EU Personal Data Protection in Policy and Practice [1st ed.] 978-94-6265-281-1, 978-94-6265-282-8

Table of contents :
Front Matter ....Pages i-xix
Introduction (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 1-16
The Netherlands (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 17-47
Germany (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 49-71
Sweden (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 73-89
United Kingdom (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 91-114
Ireland (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 115-136
France (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 137-151
Romania (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 153-174
Italy (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 175-193
Conclusions (Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, Simone van der Hof)....Pages 195-233
Back Matter ....Pages 235-249

Citation preview

Information Technology and Law Series

IT&LAW 29

EU Personal Data Protection in Policy and Practice Bart Custers Alan M. Sears Francien Dechesne Ilina Georgieva Tommaso Tani Simone van der Hof Foreword by Kenneth A. Bamberger and Deirdre K. Mulligan

Information Technology and Law Series Volume 29

Editor-in-chief Simone van der Hof, eLaw (Center for Law and Digital Technologies), Leiden University, Leiden, The Netherlands Series editors Bibi van den Berg, Institute for Security and Global Affairs (ISGA), Leiden University, The Hague, The Netherlands Gloria González Fuster, Law, Science, Technology & Society Studies (LSTS), Vrije Universiteit Brussel (VUB), Brussels, Belgium Eleni Kosta, Tilburg Institute for Law, Technology and Society (TILT), Tilburg University, Tilburg, The Netherlands Eva Lievens, Faculty of Law, Law & Technology, Ghent University, Ghent, Belgium Bendert Zevenbergen, Center for Information Technology Policy, Princeton University, Princeton, USA

More information about this series at http://www.springer.com/series/8857

Bart Custers Alan M. Sears Francien Dechesne Ilina Georgieva Tommaso Tani Simone van der Hof •

•

•

EU Personal Data Protection in Policy and Practice

123

Bart Custers Leiden Law School, eLaw (Center for Law and Digital Technologies) Leiden University Leiden, The Netherlands

Ilina Georgieva Leiden Law School, eLaw (Center for Law and Digital Technologies) Leiden University Leiden, The Netherlands

Alan M. Sears Leiden Law School, eLaw (Center for Law and Digital Technologies) Leiden University Leiden, The Netherlands

Tommaso Tani Leiden Law School, eLaw (Center for Law and Digital Technologies) Leiden University Leiden, The Netherlands

Francien Dechesne Leiden Law School, eLaw (Center for Law and Digital Technologies) Leiden University Leiden, The Netherlands

Simone van der Hof Leiden Law School, eLaw (Center for Law and Digital Technologies) Leiden University Leiden, The Netherlands

ISSN 1570-2782 ISSN 2215-1966 (electronic) Information Technology and Law Series ISBN 978-94-6265-281-1 ISBN 978-94-6265-282-8 (eBook) https://doi.org/10.1007/978-94-6265-282-8 Library of Congress Control Number: 2018962778 Published by T.M.C. ASSER PRESS, The Hague, The Netherlands www.asserpress.nl Produced and distributed for T.M.C. ASSER PRESS by Springer-Verlag Berlin Heidelberg Parts of this book are translations of Dutch-language texts in the report De bescherming van persoonsgegevens - Acht Europese landen vergeleken, published by Sdu Uitgevers, The Hague, The Netherlands, ISBN 9789012400862, 2017. © T.M.C. ASSER PRESS and the authors 2019 No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, microfilming, recording or otherwise, without written permission from the Publisher, with the exception of any material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. This T.M.C. ASSER PRESS imprint is published by the registered company Springer-Verlag GmbH, DE part of Springer Nature The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany

Series Information The Information Technology & Law Series was an initiative of ITeR, the national programme for Information Technology and Law, which was a research programme set-up by the Dutch government and The Netherlands Organisation for Scientific Research (NWO) in The Hague. Since 1995 ITeR has published all of its research results in its own book series. In 2002 ITeR launched the present internationally orientated and English language Information Technology & Law Series. This well-established series deals with the implications of information technology for legal systems and institutions. Manuscripts and related correspondence can be sent to the Series’ Editorial Office, which will also gladly provide more information concerning editorial standards and procedures.

Editorial Office T.M.C. Asser Press P.O. Box 30461 2500 GL The Hague The Netherlands Tel.: +31-70-3420310 e-mail: [email protected] Simone van der Hof, Editor-in-Chief Leiden University, eLaw (Center for Law and Digital Technologies) The Netherlands Bibi van den Berg Leiden University, Institute for Security and Global Affairs (ISGA) The Netherlands Gloria González Fuster Vrije Universiteit Brussel (VUB), Law, Science, Technology & Society Studies (LSTS) Belgium Eleni Kosta Tilburg University, Tilburg Institute for Law, Technology and Society (TILT) The Netherlands Eva Lievens Ghent University, Faculty of Law, Law & Technology Belgium Bendert Zevenbergen Princeton University, Center for Information Technology Policy USA

Foreword

When we wrote Privacy on the Ground several years ago, we did so with the aim of painting a picture of how people charged with protecting privacy and personal data actually do their work and what kinds of regulation, as well as other internal and external forces, effectively shape their behaviour. We compared five countries and discovered that countries with more ambiguous legislation—Germany and the USA—had the strongest privacy management practices, despite very different cultural and legal environments. They embedded privacy into business and risk management practices and built privacy into products, not just into legal texts. The more rule-bound countries—like France and Spain—trended instead towards compliance processes, not embedded privacy practices. Comparing privacy and personal data protection in practice thus revealed best practices, provided guidance to policymakers, and offered important lessons for everyone concerned with privacy and personal data protection. In many ways, EU Personal Data Protection in Policy and Practice is a continuation of our work, as it examines the practical implementation of privacy and data protection practices on the ground. While the countries analysed differ from those that we examined, the findings in this book confirm our previous results regarding the overlapping countries (the UK, Germany and France). Additionally, this book examines several additional countries in Europe such as Ireland, Sweden, Romania, Italy and the Netherlands, enriching our previous results with insights from more countries. Altogether, this provides an interesting cross section of countries from several regions in Europe with differing legal systems, economies and cultural backgrounds, resulting in different approaches towards privacy and personal data protection. EU Personal Data Protection in Policy and Practice is based on a myriad of sources, including consultations with representatives from data protection authorities, civil society and academics that specialize in data protection. Not only are the legal bases for privacy and personal data protection examined in this book, but also the practical implementation of the laws, the enforcement by data protection authorities, the attitudes of the public in response to regulation and the effectiveness of the protection the legislators envisioned. While the approach is distinct from the vii

viii

Foreword

in-depth qualitative approach we chose, the combined methods used provide a comprehensive overview of data protection frameworks across the European Union. This book provides an interesting snapshot of these privacy and personal data protection frameworks and their practical implementation under the EU Data Protection Directive (DPD), with references to the EU General Data Protection Regulation (GDPR), which entered into force in May 2018. As such, EU Personal Data Protection in Policy and Practice is a vital resource and an interesting point of comparison for further research and study into the development and implementation of data protection laws and regulations on the ground under the GDPR, especially in Europe, as well as further abroad. Berkeley, USA

Kenneth A. Bamberger Berkeley Center for Law and Technology University of California, Berkeley Deirdre K. Mulligan Berkeley Center for Law and Technology University of California, Berkeley

Contents

1

Introduction . . . . . . . . . . . . . . . . . . 1.1 Scope and Context . . . . . . . . . 1.2 Research Questions . . . . . . . . . 1.3 Research Approach . . . . . . . . . 1.3.1 Conceptual Approach . 1.3.2 Aspects to Compare . . 1.3.3 Countries to Compare . 1.3.4 Methodology . . . . . . . 1.4 Structure of This Book . . . . . . References . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

1 1 5 7 8 8 9 12 14 15

2

The Netherlands . . . . . . . . . . . . . . . . . . . . . . 2.1 General Situation . . . . . . . . . . . . . . . . . 2.2 National Government Policies . . . . . . . . 2.3 Laws and Regulations . . . . . . . . . . . . . . 2.4 Implementation . . . . . . . . . . . . . . . . . . . 2.5 Regulatory Authorities and Enforcement References . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

17 17 28 32 37 41 45

3

Germany . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 General Situation . . . . . . . . . . . . . . . . . 3.2 National Government Policies . . . . . . . . 3.3 Laws and Regulations . . . . . . . . . . . . . . 3.4 Implementation . . . . . . . . . . . . . . . . . . . 3.5 Regulatory Authorities and Enforcement References . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

49 49 58 61 63 67 70

4

Sweden . . . . . . . . . . . . . . . . . . . . . 4.1 General Situation . . . . . . . . . 4.2 National Government Policies 4.3 Laws and Regulations . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

73 73 80 82

. . . .

. . . . . . . . . .

. . . .

. . . . . . . . . .

. . . .

. . . . . . . . . .

. . . .

. . . . . . . . . .

. . . .

. . . . . . . . . .

. . . .

. . . . . . . . . .

. . . .

. . . .

ix

x

Contents

4.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5 Regulatory Authorities and Enforcement . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

84 86 89

5

United Kingdom . . . . . . . . . . . . . . . . . . . . . . 5.1 General Situation . . . . . . . . . . . . . . . . . 5.2 National Government Policies . . . . . . . . 5.3 Laws and Regulations . . . . . . . . . . . . . . 5.4 Implementation . . . . . . . . . . . . . . . . . . . 5.5 Regulatory Authorities and Enforcement References . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

91 91 99 102 105 109 113

6

Ireland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1 General Situation . . . . . . . . . . . . . . . . . 6.2 National Government Policies . . . . . . . . 6.3 Laws and Regulations . . . . . . . . . . . . . . 6.4 Implementation . . . . . . . . . . . . . . . . . . . 6.5 Regulatory Authorities and Enforcement References . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

115 115 122 124 128 130 134

7

France . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1 General Situation . . . . . . . . . . . . . . . . . 7.2 National Government Policies . . . . . . . . 7.3 Laws and Regulations . . . . . . . . . . . . . . 7.4 Implementation . . . . . . . . . . . . . . . . . . . 7.5 Regulatory Authorities and Enforcement References . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

137 137 143 145 146 148 151

8

Romania . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1 General Situation . . . . . . . . . . . . . . . . . 8.2 National Government Policies . . . . . . . . 8.3 Laws and Regulations . . . . . . . . . . . . . . 8.4 Implementation . . . . . . . . . . . . . . . . . . . 8.5 Regulatory Authorities and Enforcement References . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

153 153 160 163 166 169 173

9

Italy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.1 General Situation . . . . . . . . . . . . . . . . . 9.2 National Government Policies . . . . . . . . 9.3 Laws and Regulations . . . . . . . . . . . . . . 9.4 Implementation . . . . . . . . . . . . . . . . . . . 9.5 Regulatory Authorities and Enforcement References . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

175 175 182 184 187 189 192

Contents

10 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.1 Comparing Countries . . . . . . . . . . . . . . . . . . . . 10.1.1 General Situation . . . . . . . . . . . . . . . . . 10.1.2 National Government Policies . . . . . . . . 10.1.3 Laws and Regulations . . . . . . . . . . . . . . 10.1.4 Implementation . . . . . . . . . . . . . . . . . . 10.1.5 Regulatory Authorities and Enforcement 10.2 Ranking the Results . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

xi

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

195 195 195 210 215 221 225 230 231

Appendix A: Questionnaire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Appendix B: Consulted Experts and Organizations . . . . . . . . . . . . . . . . . 239 Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

About the Authors

Bart Custers holds Ph.D., M.Sc., LLM and is Associate Professor and Director of Research at eLaw, Center for Law and Digital Technologies at Leiden University. He has a background in both law and physics and is an expert in the area of law and digital technologies, including topics like profiling, big data, privacy, discrimination, cybercrime, technology in policing and artificial intelligence. He is a seasoned researcher and project manager who acquired and executed research for the European Commission, NWO (the National Research Council in the Netherlands), the Dutch national government, local government agencies, large corporations and SMEs. Until 2016, he was the head of the research department on crime, law enforcement and sanctions of the scientific research centre (WODC) of the ministry of security and justice in the Netherlands. Before that, he worked for the national government as a senior policy advisor for consecutive ministers of justice (2009– 2013) and for a large consultancy firm as a senior management consultant on information strategies (2005–2009). Dr. Custers published three books on profiling, privacy, discrimination and big data, two books on the use of drones and one book on the use of bitcoins for money laundering cybercrime profits. On a regular basis, he gives lectures on profiling, privacy and big data and related topics. He has presented his work at international conferences in the USA, Canada, China, Japan, Korea, Malaysia, Thailand, Africa, the Middle East and throughout Europe. He has published his work, over a hundred publications, in scientific and professional journals and in newspapers. Alan M. Sears is a Researcher at Leiden University’s eLaw Centre for Law and Digital Technologies, where he conducts research as part of a team within the EU-funded e-SIDES Project, which sets out to explore the ethical, social and legal challenges surrounding privacy-preserving big data technologies. His research interests include freedom of expression and privacy/data protection online, and he has also researched issues ranging from Internet governance to intermediary liability and telecommunications regulations (particularly net neutrality and zero rating). Alan has worked as a researcher with Article 19 Mexico and Central America and with Derechos Digitales in Chile, as a law clerk and researcher for Justice xiii

xiv

About the Authors

Madlanga of the Constitutional Court of South Africa and as a Google Policy Fellowship with Fundación para la Libertad de Prensa (FLIP) in Colombia. He received a B.A. in Psychology and Business Administration from Baylor University, a J.D. from the University of Notre Dame and an LLM in Law and Digital Technologies from Leiden University. Dr. Francien Dechesne works as a Researcher at Leiden University Law School’s Center for Law and Digital Technologies (eLaw), the Netherlands. She investigates the interaction between information technology and fundamental values in society. With a background in mathematics, computer science and philosophy, she analyses how values are either effectuated or compromised through the technology and to which extent technological design can play a role in preventing or solving ethical problems. She is particularly interested in cybersecurity, privacy, and fairness and accountability in data analytics. She currently works on the SCALES-project on responsible innovation with data. Ilina Georgieva is a Ph.D. candidate of ‘The Hague Programme for Cyber Norms’ at Leiden University’s Institute of Security and Global Affairs (ISGA). In her research, she is focusing on the capacity of networks of intelligence agencies to shape the international community’s perception of what is normal in cyberspace. For that purpose, she investigates the networks’ normative power by looking into their practice of foreign electronic surveillance. Prior to joining ISGA, she served as a researcher on the Sweetie Project and on the European DPC Project at eLaw, the Center for Law and Digital Technologies at Leiden University. Before joining eLaw’s team, she worked as an editor at the Utrecht Journal of International and European Law (October 2013–September 2014). She was also a part of Heidelberg University’s Cluster of Excellence ‘Asia and Europe in a Global Context’ (December 2012–August 2013) and of the Austria Institute for European and Security Policy (summer of 2012) in her capacity as a research assistant. From January 2009 to June 2010, she worked at the Max Planck Institute for Comparative Public Law and International Law in Heidelberg. She also served as a Senior Research Associate and later on as a Counsel for the Public International Law and Policy Group (PILPG) from September 2014 to October 2016. Tommaso Tani is an Italian legal expert on IT and data protection. After studying computer engineering, he completed his law studies in Alma Mater Studiorum University of Bologna in 2015 with a thesis on Media and the Right to be Forgotten. After two years of litigation practice in a local law firm, he joined the Advanced Master in Law and Digital Technologies in Leiden University and graduated with a thesis about ‘Legal Responsibility for False News’, which has been presented at the Southwestern Law School in California and is being published on the Journal of International Media & Entertainment Law. He is now working as Privacy Counsel for Europe in a multinational IT corporation.

About the Authors

xv

Simone van der Hof is the Director of the Center for Law and Digital Technologies (eLaw) at Leiden Law School, programme director of the Advanced Studies Programme in Law and Digital Technologies and one of the directors of the Leiden Law School research profile area interaction between legal systems. She coordinates and teaches various courses, amongst which ‘Regulating Online Child Safety’ (Master Youth Law), ‘Digital Child Rights’ and ‘Digital Government’ (both Advanced Master Law and Digital Technologies), ‘The Rights of the Child in the Digital World’ (Advanced Master International Children’s Rights). She is a key lecturer at the Cyber Security Academy. Simone’s particular academic interest is in the field of privacy and data protection, children’s rights in the digital world and the regulation of online child safety. She was involved in the Sweetie 2.0 project on online webcam child sex abuse, commissioned by children’s rights organization Terre des Hommes as well as a project on the levels of protection of personal data of European citizens commissioned by WODC (Research and Documentation Centre of the Ministry of Justice and Security). She participates in the SCALES project (big data and privacy) and leads the ethics by design work package of the Game Changers Project on the development of health games for children. Simone is part of the EU Kids Online III Dutch research team and the deputy chair of the NICAM complaints committee dealing with complaints on age classification for television and movies (‘De Kijkwijzer’). She is a member of the Leiden Center for Data Science and the Advisory Board of the SIDN fund for innovative internet projects as well as the European Law and Technology Network. Moreover, she is the chair of the editorial board of the T.M.C. Asser Press IT & Law Series.

