Berlin, 5 January 2011

Contribution of the Federal Government to the European Commission’s consultation on the comprehensive approach to personal data protection in the European Union

The Federal Government welcomes the European Commission’s consultation procedure on its “comprehensive approach to personal data protection” of 4 November 2010. The Federal Government would like to draw special attention to the following points concerning the aims and outline of the comprehensive approach:

- The Federal Government is committed to modernising data protection at EU level and ensuring a high level of data protection in the EU. Modernising the legal framework governing data protection is a complex project, given the manifold challenges we are facing.
- It is essential for the Federal Government that the European Commission should choose a directive in this context, rather than a regulation. Member States need some room for manoeuvre on data protection in order to accommodate long-standing legal traditions and to set their own priorities in their national legislation. Moreover, it is easier to implement a directive within the existing national regulatory framework.
- Like Directive 95/46/EC, the new legal instrument should be open to further development and neutral with regard to technology.
- The new legislative act should provide a way for Member States to reconcile the concept of “complete independence” for data protection supervision with their constitutional traditions.
- The Federal Government welcomes the Commission’s plan to simplify the procedures for notifying the supervisory authority under Articles 18, 19 and 21 of the Directive. In many Member States, Article 18 creates an administrative burden which is not accompanied by an equivalent improvement in data protection.
- The Federal Government favours updating the provisions on international data transfers. In addition, it would be desirable if the European Commission followed the development of US data protection legislation based on safe-harbour principles, focusing in particular on ensuring an appropriate level of data protection.
- The new legal instrument will therefore need to reasonably differentiate between the general area and the area of police and judicial cooperation. The aims of increasing transparency and reinforcing the rights of individuals are to be welcomed. They should be implemented in police and judicial cooperation taking into account the specifics of each area.
- The Federal Government is in favour of including a general principle of “privacy by design” in the new legislative act.
- The Federal Government considers profiling an increasing trend in the digital world and supports relevant legislation. In this context, the terms “profile” and “profiling” must be exactly defined.
- The Federal Government is in favour of strengthening self-regulation, in particular as regards the Internet.

Further details are discussed in the following comments issued by the Federal Government on 26 July 2010.


Comment of the Federal Government dated 26 July 2010 on reviewing the data protection regulatory framework at EU level

The Federal Government endorses the European Commission’s plans to develop a strong data protection strategy within the European Union and for its relations to third countries. State-of-the-art data protection is a priority in today’s information society. Maintaining a high level of data protection in the EU should therefore continue to be our common goal. At the same time, data protection provisions must be clear and easy to understand. To achieve this, we should carefully analyse whether existing legal instruments are necessary and useful for the future and consider adopting new provisions as needed. Experience with the EC Data Protection Directive should be evaluated systematically and impartially. Innovative responses to new questions must be found. Consultations and results reflected in the Framework Decision on the protection of personal data in the areas of police and judicial cooperation should also be taken into consideration. The Federal Government will dedicate itself to this important task. The Federal Government would like to thank the Commission for giving Member States the opportunity to provide input before a new legislative act is drafted.

A General

I. When revising the legal framework for data protection, a directive should be preferred over a regulation. It should give EU Member States sufficient leeway to maintain their legal traditions and established body of law. It is the Federal Government’s belief that this can be ensured only by a directive. The Federal Government further believes that uniform minimum standards of data protection should be ensured in Member States, thus further harmonisation of data protection provisions at EU level is desirable.


II. We should thoroughly examine which areas need (additional) regulation and whether existing provisions are effective and easy to understand. Possible new provisions should allow for future developments and not favour a specific technology.

III. Discussions on new challenges as regards data protection on the Internet frequently touch upon the intersection of various policy areas. It is advisable to embed these discussions within a broader interdisciplinary context. With this in mind, the Federal Ministry of the Interior discussed the future of German Internet policy with representatives from civil society, industry, research and administration during four consultations in early 2010. Discussions focused on the issues of data protection and data security. The results of these consultations were summarised in 14 theses. For example, the government should ensure the free expression on the Internet and strike a balance between conflicting rights of private individuals. Self-regulation, personal responsibility and the right to control one’s own data should be strengthened. The government should adopt legislation to support data security – without stifling innovation and new developments on the Internet – and intervene in Internet services and applications, if necessary. Government powers of intervention to prevent threats and fight crime on the Internet should be in line with conventional principles. When taking sovereign action, the government should concentrate on measures which can be effectively implemented in the digital world. The complete list of theses may be found at www.bmi.bund.de. They have been reviewed by citizens through an online consultation (www.ekonsultation.de/netzpolitik).

