Archive

Posts Tagged ‘Regulation’

Beyond Data Protection – published today!

January 31, 2013

Dan Manolescu is glad to announce his contribution to the Beyond Data Protection book, published by Springer and available to the public from today, January 31, 2013. You can find Dan’s contribution in the “Data Protection Enforcement: The European Experience – Case Law” chapter.

This book provides a practical approach to addressing data protection issues in business and daily life. It also compares, contrasts and substantiates the different principles and approaches in Asia, Europe and America, and recommends leading best practices to practitioners and stakeholders based on the divergence of the technologies involved.

I strongly recommend that you purchase this book, considering the excellent material and the contributions of several top scholars in the privacy and data protection fields.

You can find more information about this book here.

This great opportunity would not have been possible without the tremendous work of Noriswadi Ismail, an excellent data protection and privacy scholar and practitioner. He is also the mastermind behind Quotient Consulting, a boutique firm that focuses on an array of data protection and privacy consulting services, such as Data Diagnosis, Privacy Impact Assessment, Data Protection & Privacy Strategy, Training, Data Protection & Privacy Certification, and Public & Private Consultations.

In addition, Philipp Fischer’s contribution to this book is remarkable. Philipp is also an outstanding data protection and privacy scholar and professional, and he is the CEO of SuiGeneris Consulting, whose practice covers privacy and data security, data-use business models and how data flows generate profits. He has extensive subject matter experience at the interface between information security requirements, data protection and privacy law, and economics, especially in information security, quality management, consumer protection, intellectual property, software programming and risk assessment. That enables him to provide strategic business consulting on all aspects of information policy, including privacy, information security and records management.

Last but not least, E-Crime Expert signed strategic partnerships with Quotient Consulting (with a subsidiary in London, UK) and with SuiGeneris Consulting (based in Munich, Germany).

If you have additional questions, please contact us: dan@e-crimeexpert.com

Transfer mechanisms of personal data from EU to third countries

January 8, 2013

This Article explains the concept of transferring personal data from the EU to third countries, what third countries are, the principles that make such transfers legitimate and the derogations from these principles, and, last but not least, the mechanisms for transferring personal data to third countries.

Considering the legal requirements of Directive 95/46/EC, Article 25 (“the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if… the third country in question ensures an adequate level of protection…”), this Article provides three legal mechanisms for such transfers:

- Standard Contractual Clauses – for single Organizations or entities

- Binding Corporate Rules – for multinational Organizations or entities

- Safe Harbor Agreement principles – for Organizations or entities located in the U.S.

The Article provides Organizations or entities with all currently available mechanisms for data transfer from the European Union to third countries, regardless of whether those Organizations are independent single entities or multinational ones.

This Article was written by Dan Manolescu. If interested, you can read the full Article published by InfoSec Institute here.

If you would like to find out more about InfoSec, you can visit this page here.

Dan Manolescu is now a frequent contributor to InfoSec Institute.

If you have any questions please contact us at: dan@e-crimeexpert.com

Data protection glossary (part 3)

December 12, 2011

This is the last post of a series brought to you by E-Crime Expert that aims to make readers and data subjects familiar with the most common terminology in order to better understand and protect their personal data and privacy.

You can read the first post here and the second post here.

(R) Reliability (Information Security)

Reliability is the property of consistent intended behavior and results.

Residual Risk (Information Security)

Residual risks are the risks that remain after risk treatment or, in other words, after protective measures were introduced.

Right of rectification

Anyone can have incorrect data relating to him rectified free of charge, and have other data erased if they are irrelevant, incomplete or prohibited, or have the use of those data prohibited. If the controller does not react, the data subject may address the Commission, which will attempt to mediate. The data subject may also submit a complaint to the judicial police.

Right to object

You may always object to the use of your data, provided that you have serious reasons for this. You cannot object to a data processing operation that is required by a law or a regulatory provision, or that is necessary to perform a contract you have entered into. However, you always have the right to object to the illegitimate use of your data and can always object free of charge and without justification if your data are processed for direct marketing purposes.

To object you have to send a dated and signed request, including a document proving your identity (for example a copy of your identity card) to the controller by letter or by fax (a request by e-mail is only accepted with an electronic signature). The request can also be submitted on the spot. The controller then has one month to reply. If he fails to do so or if his reply is not convincing, you can address the Commission, which will try to mediate. You can also take your case to court.

