Data Protection

EU Data Protection

On 18th October 2016, ISC will organize a seminar which will examine the impact of the EU’s General Data Protection Regulation (GDPR) on the operation of R&D and science and on collaborative research in the EU and with its global partners. The seminar will also explore how the planned European Cloud Initiative will deal with the implications of the GDPR. Further information and registration are available at:

www.iscintelligence.com/event.php

The growing globalisation of data flows, via social networks, cloud computing, search engines, location-based services, etc., increases the risk that people lose control of their own data. According to Article 8 of the Charter of Fundamental Rights of the European Union, "protection of personal data" is upheld under the following claims:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.

Therefore, common EU rules have been established to ensure that personal data enjoys a high standard of protection everywhere in the EU. However, the EU's current data protection law dates from 1995, before the Internet came into widespread use, and does not cover data processed for law enforcement purposes. Today, 250 million people use the Internet daily in Europe.

A revision of this directive is in progress which aims to put people in control of their personal data, build trust in social media and online shopping, and upgrade the protection of data processed by police and judicial authorities. The new rules will update existing legal principles and apply them to the new online environment, so as to ensure effective protection of the fundamental right to data protection and improve legal certainty for companies.

The new rules will also replace the current patchwork of national laws with a single set of rules, which should make it easier for companies to move across the EU while at the same time strengthening citizens' rights.

The EU also created the position of European Data Protection Supervisor (EDPS) in 2001. The responsibility of the EDPS is to make sure that all EU institutions and bodies respect people’s right to privacy when processing their personal data.

The EU's General Data Protection Regulation

The GDPR entered into force on 24 May 2016 and will apply from 25 May 2018. The regulation is aimed at empowering the citizens as owners of personal data, as well as establishing legal certainty for business based on clear and uniform rules. The GDPR will apply to all organizations in and outside the EU that deal with the personal data of EU individuals. Science-based and research organizations will need to take advantage of the two-year transition period up to 25 May 2018 to prepare for a significant increase in their data protection responsibilities and advance their privacy compliance programmes.

More information is available at: http://www.iscintelligence.com/event.php?id=308

The following information pertains to the period up to the Commission's proposal for the GDPR.

1995 Data Protection Directive

The 1995 Directive on Data Protection was adopted to guarantee privacy rights of data subjects and ensure the free flow of personal data within the European Union, although it is set to be replaced by a regulation which seeks to adapt the rules to the new challenges brought by globalisation and new technologies.

The directive defines the conditions under which personal data can be legally collected and used, whether by automated or non-automated means. The directive confers on individuals the right to a judicial remedy on violation of nationally defined data protection rights and compensation for any resulting damage.   

Regulation (EC) No 45/2001 sets similar rules to ensure the protection of personal data by European Union institutions and bodies.

Commission Proposal on a New Framework for Data Protection

On 25 January 2012, the Commission proposed a reform of the EU's 1995 data protection rules. The Commission's initiative aims to enhance the rights of data subjects through greater control of their data, more transparency, and stronger enforcement of European data protection rules. The Commission's proposed regulation would replace the directive, unifying data protection rules at EU level to increase legal certainty and reduce administrative costs for enterprises.

The main changes proposed by the Commission:

  • Directly applicable rules for all EU member states
  • Required consent must be given explicitly (change from unambiguously) and not simply assumed
  • Easier access to personal data and a right to data portability, allowing the transfer of personal data from one service provider to another
  • Reinforcement of the ‘right to be forgotten’, which allows data subjects to obtain the erasure of their data if there are no legitimate grounds for retaining it
  • More responsibility and accountability for data processors through the elimination of the costly notification of all data protection activities to a supervisory authority
  • Introduction of the obligation by data controllers to notify the national supervisory authority of serious data breaches as soon as possible (under 24 hours if possible)
  • Data controllers and subjects will only have to deal with a single national data protection authority (one-stop-shop)
  • Data controllers outside the EU but active in the EU market are subject to EU data protection rules
  • Stronger enforcement by independent national data protection authorities
  • New directive for data protection rules applied to police and judicial cooperation in criminal matters

European Parliament Report, March 2014

The lead committee in the European Parliament working on the Draft Regulation was the Committee on Civil Liberties, Justice and Home Affairs (LIBE), headed by rapporteur Jan Philipp Albrecht.