IV. The wording of the new legislative act on data protection should be easier to understand than Directive 95/46/EC. If the structure and terminology are too sophisticated, data protection law as a whole is difficult to understand. This may also affect implementation.


V. For the Federal Government it is less relevant whether the field of police and law enforcement is included in the general legislation or governed by a separate legal instrument. Including this area would have the advantage that deviating provisions in the field of police and law enforcement would be more transparent because they would not be in separate legislation. However, a general legislative act would have to take the specifics of this area, e.g. confidentiality during covert operations, into account. The Federal Government does not consider it necessary to exclude Europol and Eurojust from consideration. The modernisation aims of “more transparency”, “more influence for persons concerned” and “more effective data protection supervision” are applicable to the field of police and judicial cooperation only to a limited extent. The new legal instrument will therefore need to reasonably differentiate between the general area and the area of police and judicial cooperation. The end of the implementation period of Framework Decision 2008/977/JHA (on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters) coincides with the announced presentation of a new legislative act on data protection. Therefore, the EU Commission should inform Member States about its considerations at the earliest opportunity to avoid inconsistencies between the Commission’s work and national efforts to implement the Framework Decision.

B Questionnaire of the European Commission

The Federal Government responds as follows to the European Commission questionnaire developed in the framework of the stakeholders’ consultation on 29 June 2010:

1. The principle of data minimisation is already enshrined in the EC Data Protection Directive, e.g. Article 6(1)(c) specifies that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. A dedicated provision such as Section 3a of the Federal Data Protection Act in Germany would underline and clarify the significance of this principle. Moreover, it would allow the principle to be applied to a period before data processing, e.g. to the design and selection of data processing systems. This is therefore an aspect of “privacy by design”. However, in a dedicated provision the principle of data minimisation should be expressed as a requirement because an obligation (entailing sanctions) could hardly be implemented in practice and would produce great legal uncertainty given the broad range of possible data processing applications.

2. Profiling is a major trend in the “digital world”, also given the growing importance of “social networks” and integrated Internet businesses. Therefore, the Federal Government is in favour of provisions on profiling. However, discussions in the Council of Europe on a recommendation for profiling showed that the terms “profile” and “profiling” must be exactly defined and that provisions must be sharply differentiated to be effective. In particular, they must cover the various situations where profiling is used.

3. The effects of extending categories of sensitive data must be thoroughly examined. The stricter criteria for dealing with sensitive data should not require numerous new legal permissions to maintain the necessary and desired data processing applications. The sensitivity of data depends on the context in which they are processed. Therefore, the list of sensitive data should be extended only to include all those data which are sensitive in (almost) all conceivable situations of data processing. On the list created by the European Commission this would apply to biometric and genetic data.

4. The Federal Government is not averse to discussions on greater protection of personal data of minors. According to Article 1 of the UN Convention on the Rights of the Child (CRC) a child means every human being below the age of eighteen years. Article 16 CRC protects the privacy of children below the age of 18 years. As a result, age limits do not necessarily need to be harmonised. A possible graduated protection system should take into account the minors’ individual need for protection. For example, data protection law for police and law enforcement authorities defines a child as a minor below the age of 14 years (age of criminal responsibility; cf. for example Section 31 of the Federal Criminal Police Office Act, BKAG). This is something each Member State should regulate on its own responsibility.

5. The Directive already specifies various conditions for collecting personal data if they are not directly collected from the data subject, e.g. special information in Article 11. This information is only a minimum standard (“at least”). Against this background, the Federal Government suggests examining whether Member States have had different experiences and which further information is useful according to Member States as well as harmonising the list of information even further.

6. A clear distinction should be made between the terms “right to be forgotten” and “right of deletion”. German law already provides for the possibility to ask for the deletion of statements made on the Internet and to prohibit the publishing of personal data. As regards the “right to be forgotten”, the relevant requirements would have to be clearly defined, and it would have to be specified against whom the right may be enforced. In addition, exceptions would have to be defined, and it would have to be examined whether this right should be enshrined in a legislative act which – like the Data Protection Directive – would exclude personal and family activities of natural persons. Finally, consideration should be given to the technical implementation of such provisions. The Federal Government is very interested in the idea of an “expiry date for data”, but again technical implementation seems to be a great challenge.

