and the exchange of personal data between undertakings in different Member States is increasing considerably. Also, the increase in scientific and technical cooperation and the new telecommunications networks in the Community necessitate and facilitate cross-border flows of personal data.
The difference in levels of protection of the rights and freedoms of individuals (privacy) with regard to the processing of personal data afforded in the Member States could prevent the transmission of such data from the territory of one Member State to that of another Member State, which constitutes an obstacle to the pursuit of a number of economic activities at Community level, distorts competition and diminishes the economic value of such an exchange of data.
Last but not least, in order to remove the obstacles to the flow of personal data, which is vital to the internal market, the aim is to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market.
Considering the above rationales as outlined in the Preamble of Directive 95/46/EC, we can easily observe that Data Protection legislation in the EU does not mainly have a human rights dimension but an economic one: Directive 95/46/EC was drafted and proposed by DG Market and not by DG Justice or DG Home, aiming not to stop but to increase the free flow of data between the Member States by giving legal certainty to EU citizens and providing a legal framework uniformly implemented among the MS.
The second part of this Blog Post continues with the Directive 95/46/EC human rights dimension by explaining data protection terminology, principles, rights of data subjects and data transfer mechanisms.
1) Data protection terminology and definitions
- ‘personal data’ = any information relating to an identified or identifiable natural person (‘data subject’), who can be identified:
  - in particular by reference to an identification number
  - or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
- ‘processing of personal data’ = any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as:
  - collection,
  - adaptation or alteration,
  - disclosure by transmission,
  - dissemination or otherwise making available,
  - alignment or combination,
  - blocking, erasure or destruction;
- ‘personal data filing system’ (‘filing system’) = any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
- ‘controller’ = the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
- ‘processor’ = a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
- ‘third party’ = any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who (e.g. subcontractor), under the direct authority of the controller or the processor, are authorized to process the data;
- ‘recipient’ = a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not;
- ‘the data subject’s consent’ = any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
2) Principles related to data protection:
- fairly (data subjects informed) and
- lawfully (based on a legal act)
- collected for:
  - legitimate purposes
- not further processed in a way incompatible with those purposes
- adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected
- the data subject has unambiguously given his consent
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
3) Information to be given to the data subjects (fair processing)
- the identity of the controller and of his representative, if any;
- the purposes of the processing for which the data are intended;
- any further information such as
  - the recipients or categories of recipients of the data,
  - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
  - the existence of the right of access to and the right to rectify the data concerning him
4) Rights of data subjects:
- Right of access
- Right to object
- Right to modification
- Right to deletion
- Those processing personal data shall provide that the controller or his representative, if any, must notify the supervisory authority (of a Member State) before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.
6) Transfer mechanisms:
- Freely to Canada, Argentina, the whole EU, etc., but not to the US (which does not confer the same level of data protection as the EU, because of the Patriot Act)
- Binding Corporate Rules (for the US: a set of rules agreed by the EU Commission when transferring data outside the EU)
- Safe Harbor Agreement (for the US; certifies that those who are part of this agreement comply with the EU data protection rules)
Any questions can be submitted to: firstname.lastname@example.org
Additional information can be found at: www.e-crimeexppert.com