Automatic inter-state exchange of data:

Safeguarding data protection and fundamental rights

Giuseppe Busia

Secretary General of the Italian Data Protection Authority

Article 29 Working Party

The Article 29 Working Party

Independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC

Brings together representatives of data protection authorities of the European Union and a representative of the Commission

Its main tasks (Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC) are:

to examine any question covering the application of the national measures adopted under the two Directives in order to contribute to the uniform application of such measures;

to give the Commission an opinion on the level of protection in the Community and in third countries;

to advise the Commission on any proposed amendment of the Directives, on any additional or specific measures to safeguard data protection rights and on any other proposed Community measures affecting such rights and freedoms;

to give an opinion on codes of conduct drawn up at Community level;

to make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community

Joint EBF-FBF Tax Conference 2014 - Paris, 22 September 2014 2

Reconciling interests: the fight against tax evasion and fundamental rights

The legitimate fight against tax evasion should be pursued with full respect for individuals’ fundamental rights, namely the right to private life and the protection of personal data as required by European and International legal instruments:

Treaty on the Functioning of the European Union: Article 16

Charter of Fundamental Rights (Articles 7 and 8)

European Convention on Human Rights: Article 8

Convention for the Protection of Individuals with regard to Automatic processing of Personal Data - Convention 108/1981

OECD Privacy Guidelines

CRS: challenges for data protection

Personal data relating to a large number of individuals

Exponential increase of the risks inherent to the data

Automatic exchange (on an annual basis)

Need for a clear definition of the purpose

Need for necessity and proportionality

Need for transparency and data subjects’ rights

CJEU Data Retention Judgment

CJEU Judgment of 8 April 2014 (Cases C-293/12 and C-594/12) declared the Data Retention Directive to be invalid. The Court found that the Directive:

entails a wide-ranging and particularly serious interference with the fundamental rights to privacy and to the protection of personal data;

fails to sufficiently circumscribe such interference to ensure that it is limited to what is strictly necessary for the purpose of fighting ‘serious crime’, thereby leaving it too open for Member States to decide on the scope of data retention;

fails to define the guarantees surrounding data retention, i.e. objective criteria to determine the retention periods, appropriate technical and organisational security measures and conditions for the access and use of the data by competent national authorities.

Consequences for automatic processing of data:

National legislators, authorities and institutions should be aware of the principles stated by the CJEU, which apply a fortiori to those processing operations designed to monitor behaviors which do not have a criminal connotation, also in view of avoiding the negative consequences of further invalidations.

Data Protection principles (1)

Legal basis: Multilateral/bilateral agreements should contain substantive data protection provisions (not a mere reference to DP tools). Moreover, national procedures (involvement of Parliament, DPA) should be respected to create an adequate, clear and foreseeable legal basis (Article 6a of Directive 95/46)

Data transfers: Transfers from the EU to third countries are only allowed if said third countries ensure an adequate level of protection (Article 25 of Directive 95/46). Legitimate transfers may also take place if based on the specific legal basis foreseen by Article 26 (e.g. the transfer is necessary on important public interest grounds, provided that such an interest is clearly defined and overrides the data subject’s right to privacy). WP29 Opinion (WP114): repeated, mass or structural transfers of personal data should be governed by appropriate agreements which should be legally binding and fully take into account the data protection safeguards.

Purpose limitation: Any inter-state agreement should clearly identify the purposes for which data are collected and validly used (Article 6b of Directive 95/46). What’s «tax evasion»? (legal acts, illegal acts, serious financial crimes?)

Necessity and proportionality: Need to prove the necessity of the processing and that the required data are the minimum necessary for attaining the purpose (Article 6c of Directive 95/46)

Data Retention: Any decision to retain data must be subject to appropriate differentiation, limitations, exceptions (see Data Retention Judgment). Need to define appropriate data retention timing (Article 6e of Directive 95/46)

Data Protection principles (2)

Transparency: Clear information should leave data subjects in a position to understand what is happening to their personal data and how to exercise their rights. Any restriction or exemption to transparency rules should be limited and justified, respecting the strict criteria of Article 13 of Directive 95/46

Data subjects’ rights: Appropriate mechanisms for an easy exercise of rights (any restriction should be limited and justified: Article 13 of Directive 95/46)

Controllership: Data controllers (and data processors) should be clearly identified. A correct allocation of controllership is a crucial step to ensure compliance and data subjects’ rights (Article 2d and 2e of Directive 95/46). Controllers should choose processors providing sufficient guarantees (Article 17.3 of Directive 95/46)

Onward transfers: Data controllers should ensure guarantees for onward transfers, in particular ensuring that data are not used for other purposes without appropriate safeguards

Security measures: Strict security measures to avoid accidental or unlawful destruction or unauthorised disclosure/access and other unlawful forms of processing (Article 17.1 of Directive 95/46)

Privacy impact assessment: Member States should consider implementing an agreed Privacy Impact Assessment to ensure that DP safeguards are addressed, and a consistent standard is applied for the practical implementation of CRS