Summary

As of May 2018, the protection of personal data in the European Union (EU) is regulated by the General Data Protection Regulation (GDPR, Regulation 2016/679). Prior to that, the EU legal framework was already harmonized via the EU Data Protection Directive (DPD, Directive 95/46/EC). The legal framework determines the rights and obligations of persons whose data are collected and processed (data subjects) and for companies and governments that collect and process these personal data (data controllers and processors). The GDPR, just like its predecessor the DPD, contains many open norms. This offers room for different approaches towards the interpretation, implementation and enforcement of the legal framework. Hence, despite a strongly harmonized legal framework across the EU, much of the actual protection of personal data strongly depends on the policies and practices of individual EU member states. Under the DPD, the differences in personal data protection policies and practices were mostly due to the legal implementation of the data protection framework. However, some differences were (and still are under the GDPR) due to additional sector-specific legislation and policies. Additionally, the open norms in legislation and the cultural differences in EU member states have resulted in different practices and policies across EU member states. These differences in the actual protection of personal data raise the question as to which country has the best policies and practices for protecting personal data, which is an important aspect of the protection of privacy in modern times. This book presents a study in which personal data protection policies and practices across the EU are compared with each other. A selection of eight different EU member states is used to compare not only ‘laws on the books’, but also ‘laws in practice’. This study is based on material from a previous study, in which the level of personal data protection in the Netherlands was determined. This book presents a much wider range of materials, now for the first time accessible for an international audience, in which the Netherlands is not the central focus point, but rather the relative positions of various European countries are compared. The research results show areas for improvement in the protection of personal data,

xvii

xviii

Summary

particularly data protection policies and practices, for individual EU member states. The central research question of this study is: What is the position of different countries with regard to the protection of personal data in comparison with other EU member states? This question was addressed by comparing different EU member states on the following topics: (1) the general situation regarding personal data protection, (2) the national government’s policies regarding personal data protection, (3) national laws and regulations regarding personal data protection, (4) the practical implementation of legislation and policies and (5) the organization of supervisory authorities and actual enforcement. These topics were further divided into a total of 23 aspects of comparison. For the general situation, these aspects are internet use, control, awareness, trust, protective actions, national politics, media attention, data breaches and civil rights organizations. For national government policies, these are national policies and Privacy Impact Assessments, privacy and data protection in new policies, societal debate and information campaigns. For laws and regulations, these are implementation of the EU directive, sectoral legislation, self-regulation and codes of conduct. For implementation, these are privacy officers, security measures and transparency. For regulatory authorities and enforcement, these are supervisory authorities, main activities, the use of competences and reputation. All 23 aspects were compared between a total of eight EU member states: The Netherlands, Germany, Sweden, the UK, Ireland, France, Romania and Italy. The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are front runners and which countries are lagging behind in specific aspects. With the group of countries compared in this research, Germany is front runner in most aspects, and Italy and Romania are at the other end of the spectrum for many aspects. Most of the other countries perform around or above average, depending on the particular aspect that is considered. For instance, the Netherlands is a leader regarding data breach notification laws and Privacy Impact Assessments. Ireland has recently become the front runner regarding the budgets for its data protection authority (DPA) and the number of employees serving at the DPA. At the same time, the Irish people are the least aware of the use of personal information by website owners. In Ireland and Romania, there is hardly any political debate on privacy and data protection issues. The political debate in Sweden may not be the fiercest, but it could be characterized as perhaps the broadest, in the sense that economic aspects, societal aspects and human rights aspects all play a role in the Swedish political debate, whereas only one of these aspects is focused on in most of the other countries. In terms of media attention for privacy and data protection issues, Sweden and Italy have lower levels of media attention and Romania very little media attention, but other countries show high levels of media attention. Civil rights organizations are more professional, better equipped, and more influential in the UK and Germany and, to a lesser extent, in France. However, in countries like Sweden and Romania, civil rights organizations have limited budgets

Summary

xix

and influence. For instance, the Swedish organization DFRI mainly operates on the basis of volunteers. Privacy Impact Assessments (PIAs) were not mandatory in most countries prior to the GDPR. An exception, to some extent, is France, where a legal obligation for data controllers to map the risks of processing personal data already existed. However, PIAs are not mandatory for new legislation or regulation in France. In the Netherlands, the situation is more or less the opposite: data controllers were not under any obligation to perform PIAs prior to the GDPR, but the national government has the duty to perform PIAs for legislative proposals that involve the processing of personal data (which is not required in the GDPR). In other countries, like the UK and Italy, the data protection authorities have issued guidelines for executing PIAs. In some countries, like the UK and France, models and standards for PIAs are available, and guidance is offered by the DPAs. Differences in the implementation of the Data Protection Directive into national legislation are very small in the countries investigated: although EU member states are allowed to implement more provisions than those mentioned in the EU Data Protection Directive, only a few countries implemented such additional provisions for further protection. Typical examples are breach notification laws in the Netherlands, data protection audits in Germany, privacy by design methods in the UK and special provisions for healthcare data and children in France. Many countries introduced additional, more specific sectoral legislation in many areas, however. Germany has by far the largest number of privacy officers and is the only country in which a legal obligation exists in particular situations to appoint a privacy officer. Romania has virtually no privacy officers. Since privacy officers were not mandatory in most countries prior to the GDPR, there are no data available to compare. Moreover, transparency on personal data processing practices is low in all countries investigated. The resources of the DPAs are comparable in many of the countries investigated, but the DPAs in Germany and Ireland have relatively (i.e. in comparison with their GDP) the largest budgets. Romania has the smallest budget. Most of the DPAs manage to get comparable amounts of employees for their budgets. Only Romania and the UK manage to employ considerably more employees within the available budgets. In Italy, the number of employees of the DPA is relatively low in comparison with the DPA’s budget. In comparison with the number of people in each country, Ireland and Germany have the most employees serving in their DPAs. The research results presented in this book offer many opportunities for policymakers, legislators, data controllers and data protection authorities throughout Europe and abroad to learn from experiences, practices and choices made in other countries. It shows that although the protection of personal data largely was harmonized within the EU by Directive 95/46/EC, many differences existed in the actual protection of personal data. Even though the protection of personal data is further harmonized by the General Data Protection Regulation (GDPR) since 2018, it may be expected that differences in national laws and practices will continue to exist. Hence, we believe this research should be replicated after the GDPR has been in force for a few years.

Chapter 1

Introduction

1.1

Scope and Context

Increasing numbers of people are concerned about their privacy. This is a worldwide trend, which may be due to increased numbers of people who are active on social media and technological developments that enable or even force people to perform more and more actions and transactions online. People indicate that they have limited knowledge about who is processing their personal data and for which purposes.1 Also, people experience limited control over their personal data.2 Since technological developments take place on an international level rather than on a national level, the European Commission adopted the General Data Protection Regulation (GDPR),3 which is in force as of May 2018. This regulation replaced the 1995 Data Protection Directive (DPD)4 that already harmonized the protection of personal data in the European Union. In comparison with the DPD, the GDPR is directly binding on all EU residents, companies, and (most) government agencies. It also contains several new elements for data subjects (such as a right to data portability and the right to be forgotten) and new obligations for data controllers (such as data breach notifications, mandatory data protection officers, Data 1 Only two out of 10 EU citizens indicate that they are informed on which personal data is collected about them and what happens with these data. Eurobarometer 431 2015, p. 81. 2 Only 15% of EU citizens indicate that they have full control over the personal data they put online. At the same time, 31% indicate that they have no control whatsoever. Some control is experienced by 50%. Two out of three EU citizens indicate that they are concerned about this lack of control over their personal data. Eurobarometer 431 2015, pp. 9, 12. 3 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 4 DIRECTIVE (EU) 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_1

1

2

1

Introduction

Protection Impact Assessments and Data Protection by Design). Another very important aspect of the GDPR is the possibility for supervisory authorities to impose administrative fines in the case of non-compliance. These fines can be considerable, to a maximum of 10 or 20 million euros (depending on the type of violation) or, in the case of a company, up to 2 or 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher.5 This obviously raises concerns for organizations about whether they are completely compliant with the GDPR. The introduction of the GDPR clearly is an attempt to reinforce data subject rights. Stronger data subject rights, it is hoped, will increase levels of control over their personal data (or at least perceived levels of control), which in turn may increase trust in the data economy. At the same time, by increasing the harmonization of data protection law within the EU, the GDPR aims to further facilitate the transfers of personal data within the EU, which also is an attempt to advance the data economy.6 It is clear that in most areas of society legislation sets the level of protection that residents actually have. In the area of privacy and data protection, the GDPR sets the levels of protection for EU residents. The GDPR predominantly determines the legal framework for rights and obligations of persons whose data are collected and processed (data subjects) and for companies and governments that collect and process these personal data (data controllers). The actual protection, however, does not only depend on the legal framework, but also on the actual implementation and interpretation of the legislation and the ways in which it is enforced by courts and Data Protection Authorities (DPAs). As many scholars already have pointed out, there are many forces beyond the law that affect human behavior. For instance, IT law professor Lawrence Lessig distinguishes four different modalities of regulation.7 Besides the law, he identifies norms, the market and architecture as regulating modalities. An action may be legal, but nevertheless considered unethical or impolite (such as smoking, adultery or stigmatization). In the case of personal data, which represent monetary value,8 data controllers may have many business and market related incentives to collect and process data in particular ways. Architecture, including the design of online environments, enables or disables particular behavior (such as obligations to complete a form before you can continue on a website or to accept all terms and conditions before being able to register an account). Obviously, the law must to be complied with, but within the confines of the legal framework, the other regulating modalities clearly influence the practical ways in which personal data are collected and processed. The legislation on privacy and the protection of personal data contains many open norms that need further translation and elaboration into workable,

5 6 7 8

General Data Protection Regulation, Article 83(4) and (5). Custers and Bachlechner 2018. Lessig 2006. Malgieri and Custers 2017. See also Prins 2004; Purtova 2015.

1.1 Scope and Context

3

sector-specific, and context-specific rules and practices. A typical advantage of this approach is that the legislation is more technology neutral, depending less on how and when technology further evolves. Another advantage of these open norms is that each case or situation – for instance, in specific sectors of society – can be judged on a case-by-case basis, allowing for modifications and further interpretation where necessary. As such, EU member states are encouraged to view the data protection legislation as a minimum level of protection that is provided, on top of which additional legislation can be created where it is considered necessary. As a result of differences in legal systems and cultures, the legal implementation of the Data Protection Directive varied across EU member states. For the legal implementation of the GDPR, some countries may also choose to draft additional legislation, for instance, for specific sectors of society. Similarly, open norms combined with cultural differences also result in different practical implementations of the protection of personal data in EU member states, such as different interpretations of the legal provisions and different levels of enforcement. Although the GDPR aims to further harmonize law and practice, it may be expected that the differences that existed between countries under the DPD, in both the legal and the practical implementation, will continue to exist under the GDPR. In their groundbreaking book,9 Privacy on the Ground, US law professors Kenneth Bamberger and Deirdre Mulligan compare the different ways in which countries apply the legal rules for the protection of privacy and personal data protection.10 They compare Germany, Spain, France, the United Kingdom and the United States. Even though the legal framework in the EU was substantially harmonized two decades ago, they demonstrate that there is considerable variation on the ground. Their comparison shows that in Spain, privacy and the protection of personal data is mainly regarded as legal text and an administrative burden. In France, protection of personal data was prescribed by the regulator, which led to diminished attention and resources within firms and fostered a compliance only mentality. By contrast, in Germany and the United States activist privacy regulators made firms responsible for determining what privacy protection required driving corporate attention and resources toward the task. In the United Kingdom, privacy was largely viewed as risk management, but the level of resources allocated was below that of the United States and Germany. In Germany and the United States, privacy professionals appeared to have the strongest approach towards privacy management. Particularly in the United States, there is a surprisingly deep chasm between privacy law in the books and privacy practice on the ground. In Germany, the focus is on an ethical and human rights-based approach of privacy and data protection law, whereas in the United States, the focus is on a reputation-based approach. Privacy is progressively becoming a strategic topic for organizations,

9 10

Earlier work includes: Flaherty 1989; Bennett 1992. See also Mulligan and Bamberger 2015.

4

1

Introduction

going beyond merely compliance issues: privacy is increasingly seen as a function of social license and corporate responsibility.11 Although some scholars may disagree,12 it may be argued that the EU legislation for personal data protection (both the DPD and the GDPR) focus on procedural fairness rather than substantive fairness. The entire legal framework is based upon the so-called OECD principles for the fair processing of personal data.13 These principles focus on issues like transparency, data quality, accountability and use and collection limitation. However, they do not address the fairness of the outcome of data analytics, such as profiling, algorithmic decision-making, fake news, nudging, etc. In fact, companies can be entirely compliant with EU data protection law, and still people may perceive interference with their privacy. Also, people feel concerned about their privacy online, but do not act in ways that confirm to these concerns – the so-called privacy paradox.14 Hence, from the perspective of (substantive) fairness, privacy and personal data protection require more than only compliance with legislation.15 For this reason, some scholars are already looking into other areas of law,16 such as consumer law,17 intellectual property law, anti-discrimination law18 and even competition law.19 Many of these areas of law also determine the extent to which personal data is protected, but within the EU they are not all harmonized. The differences in the levels of protection of privacy and personal data raise the question as to which country best protects personal data (which is an important aspect of privacy). This question was also raised in the Dutch parliament. During the debate on the budgets for the Ministry of Justice in the Netherlands in November 2014, two members of parliament submitted a motion in which they requested the government to investigate the position of the Netherlands regarding the protection of privacy in comparison to other EU member states. The question underlying this request was how the Netherlands was doing: is the Netherlands a frontrunner or is it lagging behind? An answer to this question is required for the Dutch parliament to decide whether supplementing measures are required, and if so, which measures should be adopted. As a result of these parliamentary proceedings, the Minister of Justice assigned the WODC, the research center of the Ministry of Justice to investigate the position of the Netherlands among other EU member states in the area of personal data protection. To limit the scope of this research, the focus was constrained to the

11 12 13 14 15 16 17 18 19

Mulligan and Bamberger 2015. See also Cannataci 2016; Vedder and Custers 2009. Clifford and Ausloos 2017. See https://www.oecd.org/sti/ieconomy/49710223.pdf. Norberg et al. 2007. Vedder and Custers 2009. For an overview, see Ursic and Custers 2016. Helberger et al. 2017. Custers et al. 2013. Stucke and Ezrachi 2015.

1.1 Scope and Context

5

protection of personal data as opposed to (the right to) privacy in a broad sense.20 To ensure an objective comparison, the WODC split the research into two parts. In the first part, aspects for the envisioned comparison and a possible selection of countries for the comparison were mapped. This part was performed by TNO (the Netherlands Organization for Applied Scientific research – an independent research organization in the Netherlands that focuses on applied science) and published in 2015.21 This report provided the guidance for the scope and design of the second part. This subsequent part concerned the actual comparison of eight countries on the aspects proposed by TNO, with the aim of positioning the Netherlands in relation to other countries. For the second part of the research, the WODC commissioned eLaw, the Center for Law and Digital Technologies at Leiden University. The results of the second part were published in 2017 (in Dutch).22 The main results were also published in a journal paper so that an international audience could have access to the research results of the project.23 After witnessing great international demand for more detailed research results, we decided to publish them in this book. However, this book is not a mere translation of the Dutch report, providing access to the research results for an international audience. The major difference is that the Dutch report puts the Netherlands in a central position, whereas in this book, we provide an international comparative approach, in which there is not a specific country as a central point of comparison, but rather show the interrelated positioning of all countries investigated. Another difference is that the Dutch report focused on an audience of legal professionals and policymakers, whereas this book also addresses an academic audience.

1.2

Research Questions

The differences in the extent to which personal data are protected raise the question as to which country best protects personal data (which is an important aspect of privacy). In this research, the personal data protection frameworks of eight different EU member states are compared.24 This comparison shows the position of these different countries in relation to each other. Based on this research, areas for improvement concerning the protection of personal data can be identified in the event that a particular country provides less protection in comparison to other EU member states. The central research question of this study is:

20

In other words, the focus is on informational privacy, rather than on spatial, relational, or physical privacy. 21 Roosendaal et al. 2015. 22 Custers et al. 2017. 23 Custers et al. 2018. 24 For the full report, see Custers et al. 2017.

6

1

Introduction

What is the position of different countries with regard to the protection of personal data in comparison with other EU member states? In order to be able to answer this question, the scope of this research needs to be limited and several choices need to be made. First, the protection of privacy, as indicated in the previous section, focuses on the protection of personal data (i.e., informational privacy). Second, some choices need to be made regarding the topics and aspects that will be compared. Third, choices need to be made in regards to the countries that will be included in the comparison. For these choices, the abovementioned TNO research was used for guidance.25 In that research, a framework was provided for the relevant topics to use in the comparison. To ensure a comprehensive qualitative comparison, it was suggested to include several cultural aspects as well as topics or aspects that the government cannot directly or indirectly influence, but that are nevertheless important to provide a deeper understanding of the protection of personal data and privacy in a particular country. The topics used in the comparison are (1) general situation regarding the protection of personal data, with a focus on awareness and trust, (2) government policies for personal data protection, (3) applicable laws and regulations, (4) implementation of those laws and regulations, and, (5) supervision and enforcement. The suggested framework leads to the following subquestions that need to be answered for each country examined: 1. What is the general situation regarding personal data? This question leads to a description of how the protection of personal data is addressed, what role national politics have, what media attention exists for this topic, whether there are major incidents, and what role civil rights organizations play. 2. What are the national government’s policies regarding personal data protection? This question concerns both policies that focus on the government itself and policies that focus on residents, and private companies and organizations. Both existing policies and policy development are taken into consideration. Furthermore, the role of the government in social debate is investigated and the extent to which the government provides information and raises awareness. 3. What are the national laws and regulations regarding personal data protection? On the basis of the 1995 EU Data Protection Directive, legislation throughout the EU was harmonized. The GDPR further harmonizes the protection of personal data.26 This question maps the national laws and regulations that

25

Roosendaal et al. 2015. Note that the GPDR revokes the DPD, but not the national legislation that implements the DPD. It is for each member state to decide whether such national legislation will be revoked or amended. In case the national legislation is not revoked or amended, it may serve as an addition to the GDPR provisions. In case of conflicting provisions, the GDPR obviously prevails over national legislation. 26

1.2 Research Questions

7

implemented the DPD and further details the legislation on lower echelons, such as sectoral legislation and self-regulation. 4. How are legislation and policies implemented in practice? This question focuses on the implementation of legislation and policies within organizations.27 Here, it is investigated to what extent self-regulation and codes of conduct are used, whether there are privacy officers, to what extent organizations have taken technical and organizational measures and to what extent data controllers ensure transparency. 5. How are supervisory authorities organized and how is enforcement carried out? On the basis of EU data protection law, each EU member state is obliged to establish a supervisory authority in the area of personal data protection, the so-called Data Protection Authority (DPA). This question aims to provide an overview of the general characteristics of each DPA, the way in which the DPA positions itself, the extent and nature of enforcement actions and the perceptions that individuals and organisations have of the DPA. These subquestions will be answered for each of the eight countries examined in this research, in Chaps. 2 through 9 of this book, respectively. For more details on how the countries were selected, see Sect. 1.3.2. By answering the questions above for each country, a description is provided of how each country performs with regard to the protection of personal data. Obviously, this is not yet a comparison between countries. However, the answers to these subquestions provide sufficient material to make the comparison described in the central research question. This question, “what is the position of different countries with regard to the protection of personal data in comparison with other EU member states?”, is answered in the final chapter of this book (Chap. 10) by first comparing all countries examined on each aspect, showing which countries are doing well or not so well on each aspect, and then integrating these results, in turn showing which countries are frontrunners and which countries are lagging behind.

1.3

Research Approach

An international comparison requires decisions to be made on which aspects of the protection of personal data to compare as well as which countries to compare. After explaining the conceptual approach of this research (in Sect. 1.3.1), these topics will be discussed below (in Sects. 1.3.2 and 1.3.3).

This is referring to “law in practice” or “law in action” as opposed to “law in the books”. Or, in the words of Mulligan and Bamberger 2015: “privacy on the ground”.

27

8

1

1.3.1

Introduction

Conceptual Approach

This research is primarily qualitative in nature. The eight countries that were selected (see Sect. 1.3.3) are likely to provide a representative overview of the different stances that EU member states may have towards the protection of personal data. However, the number of countries examined in this research and the qualitative nature of the aspects compared allow only limited quantitative analysis of the collected material. The focus of this research is on the protection of personal data (informational privacy), and not on the protection of privacy in a broad sense. Although a considerable number of the research questions have a legal nature, this is not typical legal or legally positivistic research. Rather, the focus is on the question of how the protection of personal data for EU residents is implemented in practice and experienced by them. Previous research has shown that the way people experience privacy does not always match the goals of legislation.28 In this research, no extensive survey was used to investigate citizen perceptions, but previous EU-wide and national surveys performed by others were used (see Sect. 1.3.4). This research does not provide a normative judgment on where a country should be positioned in comparison with other European countries, but it does provide suggestions for how a country could move in a specific direction regarding particular aspects of its data protection framework. This allows policymakers and legislators from different countries to decide for themselves which proposals for new policies or legislation may be appropriate. Since the GDPR harmonizes EU legislation even further than the DPD did, the focus of this research will not primarily be on the GDPR (which is the same for each country), but rather on national legislation, including sector specific legislation, soft law and policies, as well as the practical implementation of legislation (which may differ for each country). Typical examples of sector-specific legislation are found in health law, criminal law, national security law and administrative law. The underlying research of this book was performed from August 2016 until May 2017. During this period, the DPD was still in force, which is now replaced by the GDPR. Since this research does not always focus on the GDPR, this is not problematic, but rather helps to identify the difference between countries.

1.3.2

Aspects to Compare

Based on preparatory research,29 five topics were determined as points of comparison in this research. These topics are: (1) general situation, (2) national government policies, (3) laws and regulations, (4) implementation, and (5) regulatory 28 29

Custers et al. 2014. Roosendaal et al. 2015.