Risk (Information Security)

A risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (for example a virus deleting a file). It is measured in terms of a combination of the probability of an event and its consequence.

A risk is characterized by two factors: the probability that an incident will occur and the gravity of the potential direct consequences and the indirect impact.

The risk can also depend on time: the situation can become worse after an incident if adjusting measures are not taken in time (for instance a software glitch infecting a database, spyware retrieving passwords, encrypted codes or pin numbers). That way, an innocent incident can have disastrous consequences.

Risk Management (Information Security)

Risk management identifies the most important risks and distinguishes between the risks that have to be taken care of and acceptable risks. It uses security resources that deal with the dangers for personal data according to a scale of priorities. The risk management process constitutes a cycle that is repeated depending on the particular characteristics of the systems and the identified risks. Risk management results in final processes and an updated security policy, and often also in adaptations to the organization and its procedures in order to better take into account possible new risks, as well as the measures that have been taken.

(S) Safe Harbor Principles

In consultation with the European Commission, the American Department of Commerce elaborated the Safe Harbor Principles, intended to facilitate the transfer of personal data from the European Union to the United States. If companies make a statement to the American Department of Commerce agreeing with these principles and declaring they are prepared to respect them (meaning, among other things, that the American Federal Trade Commission can check whether they respect these principles), they are considered as companies ensuring adequate safeguards for data protection.

Security measures (Information Security)

Security measures, also called “protective measures” or “security controls”, are procedures or decisions that limit risks. Security measures can be effective in several ways: by lessening possible dangers, correcting vulnerabilities or limiting the possible direct consequences or indirect impact. It is also possible to work with time: if incidents are traced better and sooner, action can be taken before the situation gets any worse.

Sensitive data

Certain personal data are more sensitive than others. An individual’s name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Law regulates registration and use of those sensitive data more strictly in comparison with other personal data.

Sensitive data relate to race, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, suspicions, persecutions and criminal or administrative convictions. In principle, processing such data is prohibited.

Standard Contractual Clauses

For persons wishing to transfer data outside the European Community, the European Commission has elaborated standard contractual clauses, which allow for a data transfer meeting the European legal conditions for data protection (article 25 ff of Directive 95/46/EC). In other words, the parties signing these contracts are considered as parties ensuring adequate safeguards for the protection of privacy.

(T) Threat (Information Security)

A threat is any unexpected event that can damage one of the enterprise’s assets and therefore prejudice personal data protection.

There are environmental threats (fire), technical threats (system failures) or human threats.
Human threats can be accidental (mistakes, forgetfulness, unadapted procedures) or intentional (harmful intent, intrusion, theft), internal (dissemination of information) or external (espionage).

(U) Unambiguous, free and informed consent

Consent is understood:

  • to have been freely given. In other words, the data subject was not pressurised to say “yes”;
  • to be specific, meaning that the consent relates to a well-defined processing operation;
  • to be informed. The data subject has received all useful information about the planned processing.

It is not necessary for the consent to be given in writing, but oral consent does create problems with the burden of proof in case of difficulties.

(V) Vulnerability (Information Security)

Vulnerability is the weakest link of an asset or a group of assets that can be exploited by one or more imminent dangers (developer’s mistake, wrong installation). In most cases vulnerability is due to the fact that an asset is not sufficiently protected, rather than to the asset itself.

Vulnerability in itself is not harmful to the organization. Only when an imminent danger can accidentally use the vulnerability, and possible special circumstances, can a damaging incident occur.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Are you used to this terminology? Do you find it useful?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Data protection glossary (part 2)

December 9, 2011

After more than a month in which E-Crime Expert presented the most important Case Law and Rulings on the applicability of both Directive 95/46 (private sector) and Regulation 45/2001 (public sector) to the processing of personal data, today’s post brings more useful information: a Glossary of the most common terms from Directive 95/46.

The information will be delivered over three blog posts and aims to make readers and data subjects aware of the most common terminology in order to better understand and protect their personal data and privacy.

You can read the first post here.

(F) Further processing

A further processing operation, as defined in the implementing decree of 13 February 2001, involves personal data initially collected for an explicit purpose and re-used at a later time for historical, statistical or scientific purposes that are incompatible with the initial purpose. In other words, these processing operations constitute a specific form of secondary data collection.