Jan Philipp Albrecht’s report generally supports the aims of the Commission’s proposal, which are to establish a comprehensive approach to data protection, to strengthen online privacy rights, and to eliminate the fragmentation of 27 different national data protection laws, which is costly for businesses. The report also reinforces certain elements of the Commission’s proposal, particularly on individuals’ rights.

The Report’s main contributions:

  • The rapporteur’s report states that the Regulation should cover the public and private sectors.
  • On the One Stop Shop principle, the report suggests the creation of an independent EU Data Protection Agency to take binding decisions with respect to National Data Protection Agencies.
  • Encouraging the use of pseudonymous and anonymous data by companies, the report reinforces the ‘explicit consent’ clause by adding the requirement to use clear and easily comprehensible language and excluding ‘default settings’ as a means of legitimately gathering consent. Moreover, the report reinforces the ‘right to be forgotten’ by introducing a provision for the ‘right to erasure’ (the right to erase one’s data if there are no legitimate grounds to retain it) requiring data controllers to request the erasure of the data by third parties.
  • As for the geographic scope of the Regulation, the report agrees with the Commission that all personal data collected and processed about EU residents fall within its jurisdiction, regardless of where the controller’s main establishment is located, including outside the EU.
  • On delegated acts, which allow the Commission to adopt more specific rules without going through the full legislative process, the report proposes a reduction of the number of delegated acts.
  • On the ‘legitimate interests’ exemption, just as in the Data Protection Directive, data can be processed if the ‘legitimate interests’ of the data controller do not override the fundamental rights of the data subject. However, the report adds that this justification may only be relied upon in ‘exceptional circumstances’, which means that businesses will have to publish their justification, selected from a list of legitimate cases.
  • On data breaches notification, the report extends the time of notification from 24 hours to 72 hours.
  • The report increases the amount of information that data controllers should give their data subjects, including the legitimate interests which override the data subject’s interests, a list of all the recipients of the data and not just categories of recipients, the data controller’s safeguards in case of data transferal outside the EU, and information about profiling and how to object to it.
  • Whereas the Proposal envisages exceptions for SMEs, the report states that ‘all rules should apply to every data controller’.
  • The report proposes that the mandatory appointment of a Data Protection Officer should apply to entities that process data of more than 500 data subjects a year instead of entities with more than 250 employees.

Future of Data Protection

While there is a strong will on the part of the Commission and most of the European Parliament Committees involved to reinforce individuals’ right to data protection through stronger clauses and greater enforcement, the European Parliament’s Industry, Research and Innovation Committee (ITRE), led by MEP Seán Kelly, and the Council have proposed a more flexible approach which takes the interests of SMEs into account and minimises burdensome and costly administrative procedures. The Commission is open to discussion on further flexibility where it does not undermine the objective to maintain a high level of personal data protection.

Given the European Union’s policy of support to SMEs, the ‘Think Small First’ principle, and the public statements of Viviane Reding (Commissioner responsible for justice, fundamental rights and citizenship), it is likely that the Commission will attempt to facilitate the inclusion of amendments which minimise unnecessary costs for businesses where possible, without increasing the risk to data privacy. In parallel, the Council has instructed the DAPIX Working Party to devise more flexible rules which may reduce administrative costs for businesses where the risk to data privacy is low. The final Regulation will most likely imply fewer costs for businesses than the Draft Regulation, but the manner in which this will be achieved is yet to be determined.