1.3 Research Approach

9

Table 1.1 The 23 aspects that are compared in this research, categorized into 5 topics Topics

Aspects to compare (labels)

1. General situation

Internet use, control, awareness, trust, protective actions, national politics, media attention, data breaches, and civil rights organizations National policies and Privacy Impact Assessments, privacy and data protection in new policies, societal debate, and information campaigns Implementation of the EU directive, sectoral legislation, self-regulation and codes of conduct Privacy officers, security measures, and transparency Supervisory authorities, main activities, the use of competencies, and reputation

2. National government policies 3. Laws and regulations 4. Implementation 5. Regulatory authorities and enforcement [Source The authors]

authorities and enforcement. Using an extensive questionnaire (see Appendix A) several questions were formulated on these five topics. Using desk research and expert consultation (see Sect. 1.3.3), these questions were answered for each country examined. Finally, the collected material was clustered into 23 aspects or labels to compare, see Table 1.1. For the general situation, these are internet use, control, awareness, trust, protective actions, national politics, media attention, data breaches, and civil rights organizations. For national government policies, these are national policies and Privacy Impact Assessments, privacy and data protection in new policies, societal debate, and information campaigns. For laws and regulations, these are implementation of the EU directive, sectoral legislation, self-regulation and codes of conduct. For implementation, these are privacy officers, security measures, and transparency. For regulatory authorities and enforcement, these are supervisory authorities, main activities, the use of competencies, and reputation.

1.3.3

Countries to Compare

The research questions 1 through 5 put forward in the previous section were answered for a total of eight countries. The following countries were analyzed in this comparison: Germany, Sweden, the United Kingdom, Ireland, France, the Netherlands, Romania and Italy (see Fig. 1.1). The countries were selected to ensure a distribution on several selection criteria. These selection criteria are: • Strict versus lenient approaches toward privacy protection • Different approaches to personal data protection (due to cultural dimensions, the legal system, and the monistic/dualistic approach to international law)

10

1

Introduction

Fig. 1.1 Countries selected for comparison: France, Germany, Ireland, Italy, the Netherlands, Romania, Sweden and United Kingdom. [Source The authors]

• Maturity of privacy protection (history, particularly accession to the EU) • Old versus new EU member states • Geographical distribution (North-South and East-West). Table 1.2 shows how the selected countries were rated according to each of these criteria. The countries were rated before research started on the basis of generally available knowledge. During research, a much more detailed picture could be painted of each of the countries examined. The initial determinations appeared to reasonably match the final research results. For a more detailed explanation of the general situation regarding privacy and data protection in each country examined, we refer to the first section of each of the country chapters (Chaps. 2 through 9) of this book. We recognize that with this set of selection criteria, other options would have been possible. For instance, Romania could have been replaced by Bulgaria, or Italy could have been replaced by Spain or Portugal. However, within the criteria listed, we preferred to include countries for which we knew or expected to have good access to available literature (both the existence of documentation and online access

Old (1958)

Old (1958)

West

Old/new member state (year of accession)f

Geographic orientation

High

North

Medium (1995)

West

Medium (1973)

Medium

Dualist

West

Medium (1973)

Medium

Dualist

West

Old (1958)

High

Monist

East

New (2007)

Low

Monist

South

Old (1958)

High

Dualist

[Source The authors] a When assessing a strict or lenient approach towards privacy protection, the privacy index of Privacy International, a non-profit organization in the UK that periodically publishes a country index, together with the Electronic Privacy Information Center (EPIC) in the US, was used. The most recent report of the National Privacy Ranking by Privacy International was from 2007. In this report, the UK is described as an ‘endemic surveillance society’ (worst scoring category for privacy protection). France was described as ‘extensive surveillance society’; Ireland, the Netherlands and Sweden as countries with a ‘systemic failure to uphold privacy safeguards’; and Germany, Romania and Italy as countries with ‘safeguards but weakened protection’. This final category is not the best scoring category for privacy protection, but there are few countries placing higher than this category. Only Greece scored better. See National Privacy Ranking 2007 – European Union and Leading Surveillance Societies (PDF). London: Privacy International. http://observatoriodeseguranca.org/files/ phrcomp_sort.pdf b For this general assessment the theory of organizational psychologist Geert Hofstede was used, who distinguishes a number of cultural dimensions. These dimensions are power distance, individualism versus collectivism, masculinity versus femininity, and uncertainty avoidance. Later, long-term orientation versus short-term orientation and indulgence versus restraint were also added. At http://www.geerthofstede.nl/ the scores for the first four dimensions can be found for each country. In the table, medium or mixed values are not mentioned c The most important distinction between legal systems is that between common law and civil law (continental law). In common law the body of law is mainly derived from case law, whereas in civil law, the body of law is mainly derived from legislation codified by the national government. Civil law has its origins in Roman law and can further be distinguished in Napoleonic, Germanic and Nordic law d In international law, the terms monism and dualism are used to indicate the relation between international and national law. In a monistic approach, international and national law are considered as one legal system in which provisions in international treaties have direct applicability in national law, without further implementation required. In a dualistic approach, international and national law are considered as separate legal systems and provisions in international treaties require implementation in national law before being applicable in national law. For an overview of which countries are monistic or dualistic, see Hoffmeister 2002, p. 209 e Maturity is strongly related to accession to the EU ad well as related laws and regulations in the domain of privacy and personal data protection. Sweden has a high maturity, being the first country that already had a personal data protection act in 1973 (whereas Sweden acceded to the EU relatively late, in 1995) f In 1958 the European Economic Community (EEC, renamed as the European Community, EC, in 1993) was established. In 2009 the EC’s institutions were absorbed into the EU framework. The Netherlands, Germany, France, and Italy were among the founding member states

West

High

High

Maturitye

Dualist

Civil Law (Napo-leonic)

Dualist

Civil Law (Napo-leonic)

Monist

Civil Law (Napo-leonic)

International lawd

Common Law

Civil Law (Ger-manic)

Civil Law (mixed)

Legal systemc Common Law

Medium power distance, individualistic, masculine, risk avoiding

Civil Law (Nordic)

Strict

High power distance, collectivistic, feminine, risk avoiding

High power distance, individualistic, risk avoiding

Low power distance, individualistic, masculine, not risk avoiding

Low power distance, individualistic, masculine, not risk avoiding

Low power distance, individualistic, feminine, not risk avoiding

Low power distance, individualistic, masculine

Low power distance, individualistic, feminine

Italy

Cultural dimensionsb

Romania Strict

France Lenient

Ireland Medium

United Kingdom Lenient

Sweden

Medium

Germany

Strict

Medium

Strict/lenienta

Netherlands

Table 1.2 Overview of the determinations of each selected country made according to the list of selection criteria, on the basis of available information prior to research

1.3 Research Approach 11

12

1

Introduction

to it) and a network of experts. The languages spoken within the research team were also a factor in the decision process. In total, the five topics of personal data protection (see Table 1.1) were mapped for eight European countries. After that, the countries were compared on these topics and the position of each country was determined by a comparison with the other countries.

1.3.4

Methodology

For each country investigated in this research, information was collected on the selected topics and aspects by means of desk research, an extensive questionnaire, and follow-up expert consultations. The methods of data collection and the subsequent additional research and analyses are explained in more detail below. Questionnaire In order to map the situation in each of the eight countries investigated in this research, an extensive questionnaire was used that needed completion for each country. This questionnaire is based upon the results of the preliminary research30 and can be found in Appendix A. Together, the answers to the questions in this questionnaire constitute the ‘pieces of the puzzle’ that enable answering the key question of this research. In total, there are 40 pieces of the puzzle (8 countries with 5 topics each). In order to obtain access to relevant information from the different countries, an extensive network of experts in the domain of personal data protection was needed, as well as a deeper understanding of national legal systems and adequate knowledge of the languages involved. This is why a research team was assembled with people from different nationalities and backgrounds. On the basis of prior European research projects, extensive knowledge on the countries investigated and a network of experts in these countries was available. In this research, no survey was performed among EU citizens. Neither were there any focus groups organized with resident of the respective countries. A survey among residents would require a large amount of respondents in order to be a sufficient representation of the populace. Such numbers were not feasible within the budget and deadlines for this project. More important, however, is that such a survey would not add much value to already existing surveys (see ‘desk research’ below). In these surveys, (very) large amounts of respondents were involved and thus we found them to be a good alternative for mapping citizen perceptions regarding the protection of personal data. This saved time and money, creating more room for in-depth research on the different aspects of personal data protection.

30

Roosendaal et al. 2015.

1.3 Research Approach

13

Desk Research During the desk research stage, available literature and online data (for instance, websites and reports of data protection authorities, governments, and civil rights organizations) were collected. This information was used by the researchers to complete the questionnaire as much as possible. A large amount of the information needed (approximately 50–60%) proved to be available through these sources. As was explained above, in this research no survey was conducted among EU citizens, but secondary analyses and the reuse of existing surveys were utilized to provide further information. Three sources in particular were important in this respect: • CONSENT survey (2012)31 In this research, respondents were asked to complete a survey of 75 questions on internet use, online behavior and perceptions regarding the protection of personal data and online privacy. The focus was on the use of personal data in social media. In total, 8,621 people from 26 different EU member states responded to this survey.32 • Eurobarometer 431 (2015)33 In this research, a total number of 27,980 respondents in 28 EU member states from different social and demographic groups were interviewed regarding their attitudes on data protection and electronic identity. All interviews were face-to-face at the homes of the respondents in their mother tongue. • Oxford Internet Survey34 The Oxford Internet Survey (OxIS) is a series of surveys (with the most recent publication in 2013)35 on internet behavior in the United Kingdom. In the latest survey, results of a total of 2,657 respondents were included. The survey is focused on internet use, privacy, and perceived trust and risks regarding personal data. The main goals of the desk research were, on the one hand, to collect general background information and, on the other hand, to enrich the information collected from expert consultation (see ‘expert consultation’ below). The literature research included, among other things, cabinet letters to parliament, parliamentary proceedings, policy documents, cabinet vision documents, coalition agreements, legislation, reports and minutes of previous research, and relevant academic publications. Expert Consultation Information that was not available via desk research was requested through sending (parts of) the questionnaire to experts in the respective countries. Furthermore, 31 32 33 34 35

CONSENT 2012. Brockdorff 2012. Eurobarometer Survey 431 2015. Dutton and Blank 2013. Previous versions were released in 2003, 2005, 2007, 2009, and 2011.

14

1

Introduction

employees at the data protection authorities in the selected countries were contacted for further information. These experts and data protection authorities did not receive the entire questionnaire, but only those questions that yielded limited results during the desk research. This approach yielded missing information (an additional 20– 30% of the total information needed) as well as information that could be used to validate the desk research results. An overview of the experts and organizations that were consulted is provided in Appendix B. Additional Research For aspects on which limited or no information was available after desk research and expert consultations, the results were supplemented with additional desk research, media analyses and interviews. For the follow-up interviews, experts on personal data protection, policy makers, companies processing personal data, data protection authorities, and civil rights organizations were contacted. To the extent that these experts provided substantive information, they are included in Appendix B. Furthermore, some of these experts referred to other experts. There was also a supervisory committee involved in this research that actively provided names of experts. Altogether, this filled the final gap of missing information. Analysis With the help of the methods described above, all pieces of the puzzle (i.e., 5 topics for 8 countries) were collected. This provided answers to the five subquestions for each country. The main question was then answered by ‘tilting’ the matrix and reviewing each topic and each aspect for eight different countries. In other words, all topics and aspects were first mapped per country and then each topic and aspect were compared between all countries. Whenever possible, quantitative data was compared (for instance: “How many people know of the existence of a data protection authority?”), but for many aspects a qualitative comparison was made (for instance: “how much media attention is there for privacy and personal data protection?”). As comparing the countries on the basis of the five topics proved too coarse, the comparison was made on the more detailed level of the 23 aspects (see Table 1.1).

1.4

Structure of This Book

The structure of this book closely follows the approach described above. In the next eight chapters (Chaps. 2 through 9) each of the eight selected countries is discussed. In each of these country chapters, the five topics of the subquestions 1 through 5 (see Sect. 1.2) are dealt with respectively. Hence, in Chap. 10 (Chap. 10 running from Chaps. 2 to 9) the structure is therefore: general situation (Sect. 10.1), national

1.4 Structure of This Book

15

government policies (Sect. 10.2), laws and regulations (Sect. 10.3), implementation (Sect. 10.4), and regulatory authorities and enforcement (Sect. 10.5).36 Hence, Chaps. 2 through 9 provide answers to research questions 1 through 5. The main research question (“What is the position of different countries with regard to the protection of personal data in comparison with other EU member states?”) is answered in the final chapter (Chap. 10) of this book. In that chapter, the selected countries are mapped on a spectrum for each aspect of comparison. This also provides an indication of how countries could move towards other positions on the spectrum, if it is deemed desirable from a political, legal or societal perspective.

References Bennett CJ (1992) Regulating Privacy: Data Protection and Public Policy in Europe and the United States. Cornell University Press, Ithaca Brockdorff N (2012) Quantitative Measurement of End-User Attitudes Towards Privacy. Work Package 7 of Consent. http://www.consent.law.muni.cz/ Cannataci J (2016) Report of the Special Rapporteur on the right to privacy, 8 March 2016 Clifford D, Ausloos J (2017) Data Protection and the Role of Fairness Data Protection and the Role of Fairness. CiTiP Working Paper Series CONSENT (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Custers BHM, Calders T, Schermer B, Zarsky TZ (2013) Discrimination and Privacy in the Information Society: Data Mining and Profiling in Large Databases. Springer, Heidelberg Custers BHM, Dechesne F, Georgieva I, van der Hof S (2017) De bescherming van persoonsgegevens: Acht Europese landen vergeleken. SDU, The Hague Custers BHM, Dechesne F, Sears AM, Tani T, van der Hof S (2018) A comparison of data protection legislation and policies across the EU. Computer Law and Security Review 34(2) Custers BHM, van der Hof S, Schermer B (2014) Privacy Expectations of Social Media Users: The Role of Informed Consent in Privacy Policies. Policy and Internet 6(3): 268–295 Custers BHM, Bachlechner D (2018) Advancing the EU Data Economy; Conditions for Realizing the Full Potential of Data Reuse. Information Polity. https://doi.org/10.3233/ip-170419 Dutton WH, Blank G (2013) Cultures of the Internet: The Internet in Britain. Oxford Internet Survey 2013. http://oxis.oii.ox.ac.uk/reports Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Flaherty DH (1989) Protection Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada and the United States. University of North Carolina Press, Chapel Hill Helberger N, Zuiderveen Borgesius F, Reyna A (2017) The perfect match? A closer look at the relationship between EU consumer law and data protection law. Common Market Law Review, 2017, no. 5, pp. 1427–1466

Note that it would have been possible to opt for five chapters each with eight sections on the different countries. However, we prefer to present the research results per country. In our experience, this improves readability, avoids repetition and overlap, and ensures improved reference and retrieval of information. 36

16

1

Introduction

Hoffmeister F (2002) International agreements in the legal order of the candidate countries In: Ott A, Inglis K (eds) Handbook on European Enlargement. TMC Asser Press, The Hague, p. 209 Lessig L (2006) Code Version 2.0. Basic Books, New York Malgieri G, Custers B (2017) Pricing privacy: the right to know the value of your personal data. Computer Law & Security Review. Available at SSRN: https://ssrn.com/abstract=3047257 Mulligan DK, Bamberger KA (2015) Privacy on the Ground; Driving Corporate Behavior in the United States and Europe. MIT Press Norberg PA, Horne DR, Horne DA (2007) The Privacy Paradox: Personal Information Disclosure Intentions versus Behaviors. Journal of Consumer Affairs, Vol. 41, No. 1, pp. 100–126 Prins JEJ (2004) The Propertization of Personal Data and Identities. EJCL. www.ejcl.org/83/art831.html Purtova N (2015) The Illusion of Personal Data as No One’s Property. Law, Innovation and Technology, vol. 7, no. 1, 2015 Roosendaal A, Ooms M, Hoepman JH (2015) Een raamwerk van indicatoren voor de bescherming van persoonsgegevens. Nederland ten opzichte van andere landen. TNO (WODC), Delft Stucke M, Ezrachi A (2015) Artificial Intelligence & Collusion: When Computers Inhibit Competition. Oxford Legal Studies Research Paper No. 18/2015 Ursic H, Custers BHM (2016) Legal Barriers and Enablers to Big Data Reuse – A Critical Assessment of the Challenges for the EU Law. European Data Protection Law Review 2(2): 209–221 Vedder AH, Custers BHM (2009) Whose responsibility is it anyway? Dealing with the consequences of new technologies. In: Sollie P, Duwell M (eds) Evaluating new technologies: Methodological problems for the ethical assessment of technology developments. Springer, New York, pp. 21–34

Chapter 2

The Netherlands

2.1

General Situation

The Netherlands has a long tradition in international law. Some even argue that the basis for international law was laid in the Netherlands by Hugo de Groot.1 In his famous book De jure belli ac pacis (‘on the law of war and peace’) he discusses the legal status of war.2 In later centuries, ideas and concepts in this book were used to draft international treaties and conventions. The Netherlands was one of the founding members of the UN, the EU and many of their predecessors, like the League of Nations, the European Coal and Steel Community (ECSC) and the European Economic Community (EEC). Similarly, the Netherlands is signatory to all relevant international human rights instruments, including the Universal Declaration of Human Rights, the European Convention on Human Rights and the EU Charter of Fundamental Rights. In 2014, the Netherlands Institute for Human Rights received the A status for full compliance with the Paris Principles, relating to the status and functioning of national institutions for the protection and promotion of human rights. In the Netherlands there is a so-called moderate monistic approach towards international law, in which international law and national law are usually considered as one legal system. Apart from some exceptions,3 international treaties do not require transposition into national law to have legal effect. As a result, human rights in international treaties, including the right to privacy, are firmly established in the Netherlands. However, elements of the right to privacy already existed in the Netherlands long before this. Already in the one of the earliest versions of the Dutch constitution in 1815 the right to private homes was established. In the 1848 revision of the constitution, the right to confidentiality of letters 1

Woods 2012. de Groot 1625. 3 Articles 93 and 94 of the Dutch constitution state that binding provisions in international treaties only have effect after they have been published domestically. This characterizes the moderate character of the Dutch monistic legal system. 2

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_2

17

18

2 The Netherlands

was included. In 1983, the most recent revision of the constitution, a general right to privacy (Article 10 of the Dutch Constitution) was established, together with several more specific privacy rights, including the protection of personal data (Article 10), bodily integrity/physical privacy (Article 11), search and seizure of private places (Article 12) and secrecy of correspondence (Article 13). Internet Use People in the Netherlands are very active internet users and there seems to be a high level of awareness regarding the processing of personal data, although the risks involved are perceived as low.4 A recent survey shows that 36% of the people spend between 1 and 2 hours online daily and 31% spends 3 to 4 hours online daily.5 The high level of internet use may also be illustrated, for instance, by the fact that 95% of Dutch shop online (EU average 87%), with little disparities between the different age groups and a preference to pay (via Debit/Credit card or Electronic Money) at the time of ordering.6 About 59% of the Dutch people use social media at least once a week, which is slightly above the EU average.7 Online banking is practiced by 75% of the Dutch, which is among the highest three countries in the EU (after Finland and Denmark) and significantly above the EU average (43%).8 The level of purchasing goods and services online is similar to EU averages.9 The extent to which online games are played in the Netherlands and the extent to which phone and video calls are made via the Internet are also comparable to EU averages.10 However, use of instant messaging and chat websites lags behind significantly (43% compared to an EU average of 53%).11 Control When asked, the Dutch generally do not feel in control of the information they provide online. According to a recent survey, only 9% feel they have control (lowest of all EU member states after Germany), 59% feel they have only partial control and 30% feel they have no control at all.12 When asked, however, the Dutch seem not to be very concerned about this lack of control. About 47% indicates to be concerned about this (lowest of all EU member states after Estonia and Sweden), compared to an EU average of 67%.13

4

Consent Country Report The Netherlands 2012, p. 4. Roosendaal et al. 2015, p. 24. 6 Consent Country Report The Netherlands 2012, p. 4. 7 Eurobarometer 431 2015, p. 109. 8 Eurobarometer 431 2015, p. 110. 9 Eurobarometer 431 2015, p. 112. 10 Eurobarometer 431 2015, p. 111. 11 Eurobarometer 431 2015, p. 110. 12 Eurobarometer 431 2015, p. 10. 13 Eurobarometer 431 2015, p. 13. 5

2.1 General Situation

19

The vast majority of Dutch people (86%) consider providing personal information as an increasing part of modern life. This is the third highest in the EU (average is 71%), after Cyprus and Denmark.14 Contrary to the EU average, this belief still seems to be increasing in the Netherlands. About 48% indicates that providing personal data is not a big issue (highest of EU member states after Denmark and Lithuania).15 When asked about using personal data for personalized advertisements and services, 4% feels very comfortable with this, 33% fairly comfortable, 39% fairly uncomfortable and 22% very uncomfortable.16 Awareness Generally, the Dutch show a high level of awareness about the use of personal information by website owners. There are high levels of awareness and acceptance of the use of information by website owners to contact users by email (awareness 86%, acceptance 80%).17 The awareness and acceptance of the use of personal information to customize content and advertising is similarly high. However, while there appears to be some form of “balance” between user awareness and user acceptance towards these practices, there are substantially lower levels of acceptance of in-depth gathering of information, selling it, or making it available to others. Such practices are seen as largely unacceptable (Netherlands 75%, total EU average 74%).18 Actual experience of privacy invasions is comparably low with Dutch people scoring 2.92 (EU average 2.89) on a 7-point scale (1 = never, 7 = very frequently).19 In dealing with privacy policies, 61% of the Dutch (which is significantly more than the EU average of 47%) decided not to use a website due to their dissatisfaction with the site’s privacy policy, but over half of the Dutch people never or rarely actually read a website’s terms and conditions (51%) or privacy policy (61%). If reading the privacy policies, Dutch people rarely read the whole text (Netherlands 9%, EU average 11%), although they are rather confident that – when reading it – the text is mostly or fully understood (Netherlands 72%, EU average 64%). The level of online experience of the Dutch is confirmed by their awareness and behavior regarding the handling of technical details: 91% are aware of “cookies” (EU average 65%), though just over two out of three Dutch people actually ever disabled them (Netherlands 72%, EU average 68%).20 About 50% of the Dutch

14 15 16 17 18 19 20

Eurobarometer 431 2015, p. 29. Eurobarometer 431 2015, p. 32. Eurobarometer 431 2015, p. 40. Consent Country Report The Netherlands Consent Country Report The Netherlands Consent Country Report The Netherlands Consent Country Report The Netherlands

2012, 2012, 2012, 2012,

p. p. p. p.