7. The fundamental right of data ownership exists in various forms in different national legal systems. In Germany, the protection of personal data is protected by law through the individual’s right of control of his/her own data, allowing interventions only within the limits set by the constitution. Therefore, the Federal Government does not see the need to introduce a “property right over personal data”. It is more important to ensure a high level of data protection by creating relevant framework conditions at European level.

8. The Federal Government supports efforts to facilitate greater “data portability” on the Internet. In this respect, business models of service providers, existing technical systems and legitimate interests of stakeholders and competent bodies must be taken into account. Users need sufficient control of their online data for a sovereign and responsible use of the Internet. Currently, this is often not the case because some services depend on a specific platform, or because there is no possibility for individuals to take their data with them when moving from one social network to the other. However, a right to retrieve personal data in all cases might go too far. A differentiated approach would be preferable.

9. The Federal Government objects to introducing a requirement for explicit consent in all cases. However, it might be useful to strengthen explicit consent in certain areas. A carefully differentiated approach is necessary. Given the complex data processing applications on the Internet and a growing division of labour, the effectiveness of the concept of consent of the data subject (Art. 2(h)) should be reviewed. In particular, the data subject frequently lacks the necessary information to make a free and informed decision. Transparency of data processing as a prerequisite of and not a substitute for consent must be maintained also under these circumstances, e.g. by adapting information obligations.

10. Data subjects should be able to exercise their rights, in particular the right of information, both online and offline.

11. As a rule, access to one’s own data should be free of charge. However, situations may arise where a fee may be imposed, e.g. according to the Federal Data Protection Act in private industry if the data subject can provide this information to a third party for economic purposes. However, the fee must not exceed the costs incurred by providing the information. In addition, when charging a fee for data access, data subjects should have the possibility to access the information in person and free of charge, e.g. by viewing the data on site. Moreover, a fee should not be charged in certain situations, e.g. if the information reveals that data are incorrect or stored without permission and have to be corrected or deleted. Other rights exercised by data subjects should also be free of charge. For example, according to German law data must be corrected if they are incorrect or deleted if storage is not permitted or no longer necessary for a certain purpose. Data controllers must comply with data protection law. They should not be able to refuse correction, deletion or blocking of data by stating that the data subject did not pay the required fee.
12. If precise deadlines are adopted at European level they should satisfy the broad range of data processing applications in practice.

13. There seems to be no need for specific safeguards for the protection of personal data of data subjects with a professional or special official secrecy obligation in the legal profession. As regards the medical profession, the protection of personal data processed by data subjects with secrecy obligations is ensured by specific safeguards under national legislation.

14. The Federal Government supports the approach to make data processing more transparent and easier for data subjects to understand. The principle of transparency is already enshrined in various articles of the Directive. Making this principle explicit can underline its significance. Transparency may be ensured, but not exclusively, by improving the information for data subjects. In this respect, please refer to the Federal Government’s answer to question 5. Greater harmonisation of information for data subjects is required. At the same time, the information should not become too long and unclear by including further mandatory components, which would hinder understanding and the willingness to read the information and thus cause less transparency.

15. The Federal Government recognises the need to increase data subjects’ general awareness of their rights. However, this goes beyond legislation, so Member States should take their own measures.

16. The Federal Government objects to an explicit obligation for supervisory authorities to promote awareness campaigns. Member States and supervisory authorities should be allowed to choose their own approach.

17. The Federal Government does not see a need to further clarify the existing legal framework on the processing of personal data related to health. Observing the subsidiarity principle, national provisions should continue to apply given the individual situation in each Member State. In this context it should be noted that necessary processing of personal data related to health is required to ensure the functioning of health-care and social security systems, in particular health insurance. The Federal Government objects to introducing a specific provision on the use of personal data related to health, in particular by third parties for the purpose of making profit.

18. The Federal Government is in favour of specific rules for the processing of personal data in the employment sector. Since early 2009 there has been a very thorough discussion on the protection of employees’ personal data. In the first half of 2010 the Federal Government prepared draft legislation including provisions on collecting, processing and using data before and after employment. The draft legislation also includes provisions on using telecommunications services at work and on the limited possibility of employee consent.

