Technology– the Data Protection Challenge
Billy HawkesData Protection Commissioner
HEAnet ConferenceKilkenny, 13 November 2009
Ubiquitous Technology• Part of daily life• Increased reliance – especially on
Information Technology• The Internet - Major Benefits
What would we do without search engines? What would teenagers do without social
networking/Instant Messaging?• The Future “Technology of Things”?
New Technologies
• Geo-location• RFID (Radio Frequency
IDentification)• Biometrics • DNA
Lots of Personal Data ….• Increased commercial and State gathering
of personal information and “data mining”• Temptation to present Privacy as an
obstacle rather than an entitlement But• Increasing appreciation that privacy
protection is good customer service and a “bottom line” issue
Technology and Data Protection• Data Protection Law developed in response
to proliferation of Information Technology• Recognition that capacity to process and link
personal information could be a threat to privacy
• Data Protection Law originally applied only to electronic processing of personal information
EU & Irish Legislation• Data Protection
Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc• Police & Justice Decision 2008/977/JHA
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
• Corresponding Acts
• (to be transposed)
The Data Protection Rules1. Fair obtaining &
processing• Consent
2. Specified purpose3. No disclosure
• unless “compatible”
4. Safe and secure
5. Accurate, up-to-date6. Relevant, not
excessive7. Retention period8. Right of access
Data Protection & e-government• Drive for more customer-friendly public
services, with maximum e-delivery• Data sharing within government: how far?• Convenience & efficiency V Privacy• Govt working on framework for Identity
Management and Privacy
Privacy & State Security• Shifting balance in “post 9-11” world• Data Retention, CCTV, Data Sharing,
Border Controls – “Surveillance Society”? • Proposed Compulsory biometric ID Card
for non-nationals; towards National Identity Card?
• Intensified police/immigration cooperation
Things go Wrong …..
• Jobs.ie• Blood Transfusion Service• Garda/Social & Family Affairs/Revenue• TK Maxx • UK: HMRC (Revenue), HSBC Bank
Eurobarometer 2008
Individual (DS) Concern about Data Protection
EU Average%
Ireland %
Concerned 63.8 70.5
Not Concerned 34.8 28.2
Don’t know / no answer 1.4 1.3
Eurobarometer 2008Organisations View of Necessity of Data Protection Law Requirements
EU Average%
Ireland%
Tend to agree on necessity 91 99
Tend to disagree 6 0
Don’t know / No answer 3 0
Eurobarometer 2008Anti-Terrorism Phone Call Monitoring: Individual (DS) View EU Average
%Ireland
%
No 25.2 50.3
Yes, but only people who are suspected of terrorist activities 34.6 21.8
Yes, but even suspected terrorists should only be monitored under the supervision of a judge or with equivalent safeguards
21.2 14.6
Yes, in all cases 15.9 11.4
Don’t know / No answer 3 1.8
Eurbarometer 2008Anti-Terrorism Internet Monitoring: Individual (DS) View EU Average
&Ireland
%
No 18.9 31.3
Yes, but only people who are suspected of terrorist activities 31.7 23.2
Yes, but even suspected terrorists should only be monitored under the supervision of a judge or with equivalent safeguards
17.8 17.1
Yes, in all cases 24.8 25.9
Don’t know / No answer 6.9 2.5
Eurobarometer 2008Organisations’ Use of Enhanced Security for Internet-transferred Data
EU Average%
Ireland%
Yes 67 88
No 32 11
Don’t know / No answer 2 2
Change Happening: Data Security• Consensus on need for Action
More Data Breach Reports Public Pressure for action
• Department of Finance Guidelines for Public Service
• Working Group on possible need for change in Irish Legislation
• Data Breach reporting obligation in new EU ePrivacy Directive Commitment to broader EU measure?
Change Happening: Ireland
• More emphasis on enforcement of data protection law Successful prosecutions for “Spam” Greater use of audit powers (including “dawn
raids” where necessary)
• Focus on “big picture” as well as individual complaints
Lisbon Treaty Article 16 Treaty on the Functioning of the Union• 1. Everyone has the right to the protection of personal data
concerning them.• 2. The European Parliament and the Council, acting in
accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.
• Compliance with these rules shall be subject to the control of independent authorities. …..
“Stockholm Programme” • EU Commission Communication “An area of
Freedom, Security and Justice serving the Citizen” (June 09) The Union must establish a comprehensive
personal data protection scheme covering all areas of EU competence
The Union must be a driving force behind the development and promotion of international standards for personal data protection and in the conclusion of appropriate bilateral or multilateral instruments. (Work with USA quoted approvingly)
Future Change: EU Legal Framework • Study commissioned by UK Information
Commissioner (“Rand Report”) discussed By European DPAs in April 09 Study acknowledged strengths of EU system but
declared it “not fit for purpose”• EU Commission Data Protection Conference,
May 2009 • Public Consultation on the legal framework for
the protection of the fundamental right for the protection of personal data – launched July, finishes December 09
• Revised horizontal Directive 2012?
Future Change: Towards International DP Standards?• EU: Making Binding Corporate Rules work; more
“adequacy” decisions?• APEC (Asia-Pacific): Privacy Principles, Pathfinder• ISO: New draft Privacy Standard • International DP Conference: Draft Standards
approved at November (Madrid) Conference• Private Sector: IAPP (certification/training);
“Accountability” Project
Protecting Privacy – How?• Empowering Individuals (e.g. Electoral
Register ‘opt-out’; Phone etc ‘opt-out’; Access Right)
• Law and the Courts• Role of the Market & self-regulation• International data flows - Towards
international principles?
Privacy and Technology• Tension – manageable?• Privacy by Design – Privacy
Enhancing Technologies• Work with Industry• Security Breach Legislation?• How to control State (mis-) use?
Thank You
• www.dataprotection.ie
Top Related