4. 4. 4. 3.

20

2 The Netherlands

have heard about the existence of their national Data Protection Authority. This is among the top 5 of EU member states (average is 37%).21 Trust The extent to which the Dutch trust public authorities and private companies to protect their personal data varies significantly for different sectors. Trust is relatively high in health and medicine (81%, EU average 74%), public authorities (82%, EU average 66%), banks and finance (74%, EU average 56%) and EU institutions (63%, EU average 51%). However, trust is significantly lower regarding shops and stores (31%, EU average 40%), telecommunications and internet providers (37%, EU average 33%) and online businesses (18%, EU average 24%).22 When looking at the Dutch people’s perception of the general risks related to the disclosure of personal information on social media websites, Dutch people perceive there to be less risks than the overall EU average.23 However, they do perceive a clearly increased risk of information misuse (6.23 on a 7 point scale, 1 = disagree and 7 = agree).24 On the level of specific risks perceived, more than 80% of the Dutch consider it likely or very likely that information disclosed on social media websites is used or shared without their knowledge or consent, and that it is used to send them unwanted commercial offers, proportions being above the overall EU average.25 Regarding the more “personal” risks, people from the Netherlands are the second lowest with a perceived risk to personal safety as a result of disclosure of personal information on social media websites at 14% (EU average 24%), and third lowest for the perceived risk of becoming a victim of fraud (23%, EU average 32%) and damage to personal reputation (17%, EU average 25%). Although 95% of the Dutch shop online, of those Dutch people who never bought anything online, only 8% highlighted their lack of trust in online sellers as a reason for this, which differs slightly from the EU average (15%).26 The main reason given for refraining from online shopping was a dislike of disclosing personal information (financial details/address) where the Dutch people score substantially above the EU average (35%, EU average 24%) which can also be viewed as a trust and privacy issue. Other research, performed by the Dutch Direct Marketing Association, divides people into three archetypes: 34% is pragmatic, 28% is sceptic and 38% is not concerned at all.27

21 22 23 24 25 26 27

Eurobarometer 431 2015, p. 52. Eurobarometer 431 2015, p. 66. Consent Country Report The Netherlands Consent Country Report The Netherlands Consent Country Report The Netherlands Consent Country Report The Netherlands DDMA 2016, p. 4.

2012, 2012, 2012, 2012,

p. p. p. p.

4. 4. 4. 4.

2.1 General Situation

21

Protective Actions The number of Dutch people that tried to change privacy settings in their social media profiles is 71%, which is the highest in the EU (together with the United Kingdom) and significantly above the EU average of 57%.28 Nevertheless, the Dutch also have the highest proportion of people who find it difficult to change these settings (after Germany and Belgium). About 36% finds this difficult and 64% finds this easy.29 People who do not change the privacy settings indicate to trust the website to set appropriate settings (26%), do not know how to change the settings (21%), are not worried about having their personal data online (28%), do not have time to look at the options (8%) or did not know they could change the settings (14%).30 Similar results are shown in the CONSENT survey, that shows that, to safeguard their privacy, 58% of Dutch people often or always change the privacy settings of their personal profiles on social media sites (EU average 54%), and 79% (EU average 80%) of those who change privacy settings indicated that they made the privacy settings stricter so that others can see less information about them.31 Dutch research also shows similarly high numbers: 89% has installed protective software and 68% has adjusted profile settings.32 On the level of specific technical measure taken to maintain or increase personal internet security, some practices (pop-up window blockers, checking opt-in/opt-out boxes, blocking emails) are more established than others (checking for spyware, clearing the browser history), with the Dutch people showing results that are clearly above the overall EU average.33 National Politics The Dutch parliament consists of a lower house (Tweede Kamer) and an upper house or senate (Eerste Kamer) and often discusses privacy and data protection issues in both its chambers. When it comes to balancing trade-offs between more abstract privacy and data protection issues on the one hand and more concrete, practical issues like data sharing, security, etc., the Tweede Kamer seems, generally speaking, to be more inclined to favor the practical issues. In the debate on privacy versus security, security issues are often favored.34 However, that is not to say that privacy issues are not important in the Tweede Kamer. This research, which was actually requested by some members of parliament (see Chap. 1) may illustrate this. Another typical example is the 2011 motion by senator Franken (Eerste Kamer), repeated in a 2015 motion by other members of parliament (Tweede Kamer) to 28

Eurobarometer 431 2015, p. 92. Eurobarometer 431 2015, p. 95. 30 Eurobarometer 431 2015, p. 98. 31 Consent Country Report The Netherlands 2012, p. 4. 32 Roosendaal et al. 2015, p. 5. 33 Consent Country Report The Netherlands 2012, p. 3. 34 Examples are legislative proposals regarding DNA, camera surveillance, data retention, preventive search and seizure, stronger identification, police powers and license plate recognition. 29

22

2 The Netherlands

require a Privacy Impact Assessment for each legislative proposal that may have consequences for the processing of personal data.35 The Dutch senate, however, seems to be much more critical and actually voted against some privacy-sensitive legislative proposals that were already approved by the Tweede Kamer. For instance, in 2011, the senate voted against proposed legislation on electronic patient records (Wet EPD) and against proposed reforms of the Intelligence and Security Agencies Act (Wet op de inlichtingen- en veiligheidsdiensten). In the past years, many legislative proposals that relate to or affect privacy and data protection issues have been discussed in the Tweede Kamer. Typical examples are the data breach notification act in which sanction competences for the DPA were also significantly expanded (Meldplicht datalekken, 2016), the cookies act (versoepeling cookiewet, 2014), the basic registration of persons act (Wet basisregistratie personen, 2013), the increased preventive searches act (verruiming preventief fouilleren, 2013), smart energy meters (slimme energiemeters, 2010). This is only a small selection of the proposed legislation. Legislative proposals extensively discussed in the senate include the (revised) electronic patients records act (Wet elektronische patiëntendossiers, 2016) and the increased camera surveillance act (Wet verruimen cameratoezicht, 2014). Obviously, all legislative proposals that are accepted by the Tweede Kamer are passed on to the senate. As such, there are many debates on privacy and data protection issues. Since the senate has no power to initiate legislative proposals itself, the debates are always more or less limited to the proposals that are received from the Tweede Kamer. In both chambers of the Dutch parliament many different parties are represented. The major parties are the PvdA (labour), VVD (liberals), CDA (Christian democrats), PVV (nationalists/right-wing populists), SP (socialists) and D66 (social-liberals). Generally speaking, the right-wing parties like VVD and PVV favor both freedom of speech and security over privacy and data protection issues, but left wing parties like PvdA and SP do not necessarily favor privacy and data protection issues over freedom of speech and security. In fact, PvdA voted in favor of many legislative proposals that restrain privacy and data protection.36 The website www.privacybarometer.nl keeps a scoring system for how well political parties observe privacy and data protection. This system is based on the voting behavior of political parties. According to their metrics, the SP is the only political party that seriously observes privacy and data protection, although they are quick to note that their political program does not contain any concrete plans or views on this.37

35 36 37

Kamerstukken II, 2015, 34000 VII, nr. 21 (motie Segers/Oosenbrug). www.privacybarometer.nl. www.privacybarometer.nl.

2.1 General Situation

23

None of the political parties explicitly mentions new, more detailed privacy legislation or stronger government regulation in their political programs.38 This may suggest that they are in favor of self-regulation rather than government regulation. However, it may also be the result of the fact that in recent years the focus was on preparing the GDPR. The acceptance of the GDPR and some data protection measures preceding the GDPR (like more powers for the data protection authority and legislation on breach notifications), may indicate a tendency towards stronger regulation. As was mentioned above, the Netherlands has a strong tradition in human rights law. In 2013, the Dutch government initiated a national action plan for human rights.39 There exists an active dialogue between the government and members of parliament on the hand and civil rights organizations on the other hand. In some cases, when preparing new legislation, the government actively consults human rights organizations.40 Also, many civil rights organizations are actively lobbying41 for improving privacy and data protection with the government and are addressing issues via the media. More on civil rights organizations that focus specifically on privacy and data protection is discussed at the end of this section. The policy of the current government, which started in 2017, more or less holds that privacy and data protection legislation put forward requirements, which should be taken into account.42 This is similar to the policy of the previous government.43 Apart from this rather formal approach, however, the coalition agreement of 2012 explicitly stated that the data protection authority should be equipped with more powers to impose fines (which was realized in 2016 by adopting the Data Breach Notification Act (Meldplicht datalekken). The 2017 coalition agreement puts a stronger emphasis on empowering people with data control rights.44 Also, the use of Privacy Impact Assessments is considered very important and legislation that infringes the right to privacy should have sunset clauses and should be subject to evaluations.45 The introduction of the European GDPR further confirmed most of these trends.

38 D66, the social-liberal party in parliament, has requested to no longer provide census data to religious institutions since 1994. In 2016, the Dutch minister of the Interior has indicated to arrange this. See: www.kamerbrief-over-beeindiging-verstrekking-van-persoonsgegevens.pdf. 39 Letter of the Dutch minister of the interior to the parliament, ‘Aanbieding Nationaal Actieplan Mensenrechten’, 10 December 2013. 40 Kamerstukken II, vergaderjaar 2015–2016, 32 761, nr. 102, p. 13. 41 See, for instance, the statements of Amnesty International in the Netherlands, at http:// jaarverslag.amnesty.nl/onze-werkwijze/amnesty-lobbyt/ and of Bits of Freedom, at https://www. bof.nl/over-ons/. 42 Regeerakkoord 2017, pp. 3, 8. 43 Regeerakkoord 2012, p. 22. 44 Regeerakkoord 2017, p. 8. 45 Regeerakkoord 2012, p. 28.

24

2 The Netherlands

Media Attention In the Netherlands there is extensive media attention for privacy and personal data protection. Obviously, there is coverage of international issues related to privacy, like WikiLeaks and the Snowden case. On a national level, privacy and data protection are a key topic in many debates in parliament. These debates are covered by national TV, national radio and national newspapers.46 Some newspapers, like De Telegraaf, the largest daily newspaper in the Netherlands, seem to have become more critical towards mass surveillance and data storage over the last few years. Privacy appears to be a key value in many of these debates, for instance, on identity management.47 Other organizations that regularly draw attention of the media towards privacy and data protection are the Data Protection Authority (Autoriteit Persoonsgegevens, see Sect. 2.5)48 and civil rights organizations that focus on the domain of privacy and data protection (see below)49 and opinion columns of opinion makers and academic researchers.50 Although there is no official nationwide debate on privacy or data protection, there are some initiatives of national media to have a debate. A typical example is the National Privacy Test, a TV show that was broadcast on 21 October 2016.51 In this TV show the viewers were confronted with a list of multiple choice questions, including questions on the use of social media and questions on security issues. The test results show the level of awareness of individuals (i.e., whether they are ‘privacy-proof’). The National Privacy Test was part of the so-called Privacy Weeks initiative of the national public broadcasting companies, in which more programs related to privacy and data protection were shown on national TV.52 Another TV show was a public lecture on privacy by professor Bart Schermer of Leiden University.53 There are also some journalists that have further specialized themselves in privacy and data protection related issues. Typical examples are privacy journalists Maurits Martijn and Dimitri Tokmetzis, who co-hosted the above-mentioned National Privacy Test and published a popularizing book on privacy.54 Another example is journalist Brenno de Winter, who specializes in security issues and privacy and revealed security issues regarding the Dutch national public transport

46 A typical example is the media coverage of a story in which a sextape of a young Dutch woman was put on Facebook (see http://nos.nl/op3/artikel/2129157-strijd-over-seksfilmpje-chantal-draaitopnieuw-om-privacy.html). 47 Andersson Elffers Felix 2013. 48 For an overview, see https://autoriteitpersoonsgegevens.nl/nl/actueel. 49 For an overview, see the websites of these civil rights organizations. 50 See, for instance, de Vries 2013. See also Custers 2016, p. 17. 51 http://www.npo.nl/npo3/de-privacytest-hoe-privacybewust-ben-jij. 52 http://www.metronieuws.nl/nieuws/showbizz/2016/10/privacyweken-op-npo3-veel-heftigerdan-ik-dacht. 53 http://www.universiteitvannederland.nl/hoogleraar/bart-schermer/. 54 Martijn and Tokmetzis 2016.

2.1 General Situation

25

cards.55 Sometimes people from the hacker’s community also participate in the public debate. A notable example is Rop Gonggrijp, who participated in the debate on electronic voting machines.56 Also some politicians try to focus on privacy as a unique selling point. A typical example is Sophie in ‘t Veld, a Dutch member of the EU parliament, who focuses on privacy and data protection. Another example is former playmate Ancilla van der Leest, who heads the Dutch Pirate Party and chose to focus on privacy rights as the major theme.57 A final media event worth mentioning are the annual big brother awards. These awards are given to government and private sector organizations that have done the most to threaten personal privacy. These awards exist in many countries, including Germany and the United States.58 The Dutch version is organized by civil rights organization Bits of Freedom.59 Categories include awards granted by the public and awards granted by experts. Recently, also an award for a positive contribution to privacy and data protection was introduced. In general, the attitude of media towards privacy and data protection issues is that of a critical approach. Issues are raised and concerns are addressed. Legislative proposals, policies and practices of both government organizations and private companies are criticized. As such, they significantly contribute to raising awareness. Offering solutions to such issues is rare, however. There are indications that this leaves people with confusion: they are concerned about their privacy, but do not show behavior that reflects these concerns (the so-called privacy paradox).60 Data Breaches Civil rights organization Bits of Freedom kept a record of data breaches in the Netherlands from 2009 to 2013.61 This is a long list of hospitals, telecommunications providers, airlines and other companies whose data breaches were disclosed. In some cases, the data of thousands of data subjects were disclosed, in other cases the data of hundreds of thousands of data subjects were disclosed. Data breach notifications were not mandatory in the Netherlands, however, until January 2016. As of that date, data breaches have to be notified to the data protection authority (Autoriteit Persoonsgegevens).62 In the first week of 2016, 20 data breaches were reported. By April 2016, over one thousand notifications were received.63 By September, over 3,600 data breaches were reported. By that time 44% of all Dutch municipalities (172 out of 390) reported a data breach. At the end of 2016, a press

55 56 57 58 59 60 61 62 63

https://nl.wikipedia.org/wiki/Brenno_de_Winter. http://wijvertrouwenstemcomputersniet.nl/Wij_vertrouwen_stemcomputers_niet. Van der Leest 2014. https://en.wikipedia.org/wiki/Big_Brother_Awards. https://bigbrotherawards.nl/. Norberg et al. 2007. https://www.bof.nl/category/zwartboek-datalekken/. https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/beveiliging/meldplicht-datalekken. https://informatiebeveiliging.nl/nieuws/autoriteit-persoonsgegevens-1-000-datalek-meldingen/.

26

2 The Netherlands

release of the Dutch DPA indicated that they received almost 5,500 data breach notifications in 2016.64 One of the biggest data breaches concerned an employee of an energy network management company who stole data of 2 million Dutch households.65 Another example is the UWV, the Dutch Employee Insurance Agency, which leaked data of 11,000 people who were looking for a new job.66 The rapidly increasing number of data breach notifications implies that data breaches are no longer news. Some experts have argued that, as a result, one of the basic ideas behind data breach notification laws, i.e., naming and shaming would force organizations to improve their security, may actually have limited effect.67 Also, news about data breaches does not seem to cause reactions from the public. The common reaction of people to data breaches seems to be that of acceptance – no protests or public reactions of outrage seem to have occurred. Civil Rights Organizations There are several civil rights organizations in the Netherlands that are active in the area of privacy and personal data protection. Most well-known are Bits of Freedom and Privacy First. Bits of Freedom calls itself the leading Dutch digital rights organization.68 Their focus is on informational self-determination. Their main goal is an internet that is open for everyone, where everyone can continue to share information and where private communication remains private. Bits of Freedom exists since 2000 and is a founding member of European Digital Rights (EDRi). They are perhaps best known for organizing the annual Big Brother Awards (see above), but they also host educational sessions called privacy cafés and developed the Internet freedom toolbox to keep personal data safe and private.69 Furthermore, they are active in lobbying, political debates, public debates and litigation. Bits of Freedom is located in Amsterdam and is a non-profit organization that is funded with private donations. In the period 2006–2009 their activities were suspended due to a lack of financial resources.70 Privacy First states that the right to privacy is under a lot of pressure and needs more defending.71 Their aim is to turn the Netherlands into a frontrunner when it comes to protection of privacy. The focus is on privacy as a starting point in innovation, ensuring people have really free choices, turning the Netherlands into a frontrunner regarding privacy and to ensure that governments and companies take

64 65 66 67 68 69 70 71

http://nos.nl/artikel/2150430-5500-datalekken-gemeld-bij-waakhond.html. https://informatiebeveiliging.nl/nieuws/grootste-datalek-energiecontracten-ooit-in-nederland/. https://informatiebeveiliging.nl/nieuws/uwv-lekt-gegevens-van-11-000-werkzoekenden/. See also: Schneier 2009. https://www.bof.nl/home/english-bits-of-freedom/. https://www.bof.nl/ons-werk/onze-successen/. http://webwereld.nl/security/31687-bits-of-freedom-stopt-per-1-september. https://www.privacyfirst.nl/.