19. There is no need to clarify the terms “statistical data” and “data for scientific purposes”. The Federal Data Protection Act includes relevant provisions on conducting scientific research which have not posed any interpretation problems in practice.

20. The Federal Government supports the adoption of specific rules on video surveillance. The issue is governed by Section 6b of the Federal Data Protection Act (purposes: Section 6b(1) nos. 1 to 3). The draft legislation on the protection of employee data currently being discussed by the ministries includes a provision which takes into account the special conditions of an employment relationship.

21. It seems necessary to provide an appropriate balance between the protection of personal data and the need to process such data for journalistic purposes or for the purpose of artistic and literary expression. However, given the enormous range of possible cases it might not be possible or useful to adopt specific rules. In Germany, legal practice shows on the one hand that suitable provisions are available but on the other hand that each case must be examined individually. Member States should be responsible for striking a balance between the aforementioned rights.

22. See answer to question 10.

25. The protection of rights of dead persons is a general issue affecting all fundamental rights, not only data protection. Post mortem, German law protects the general right of human beings to dignity and the moral, personal and social value acquired by personal accomplishments (BVerfG, AfP 2008, 161 = NJW 2008, 1657). The scope of the post mortem privacy rights is not governed by German law but developed by legal practice. A European provision specifically for data protection would run the risk of being incomplete and possibly not in line with the Member States’ constitutions.

26. The Federal Government is in favour of strengthening self-regulation, in particular as regards the Internet (cf. comments on Internet policy under A III.).

27. The rights of data subjects are already clearly expressed in the Directive. However, the Federal Government suggests reviewing implementation in the Member States to assess whether certain provisions have been particularly successful and should be included in the Directive.

28. The Federal Government believes that when ensuring a high uniform standard of data protection in Member States, data protection provisions at EU level should be further harmonised. Germany would prefer a legal instrument which defines minimum standards at a high level of data protection but at the same time leaves sufficient scope for the established body of law in EU Member States.

29. The Federal Government is particularly committed to simplifying the notification procedures under Articles 18, 19 and 21 of the Directive. In many Member States, Article 18 causes an administrative burden which is not outweighed by improved data protection. The Federal Government supports in particular the approach of lifting the obligation to notify provided that a data protection officer (DPO) is appointed or that a Privacy Impact Assessment (PIA) is carried out, the results of which are published on the Internet and are thus easily available to data subjects.

30. The various approaches, including notification obligations, prior checking, PIA and DPO, should be coordinated to avoid duplication and unnecessary effort.

31. The Federal Government doubts that such a general obligation is necessary given the burden on the obliged parties.

32. Please refer to the answer to question 30.

33. Please refer to the answer to question 30.

34. In Germany, the concept of a DPO (Sections 4f and 4g of the Federal Data Protection Act) has been successful. A balance must be found between the economic burden arising from the appointment of a DPO and the possibility to improve data protection, in particular with regard to small businesses. Therefore, the Federal Data Protection Act specifies thresholds for the obligation and the possibility to appoint a joint or external DPO.

35. See answer to question 29. We should consider whether the notification obligation can be lifted when such measures are taken.

36. The Federal Government is in favour of including a general principle of “privacy by design” in the new legislative act. In Germany, Section 3a of the Federal Data Protection Act is an initial step in this context. A detailed privacy-by-design rule for the Internet is included in Section 13 of the Telemedia Act. The paragraph of the Council of Europe draft recommendation on profiling should also be taken into account. European privacy-by-design provisions should not be too detailed, so as to leave sufficient scope for different situations.

38. The Federal Government supports provisions on personal data breach notifications as required at European level by Article 4(3) of Directive 2002/58/EC in accordance with Article 2 no. 4 of Directive 2009/136/EC. As stated in recital 59 of Directive 2009/136/EC, the interest of users in being notified is clearly not limited to the electronic communications sector. Section 42a of the Federal Data Protection Act includes a general obligation of non-public bodies to immediately notify the responsible supervisory authority and the data subject when personal data have been compromised. This provision also applies to telemedia through Section 15a of the Telemedia Act and Section 93(3) of the Telecommunications Act.