(I) Impact (Information Security)

The consequences of an incident on one or more assets constitute the impact (for instance personal data that are no longer accurate).

In information security usually a difference is made between direct consequences (damage to the information system, such as file modifications, changes in the accessibility of confidential data or an inappropriate system shutdown) and the indirect impact (the damage the organization or third parties have incurred, such as abuse of confidential information, wrong decisions as a result of incorrect data).

There is not always an immediate relation between an incident’s direct consequences and its indirect impact on an organization or on third parties: the loss of fundamental data can have enormous consequences for the person involved whereas a system that was erased completely can already be restored with a good back-up.

Incident (Information Security)

An incident is an unexpected or unwanted event that can have serious consequences.
An information security incident is any unexpected event that might cause a compromise of an organization’s activities or information security (system malfunction or overload, human error, software or hardware malfunction). An incident in itself is neither good nor bad.

Integrity (Information Security)

Integrity covers two different aspects: information integrity, and system and process integrity.
Information integrity means that information cannot be changed or destroyed intentionally or unintentionally.
System or process integrity means that the desired function is fully achieved according to expectations. Without an authorized intervention it is not possible to make intentional or unintentional changes.

Intermediary organization

An intermediary organization is defined as any natural person, legal person, un-associated organization or public authority encoding personal data, other than the controller of the processing of non-encoded data.

(L) Legitimate interest

An interest is called legitimate when the controller’s interest in processing the data overrides the registered person’s interest in not processing the data. In case of doubt, the Commission or a judge will decide whose interest has the highest priority.

(M) Management System (Information Security)

There are several models for management systems regarding information security (ISMS – Information Security Management System). The best-known system is based on a PDCA structure (Plan-Do-Check-Act) and permanently improves security. This permanent improvement is linked to changing factors, for example modifications in the organization and related risks, changes in the information system, technological novelties, both for operational systems and security rules.

Manual filing system

A manual filing system is a structured set of personal data that are accessible according to certain criteria, the yellow pages on paper for example.

(N) Non-repudiation (Information Security)

Non-repudiation is the ability to prove that an operation or event has taken place, so that it cannot be repudiated later. For e-mails, for example, non-repudiation is used to guarantee that the recipient cannot deny that he received the message, and that the sender cannot deny that he sent it.

Notification

A notification is an action carried out by the controller to inform the Commission that he will be processing data. A notification is not intended to request permission or authorization, but only to notify a processing operation. The notification mainly consists of a description of the data processing operation.

(O) Opt in

In this system, you give somebody your prior consent to send you commercial messages. The opt-in system is valid for all forms of communication and allows you to give your free, specific and informed consent, as required by the Privacy Law.
The opt-in system is mainly used when somebody regularly wants to send a massive number of e-mails, for example a newsletter, electronic magazines, promotional offers. You can register by filling in your e-mail address on a specific online form. The idea behind the opt in is to know in advance exactly what you are registering for, so that there are no unpleasant surprises afterwards.

Opt out

As opposed to opt in, the opt-out system allows you to object to any data processing operation with a view to direct marketing, as required by the Privacy Law.
This involves receiving an unwanted message containing the possibility to unsubscribe in order to stop receiving messages. This system is only authorised provided that the sender obtained your (e-mail) address directly from you while purchasing a product or service from him, that this (e-mail) address is only used to offer similar products or services the sender delivers himself, and that you are given the possibility to object easily and free of charge when you give the sender your e-mail address. In addition to this system, the direct marketing sector has organized the Robinson lists.

(P) Personal data

Personal data reveal information about an identified or identifiable natural person (called the “data subject” in the Privacy Law). In other words, personal data are all data allowing for the identification of an individual.

Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, …

They do not only include data having to do with individuals’ privacy, but also data having to do with an individual’s professional or public life.

Only data about a natural (physical) person are taken into account, excluding data about a legal person or an association (civil or commercial corporations or non-profit organizations).

Processing personal data

Processing personal data is defined as any operation or set of operations performed on personal data. These operations are extremely varied and relate, among others, to the collection, storage, use, modification, disclosure of the data.

A few examples:

  • a hotel offering the possibility of online bookings processes data when registering the customer’s name, the dates of his stay and his credit card number.
  • a municipality transmitting the names of persons requesting a building permit to a contractor who wants to send them publicity, also processes data.