2.1 General Situation

27

responsibility for privacy.72 Privacy First organizes information campaigns,73 but is also active in litigation, although mostly together with other organizations.74 In 2015, Privacy First sued the Dutch government for storing fingerprints in Dutch passports. Although Privacy First lost the case in court, the Dutch government discontinued this practice.75 Other litigation includes the data transfers from Dutch intelligence and security agencies to other countries, license plate parking and data retention. Privacy first is located in Amsterdam and is a non-profit organization that is funded with private donations. Their annual budget was approximately 80,000 euro in 2015.76 Since 2015, Privacy First also has an annual award, the so-called National Privacy Innovation Award, for privacy friendly solutions.77 So far, these awards have drawn less media attention than the Big Brother Awards. Perhaps less well-known to the general public is the Association for Privacy Law (Vereniging Privacy Recht, VPR), an association that offers a platform for enhancing the quality of privacy and data protection legislation.78 The association has among its members lawyers, privacy consultants and law professors. Apart from further developing privacy law, the association aims to be a dialogue partner for data protection authorities and policy makers. Their activities include organizing an annual conference and meetings and seminars. Litigation is not part of their activities. The association is established in Rotterdam. It is a non-profit organization and membership is open for everyone except people affiliated to data protection authorities and policymakers. Annual membership is 75 euro.79 The Dutch Section of the International Commission of Jurists (ICJ) is called the NJCM (Nederlands Juristen Comité voor de Mensenrechten) and was established in 1974.80 The ICJ is a non-governmental organization that is dedicated to ensuring respect for international human rights standards through law. There are national sections and affiliates in over 70 countries. The Dutch section, the NJCM, issues comments on proposed legislation and government policies, writes and coordinates shadow reports and lobbies with politicians, journalists, policy makers and social organizations. The NJCM also publishes a journal and a bulletin and organizes seminars. Their focus is on human rights, not on privacy and data protection in particular, but these rights are within their scope. The NJCM is a non-profit

72

Privacy First 2015. https://www.privacyfirst.nl/campagnes.html. 74 https://www.privacyfirst.nl/rechtszaken.html. 75 Privacy First 2016, p. 2. 76 Privacy First 2016, p. 25. 77 https://www.privacyfirst.nl/solutions/evenementen/item/1044-winnaars-iir-nationale-privacyinnovatie-awards-2016.html. 78 https://verenigingprivacyrecht.nl/. 79 https://verenigingprivacyrecht.nl/lid-worden/. 80 http://www.njcm.nl/site/njcm/vereniging/vereniging. 73

28

2 The Netherlands

organization that had an annual budget of approximately 131,000 euro in 2015.81 The organization is established in Leiden. Whereas Bits of Freedom and Privacy First could be said to focus on a protesting and litigation, the VPR and the NJCM focus more on facilitating the debate. They all play a role in influencing government policies and are in some cases consulted when the Dutch government proposes legislation. Bits of Freedom is the best-known organization in this domain (18% of the Dutch citizens as heard of them), followed by Privacy First (13% has heard of them).82

2.2

National Government Policies

National Policies, Privacy Impact Assessments The general policy of the Dutch government regarding privacy and personal data protection was discussed in the previous section. Sector specific policies are present in many domains. Most notably, in the criminal justice chain, there is specific legislation (see Sect. 2.3) that derogates the personal data protection legislation. Also, in the medical sector there is specific legislation that addresses professional secrecy. Similar sector-specific regulations exist for public administration, welfare and social security. The policies in these domains are usually stricter, as they concern special (more sensitive) categories of personal data. Privacy Impact Assessments (PIAs) are of increasing importance in the Netherlands, although they were not mandated by legislation prior to the GDPR. As mentioned in the previous section, in 2011 and 2015 members of Dutch parliament issued a motion that requires a Privacy Impact Assessment for each legislative proposal that may have consequences for the processing of personal data.83 The government accepted this motion. As a result, the first Privacy Impact Assessment that was executed in 2013 by the Dutch government was that for a legislative proposal on storing data regarding vehicle number plates with a technology called Automated Number Plate Recognition (ANPR).84 Later that year, the Dutch government drafted a standard format for performing Privacy Impact Assessments, which is now mandatory for the national government.85 This format raises questions to create awareness of potential privacy risks, but is not very user-friendly. Other drawbacks are that no instruments are provided to map the risks and to assess

81

NJCM 2016. Roosendaal et al. 2015, p. 39. 83 Kamerstukken II, 2015, 34000 VII, nr. 21 (motie Segers/Oosenbrug). 84 Kamerstukken II, 2012–2013, 33 542, nr. 3, bijlage 6. 85 https://www.rijksoverheid.nl/documenten/publicaties/2013/06/24/toetsmodel-privacy-impactassessment-pia-rijksdienst. 82

2.2 National Government Policies

29

likelihood of these risks occurring and their impact once they occur.86 The format is too much a compliance check, according to the data protection authority who advised on the format.87 The standard format does not appear to be used often: later Privacy Impact Assessments use their own approach.88 The national model for Privacy Impact Assessments has been evaluated and will be revised.89 The evaluation shows that there is room for improvement regarding the applicability, completeness, understandability and usefulness, and user-friendliness of the model. Others have developed formats that are more practical, such as the format issued by the IT-professionals association NOREA.90 This format contains an extensive checklist that better ensures completeness of the risk assessment. The data protection authority has not developed a format for PIAs, but does offer a reference to the guidelines of the Article 29 Working Party on its website.91 Privacy and Data Protection in New Policies In the Dutch parliament there are no specific debates on new technological developments like big data, the internet of things or the quantified self. However, these topics sometimes play a role in debates on other topics, like economics or justice. The government has not yet developed specific views on these new developments, but has commissioned research on these topics to start further development to governmental research institutes. Most prominent is research on big data developments. Most notably the Scientific Council for Government Policy (Wetenschappelijke Raad voor het Regeringsbeleid, WRR) started a research program on big data. Recent examples of WRR-reports include a high level overview,92 but also reports on more specific topics such as big data and security,93 international legal studies on big data,94 big data and fraud detection,95 big data for intelligence agencies96 and big data in health care.97 The Dutch government has reacted on these reports by stating that there are many opportunities for big data and that it wants to explore the potential benefits, together with mitigating any collateral 86

A high quality PIA should not only map risks, but also assess their likelihood and impact, see Wright and De Hert 2012. 87 Brief van het CBP aan de minister van BZK, 4 dec 2012 (Advies – concept Toetsmodel Privacy Impact Assessment), see https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacycheck/privacyimpact-assessment-pia. 88 See, for instance, Koops et al. 2016. 89 Versmissen et al. 2016. 90 http://www.norea.nl/Norea/Actueel/Nieuws/PIA+nieuwe+versie.aspx. 91 https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/europese-privacywetgeving/privacyimpactassessment-pia. 92 van der Sloot et al. 2016. 93 WRR 2016. 94 van der Sloot and van Schendel 2016. 95 Olsthoorn 2016. 96 van Schendel 2016. 97 Ottes 2016.

30

2 The Netherlands

risks that may exist.98 The Ministry of Education, Culture and Science commissioned research on big data in education and science.99 In an official response, the government indicates these developments offer opportunities but may also constitute risks and that it will closely monitor further developments.100 The Ministry of Economic Affairs and Climate Policy established an expert group that wrote a report on big data and innovation.101 In an official response, the government indicated to use this report for further discussion on the topic.102 Research on the Internet of things was requested by the Dutch Cyber Security Council and started by the research center of the Ministry of Justice and Security (WODC).103 Regarding the quantified self, the research center of the Ministry of Justice and Security (WODC) started research on applications of the quantified self in the context of justice.104 The benefits and risks (including privacy and data protection risks) of other technologies, such as nanotechnology,105 bitcoins106 and drones,107 are also closely monitored by the government. The Dutch government has shown interest in the use of privacy by design and has commissioned an action plan for privacy.108 Despite these plans to make more use of privacy by design, it is not apparent where and how these plans have been (or will be) implemented. Also, privacy by design does not yet seem to be a standard element in government policies. Research on factors that may facilitate or hinder the use of privacy by design in the Netherlands does not yet seem to have resulted in increased use of privacy by design.109 Societal Debate The Dutch government seems to take an active approach in the privacy debate. However, it sometimes seems to be difficult to translate privacy and data protection into concrete actions that can be taken. Concepts like privacy by design and Privacy Impact Assessments are not standardized and/or not always taken into account when new legislation is proposed or new policies are drafted. In many debates, the importance of privacy and data protection is stressed, but often there is no in-depth

98

Ministerie van Veiligheid en Justitie 2016. Bongers et al. 2015. 100 Ministerie van Onderwijs, Cultuur en Wetenschap 2016. 101 Expertgroep EZ 2016. 102 Ministerie van Economische Zaken 2016. 103 https://www.wodc.nl/onderzoeksdatabase/2734-kansen-en-bedreigingen-internet-of-things. aspx. 104 https://www.wodc.nl/onderzoeksdatabase/2716a-quantified-self-toepassingsmogelijkhedenin-justitiele-context.aspx?cp=44&cs=6778. 105 Schulze Greiving et al. 2016. 106 Oerlemans et al. 2016. 107 Custers et al. 2015. 108 Roosendaal et al. 2014. 109 van Lieshout et al. 2012. 99

2.2 National Government Policies

31

discussion or further follow-up. As was discussed in the previous section, to some extent there is a dialogue between the government and civil rights organizations, but this has not solved this issue. In 2015, a so-called privacy coalition was formed between several individuals and organizations in the areas of civil rights, free press, criminal law and academia.110 The government started a dialogue with this coalition, for instance, regarding topics like data storage111 and big data,112 and seems intent to continue to this dialogue. When creating new policies and legislation, the Dutch government increasingly uses internet consultations to allow citizens and companies to react on such proposals. This is via an official website that is used by both the government and parliament.113 Via internet consultations, started in 2008, the government intends to provide citizens, companies and other organizations information on legislative proposals and to invite people to comment on this. The basic idea is to improve the proposed policies or legislation and to expand public support. People have to register before they can comment. All comments are published. The name and residence of the person are published together with their comments, unless a person objects to this. Internet consultations are an addition to the existing consultation process, in which government institutes that are affected by the proposals are consulted. Although the government regularly uses internet consultations and is convinced that this is useful, consultations usually have the same format and the same group of respondents. There is no universal government policy for internet consultations and ministries are allowed to make their own decisions on whether they organize internet consultations and how and whom they consult.114 Information Campaigns In recent years, the Dutch government has initiated several internet campaigns to further inform citizens on privacy and data protection related issues and to further increase awareness. In 2008, the Dutch government started the website www.mijnoverheid.nl (‘my government’) at which citizens can arrange matters with the government online. In 2015, there were 1.6 million citizens with an account. When citizens log in, they can access their personal data, for instance, data in the persons registration, data from the vehicle registration and ownership data in the cadastral registrations.115

110

https://visieopprivacy.nl/. http://nos.nl/artikel/2028170-privacycoalitie-stop-op-wetgeving-dataopslag.html. 112 Kamerstukken II, 2014/15, 32 761, nr. 83, blz. 4. 113 www.overheidsconsultatie.nl. 114 Sandee 2014. 115 https://www.rijksoverheid.nl/onderwerpen/digitale-overheid/vraag-en-antwoord/wat-ismijnoverheid. 111

32

2 The Netherlands

In October 2016, the government launched the campaign Alert Online, to improve knowledge and skills of citizens on cybercrime.116 It is not the first campaign with this goal, but this campaign particularly focuses on ransomware, and advises to regularly create back-ups, update software and not to open attachments or links in e-mail messages.117 There is a special focus on personal data protection.118 In 2014, the campaign on being safe online (‘veilig internetten’) was started.119 The campaign mainly consists of a website (www.veiliginternetten.nl) with practical advice on what people can do and should not do to be safe on the Internet. The website provides information only, it is not a helpdesk. Special focus areas are basic security, wireless internet, social media, online banking, online shopping, privacy and kids online.120 The focus area on privacy has topics on protecting personal data and social media, identity fraud, digital traces and sharing files.121 In 2013, the government launched a campaign on identity fraud.122 This campaign disseminated digital information material to municipalities (who issue passports and ID-cards) to inform citizens about do’s and don’ts regarding copies of their identity documents, including erasure of their social security number on copies. In 2014, the Dutch government also launched the so-called KopieID app, an app that allows citizens to create a secure copy of their identity document on their smartphone. The app allows deleting the Burger Service Nummer (Social Security Number) and watermarking the digital identity document, making them traceable when used by fraudsters.123

2.3

Laws and Regulations

Implementation of the EU Directive The first act in the Netherlands that focused on the protection of personal data was the Wet persoonsregistraties (WPR, the Person Registrations Act), which came into force in 1989. According to this act, people had to consent to processing of their personal data for other purposes than for which the data was initially collected. The enforcement of this act was taken care of by the Registratiekamer (The Registration

116

https://www.rijksoverheid.nl/actueel/nieuws/2016/10/03/nederlanders-niet-voorbereid-opcybercrime. 117 https://www.alertonline.nl/. 118 https://www.alertonline.nl/experts/bescherming-persoonsgegevens. 119 https://www.rijksoverheid.nl/actueel/nieuws/2014/10/27/burgers-beter-geinformeerd-overveilig-internetten. 120 https://veiliginternetten.nl/themes/. 121 https://veiliginternetten.nl/themes/privacy/. 122 https://www.rijksoverheid.nl/actueel/nieuws/2013/01/15/campagne-tegen-identiteitsfraude. 123 https://www.rijksoverheid.nl/actueel/nieuws/2014/11/04/kopieid-app-maakt-misbruik-metkopie-identiteitsbewijs-moeilijker.

2.3 Laws and Regulations

33

Chamber), the first data protection authority in the Netherlands and predecessor of the College bescherming persoonsgegevens, which was renamed in 2016 as the Autoriteit Persoonsgegevens (see next section). In the Netherlands, the European Data Protection Directive was implemented in national law with the introduction of the Wet Bescherming Persoonsgegevens (WBP, Personal Data Protection Act), which came into force on 1 September 2001.124 A major difference between the WBP and the WPR it replaced is that the WPR was based on the concept of person registers, whereas the WBP is based on the concept of personal data. The WBP implements the so-called principles for the fair processing of personal data (i.e., collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability),125 lists the different legal bases on which personal data can be processed and establishes the existence of the data protection authority. According to the data protection authority, the most important statements in the WBP are:126 • Processing personal data is only allowed when fair and adequate and in accordance with the law. • Collecting personal data is only allowed for specified, explicit and legitimate purposes. Further processing is only allowed when compatible with these purposes. • Data subjects should be informed on the identity of the data controller and the purposes of the processing. • Personal data should be adequately secured. For special categories of data there are stricter rules. The WBP was revised several times since its introduction in 2001. In 2012, the administrative burdens for data controllers were decreased.127 Prior investigations are no longer mandatory for requesting permission to process personal data such a prior investigation was already performed for another data controller who requested this processing of personal data as approved by the DPA. Third country data transfers to countries without an adequate level of protection are no longer subject to approval of the Ministry of Justice and Security when the model contract of the European Commission is used. Furthermore, privacy officers are no longer required 124

See http://wetten.overheid.nl/BWBR0011468/2016-01-01. An unofficial translation into English may be found at http://home.planet.nl/*privacy1/wbp_en_rev.htm. The three-year deadline for implementing the European directive had passed long before, on 24 October 1998. In January 2001, the European Commission decided to take five countries (France, Luxembourg, the Netherlands, Germany, and Ireland) to court for failure to notify all the measures necessary to implement the directive. 125 See http://www1.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM. 126 https://autoriteitpersoonsgegevens.nl/nl/over-privacy/wetten/wet-beschermingpersoonsgegevens. 127 Wijziging Wbp in verband met de vermindering van administratieve lasten en nalevingskosten, wijzigingen teneinde wetstechnische gebreken te herstellen en enige andere wijzigingen, Staatsblad, jaargang 2012, nr. 33. See also https://autoriteitpersoonsgegevens.nl/nl/ nieuws/wijziging-van-de-wet-bescherming-persoonsgegevens.

34

2 The Netherlands

to create an annual report of their activities and findings. In 2012, the maximum fines were also raised. The WBP implements the EU data protection directive at a minimum level. There are no additional provisions, with only one notable exception. In 2016, a revision of the WBP came into force, in which data breach notifications became mandatory (Article 34a WBP) and maximum fines were significantly increased and expanded to more types of offences (Article 66 WBP).128 According to the breach notification provisions, data controllers must notify any data breaches that involve theft, loss or abuse of personal data. The DPA must be notified and in some situations, the data subjects must also be notified. The Dutch data protection authority opened a special desk for data breach notifications.129 Prior to this revision of the WBP, fines were maximized to 4,500 euro, afterwards the fines were maximized to 820,000 euro (for more details, see Sect. 2.5). Sectoral Legislation For specific sectors, there exist specific laws and regulations in the Netherlands. In the domain of law enforcement and criminal justice, the Police Data Act (WPG, Wet politiegegevens)130 regulates the use of personal data by police agencies and the Justice and Criminal Procedure Data Act (WJSG, Wet justitiële en strafvorderlijke gegevens)131 regulates the use of personal data by the judiciary (i.e., the prosecution service and the courts). These acts explicitly derogated the WBP and are beyond the scope of the GDPR. They will probably be replace by the new EU Directive 2016/680, but its transposition into national law is delayed. The WPG regulates the processing of so-called police data, which are personal data processed by police agencies. This may include data on criminals, but also data on suspects, witnesses, etc. Apart from the Dutch National Police, the WPG also focuses on special investigation services, the Royal Border police (Koninklijke Marechaussee) and the National Police Internal Investigation Department (Rijksrecherche). The WPG also applies to police tasks for the justice department, such as executing of migration laws. Apart from the WPG, there is also a Decree on police data (Besluit politiegegevens)132 that provides further details on the WPG and prescribes to which organizations the police may transfer police data. The WJSG determines

128

Wet van 4 juni 2015 tot wijziging van de Wet bescherming persoonsgegevens en enige andere wetten in verband met de invoering van een meldplicht bij de doorbreking van maatregelen voor de beveiliging van persoonsgegevens alsmede uitbreiding van de bevoegdheid van het College bescherming persoonsgegevens om bij overtreding van het bepaalde bij of krachtens de Wet bescherming persoonsgegevens een bestuurlijke boete op te leggen (meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp) Staatsblad, jaargang 2015, nr. 230. See also: https://www.rijksoverheid.nl/actueel/nieuws/2015/07/10/meldplicht-datalekken-en-uitbreidingboetebevoegdheid-cbp-1-januari-2016-van-kracht. 129 https://datalekken.autoriteitpersoonsgegevens.nl/actionpage?0. 130 http://wetten.overheid.nl/BWBR0022463/2016-01-01. 131 http://wetten.overheid.nl/BWBR0014194/2016-01-01. 132 http://wetten.overheid.nl/BWBR0023086/2015-07-01.