39. The Federal Government does not currently see a need for harmonised criminal sanctions for a breach of the data protection rules. Member States should decide on sanctions as long as they ensure that breaches are effectively punished.
40. Yes. Special circumstances such as the interest of secrecy during police and law enforcement investigations require specific rules on personal data processing in this area.

41. Data subjects should have the right to access, rectify and delete (block) their own data. Limitations should be allowed only in individual cases (no exceptions for entire areas). It should be possible to have data deleted even if a request for information must be refused. The Federal Government has not yet reached consensus on implementing the notification obligation pursuant to Article 11 of the Directive.

42. These issues fall under criminal procedure and police law and should not be included in a new legislative act on data protection. Harmonising criminal procedure and police law is currently neither desired nor attainable.

43. The question is very broad. Whereas distinct regimes for different categories of data subjects are not necessary, special (individual) provisions should be adopted as necessary. To this end, the different use of the various categories in the Member States should be evaluated.

44. The current adequacy procedure can be maintained.

45. The provisions made in Article 4 of the Directive have proved useful. The Federal Government suggests examining how the Member States’ legislation to implement Article 4 differs and thus creates obstacles and legal uncertainty for EU businesses operating across borders. With a view to technical developments, in particular of the Internet, we should consider adapting and specifying Art. 4(1)(c) of the Directive (“for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State”). In this context, special consideration should be given also to cross-border data protection in EU legal assistance in civil matters. There are a number of legislative acts which facilitate international legal assistance in civil and trade matters between Member States (e.g. Legal Aid Directive, EU Regulation on the taking of evidence, EU Regulation on service of documents). All of these legislative acts involve the transfer of personal data between government agencies in different Member States. However, not all of them include data protection provisions. It is unlikely that Article 4 can be or is applied to each cross-border case. Therefore, it is recommended to develop a standard data protection clause for international legal assistance, even if it only serves to clarify the existing level of protection. A starting point could be Article 22 of the EU Regulation on service of documents, which expressly addresses data protection. This standard data protection clause is especially important because in the field of judicial cooperation in civil matters the EU’s Stockholm Programme also provides for legal assistance measures which require the exchange of data across borders within the EU.

46. Ultimately, it is important not only where the controller resides but in particular where data are processed. We should examine whether EU data protection law applies to all processing outside of the EU/EEA of personal data of a data subject residing in the EU.

47. The provisions on adequacy decisions should be simplified to encourage more decisions. In this respect, thoughts on content and a simple procedure could be helpful. The criteria for establishing the principle of adequacy in law should be defined more precisely. In this context, enforcing data protection law should also be taken into account.

48. The concept of Binding Corporate Rules (BCR) should play a more prominent role in the new legislative act than in the EC Data Protection Directive. Important requirements should be included, and a uniform, simple and time-effective procedure should be created, e.g. through procedures of mutual recognition.

49. The transfer of personal data between public authorities/administrations has a different constitutional basis than the transfer between subjects of private law. Therefore, the Federal Government doubts whether standard contract clauses are useful.

50. The current provision in Article 26(4) of the Directive, stipulating that the Commission decides that certain standard contractual clauses offer sufficient safeguards, has proved itself in practice.

51. Yes.

52. Yes.

53. Yes.

54. The Federal Government suggests examining whether a responsible body and a clearly structured participation procedure including deadlines would be sufficient.

55. In Case C-518/07 the European Court of Justice recently specified the concept of “complete independence” of data protection authorities. Germany is now implementing the ruling in national law. It is currently not clear whether the concept of complete independence will require further specification when the ruling is implemented.

56. In Germany this is governed by Section 22(5), third sentence, of the Federal Data Protection Act.

57. The Federal Government does not see a need for this. The Directive leaves Member States sufficient scope if enforcement powers are effective. Germany has sufficient enforcement powers and measures. Given the concept of complete independence of supervisory authorities within the meaning of the European Court of Justice ruling on Case C-518/07, changing enforcement powers of supervisory authorities could cause serious problems with constitutional law. Therefore, the Federal Government will strongly object to any change which might aggravate these problems.

58. The Federal Government does not see a need for this.

59. The role of the Article 29 Working Party on Data Protection should not be changed.
60. There may be a need to strengthen supervision over European agencies/authorities/systems which is currently carried out only as a secondary task (joint supervisory authorities).