The law applies as soon as the data are processed, even partially, using automatic means. Automatic means include all information technologies, computer technology, telematics, telecommunication networks (the Internet).

For example, the Privacy Law is applied to:

  • a company’s computerized database containing customer or supplier data;
  • the electronic list of transactions on a bank account;
  • the computerized file of a company’s members of staff or of the children enrolled in a school;
  • etc.

The Privacy Law also applies, however, as soon as one processing operation is carried out using automatic means. For example:

  • a temporary employment agency keeping applicants’ hand-written curricula vitae but sending them to employers by fax, has to observe the rules in the Privacy Law for all operations it performs on the curricula vitae (such as storing, filing or sending them).

If data are not processed using automatic means (for example on paper or on microfiche) the Law still has to be observed if the data are included or will be included in a manual filing system that can be accessed according to specific criteria (for example people’s names in alphabetical order).

Processor

This is any natural person, legal person, un-associated organization or public authority processing data on behalf of the controller (not including individuals who are under the direct authority of the controller and who have been authorized to process the data).

Public register

The public register is a list of notifications of personal data processing operations notified to the Commission. Anyone can consult this list, for example via the Internet.

Purposes: historical, statistical or scientific

  • historical research involves the processing of personal data with a view to the analysis of an earlier event or in order to make that analysis possible. This is possibly but not necessarily also a processing operation with a scientific purpose (in other words, a genealogist can appeal to this provision);
  • statistical purposes are achieved through any action with a view to collecting and processing personal data when this is necessary for statistical surveys or to produce a statistical result;
  • scientific research involves establishing patterns, rules of conduct and causal relations exceeding all individuals they relate to.


Data protection glossary (part 1)

December 7, 2011

After more than a month in which E-Crime Expert presented the most important Case Law and Rulings on the applicability of both Directive 95/46 (private sector) and Regulation 45/2001 (public sector) to the processing of personal data, today’s post brings more useful information: a Glossary of the most common terms from Directive 95/46.

The information will be delivered over three blog posts and aims to make readers and data subjects aware of the most common terminology in order to better understand and protect their personal data and privacy.

(A) Accountability (Information Security)

Accountability is the property that ensures that the actions of an entity may be traced uniquely to the entity.
Accountability guarantees that all operations carried out by persons, systems or processes can be identified (identification) and that the trace to the author and the operation is kept (traceability).

Anonymous data

Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.

Article 29 Working Party

The Article 29 Data Protection Working Party is an independent European advisory body. The Working Party’s mission is to ensure the uniform application of Directive 95/46/EC, providing opinions and making recommendations or drafting working documents that are all available on the Internet. The Article 29 Working Party’s members are representatives of the different national data protection authorities, the European Data Protection Supervisor and representatives of the European Commission.

Assets (Information Security)

An organization’s assets (patrimony, property or possessions) are everything that is of value to it or, in other words, everything that makes the organization more valuable or everything that would diminish the organization’s value or efficiency in case of loss.

In the context of personal data protection, personal data and all necessary resources to process them correctly are considered as assets:

  • material possessions housing the data (buildings, machines, IT supplies, etc.);
  • the software necessary for the data processing (applications and programmes, operating systems, etc.);
  • the information used in the data processing operations, which can be stored in various forms: in the database, on a paper carrier, etc.;
  • infrastructure (the basic services necessary for the organization to achieve its objective; electrical energy, lighting, communication, transport, lifts, etc.);
  • staff (the organization’s employees, temporary staff, etc.);
  • intangibles (reputation, brand image, ethical values, etc.);
  • the financial resources necessary for the organization to function properly.

Authenticity (Information Security)

Authenticity is the property that ensures that the identity of a subject or resource is the one claimed.
Authenticity applies to persons (users), but also to any other entity (applications, processes, systems, etc.). It is an identification, i.e. recognition of a name indicating an entity without the slightest doubt.

(B) Binding Corporate Rules (BCRs)

BCRs are rules elaborated by multinationals for the international transfer of personal data within their corporate group. All entities and employees of the enterprise have to observe these rules. Binding Corporate Rules are considered as adequate safeguards for personal data protection after approval by the national data protection authorities. At European level the Article 29 Working Party has established a joint procedure for the different national authorities. At Belgian level the Federal Public Service of Justice has agreed on a protocol (only available in French and Dutch) with the Belgian DPA regarding the implementation of the national authorisation procedure.

