Personal data (European Directive)
From Saferpedia
Personal data refers to any personal information. Collection, processing and storage of personal data must be brought to the user's attention explicitly.
The Personal Data Directive is a European Union directive regulating the processing of personal data inside the European Union. It is an important component of European Union law regarding private life and human rights. The Directive entered into force in 1995.
Context
The body of law regarding the right to private life is very developed in Europe. All European Union member states signed the European Convention on Human Rights. The eighth article of the Convention provides the right to respect for private and family life, correspondence and domicile, under certain restrictions. The European Court of Human Rights gave this article a very open interpretation in case law. In 1981 the People Protection Convention, regarding automatic processing of personal data, was negotiated within the European Council. This Convention obliges signatories to adopt laws regarding automatic processing of personal data. Many countries adopted such laws accordingly.
In 1980, in an effort to create a data protection system, the Cooperation and Economic Development Organization made recommendations on guidelines to regulate private life protection and trans-border personal data flow.
The seven principles governing the Cooperation and Economic Development Organization's recommendations were:
- Notification - people must be notified when their personal data are collected;
- Purpose - data has to be used only for declared purposes and for no other purposes;
- Consent - data must not be divulged without the targeted person's consent;
- Security - collected data must be kept safe against potential abuses;
- Disclosure - targeted people must be notified about who is collecting their data;
- Access - targeted people must have access to their data and be able to edit them;
- Responsibility - targeted people must have the possibility to keep the collected data and the collectors' data so that they may check whether the above principles are respected.
However, the Cooperation and Economic Development Organization's guidelines were not put together, and privacy laws regarding personal data differed all over Europe. Nevertheless, the seven principles were included in the European Union Directive.
The European Commission realized that differences in data protection legislation among EU member states were stopping the free flow of data within the EU. Therefore the European Commission decided to harmonize regulations regarding data protection and proposed the Directive regarding personal data protection.
Content
The Directive regulates the processing of personal data, whether or not the processing is automated.
Purpose
Personal data are defined as "any information regarding an identified or identifiable natural person"; an identifiable person is a person who may be identified, directly or indirectly, especially by reference to an identification number or to one or more factors specific to their physical, physiological, psychological, economic, cultural or social identity (art. 2 a).
This definition is intended to cover a very wide range. Data are personal data when someone is able to make the connection between the data and a person, even if the person holding the data can't make this connection. For example, personal data are: address, credit card number, statements, criminal record, etc.
Processing is defined as any "operation or set of operations performed on personal data, whether or not automated, such as collecting, registering, organizing, storing, adapting or combining, blocking, deleting or destroying" (art. 2 b).
Laws regarding personal data protection apply not only when the operator is located inside the EU but whenever the operator uses equipment in the EU to process data (art. 4).
Principles
Personal data should not be processed unless certain conditions are met. These conditions are divided into three categories: transparency, legitimate purpose and proportionality.
Transparency
Targeted people have the right to be informed when their personal data are processed. Operators must supply their name and address, the purpose of the processing, the recipients of the data and all other information required to ensure fair processing.
Data may be processed in one of the following situations according to art. 7:
- When the targeted person has given their consent;
- If the processing is required for a contract;
- If the processing is required to respect a legal obligation;
- When the processing is necessary to protect the targeted person's vital interests;
- When the processing is necessary to carry out a task of public interest or to exercise the public authority of the operator or of a third party to whom the data are communicated;
- When the processing is necessary to realize legitimate interests pursued by the operator, by a third person or by a third party to whom the data are communicated, except where this interest would prejudice the fundamental rights and freedoms of the targeted person.
Legitimate purpose
Personal data may be processed only for specific and legitimate purposes and can't be processed in any way incompatible with these purposes (art. 6 b).
Proportionality
Personal data may be processed only if they are adequate, pertinent and not excessive in relation to the purposes for which they were collected. Data must be exact and, if necessary, updated; all reasonable measures must be taken to ensure that inexact or incomplete data are later processed, corrected or deleted. Data must not be stored in a form that allows identifying targeted persons longer than is necessary. EU member states must establish appropriate safeguards for personal data stored for longer time periods for historical, statistical or scientific purposes (art. 6).
When sensitive personal data are processed (religious beliefs, political opinions, health opinions, sexual orientation, race, past organization membership), additional restrictions apply (art. 8).
The targeted person may object at any time to the processing of their personal data for direct marketing (art. 14).
Supervisory Authority and the public register of processing operations
Each member state must establish a supervisory authority, an independent body to monitor the level of data protection in the state, to advise the Government on administrative measures and regulations and to commence legal proceedings where the legislation for the protection of personal data has been breached (art. 28).
The operator must notify the supervisory authority before starting data processing. The notification must contain at least the following information:
- Name and address of the operator and its representative, if there is one;
- Purpose or purposes of publishing;
- A description of the category or categories of targeted persons and data or categories of data relating to them;
- Recipients or categories of recipients to whom data may be disclosed;
- Proposals for transfers of data to third countries;
- A general description of measures taken to ensure security of processing.
This information is stored in a public registry.
Personal data transfer to third countries
In the European Union, "third countries" is the term used for countries outside the EU. Personal data may be transferred to a third country if that country offers a high level of protection.
Article 29 of the Directive created the "Work Group of people's protection regarding personal data processing", known as the "Work Group of 29th article". The Work Group offers advice regarding the level of protection in the EU and in third countries.
The Work Group negotiated with US representatives about personal data protection, and the result was the Safe Harbor principles. According to critics, the Safe Harbor principles don't provide an adequate level of protection because they contain fewer obligations for the operator and allow certain rights to those who draw up contracts.
In July 2007, an agreement between the US and the EU called "PNR - Passenger Name Record" was signed.
In February 2008, Jonathan Faull, EU Commission chief for internal affairs, complained about US bilateral policy regarding PNR.
In February 2008, the US signed a Memorandum of Understanding (MOU) with the Czech Republic in exchange for a Visa Waiver system, without prior consultation with Brussels.
Tensions between Washington and Brussels are mainly caused by a lower level of data protection in the US, especially since foreigners don't benefit from the 1974 US Privacy Act. Other countries have addressed the MOU, such as Great Britain, Estonia, Germany and Greece.