2.3 Laws and Regulations

35

which personal data (and data pertaining to legal persons) the judiciary (particularly the public prosecution service) stores and for how long. As such, it also regulates the keeping of criminal records by the government. Also, personal data may be processed for assessing certificates of conduct. For the WJSG, there is a Decree on justice and criminal procedure data,133 which provides further details on the WJSG. Both the WPG and the WJSG are supervised by the Dutch data protection authority. The WBP was also derogated by several other laws, also beyond the scope of the GDPR, including the Intelligence and Security Agencies Act (Wet op de inlichtingen- en veiligheidsdiensten, WIVD),134 the Municipal Personal Records Database Act (Wet basisregistratie personen, BRP)135 and the Elections Act (Kieswet).136 The BRP regulates the personal data of Dutch citizens and is supervised by the Dutch data protection authority. The WIVD and the Kieswet are supervised by other authorities. In the medical sector, the GDPR regulates the processing of personal data, but on top of that, the Wet Geneeskundige Behandelingsovereenkomst (WGBO, Medical Treatment Contracts Act) also applies. The WGBO is part of Book 7 of the Dutch Civil Code and regulates professional secrecy, privacy rights and access rights for patients to their medical files. The WGBO clarifies the legal position of a patient, especially when no, or few, agreements were made between the doctor and the patient, something that happens frequently in practice. The WGBO gives the patient the right to access his medical files (Article 456) and requires the consent of the patient for starting treatment (Article 450).137 If a patient indicates that he does not want to be informed of his medical status, the doctor may refrain from providing information, unless the disadvantages for the patient are considered to be too great. In some situations, doctors are allowed to break their professional secrecy, for instance, when a patient consents to this, when there are conflicting obligations or a legal obligation. In 2016, the Dutch parliament accepted legislation for improving patient’s rights regarding the processing of their personal data, allowing patients to decide themselves with which health care providers their personal data may be shared.138 Self-regulation and Codes of Conduct Article 25 of the Dutch Data Protection Act (WBP) allowed organizations to draft codes of conduct that contain sector-specific rules that further elaborate on legal 133

http://wetten.overheid.nl/BWBR0016544/2015-07-01. http://wetten.overheid.nl/BWBR0013409/2013-01-01. 135 http://wetten.overheid.nl/BWBR0033715/2015-09-01. 136 http://wetten.overheid.nl/BWBR0004627/2016-01-01. 137 See also Article 11 of the Dutch constitution on bodily integrity. Note that the WGBO does not contain a patient’s right to have data in a medical record changed or removed. The patient has, however, the right to add documents to the medical record on the basis of Article 454 WGBO. Consent is dealt with in Subsection 5.2.4. 138 https://www.rijksoverheid.nl/actueel/nieuws/2016/10/04/wet-clientenrechten-bij-elektronische -verwerking-van-gegevens-belangrijke-verbetering-voor-de-patient. 134

36

2 The Netherlands

framework for processing personal data. Such codes of conduct can be submitted to the Dutch Data Protection Authority for a compliance check. The codes of conduct are approved for the maximum duration of five years. In 2015, the Dutch DPA assessed three codes of conduct (four in 2012, four in 2013, and four in 2014).139 An example of an approved code of conduct in 2016 was that of the use of smart meters by a collective of service providers in the energy sector.140 Another example of an approved code of conduct is that for private investigators.141 The legislator encourages self-regulation and particularly codes of conduct because these supposedly create more concretization of the open-ended, abstract legal framework.142 Another advantage may be that codes of conduct and other types of self-regulation have higher acceptance and compliance rates, because they were drafted by those who are responsible for this compliance. In practice, however, satisfaction levels are rather low, because the Dutch DPA sometimes plays a dominant role and offers limited freedom when creating codes of conduct.143 Drafting codes of conduct is also considered to be a long, time-consuming, costly process, with little concrete benefits.144 This is particularly the case for the private sector.145 Organizations can also create covenants for further cooperation when processing personal data and standard privacy policies for organizations that are specifically tailored for their own sector. Typical examples are the standard privacy policies in the educational sector146 and the public security.147 Finally, the Dutch DPA also establishes policy rules (beleidsregels or richtsnoeren) for specific topics. Policy rules exist for publication of personal data on the internet (2007), information duties of primary schools (2009), applying automatic number plate recognition by the police (2009), publication of government information (2009), copies of identity documents (2012), security of personal data (2013), data breach notifications (2015), camera surveillance (2016) and ill employees (2016).148

139

AP 2016, supplement, p. 7. https://autoriteitpersoonsgegevens.nl/nl/nieuws/besluit-gedragscode-slimme-meters-overigedienstenaanbieders. 141 https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/gedragscodes/gedragscode-voor-particuliererecherchebureaus-2016. 142 Zwenne et al. 2007, p. 78. 143 Holvast 2005, pp. 114–119. 144 Cuijpers 2006. 145 Zwenne et al. 2007. 146 https://www.passendonderwijs.nl/brochures/modelprivacyreglement-samenwerkingsverband/. See also: https://www.kennisnet.nl/artikel/alle-privacyhulpmiddelen-voor-scholen-op-een-rij/. 147 www.veiligheidshuizen.nl/doc/publicaties/modelconvenant-veiligheidshuizen_ob.pdf. 148 https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/thematische-beleidsregels. 140

2.4 Implementation

2.4

37

Implementation

The use of self-regulation and codes of conduct was discussed in the previous section. On the one hand, the government seems to encourage self-regulation and codes of conduct (on paper), while on the other hand, the data protection authority seems to sometimes play a dominant role and leaves little room (in practice). In recent years, the DPA only assessed small numbers of codes of conduct (2–4 each year). Enforcement of the codes of conduct is by the parties themselves, not by the DPA or other supervisory authorities. For more details on information security measures and their implementation, see below. Privacy Officers Prior to the GDPR, there was no obligation under Dutch law to have privacy officers in companies or government organizations. An exception are police forces, which must have a privacy officer according to Article 34 of the Wet Politiegegevens (WPG, the Police Data Act). However, organizations can appoint privacy officers as internal supervisors to the processing of personal data (Article 62 WBP) and the Dutch DPA seems to encourage this.149 Notifying the DPA of personal data processing activities is not required when a privacy officer is appointed and notified. The task of the privacy officer is to keep a registry of personal data processing (Article 30 WBP) and writing an annual report (Article 62 WBP). Privacy officers are subject to some conditions (Article 63–64 WBP). For instance, they have to be natural personals and dispose of adequate knowledge (e.g., regarding the organization and regarding data protection law) and be considered reliable (e.g., regarding professional secrecy). The data controller has to provide the privacy officer with investigative powers and an independent position within the organization. The Dutch DPA keeps a register of privacy officers,150 although notification of privacy officers is not mandatory. Early 2008, there were 215 privacy officers registered at the Dutch DPA.151 In December 2016, there are 722 privacy officers registered.152 Most ministries of the central government have a privacy officer, all police forces have a (mandatory) privacy officer and about 10% of the municipalities have a privacy officer. Other privacy officers can be found in hospitals and police forces.153

149

https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/functionaris-voor-de-gegevensbescherming. https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/functionaris-voor-de-gegevensbescherming. 151 Winter et al. 2009, pp. 91–93. 152 See the list at https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/functionaris-voor-degegevensbescherming. Register A-D: 137, Register E-H: 163, Register I-L: 77, Register M-P: 107, Register Q-T: 165, Register U-Z: 73. 153 Dubbeld 2007, pp. 69–70. 150

38

2 The Netherlands

Privacy officers have organized themselves in the Dutch Society for Privacy Officers (Nederlands Genootschap van Functionarissen voor de Gegevensbescherming, NGFG).154 The NGFG meets four times a year and has about one hundred members and a few associated members. People who are not privacy officers can express their interest, but full membership requires being a privacy officer and being registered as such at the Dutch DPA.155 People who are privacy officers but are not registered at the DPA as such can become associated members. The NGFG cooperates with similar organizations in other European countries in the Confederation of European Data Protection Organizations (CEDPO). This confederation was established in 2011 and has seven members, from Ireland, Austria, France, Spain, Germany, The Netherlands and Poland.156 Although having a privacy officer is not mandatory, organizations choose to appoint them because they value the protection of privacy.157 Privacy officers are mostly recruited internally in organizations. More than one out of four privacy officers are part of the legal staff, a bit less than one out of four privacy officers is part of the board of directors and less than 15% is part of a quality assurance department.158 Although Article 63 sub 2 of the Dutch Data Protection Act prescribes that privacy officers cannot receive instructions from the data controller or the organization that has appointed him or her, almost one out of four privacy officers indicate to have to follow instructions of the management of the organization. This conflicts with the legal requirement of independence.159 An explanation for this may be that most privacy officers fulfill this role only part-time, whereas for the rest of the time they fulfill another role in the organization, a role in which they usually are not independent. Because they are part of the organization, privacy officers also experience difficulties when taking an independent position towards their employer. Privacy officers on average report 1, 4 offences in their organization, but most of their time they are busy with explaining things and creating awareness.160 The role of privacy officer is not very popular.161 An exception to this is the role of privacy officer in multinationals: these are influential roles because protection of privacy is considered an asset that is important for clients and prevents reputational damage.

154 155 156 157 158 159 160 161

http://www.ngfg.nl/. Annual report NGFG 2006–2007. www.cedpo.eu. Mulligan and Bamberger 2015. Winter et al. 2009. Winter et al. 2009. Winter et al. 2009. Winter et al. 2009, p. 63.

2.4 Implementation

39

Security Measures According to Article 13 of the Dutch Data Protection Act, every data controller had to take appropriate technological and organizational measures to secure personal data against loss or unauthorized access. When security is lacking, illegitimate database coupling is facilitated. Appropriate measures can be authorization protocols, authentication procedures and other security measures.162 For determining whether security measures are appropriate, the state of the art of available security technologies and the costs for implementation are relevant. When security measures are outdated, they are not appropriate. When better security measures are available but extremely costly, not using these technologies may not fail compliance with the appropriateness standard. For online applications, higher security standards may be required to meet the appropriateness criterion, because the Internet is an open system with additional privacy risks.163 The Dutch DPA has created guidelines for security measures.164 These guidelines are mainly based on one of the most commonly used standards for information security, is the Code voor Informatiebeveiliging (Code for Information Security).165 This is an NEN/ISO code166 that is part of a group of standards for initiating, implementing, enforcing and improving information security within organizations. These standards are part of a list for which government organization have a comply-or-explain regime.167 The Code for Information Security is a technology neutral standard that can be broadly applied when creating and implementing security measures. For the public health sector, a further specification of the Code for Information Security can be found in NEN 7510.168 When the Dutch Health Care Inspectorate (IGZ) investigated the implementation of this norm, it appeared that before 2003 not one of the twenty investigated hospitals had implemented this norm.169 In 2008, this had not improved.170 Although security measures are available, many electronic patient records are not adequately protected.171 For instance, when information security experts investigated the security of two hospitals, they were able to access one million records of patients.172 Also in other government sectors information security does not seem to be adequately implemented. For instance, the Dutch social intelligence and 162 163 164 165 166 167 168 169 170 171 172

Zwenne et al. 2007. Hooghiemstra 2002. CBP 2013. NEN-ISO/IEC 27002:2007 nl. NEN is Dutch standardization code. Artikel 3 sub b Instellingsbesluit College en Forum Standaardisatie 2012, Stcrt, 2011, 23581. NEN, Steunpunt NEN 7510 (http://www.nen7510.org). IGZ, ‘ICT in ziekenhuizen’, August 2004. CBP 2008. PvG. ‘Implementatie van de Wbp: de resultaten van Prismant’, JPG June 2003. Zwenne et al. 2007.

40

2 The Netherlands

investigation service (SIOD), the supervisory authority for social security, had no security plan and no overview of security measures taken when the Dutch DPA investigated this.173 Also, when audited, the Dutch police had not sufficiently and adequately implemented information security measures for the protection of the personal data it was processing.174 A general picture of the implementation of security measures in the private sector cannot be provided. Although it may be assumed that many organizations take adequate security measures, for instance, to protect their trade secrets, a number of data breaches has occurred in the past (see Sect. 2.1). Principles like privacy by design, privacy by default, need-to-know and role-based access are increasingly used in policy documents, but have not yet resulted in actual implementations, at least not on a larger scale (see Sect. 2.2). Transparency As was already indicated in Sect. 2.1, the Dutch show in general a high level of awareness about the use of personal information by website owners. There are high levels of awareness and acceptance of the use of information by website owners to contact users by email (awareness 86%, acceptance 80%).175 If reading the privacy policies, Dutch people rarely read the whole text (Netherlands 9%, EU average 11%), although they are rather confident that – when reading it – the text is mostly or fully understood (Netherlands 72%, EU average 64%).176 Organizations do not, generally speaking, offer personalized privacy settings. Such options are mostly present in (some) social media, which are services mainly provided by international organizations rather than Dutch organizations. In some cases, anonymized services are offered. For instance, customers of Albert Heijn, one of the biggest supermarket chains in the Netherlands, can opt for an anonymous version of the Bonuskaart, the supermarket’s loyalty card. When the Dutch DPA presented its priorities for 2017, it stressed the focus on transparency, particularly with regard to profiling.177 This may indicate that there is room for improvement when it comes to transparency. As mentioned in Sect. 2.3, the Dutch government attempts to improve transparency regarding the personal data it is processing on citizens with the website www.mijnoverheid.nl (‘my government’). When citizens log in, they can access their personal data, for instance, data in the persons registration, data from the vehicle registration and ownership data in the cadastral registrations.178

173

CBP 2010. Politie 2016. 175 Consent Country Report The Netherlands 2012, p. 4. 176 Consent Country Report The Netherlands 2012, p. 4. 177 https://autoriteitpersoonsgegevens.nl/nl/nieuws/autoriteit-persoonsgegevens-presenteertagenda-2017. 178 https://www.rijksoverheid.nl/onderwerpen/digitale-overheid/vraag-en-antwoord/wat-ismijnoverheid. 174

2.5 Regulatory Authorities and Enforcement

2.5

41

Regulatory Authorities and Enforcement

Supervisory Authorities The Dutch Data Protection Authority (DPA) changed its name in 2016 from College Bescherming Persoonsgegevens (CBP) into Autoriteit Persoonsgegevens (AP). Until 2001, the name of the Dutch DPA was Registratiekamer. The Autoriteit Persoonsgegevens is responsible for addressing infringements of the law, advising on new laws and regulations, being aware of societal dilemmas related to privacy, raising awareness with governmental organizations, businesses and civil society on their respective responsibilities regarding data protection, providing information to enable people to exercise their rights, making the results of its supervisory and enforcement actions public and seeking national and international cooperation in order to better protect personal data.179 The scope of their enforcement activities encompasses the GDPR (and previously the WBP), but also the WPG and the WJSG (see previous section). The AP consists of a board with a chairman and a maximum of two other members. Currently, the board consists of two members, a chairman and vice-chairman.180 The chairman is appointed for a six-year term, which can be renewed once with another six years. Other members are appointed for four years and their term can be renewed once with another four years. Appointments are suggested by the Minister of Security and Justice. There is also an advisory board, consisting of representatives from government, industry and academia.181 Apart from staff departments, there are two major departments that focus on supervision of the public sector and the private sector. The AP currently has approximately 80 employees. In 2015, they had approximately 72.5 employees and an annual budget of 8.2 million euro.182 In 2015, the Dutch DPA performed 43 investigations, mediated in 226 cases and provided advice on 27 legislative proposals.183 Main Activities The five main activities of the Dutch DPA are supervision, providing advice, providing information, education and accountability and international assignments.184 Supervision regards undertaking investigations assessing compliance and, in cases of non-compliance, the use of enforcement powers, including sanctions.

179

https://autoriteitpersoonsgegevens.nl/en/about-cbp/mission-vission-and-core-values. https://autoriteitpersoonsgegevens.nl/nl/over-de-autoriteit-persoonsgegevens/de-leden-van-deautoriteit-persoonsgegevens. 181 https://autoriteitpersoonsgegevens.nl/nl/over-de-autoriteit-persoonsgegevens/organisatie/raadvan-advies. 182 AP 2016, p. 63. 183 AP 2016, p. 63. 184 https://autoriteitpersoonsgegevens.nl/en/node/1930. 180

42

2 The Netherlands

Supervision also includes assessing codes of conduct, mediating disputes and assessing requests for granting exemptions from the prohibition to process sensitive data. Advice is given on legislative proposals that deal with or are related to the processing of personal data and on permits for third country data transfers in case the receiving countries do not have an adequate level of protection. Providing information, education and accountability sees to providing information on how to interpret data protection legislation. This is mainly done via their website and by phone and, as such, is very general. The AP does not mention on their website or in their annual reports organizing any workshops, conferences or educational courses. Also, the AP seems to be restrictive in handling questions of citizens and organizations on how to be compliant with legislation or to be ‘privacy proof’. Therefore, it could be argued that citizen support is limited. International assignments include participation in the Article 29 Working Party, an independent advisory board in which all data protection authorities of the EU and the European Data Protection Supervisor participate, and attending international conferences such as the annual Conference of European Data Protection Authorities and the annual International Conference of Data Protection and Privacy Commissioners. Top priorities of the AP are made public each year. The priorities for 2016 are securing personal data, big data and profiling, medical data, personal data and governments and personal data in labor relations.185 A few years ago, such top priorities were not available.186 There is no extensive dialogue between the Dutch DPA and the organizations under supervision. The main reason seems to be that the DPA is reluctant to have such a dialogue as it may raise conflict of interests when enforcement is required. When the DPA would provide concrete advise on what to do or which measures to take, this may raise issues when these recommendations or measures are evaluated by the DPA. A potential solution for this would be to advise on the results of measures rather than on the measures itself.187 Notifications of citizens (via the DPA’s website)188 may result in further investigations, but the DPA can also start an investigation without such notifications. In 2016, there were 6778 questions and tips from citizens.189 There were 43 investigations and 226 cases in which the DPA mediated for a solution.190 It is not clear how many of these investigations were on the basis of notifications of concerned citizens. Prior to the GDPR, the competences of the Dutch DPA could be found in Articles 60, 61 and 66 of the WBP. Article 60 WBP allows the DPA the

185

https://autoriteitpersoonsgegevens.nl/nl/over-de-autoriteit-persoonsgegevens/agenda. Note that this agenda does not differ significantly from the 2015 agenda. 186 Custers and Zwenne 2009. 187 Custers and Zwenne 2009. 188 https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/tip-ons. 189 AP 2016, p. 64. 190 AP 2016, p. 63.

2.5 Regulatory Authorities and Enforcement

43

competence to start an investigation. Article 61 WBP allowed the DPA to enter (with a warrant of the DPA and under specific conditions) a home without the permission of the residents and to impose an administrative order (including a non-compliance charge). Article 66 WBP allowed the DPA to impose fines with a maximum of 20,500 euro or fines with a maximum of 820,000 euro, depending on the type of violation of data protection law. Fines with a maximum of 20,500 applied, for instance, to cases of illegal third country data transfers. Fines with a maximum of 820,000 euro could be applied by the DPA in most other situations of non-compliance, for instance, when specific orders of the DPA are not followed (Article 66 sub 5 WBP), when personal data are processed without a legal basis, in case of non-compliance with the principles for the fair processing of personal data (e.g., purposes specification, use limitation, etc.), when security measures are absent or inadequate, etc. The competence to impose fines was relatively new: it was only available for the DPA as of January 2016.191 Use of Competences The Dutch data protection authority does not seem to encourage filing complaints: in case of a complaint on the use of personal data, the official advice is to first contact the data controller and, if that does not yield the desired results, to go to court.192 According to the EU Data Protection Directive (and also in the EU General Data Protection Regulation), each supervisory authority shall hear claims lodged by any person, or by any person representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data.193 An interesting question is to which extent the DPA can prioritize particular requests for enforcement. In 2015, the Dutch Council of State, which acts as the Supreme court in cases of administrative law, was asked for advise in a case in which two complainants contested the refusal of the Dutch DPA to process a request for enforcement.194 However, the complainants withdrew the case and no judicial decision was made. The new chairman of the Dutch DPA seems intent to broaden this: in a recent press release he indicated the desire to let the DPA grow into a ‘privacy ombudsman’ where people can ‘file complaints’ (sic).195 A distinction should be made, however, between complaints and requests for enforcement.

191 https://autoriteitpersoonsgegevens.nl/nl/nieuws/cbp-krijgt-boetebevoegdheid-en-wordt-autoriteitpersoonsgegevens. Note that before 2016, there were some limited competences for imposing administrative fines. For instance, failure to notify the processing of data to the DPA could be sanctioned with an administrative fine with a maximum of 4,500 euro (Article 66 WBP). 192 https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-over-gebruik-persoon sgegevens?qa=klacht. 193 See also Article 57 sub 1 sub f of the GDPR. 194 http://www.minbuza.nl/binaries/content/assets/ecer/ecer/import/hof_van_justitie/nieuwe_hof zaken_inclusief_verwijzingsuitspraak/2015/c-zakennummers/c-192-15-verwijzingsbeschikkingrvs.pdf. 195 http://nos.nl/artikel/2150430-5500-datalekken-gemeld-bij-waakhond.html.