(C) Confidentiality (Information Security)

Confidentiality is an information characteristic implying that information is not made available or disclosed to unauthorized persons, entities or processes.

The possibility to make only portions of information accessible has to be guaranteed as long as the information exists, i.e. during its collection, processing and disclosure.

In practice only persons exercising a function or professional activity justifying access to personal data will be authorized.

Controller

It is very important to know who has been designated as “controller” under the Privacy Law, as this is the person who has to comply with nearly all the duties imposed by this Law. In case of problems, this person is responsible.

The controller is also the most important contact for you as a data subject, but also for the authorities that are to check him.

He also determines the purposes and the resources for the data processing. The controller can be a natural (physical) person or a legal person, an un-associated organization or a public authority.

If a law, decree or ordinance prescribes the purpose and the resources for a particular data processing operation, this law, decree or ordinance will also specifically designate a controller.

(D) Daily Security Management (Information Security)

Daily security management consists of activities such as the administration of security rules, management of authorizations and the analysis of discovered incidents.

Data (anonymous)

Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.

Data (sensitive)

Certain personal data are more sensitive than others. An individual’s name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Law regulates registration and use of those sensitive data more strictly in comparison with other personal data.

Sensitive data relate to race, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, suspicions, persecutions and criminal or administrative convictions. In principle, processing such data is prohibited.

Data subject

We are all data subjects. For example, you disclose personal data as soon as you:

  • fill in a form;
  • place an order;
  • book concert tickets;
  • buy a train ticket;
  • use a credit card;
  • register for a course or in a sports club;
  • are admitted to hospital;
  • borrow a book from a public library or a DVD from a video rental shop.

The law does not make a distinction between Belgians and non-Belgians.

Disclaimer

A disclaimer is a general statement, describing the rights and obligations of all parties concerned, for example included in a privacy statement on a web site or in a contract.

(E) Encoded data

These are personal data that can only be related to an identified or identifiable person by means of a code.

European Economic Area

This is an association agreement between the Member States of the European Union and the three Member States of the European Free Trade Association (EFTA): Iceland, Norway and Liechtenstein.

Exemption from notification

Not all data processing operations have to be notified. Besides manual processing operations (for example on paper or on microfiche), a series of automatic processing operations are exempt from the duty of notification, which are listed in the implementing decree of 13 February 2001 and relate to some of the most frequent processing operations (for example personnel management, accounting, customer management, payroll management, …). This exemption from notification does not mean, however, that the other obligations in the Law do not have to be observed.


Case law: leak of personal data (information)

December 5, 2011

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show how the relevant law should actually be applied in order to properly balance the right to free access to public information, the free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

T-259/03, Nikolaou v. Commission, 12.9.2007

Action for non-contractual liability based on acts and omissions of OLAF. OLAF had disclosed certain information about its investigation concerning the applicant: a leak of information to a journalist; its annual report with information about the investigation; and its press statement. The applicant had requested access to the file and the final case report.

Burden of proof for establishing non-contractual liability:

Normal rule: the burden of proof is on the applicant to establish: i) illegal action of an institution; ii) damages; iii) proof that the damages were caused by the illegal action of the institution. However, the burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was best placed to do so. The Court concluded that an OLAF staff member leaked information (including personal data, PD) to a journalist, which was published, and that OLAF’s press release confirmed the veracity of facts (including PD) that had been mentioned in several press articles.

PD definition:

The information published in the press release was PD, since the data subject (DS) was easily identifiable under the circumstances. The fact that the applicant was not named did not protect her anonymity.

Processing definition:

1. The leak (unauthorised transmission of PD to a journalist by someone inside OLAF) and 2. the publication of the press release each constitute processing of PD.

Lawfulness:

Leak constitutes unlawful processing in violation of Article 5 of Reg. 45/2001 because it was not authorized by the DS, not necessary under the other sub-paragraphs and it did not result from a decision by OLAF. Even though OLAF has a margin of discretion on transmissions, here it was not exercised because leak is unauthorised transmission. OLAF is best placed to prove how the leak occurred and that the Director of OLAF did not violate his obligations under Article 8(3) of Reg. 1073/99.