Noting the European Parliament Industry Committee’s desire to extend and reinforce exemptions for SMEs, the Commission has expressed openness to further discussion on calibrating obligations to the needs and nature of SMEs yet has warned against the possible added complexity and red-tape associated with the Council’s proposed risk-based approach to obligations.

On the whole, the Commission has stated its desire to achieve an optimal balance of data subjects’ rights and minimal constraints for businesses.

The European Parliament voted on the amended data protection package on 12 March 2014 and would like to reach an agreement with the Council of the European Union by the end of 2014.

The Regulation will enter into force two years after it has been adopted by the Council and the Parliament.

Global Challenges

In order to protect individuals’ privacy, technological, sociological and ethical dimensions of security need to be taken into consideration on a global scale. Key challenges for a policy framework include:

  • Education: Each citizen must be able to determine the releasability of their data for use by governments, business and other institutions. They must understand the potential impacts (positive and negative) of sharing their information. By educating citizens about the balance between sharing and privacy, both the interests of the individual and of society can be advanced.
  • Trust and Anonymisation: Private information, such as citizen health records, can be anonymised (via redaction and/or aggregation) when shared as public health research data sources. The techniques for anonymisation and encryption, however, have been broken, undermining earlier policy positions and assurances given by public officials. This seriously erodes the trust between institutions and citizens. Clearly, research and development in new architectures and technologies to enforce anonymisation and encryption of data are critical.
  • Infrastructure and Standardisation: A key area requiring international collaboration and engagement is standardisation. The ability to achieve a balance between privacy and sharing will require standards in data formats, cryptographic controls and automated policy enforcement. The sheer volume and velocity of data will require automated systems for adjudication of sharing across data system, member state and institutional boundaries.
  • Policy: Technology is outpacing society in this area. Current policy and the law that follows from it must be actionable: they must address actual systems and processes rather than principles. A balance of privacy and sharing is in the interest of society and the individual citizen. A new political process might be necessary to bring policy and technology back into step as we move from net-centric to cloud-centric architectures, in which physical boundaries are impossible to enforce on the web as data moves around the globe at digital speeds.

ISC and Data Protection

In the context of a staff briefing organised by ISC in US Congress in June 2012, Sean Kelly MEP discussed EU data protection with the Obama Administration.

Sean Kelly MEP, as co-author of the European Parliament's Data Protection report, has met with the US General Counsel of the Commerce Department, Cameron Kerry, on the increasingly important issue of online privacy.

General Counsel Kerry, who was nominated to the post by President Barack Obama, and is also the brother of former US Presidential candidate John Kerry, met with Kelly at the Department of Commerce.

More information (http://www.siliconrepublic.com/enterprise/item/27613-irish-mep-to-discuss-eu-dat

ISC has been active on media and policy-maker engagement to raise awareness on the implications of the General Data Protection Regulation for health and science research.

On 28 January 2015, ISC and BBMRI-ERIC, one of the largest health research infrastructures in Europe, organised a roundtable on data protection entitled ‘Data Protection for Health: Enabling Research for Health’. It aimed to address options for striking a balance between the protection of personal data and the facilitation of scientific research, which leads to advances and innovations in our data-driven knowledge and economy. The views of medical researchers and patients on the impact of the data protection Regulation on scientific research were shared with other stakeholders, including Commission officials.

More information (http://www.iscintelligence.com/event.php?id=255)

On 22 April 2015, ISC and BBMRI-ERIC will coordinate a day of action around the General Data Protection Regulation entitled ‘Data for Health and Science’. A host of research organisations, patient organisations and academics will engage with EU policy-makers on the General Data Protection Regulation to explain how scientific research can be best supported by the proposed legislation to achieve innovation and discoveries and, in the case of health, how research and healthcare can be enabled to ensure optimal treatments and medicines for patients. This will include a seminar and a series of meetings between the participating organisations and EU policy-makers.

More information on the Day of Action (http://www.iscintelligence.com/event.php?id=261) and the seminar (http://www.iscintelligence.com/event.php?id=262).