44

2 The Netherlands

There are no official statistics available regarding the number of complaints made at the Dutch DPA. In its annual report, the AP states that it received 6778 questions and tips in 2015. This number may include complaints. About one third (34%) of this number relates to commerce and the service industry.196 About 17% is related to government organizations, 15% to labor and 13% to health.197 Since the competence to impose fines is only available to the Dutch DPA since 2016, it was not used in 2015 or before and there are no official statistics available on 2016. Administrative fines were possible, but not imposed in 2015 or the years before.198 The administrative order (including a non-compliance charge) was applied 17 times in 2015, 13 times in 2014, 19 times in 2013 and 12 times in 2012.199 For instance, in 2014, the AP imposed an administrative order to Google with a non-compliance charge of 20,000 euro per day (with a maximum of 5 million euro) because Google was not properly informing its users and not asking for explicit consent regarding the use of their personal data.200 Although the AP can start litigation, this does not happen frequently. A major case is that of the AP against Facebook. In 2015, Facebook refused to provide information during an investigation of the Dutch DPA on its terms and conditions. The case was already scheduled in the courts when Facebook decided at the last minute to cooperate and provide the requested information.201 More recently, in 2016, the AP won a lawsuit against WhatsApp when claiming this company did not comply with several aspects of personal data protection law, for instance, because WhatsApp requested by default access to all contacts of a user, including details on non-users.202 Reputation In 2006, only 17% of the Dutch people had ever heard of the data protection authority.203 In this research, 32% of the people indicated to be satisfied with the information provided by the DPA, whereas 16% was not satisfied. According to a recent survey, 76% of the Dutch people has heard of the data protection authority.204 Hence, it may be concluded that this number has significantly increased the last decade. This may be at least partially due to an active media policy of the DPA: in 2016, the Dutch DPA has been in contact with the media 617 times.205

196

AP 2016, p. 64. AP 2016, supplement, p. 11. 198 AP 2016, supplement, p. 8. 199 AP 2016, supplement, p. 6. 200 http://nos.nl/artikel/2009119-privacywaakhond-dreigt-google-met-miljoenenboete.html. 201 http://www.volkskrant.nl/tech/rechtszaak-facebook-tegen-cbp-van-de-baan*a4003468/. 202 http://www.nu.nl/mobiel/4354627/whatsapp-verliest-rechtszaak-van-nederlandse-privacywaa khond.html. 203 Tolboom and Mazor 2006, p. 15. 204 Roosendaal et al. 2015, p. 39. 205 AP 2016, p. 64. 197

2.5 Regulatory Authorities and Enforcement

45

Companies seem to be more fearful of reputational damage than of fines and increasingly try to avoid publications of the DPA.206 In the past, the DPA has been regarded as a watchdog without teeth,207 but given the increased possibilities for imposing fines, this may be something of the past. Fear of data protection authorities is likely to further increase since the GDPR has come into force in May 2018. Since that date, administrative fines may be imposed of up to 10 or 20 million euro (depending on the type of non-compliance), or in the case of a company, up to 2 or 4% (again depending on the type of non-compliance) of the total worldwide annual turnover of the preceding financial year, whichever is higher.

References Andersson Elffers Felix (2013) Media-analyse identiteitsmanagement. AEF, Utrecht. http://www. aef.nl/aef-onderzoekt-identiteitsmanagement-in-europa AP (2016) Jaarverslag 2015. Autoriteit Persoonsgegevens, The Hague Bongers F, Jager CJ, te Velde R (2015) Big data in onderwijs en wetenschap. Dialogic, Utrecht CBP (2008) Informatiebeveiliging in ziekenhuizen voldoet niet aan de norm. CBP, The Hague CBP (2010) Onderzoek van het College bescherming persoonsgegevens (CBP) naar bestandskoppelingen door de SIOD voor de ontwikkeling van risicoprofielen, z2009-00672, May 2010. CBP, The Hague CBP (2013) Beveiliging van persoonsgegevens. CBP, The Hague Consent Country Report The Netherlands (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Cuijpers CMKC (2006) Verschillen tussen de Wbp en richtlijn 95/46/EG en de invloed op de administratieve lasten- en regeldruk, 22 June 2006. See: www.actal.nl Custers BHM (2016) Etnisch profileren is wettelijk verboden en dat moet zo blijven. Trouw, 7 June 2016, p. 17 Custers BHM, Oerlemans JJ, Vergouw SJ (2015) Het gebruik van drones; een verkennend onderzoek naar onbemande luchtvaartuigen. Boom Lemma Uitgevers, Meppel Custers BHM, Zwenne GJ (2009) Aandachtspunten voor het College Bescherming Persoonsgegevens. Openbaar Bestuur 19(8): 14–17 DDMA (2016) Hoe Nederlanders denken over data en privacy. DDMA, Amsterdam de Groot H (1625) De iure belli ac pacis. Apud Nicalaum Buon, Paris de Vries J (2013) Blijf af van onze privacy. Trouw, 14 June 2014. See: http://www.trouw.nl/tr/nl/ 4324/Nieuws/article/detail/3459001/2013/06/14/Blijf-af-van-onze-privacy.dhtml De Zeeuw J (2009) De FG en de evaluatie van de WBP. Privacy & Informatie, afl. 2, April 2009, pp. 91–93 Dubbeld L (2007) Functionarissen voor de gegevensbescherming: onzichtbare privacybeschermers. Privacy & Informatie, 2007, aflevering 2, pp. 69–70 Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Expertgroep EZ (2016) Licht op de digitale schaduw; verantwoord innoveren met big data. Ministerie van Economische Zaken en Klimaat [Dutch Ministry of Economic Affairs and Climate Policy], The Hague Holvast J (2005) Interview met Jacob Kohnstamm. Privacy & Informatie, 2005-3, pp. 114–119

206 207

van Teeffelen 2015. van Essen 2014; Custers and Zwenne 2009.

46

2 The Netherlands

Hooghiemstra TFM (2002) Privacy bij ICT in de zorg. Bescherming van persoonsgegevens in de informatie-infrastructuur voor de gezondheidszorg. Cbp, A&V 2002 nr. 26, The Hague Koops BJ, Roosendaal A, Kosta E, van Lieshout M, Oldhoff E (2016) Privacy Impact Assessment Wet op de inlichtingen- en veiligheidsdiensten 20XX. TNO, Delft. See: https://www. rijksoverheid.nl/documenten/rapporten/2016/02/12/privacy-impact-assessment-wet-op-deinlichtingen-en-veiligheidsdiensten-20xx Martijn M, Tokmetzis D (2016) Je hebt wel iets te verbergen. De Correspondent BV, Amsterdam Ministerie van Economische Zaken (2016) Aanbieding rapport expertgroep big data en privacy, brief van de minister van economische zaken aan de Tweede Kamer, 4 October 2016 Ministerie van Onderwijs, Cultuur en Wetenschap (2016) Big data in onderwijs, cultuur en wetenschap, brief van de minister van onderwijs, cultuur en wetenschap aan de Tweede Kamer, 28 June 2016 Ministerie van Veiligheid en Justitie (2016) Kabinetsstandpunt over het WRR-rapport Big Data in een vrije en veilige samenleving, brief van de minister van veiligheid en justitie aan de Tweede Kamer. 11 November 2016 Mulligan DK, Bamberger KA (2015) Privacy on the Ground; Driving Corporate Behavior in the United States and Europe. MIT Press NJCM (2016) Financieel jaarverslag 2015. NJCM, Leiden. See: http://www.njcm.nl/site/njcm/ vereniging/vereniging Norberg PA, Horne DR, Horne DA (2007) The Privacy Paradox: Personal Information Disclosure Intentions versus Behaviors. Journal of Consumer Affairs, Vol. 41, No. 1, pp. 100–126 Oerlemans JJ, Custers BHM, Pool RLD, Cornelisse R (2016) Cybercrime en witwassen; bitcoins, online dienstverleners en andere witwasmethoden bij banking malware en ransomware. Boom Juridische Uitgevers, The Hague Olsthoorn P (2016) Big data voor fraudebestrijding WRR, The Hague Ottes L (2016) Big Data in de zorg. WRR, The Hague Politie (2016) Verbeterplan Wet politiegegevens en Informatiebeveiliging. See: https://www. rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2016/05/27/tk-bijlageverbeterplan-wet-politiegegevens-en-informatiebeveiligign/tk-bijlage-verbeterplan-wetpolitiegegevens-en-informatiebeveiligign.pdf Privacy First (2015) Visie op privacy 2.0, visiedocument. Privacy First, Amsterdam. See: https:// www.privacyfirst.nl/index.php?option=com_k2&view=item&layout=item&id=117&Itemid= 156 Privacy First (2016) Jaarverslag 2015. Privacy First, Amsterdam, June 2016 Regeerakkoord (2012) Bruggen slaan, regeerakkoord VVD-PvdA. 29 October 2012 Regeerakkoord (2017) Vertrouwen in de toekomst, regeerakkoord VVD, CDA, D66 en ChristenUnie, 10 October 2017 Roosendaal A, Nieuwenhuis O, Ooms M, Bouman-Eijs A, Huijboom N (2015) Privacybeleving op het internet in Nederland. TNO, The Hague Roosendaal A, van Lieshout M, Cuijpers C, Leenes R (2014) Actieplan privacy. TNO, The Hague Sandee R (2014) Het zwarte gat van de internetconsultatie. SC Online, 28 October 2014. See: http://www.sconline.nl/achtergrond/het-zwarte-gat-van-de-internetconsultatie Schneier B (2009) State Data Breach Notification Laws: Have They Helped? Information Security, January 2009 Schulze Greiving V, te Kulve H, Konrad K, Kuhlman S, Pinkse P (2016) Nanotechnologie in dienst van veiligheid en justitie. University of Twente - Department of Science, Technology and Policy Studies (STePS), Enschede Tolboom M, Mazor L (2006) Bekendheid en beleving informatieplicht onder burgers; kwantitatief onderzoek onder burgers. TNS-NIPO Consult, Amsterdam Van der Leest (2014) We zijn allemaal naakt. Joop, 3 September 2014. See: http://www.joop.nl/ opinies/we-zijn-allemaal-naakt van der Sloot B, Broeders D, Schrijvers E (2016) Exploring the Boundaries of Big Data. Amsterdam University Press, Amsterdam

References

47

van der Sloot B, van Schendel S (2016) International and comparative legal study on Big Data. WRR, The Hague van Essen J (2014) CBP een waakhond zonder tanden? Mr-online, 1 December 2014. http://www. mr-online.nl/opinie/432-wetgeving/25169-cbp-een-waakhond-zonder-tanden van Lieshout M, Kool L, Bodea G, Schlechter J, van Schoonhoven B (2012) Stimulerende en remmende factoren van Privacy by Design in Nederland. TNO, Delft van Schendel S (2016) Het gebruik van Big Data door de MIVD en AIVD. WRR, The Hague van Teeffelen K (2015) Organisaties zijn banger voor reputatieschade bij schending privacy. Trouw, 29 April 2015 Versmissen JAG, Terstegge JHJ, Siemers KM, Tran TH (2016) Evaluatie Toetsmodel PIA Rijksdienst. Privacy Management Partners, Utrecht Winter HB, De Jong PO, Sibma A, Visser FW, Herweijer M, Klingenberg AM, Prakken H (2009) Wat niet weet, wat niet deert. Een evaluatieonderzoek naar de werking van de Wet bescherming persoonsgegevens in de praktijk. Groningen Woods T (2012) How the Catholic Church Built Western Civilization. Regnery Publishing, Inc., p. 5 and pp. 141–142 Wright D, de Hert P (2012) Privacy Impact Assessment. Springer, Heidelberg WRR (2016) Big data in een vrije en veilige samenleving. Amsterdam University Press, Amsterdam Zwenne GJ, Duthler AWW, Groothuis M, Kielman H, Koelewijn W, Mommers L (2007) Eerste fase evaluatie Wet bescherming persoonsgegevens. WODC, The Hague

Chapter 3

Germany

3.1

General Situation

Germany is a federal republic, consisting of sixteen federal states (Bundesländer, or Länder in short). This structure was created in 1949, in the aftermath of 1949. With the German reunification in 1990, federal states of the former DDR (Eastern Germany) ascended into the federal republic. The German federal constitution contains provisions for exclusive responsibilities for the federation (the federal level), such as foreign affairs and defense.1 All other responsibilities, including legislative authority, remain at the state level, including education, science and culture. For privacy and data protection, both the federal government and the states have legislative competences and supervisory authorities. The federal German constitution has an extensive catalogue of ‘basic rights’ (Grundrechte).2 The strong focus on basic rights is a result of the aftermath of World War II, which yielded a reluctance towards too many government powers. These basic rights apply directly to German citizens.3 The catalogue of basic rights includes in Article 10 of the federal German Constitution, which protects the secrecy of correspondence, posts and telecommunications. The right to privacy is not mentioned literally in the German constitution. Contours of the right to privacy could already be distinguished in the Elfes case of the federal constitutional court (Bundesverfassungsgericht) in 1957.4 The right to privacy (or rather the right to informational self-determination) was constructed from the right to protection of

1

Kommers 2012. Note that the federal states in Germany also have their own constitutions. These also contain basic rights. In this report, we will focus on the federal constitution only. 3 Pintens 1998. 4 BVerfG 16 January 1957 (Elfes) NJW 1957. For the development of the right to privacy in Germany, see also Janssen 2003, pp. 296 et seq. 2

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_3

49

50

3 Germany

personal freedom (Article 2, para 1) and the protection of human dignity (Article 1, para 1) by the Federal Constitutional Court (Bundesverfassungsgericht) in the Mikrozensus case in 1969.5 Germany is a signatory to the Universal Declaration of Human Rights (‘UDHR’), the European Convention on Human Rights (ECHR) and the International Covenant on Civil and Political Rights (‘ICCPR’), three legal instruments that contain a right to privacy (in Articles 12, 8 and 17 respectively). Also, the provisions in the European Convention on Human Rights and the EU Charter of Fundamental Rights provide strong guidance in the German legal landscape. In Germany, there is a dualistic approach towards international law, meaning that international and national law are considered as separate legal systems and provisions in international treaties require implementation in national law before being applicable in national law. In comparison to other EU countries, the Office of the Federal Commissioner for Data Protection (Bundesdatenschutzbeauftragte or BfDI) does not compile statistics or surveys on the general level of data protection awareness.6 However, other sources7 indicate that German citizens are quite attentive to data protection issues and developments. The same goes for private organizations and companies. Accordingly, their data protection compliance measures are usually of a high standard. To substantiate these insights, some additional findings from the third party surveys will be discussed below. Internet Use Germany has a population of more than 80 million inhabitants, of which it is estimated that more than 71 million or 89% have access to Internet services. Yet, it appears that when compared to the overall situation in the EU, Germans are reluctant to use certain online services. Germany is one of the countries in which less than half of the people (46%, EU average 57%) use online social networks once a week.8 This attitude seems to reflect a general skepticism towards US tech companies and social media platforms.9 A similar number (48%) uses instant messaging or chat websites once a week.10 Furthermore, it appears that a relatively low number of German citizens use the Internet to play online games (17%, EU average 25%) or to exchange movies or music (8%, EU average 18%) by means of peer-to peer software. German citizens have also the lowest score (18%, EU average 27%) in using online phone and video calls.11 However, there are some

5

BVerfG 16 July 1969 (Mikrozensus) 1 BvL 19/63. See also Dörr and Aernecke 2012, p. 114. Based on survey results (see Sect. 1.3.4). 7 Vodafone Survey on Big Data 2016; Eurobarometer 431 2015; EMC Privacy Index 2014; Consent Country Report Germany 2012. 8 Eurobarometer 431 2015, p. 109. 9 Hohmann 2018. 10 Eurobarometer 431 2015, p. 110. 11 Eurobarometer 431 2015, p. 111. 6

3.1 General Situation

51

types of online services Germans are more inclined to use. For instance, about 95% shop online (compared to 87% EU average).12 Also, 40% of Germans use online banking at least once a week.13 Control According to a recent survey about 42% of the Germans feel to only partially have control over the information they provide online, while 45% of the people do not feel in control at all.14 Furthermore, only 4% feel to have complete control. This seems to indicate that Germany is below the EU averages with regard to partial control (EU average 50%) and full control (EU average 15%), and above average in relation to no control (EU average 31%). Overall, Germans seem to be quite concerned about the lack of control. About 70% of the people indicate concern, compared to an EU average of 69%. 78% of the Germans consider providing personal information as an increasing part of modern life, which exceeds the EU average (71%).15 In this context, about 38% indicates that providing personal data is not a big issue, while 56% is concerned about it.16 When inquired whether they mind providing personal information in return for free online services, 49% of the Germans do.17 This finding is confirmed by another recent survey, in which about 54% of the German people indicated they would rather pay for an online service than allow the online service provider to use some of their personal data for commercial purposes.18 Awareness In comparison to the rest of the EU, Germans show the highest level of awareness regarding the use of personal information by website owners.19 In detail, German people show an above-average level of non-acceptance to website owners using users’ personal information to customize the user content and advertising and there are substantially higher levels of non-acceptance for contacting users by email, in-depth gathering of information, selling it, or making it available to others. Such practices are seen as largely unacceptable and commercial trade-offs in this respect also meet little acceptance. Here, again, Germany generally shows the highest level of non-acceptance (83%, EU average 74%). Actual experience of privacy invasions is comparably high with German citizens scoring 3.36 (EU average 2.89) on a 7 point scale (1 = never, 7 = very frequently).20

12

Consent Country Report Germany 2012, p. 3. Eurobarometer 431 2015, p. 110. 14 Eurobarometer 431 2015, p. 10. 15 Eurobarometer 431 2015, p. 29. 16 Eurobarometer 431 2015, p. 32. 17 Eurobarometer 431 2015, p. 40. 18 Vodafone Survey on Big Data 2016, p. 79. 19 Consent Country Report Germany 2012, p. 4. 20 Consent Country Report Germany 2012, p. 4. 13

52

3 Germany

When dealing with privacy policies, comparatively many Germans (50%, EU average 47%) ever decided not to use a website due to their dissatisfaction with the site’s privacy policy, but about half of the German people never or rarely actually read a site’s terms and conditions (45%) or privacy policy (39%).21 If reading the privacy policies, Germans, like other EU citizens, rarely read the whole text (Germany 13%, EU average 11%), although there is a high level of confidence that – when reading it – the text is mostly or fully understood (Germany 73%, EU average 64%). Trust When looking at trust in more detail, Germans are mostly in line with the EU average. This is true for sectors such as health and medicine (77%, EU average 74%), public authorities (71%, EU average 66%) and banks and finance (57%, EU average 56%). Trust in shops and stores is with 39% also very close to the EU average (40%). The same goes for telecommunications and internet providers (32%, EU average 33%). Trust in online businesses like search engines is 19%, which is slightly under the EU average (24%). When asked about the general risks related to the disclosure of personal information on social media websites, Germans appear to generally perceive slightly less risk than the overall EU average. This is true also for the specific risks (personal safety being at risk, becoming a victim of fraud, being discriminated against, or reputation being damaged), where German citizens score lower than the EU average. However, in relation to the likelihood of information being used by data controllers without the user’s knowledge (Germany 89%, EU average 74%), information being shared with third parties without user’s agreement (Germany 82%, EU average 81%) and information being used to send unwanted commercial offers (Germany 90%, EU average 81%), German people seem to perceive a higher risk than the average EU citizen.22 Protective Actions The number of Germans that tried to change privacy settings in their social media profiles is 54% (EU average 57%).23 An overall of 61% (compared to EU average 64%) finds it easy to make such changes.24 People who do not change the privacy settings indicate to trust the website to set appropriate privacy settings (26%), do not know how to change the settings (24%), are not worried about having personal data online (19%), do not have time to look at the options (12%) or did not know they could change the settings (24%).25 Germans that often or always change the privacy settings of their personal profiles on social media sites are with 77% high