In the absence of such proof, OLAF (Commission) must be held responsible. There was no concrete showing of an internal system of control to prevent leaks, or that the information in question had been treated in a manner that would guarantee its confidentiality.

Publication of press release was not lawful under Article 5(a) and (b) because public did not need to know the information published in the press release at the time of its publication, before the competent authorities had decided whether to undertake judicial, disciplinary or financial follow-up.

Damages for violation of DP rules: violation of Reg. 45/2001 qualifies as an illegal act of an institution conferring rights on an individual. Objective of Reg. is to confer such rights on DSs.

A leak of PD is necessarily a grave and manifest violation. Director has margin of appreciation on prevention, but made no showing.

OLAF gravely and manifestly exceeded the limits of its discretion in the application of Article 5(a) and (e), which was sufficient to engage the responsibility of the Community.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

This was the last case law analysis in this series.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: the time limit of right to access

December 2, 2011

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show how the relevant law should actually be applied in order to properly balance the right to free access to public information, the free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-553/07, College van burgemeester en wethouders van Rotterdam v. Rijkeboer, 7.5.2009

Reference for preliminary ruling. Dutch law on PD held by local authorities provides that on request, Board of Aldermen must notify a DS within 4 weeks whether his PD have been disclosed to a purchaser or 3rd party during the preceding year. Data held by authority include basic data (name, dob, personal id no., ssn, local authority or registration, etc.) and data on transfers. Mr. R requested to be informed of all instances where data relating to him were transferred in preceding 2 years, content and recipients.

Question referred: whether, pursuant to Article 12(a) (right of access) of Directive 95/46, a DS’s right of access to information on the recipients of PD regarding him and on the content of the data communicated may be limited to a period of one year preceding the request.

Time limit on right of access: Right of access is necessary to enable DS to exercise other rights (rectification, blocking, erasure, and notify recipients of same; object to processing or request damages). The right must of necessity relate to the past, otherwise DS would not be in a position effectively to exercise his right to have data presumed unlawful or incorrect rectified, erased or blocked or to bring legal proceedings and obtain compensation for damages. MSs have some freedom of action in implementing the Directive, but it is not unlimited. Setting of time limit on right of access must allow DS to exercise his rights. It is for MSs to fix a time limit for storage of information on the recipients and the content of data disclosed, and to provide access to that information which constitutes a fair balance between the interest of the DS in exercising his rights and the burden on the controller to store that information. In present case, limiting storage of information on recipients and content to one year, while the basic data is stored much longer, does not constitute a fair balance, unless it can be shown that longer storage would constitute an excessive burden.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.


Case law: Commission v. Germany (independent DPA)

November 30, 2011


C-518/07, Commission v. Germany, 9.3.2010

Infringement action against Germany, which transposed the 2nd para. of Article 28(1) of Directive 95/46 (requirement for an independent DPA) by making the authorities responsible for monitoring PD processing outside the public sector in the different Länder subject to State oversight.

Requirement of complete independence of DPA: Independence normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. There is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. The adjective “complete” implies a decision-making power independent of any direct or indirect external influence on the supervisory authority. The guarantee of independence of DPAs is intended to ensure the effectiveness and reliability of the supervision of compliance with DP provisions, to strengthen the protection of individuals and bodies affected by their decisions. DPAs must act impartially and must remain free from any external influence, including that of the State or Länder, and not only from the influence of the supervised bodies. Independence precludes not only any influence exercised by supervised bodies, but also any directions or other external influence which could call into question the performance by those authorities of their task, which consists of establishing a fair balance between the protection of the right to private life and the free movement of PD.

State scrutiny in principle allows the government of the respective Land to influence the decision of the supervisory authority or cancel and replace those decisions. This is not consistent with principle of independence.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.


Case law: data processing

November 28, 2011


C-73/07, Tietosuojavaltuutettu [Finnish DP ombudsman] v. Satakunnan Markkinapörssi Oy and Satamedia Oy, 16.12.2008

Reference for preliminary ruling. Defendant 1 (a) collected public PD (name of persons whose income exceeds threshold, amount of earned and unearned income, wealth tax levied) from Finnish tax authorities and (b) published extracts in regional newspaper each year. Newspaper says PD can be removed on request without charge. Defendant 1 also (c) transferred the data on CD ROM to Defendant 2 (owned by same shareholders) which (d) disseminated them by text messaging system. Contracted with mobile telephony company to send text messages allowing users to receive information published in the newspaper; PD removed on request.

