www.privacyconference2009.org
INTERNATIONAL STANDARDS
on data protection & privacy
Artemi Rallo Lombarte
Director
Agencia Española de Protección de Datos
State of Play
There are different regional approaches to privacy and data protection all around the world:
  Directive 95/46/EC
  OECD Guidelines on the Protection of Privacy
  APEC Privacy Framework
  Convention 108 of the Council of Europe…
It entails:
  Less protection for individuals
  More complexity for business
International Standards
The 30th International Conference of Data Protection and Privacy Commissioners unanimously adopted a draft resolution proposed by Switzerland and Spain that…
  supports the efforts of the Council of Europe, and the action taken within OECD, APEC...;
  mandates “the establishment of a working group (…), to draft and submit to its closed session a Joint Proposal for setting international standards on privacy and personal data protection”.
Criteria to be followed
The adopted resolution also set the main criteria for the drafting process:
  To elaborate a set of principles and rights aimed at achieving the maximum degree of international acceptance, while ensuring a high level of protection.
  To formulate the essential guarantees for better international transfers of data.
  To examine the role of self-regulation.
  To obtain the broadest institutional and social consensus.
First step: Barcelona meeting
Launched the drafting process
  Academics: Prof. Poullet, Benyekhlef, Cottier, Korff…
  DPAs: CA, CH, CZ, DE, ES, FR, IE, NL, PT, SI, UK + EDPS
  Industry: Accenture, Google, Intel, ISO, Oracle…
  International Organizations: CoE, OECD, EU
  NGOs: EDRi, FPF, Privacy International…
  Professional associations: EPON, IAPP
  Public bodies: FTC, DHS
Set up the major guidelines of the Joint Proposal and the working methodology
1st Draft Version
The first version was structured in 6 parts:
  General provisions (purpose, definitions, scope)
  Basic principles
  Legitimacy for processing
  Rights of the data subject
  Security
  Compliance and monitoring
1st Draft Version
We have received reactions:
DPAs
  America: CA, MX, UY
  Asia: HK
  Europe: CH, CY, CZ, DE, ES, HR, IE, IT, PT + EDPS + EU
  Oceania: AU, NZ
Industry
  Accenture, Atradius, Bird & Bird, CIPP, Écija, FFW, Garrigues, HP-EDS, Hunton & Williams, Microsoft, Procter & Gamble…
Academics, Judges, NGOs…
2nd Draft Version
We have just sent a new draft version to the members of the Working Group.
We look forward to receiving all your remarks so that they can be included in the third draft version, which will be discussed on 11 June in Bilbao.
The final draft should result from this meeting.
Some Main Innovations
To clarify the role of the Document… as a way of facilitating international data flows
To review the controller/processor notions
  The “responsible person” decides on the existence of the processing.
To consider the definition of filing system… an obsolete concept?
To reduce bureaucratic requirements… that in practice do not improve data protection
Some Main Innovations
To set an accountability principle… that imposes duties on the responsible person
To adapt the concept of sensitive data… because every country has a different culture
To promote international data transfers… if the recipient offers a similar level of protection to that provided by the International Standards
To inform individuals of security breaches… when they could be seriously impaired
Some Main Innovations
To broaden the Supervisory Authority idea… that, for instance, may be an arbitration institution or a consumer authority.
To enhance international co-operation… among supervisory authorities, including coordinated enforcement actions.
To encourage proactive measures… as a way of reducing liability in case of infraction
To analyze the relevant law… in the Internet age.
31st Privacy Conference
The final draft proposal will be submitted to the 31st Privacy Conference, which is being organized by the Agencia.
If approved, the next step has to be defined: towards a binding instrument?