Questions referred: (1) whether collection, publication, transfer of CD ROM and text messages constitutes processing of PD; (2) whether it is processing for solely journalistic purposes within Article 9 of Directive 95/46; (3) whether Article 17 and principles of Directive 95/46 preclude publication of data collected for journalistic purposes and its onward transfer for commercial purposes; (4) whether PD that has already been published in the media is outside scope of Directive 95/46.

Processing: All 4 types of activities constitute processing.

Scope: Only two exceptions to scope, set forth in Article 3(2). First indent: security and criminal law, i.e. activities of the state. Second indent: processing by a natural person in the course of a purely personal or household activity, which concerns activities in the course of private or family life of individuals. Activities (c) and (d) are activities of private companies, not within the scope of Article 3(2). A general derogation from application of the directive in respect of published information would largely deprive the directive of its effect. Thus activities (a) and (b) are also not within the scope of Article 3(2).

Processing for solely journalistic purposes: Article 1 of Directive indicates that objective is that MSs should, while permitting free flow of PD, protect the fundamental rights and freedoms of natural persons and, in particular, their right to privacy, with respect to processing of their PD. That objective can only be pursued by reconciling those fundamental rights with fundamental right to freedom of expression. Article 9’s objective is to reconcile the two rights. MSs required to provide derogations in relation to protection of PD, solely for journalistic purposes or artistic or literary expression, which fall within fundamental right to freedom of expression, insofar as necessary for reconciliation of the 2 rights. To take account of the importance of the right of freedom of expression in every democratic society, it is necessary to interpret notions of freedom, such as journalism, broadly. Derogations must apply only insofar as strictly necessary.

Fact that publication is done for profit making purposes does not preclude publication from being considered as “solely for journalistic purposes.” Medium used is not determinative of whether “solely for journalistic purposes.” Thus activities may be classified as “journalistic” if their sole object is the disclosure to the public of information, opinions or ideas, irrespective of the medium used to transmit them.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.


Case law: Huber v. Germany (deletion of personal data)

November 25, 2011


C-524/06, Huber v. Germany, 16.12.2008

Reference for preliminary ruling. Huber, an Austrian national who is resident in Germany, requested the deletion of PD relating to him (name, date and place of birth, nationality, marital status, sex, entries and exits from Germany, residence status, particulars of passports, statements as to domicile, reference numbers) in the German Central Register of Foreign Nationals (AZR). Bundesamt assists public authorities responsible for application of law related to foreign nationals and asylum. The register is used for statistical purposes and by security and police services and judicial authorities regarding the prosecution and investigation of criminal activities. Germany rejected the request.

Question submitted with respect to DP: Is processing of PD of an Austrian national in the AZR compatible with the requirement of necessity under Article 7(e) of Directive 95/46?

Scope of Directive 95/46: Article 3(2) excludes from the scope of Directive 95/46 processing of PD concerning public security, defence, criminal law activities. Thus, in this case, only processing for purposes relating to right of residence and for statistical purposes falls within the scope of 95/46.

Necessity requirement: Since Directive 95/46 is intended to ensure an equivalent level of DP in all MSs, so as to ensure a high level of protection in the Community, the concept of necessity in Article 7(e) cannot have a meaning which varies between MSs.

Thus, it is a concept which has its own independent meaning in Community law, and must be interpreted in manner which fully reflects the objective of Directive 95/46.

Under Community law, right of free movement of a MS national is not unconditional, but may be subject to limitations and conditions imposed by treaty and implementing rules.

Legislation provides that a MS may require certain documents to be provided to determine the conditions of entitlement to right of residence. Thus, it is necessary for a MS to have relevant particulars and documents available to it in order to ascertain whether a right of residence in its territory exists. Use of a register to support authorities responsible for application of legislation on right of residence is, in principle, legitimate.

However, the register must not contain any information other than what is necessary for that purpose, and must be kept up to date. Access must be restricted to the responsible authorities. A central register could be necessary if it contributes to more effective application of that legislation. The national court should decide whether these conditions are satisfied.

Only anonymous information is required for statistical purposes.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.