21

Consent Country Report Germany 2012, p. 4. Consent Country Report Germany 2012, p. 4. 23 Eurobarometer 431 2015, p. 92. 24 Eurobarometer 431 2015, p. 95. 25 Eurobarometer 431 2015, p. 98. 22

3.1 General Situation

53

above the EU average (54%). Furthermore, 90% (EU average 80%) of those Germans who change privacy settings indicated that they made the privacy settings stricter so that others can see less information about them.26 On the level of particular technical measures taken to maintain or increase personal Internet security, some practices (pop-up window blockers, checking opt-in or opt-out boxes, checking for spyware, deleting the browser history) are more established than others (such as blocking emails), with the Germans showing results that are generally above the EU average.27 The ability to take those technical measures points at a certain level of perceived control towards these data controller’s practices.28 National Politics The results of the German elections held in 2017 led to difficulties in forming a government for a longer period of time. In early March 2018, an agreement was reached and the governing coalition was confirmed to consist of the Christian Democratic Union (CDU/CSU) and the Social Democratic Party (SPD). The coalition agreement,29 seems to hint towards the beginning of a new era in German data protection – one that focuses more on data as fuel of innovation and services, while maintaining the previously achieved data protection standards. The parties agree among other things to work towards strengthening the competences of the individual user, and to promote and support the development of innovative consent management. Further, in order to facilitate the easy transfer of the user’s data from one platform to another by the users themselves, the government envisions developments in data portability and interoperability.30 The digital milestones in the coalition agreement are not, however, met without hesitation.31 Among the major political parties there appears to be a growing consensus in favor of stronger privacy and data protection. The Left Party (Die Linke), the liberal Free Democratic Party (FDP), the Green Party (Bündnis 90/Die Grünen), and the Pirate Party (Die Piratenpartei)32 collectively oppose unconditional data retention, one of the most debated matters in data protection.33 The FDP has voiced some concerns about the constitutional conformity of video surveillance in public spaces, while the Green, Left and Pirate parties generally oppose it. Video surveillance in public spaces has been part of a heated public

26

Consent Country Report Germany 2012, p. 4. Consent Country Report Germany 2012, p. 3. 28 Consent Country Report Germany 2012, p. 38. 29 https://www.cdu.de/system/tdf/media/dokumente/koalitionsvertrag_2018.pdf?file=1, pp. 46, 47. 30 https://www.cdu.de/system/tdf/media/dokumente/koalitionsvertrag_2018.pdf?file=1, p. 46. 31 Hohmann 2018. 32 The Pirate Party is a new political player with the primary objective to further privacy and data security. 33 Based on survey results (see Sect. 1.3.4). 27

54

3 Germany

debate ever since on New Year’s Eve 2015 numerous sexual assaults took place without police intervention.34 Although the governing coalition had committed to extend video surveillance in its 2013 coalition agreement, a recent court ruling has partially deemed current video surveillance methods in public spaces unconstitutional. The ruling thereby posed questions as to the government’s aspired surveillance efforts. Furthermore, all of the major parties are in favor of ‘net neutrality’ or to treat all data on the Internet in the same way and according to the same rules. They also oppose network surveillance and data trade without the user’s explicit consent. The Left Party advocates a right to be forgotten, while the Green Party wants to elevate data protection to a constitutional right. The Pirate Party on its turn is in favor of extending the privacy of letters to all forms of communication.35 Despite these ongoing debates, it should be noted that during the 2013–2017 election cycle the German parliament has voted on data protection on two occasions only.36 The German Federal Data Protection Act (FDPA or Bundesdatenschutzgesetz) guarantees the existence of a Federal Commissioner for Data Protection and Freedom of Information (for more details, see Sect. 3.5). While the Commissioner oversees data protection in public federal bodies, corporations, and in telecommunication and postal services, he also actively informs the public on data protection. In addition, the Foundation for Data Protection (Stiftung Datenschutz),37 established by the German government in 2013, aims to promote privacy ‘self-protection’. Media Attention Both data protection developments and incidents are regularly featured in German mainstream media outlets.38 Furthermore, several specialized online media platforms (www.heise.de, www.golem.de and www.netzpolitik.org) cover developments in data protection and data security. While the first two platforms focus more on the technological aspects, netzpolitik.org publishes regular contributions on all issues surrounding the discussion on Internet and society, including but not limited to data protection, net neutrality, the regulation of the Internet, the impact of politics on the Internet and vice versa, and digital freedoms and their implementation.39 Interestingly, netzpolitik.org is almost entirely funded by its readers and publishes

34

Eddy 2016. Based on survey results (see Sect. 1.3.4). 36 Based on survey results (see Sect. 1.3.4). 37 https://stiftungdatenschutz.org/startseite. 38 See for instance these contributions on data protection related topics by some of Germany’s major newspapers and broadcasters: http://www.faz.net/aktuell/politik/inland/mangelnder-datenschutz-fuerwohnungssuchende-14484176.html; http://www.handelsblatt.com/adv/digitalatscale/spark-finalistrelayr-ploetzlich-vernetzt-/14545808.html; http://www.zeit.de/2016/43/datenschutz-terrorabwehrgeheimdienste-fluechtlinge-chemnitz; https://www.tagesschau.de/inland/faq-ip-adressen-103.html. 39 https://netzpolitik.org//about-this-blog/. 35

3.1 General Situation

55

annual reports of how it makes use of the received donations.40 All three platforms usually express strong pro data protection opinions.41 The Snowden revelations on the NSA and the following disclosure of similar activities performed by the Federal Intelligence Agency (Bundesnachrichtendienst or BND) still very much dominate the nationwide discussion on privacy and data protection in the media.42 Accordingly, data transfer to the United States before and after the Safe Harbor judgement of the EU Court of Justice continues to be topical.43 A heated public debate has been also triggered by a proposed bill on video surveillance that aims to expand existing surveillance authorities.44 In addition, the discussions (and disagreements) between different branches of the government in relation to the draft legislation aimed to implement the GDPR in 2018 have a permanent place in Germany’s major newspapers and broadcasters. In this regard, a statement by Angela Merkel advocating a departure from the principle of data minimization has contributed to additional controversy.45 Data Breaches Project Data Protection, an initiative launched in September 2009 by PR-COM,46 documents data protection incidents such as data breaches or data leaks within German public or private organizations.47 In addition, it actively traces all events related to the Snowden revelations. It thereby takes account of the fact that incidents are now occurring in such a large number that it becomes increasingly difficult to keep track of them. It also aims to sensitize all stakeholders to deal with data carefully and responsibly. Project Data Protection lists all reported data protection incidents on its website, and provides information on the date and origin of the information, the nature of the data incident, the affected organization and the number of affected individuals.48 Most of the affected entities are private organizations, although some entries do

40 https://netzpolitik.org/2016/jahresbericht-uns-liegen-die-einnahmen-nicht-nur-vor-wir-veroeffent lichen-sie-auch/. 41 Based on survey results (see Sect. 1.3.4). 42 Based on survey results (see Sect. 1.3.4). 43 http://www.handelsblatt.com/my/technik/it-internet/attacke-auf-google-und-co-transatlantischedaten-blockade/12506476.html?nlayer=Organisation_11804700; http://www.handelsblatt.com/ technik/sicherheit-im-netz/datenschutz-in-deutschland-so-ungeschuetzt-sind-deutsche-surfer-im-netz/ 14592766.html. 44 Based on survey results (see Sect. 1.3.4). 45 http://www.handelsblatt.com/politik/deutschland/merkel-gegen-datensparsamkeit-bundesregierungzerstreitet-sich-ueber-datenschutz/19237484.html. 46 PR-Com is an agency for strategic company communications and PR in Munich, http://www. pr-com.de. 47 https://www.projekt-datenschutz.de/ueber-die-projekte. 48 https://www.projekt-datenschutz.de/datenschutzvorfaelle.

56

3 Germany

point out data incidents within public bodies as well. Some of the recently reported incidents are briefly discussed below. One of the latest notices (February 2017) concerns an energy company in Wissen (Rhineland-Palatinate), which emailed around 800 of its customers and accidentally included the emails of all addressees in cc. The managing director of the company issued a public statement regretting the incident and assuring the public that all necessary steps to comply with the companies’ legal obligations have been taken.49 Another signal from November 2016 reports a hacking attack into a carpooling portal. The affected company issued a security warning that the archived data of former customers had been compromised, including about 638,000 IBAN/bank account numbers, 101,000 e-mail addresses and 15,000 mobile numbers, as well as names and addresses.50 The company stated that no misuse had been reported yet. It further set up a telephone hotline to allow customers to inquire whether their data has been affected. A data protection incident that apparently has affected millions of individuals since the end of 2011, relates to a security gap within the computer system of Aerticket, a Berlin-based airline ticket provider. Names and addresses of passengers, travel data such as departure airport, airline, date and price of the flight ticket were easily accessible online. If a ticket was paid by a bank transfer, the invoices included IBAN and BIC of the customers and portrays this information as well. The gap is now remedied and according to Aerticket was not exploited by criminals. The matter was investigated by the Berlin DPA.51 Exact data regarding law suits or economic damages following these data protection incidents is not available. Civil Rights Organizations There are several civil rights organizations campaigning for data protection and privacy rights of both German and European citizens. The influence of these organizations on legislative matters and the enforcement of provisions is not to be underestimated. They actively take part in legislative committees by submitting statements on the respective legislative proposals. Further, they see it as their mission to expose data abuses in companies and state bodies. They usually seek to attract the public’s attention on the matter by giving press statements and by hosting events or lectures to feed the data protection dialogue. Some of the main actors in the field are addressed below. The Consumer Advice Centers (Verbraucherzentralen or CACs) are independent non-profit organizations predominantly financed by public funds and located in all 16 federal states. Their umbrella organization (Verbraucherzentrale 49

https://www.projekt-datenschutz.de/vorfall/mailing-versehentlich-ffentlichem-verteiler? position=0&list=_82070XiNPLS1iD65vURVFw7nY689qoiB8uWo-uUWck. 50 https://www.projekt-datenschutz.de/vorfall/mitfahrgelegenheitde-daten-gestohlen?position= 4&list=_82070XiNPLS1iD65vURVFw7nY689qoiB8uWo-uUWck. 51 https://www.projekt-datenschutz.de/vorfall/pers-nliche-angaben-von-millionen-flugreisendenoffen-im-web?position=16&list=_82070XiNPLS1iD65vURVFw7nY689qoiB8uWo-uUWck.

3.1 General Situation

57

Bundesverband) consists of the 16 state organizations plus 25 other civil rights organizations. Their mission is to provide the public with information on certain consumer-relevant topics and to represent the interests of consumers in political discussions on local and federal level. The CACs operate as a special interest group between the public authorities, the different industry sectors and the public. Consumer privacy and data protection are topics the CACs are deeply concerned with. They therefore actively take part in the respective political decision making processes by lobbying and submitting statements on new legislative initiatives on behalf of the consumers.52 Founded in 1997, the German Privacy Association (GPA) is a non-profit association that represents the interests of citizens as data subjects. One of the association’s priorities is to advise and educate citizens in relation to the risks of electronic data processing and the corresponding implications for their right to informational self-determination. For that purpose, the GPA regularly publishes a newsletter and holds press conferences. It also organizes lectures and speeches during public events and debates, and hosts data protection seminars for different target groups (trade unions, personnel boards, etc.) in cooperation with several partner organizations.53 The association furthermore participates in parliamentary expert hearings on general and specific data protection acts on both state and federal level. The Network Data Protection Expertise (NDPE or Netzwerk Datenschutzexpertise) is a consortium of data protection experts that aim to stimulate the public discussion on data protection issues and on the protection of basic rights in the digital world in general. The organization sees itself as a necessary supplement to the work of other civil rights entities. The NDPE seeks to provide qualified scholarly articles on a variety of topics such as information technology, the fundamental right to confidentiality and probity in information technology systems, the freedom of speech on the Internet, the freedom of information on the Internet, as well as on other constitutional rights, as long as they are related to digitalization. The NDPE examines specific issues, legislative drafts or legal statements.54 The Association for Data Protection and Data Security (ADPDS) was founded in 1976 and stands as a non-profit organization for practical and effective data protection. It engages with government officials, data protection authorities, associations and privacy experts worldwide. The association helps data controllers, and particularly their data protection officers (DPOs) in the exercise of their duties, to achieve a proper balance between the interests of data subjects who merit protection and the equally justified need for information on the part of controllers. A major goal of the ADPDS is to strengthen effective self-regulation and corporate

52

https://www.verbraucherzentrale.nrw/home; http://www.vzbv.de/. https://www.datenschutzverein.de/. 54 http://www.netzwerk-datenschutzexpertise.de/. 53

58

3 Germany

self-monitoring to make state supervision and data protection controls unnecessary as far as possible.55 The Foundation for Data Protection (Stiftung Datenschutz) was founded in 2013 as an independent institution by the federal government. Its goal is to provide a platform for discussion to the different stakeholders from the public, policy, industrial and research sectors to develop proposals for a practice-oriented and well working data policy in Germany. The foundation supports the work of the data protection authorities on state and federal level as a neutral actor. It further works towards improving the sensitization of the public regarding the value of their personal data.56

3.2

National Government Policies

National Policies, Privacy Impact Assessments In 2011, the Federal Office for Information Security (FOIS – In German: BSI or Bundesamt für Sicherheit in der Informationstechnik) published a Guideline57 for the implementation of the Privacy Impact Assessment Framework (PIAF) for radio frequency identification devices (RFID) developed by the industry and co-regulated by the European Commission back in May 2009.58 The purpose of the Guideline was to enable the German industry to efficiently comply with the recommendations of the PIAF, while at the same time promoting the safe use of RFIDs. To develop the guidelines, the FOIS worked in close cooperation with the Vienna University of Economics and Business Administration.59 The guidelines explain extensively to whom the PIAF applies and offer a detailed methodology on how to assess that.60 The document outlines privacy targets, threats and controls in detail; furthermore, it includes an evaluation process that qualitatively analyses privacy demands and threats so that adequate control measures can be chosen.61 PIAs (or Datenschutz-Folgenabschätzung) were not mandatory under the Federal Data Protection Act.

55

https://www.gdd.de/ueber-uns. https://stiftungdatenschutz.org/ueber-uns/die-stiftung/. 57 Ötzel et al. 2011. 58 European Commission 2009. 59 https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/RadioFrequencyIdentification/PIA/ pia_node.html. 60 https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ElekAusweise/PIA/Privacy_Impact_ Assessment_Guideline_Langfassung.pdf?__blob=publicationFile&v=1. 61 https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ElekAusweise/PIA/Privacy_Impact_ Assessment_Guideline_Langfassung.pdf?__blob=publicationFile&v=1. 56

3.2 National Government Policies

59

Privacy and Data Protection in New Policies In general, privacy and data protection are important matters to all political parties in Germany. However, some of the strict control over access to public information such as tax and employment records seems to have been loosening to meet the EU goal of achieving greater standardization of data protection regulations.62 In addition, as noted above,63 the main objectives of the governing coalition point towards an ambition to facilitate a ‘European Digital Economy’. Noteworthy is also a dominant policy debate regarding the increased use of employers (46%) of social media platforms to gain information about potential employees.64 Current data protection law does not restrain an employer to search social media for information that is of interest for recruitment purposes or even the current employment.65Accordingly, there is an emergent awareness that potential and current employees need better protection, especially those at the beginning of their career, from the adverse effects of publications they may have made about themselves.66 Following the notion that all parts of society should benefit from and participate in the technological progress, the federal government’s ‘Digital Agenda’ encourages the development of innovative services.67 The Agenda identifies as priorities economic growth and employment, access to and participation in the digital world, and security and confidence within the IT infrastructure. As a necessary prerequisite to accomplish these goals the government has set to create an infrastructure that copes with the challenges of new data streams. Different federal ministries engage in this field to implement the Digital Agenda. Noteworthy is, for instance, the involvement of the Federal Ministry of Education and Research.68 It supports various projects that deal with big data, the most prominent of which is ‘Abida – Assessing Big Data’.69 Abida is an interdisciplinary project that studies the opportunities and risks of big data.70 The project serves as a knowledge hub for scientists and practitioners from different fields that work on big data issues.

62

Koch 2016, p. 122. Koch 2016, p. 49. 64 Werry et al. 2017, p. 136. 65 Werry et al. 2017, p. 136. 66 Werry et al. 2017, p. 136. 67 https://www.digitale-agenda.de/Webs/DA/DE/Home/home_node.html; https://www.bmwi.de/ BMWi/Redaktion/PDF/Publikationen/digitale-agenda-2014-2017,property=pdf,bereich=bmwi2012, sprache=de,rwb=true.pdf. 68 https://www.bmbf.de/de/big-data-management-und-analyse-grosser-datenmengen-851.html. 69 www.abida.de. 70 http://www.abida.de/de/content/forschungsfragen-und-ziele. 63

60

3 Germany

Societal Debate The German government hears a number of NGOs and representatives of private organizations in the process of drafting new data protection legislation and before enacting it. In this sense the government’s approach towards designing new policies can also be considered reactive for taking into account the concerns of the public. Further, additional information may reach governmental entities by petitions and private submissions to the legislative bodies and other state authorities, to which every citizen is entitled.71 Information Campaigns The Federal DPA (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) publishes numerous information materials and in-depth activity reports intended for both the legislative bodies and the general public.72 The state level data protection authorities do the same for their respective activities. All DPAs are constantly looking for new venues and strategies to promote data protection awareness and to publicize corresponding information.73 Some federal ministries also regularly publish informational materials related to data protection issues, although these usually have a broader scope. In 2014, the Federal Ministry of Economics and Energy, the Federal Ministry of the Interior and the Federal Ministry for Transport and Digital Infrastructure jointly introduced a collective brochure ‘Digitale Agenda 2014–2017’ (digital agenda) intended as a manual of the government’s digital policy for the citizens.74 The brochure illustrates Germany’s digitalization approach in a number of sectors and the instruments (and initiatives) the government has put in place to implement it. The main topics of the manual are digital infrastructure; digital economy and work; the state’s innovation; education, research, media and culture; and security and safety for society and the economy.75 The latter section extensively deals with data protection of the citizens (and consumers) on the Internet. The participating ministries regularly publish reports and research papers on developments concerning the Digital Agenda. The latest report on data protection ‘Sicher unterwegs im Netz’76 (safely navigating through the Internet) was published in 2016 and contains tips on how to protect oneself against the misuse of personal data.

71

Based on survey results (see Sect. 1.3.4). Based on survey results (see Sect. 1.3.4). 73 Based on survey results (see Sect. 1.3.4). 74 http://www.bmi.bund.de/SharedDocs/Downloads/DE/Broschueren/2014/digitale-agenda.html. 75 http://www.bmi.bund.de/SharedDocs/Downloads/DE/Broschueren/2014/digitale-agenda.pdf; jsessionid=6655B3B8D024FE8B5F1790C4FBDDA3B2.2_cid287?__blob=publicationFile. 76 https://www.bundesregierung.de/Content/Infomaterial/BPA/Bestellservice/Sicher_unterwegs_ im_Netz.pdf?__blob=publicationFile&v=17. 72

3.3 Laws and Regulations

3.3

61

Laws and Regulations

Implementation of the EU Directive The 16 federal states in Germany (die Bundesländer) implemented the EU Data Protection Directive 95/46/EC in their state data protection laws sooner than the federal German legislator. Still, this was after the EU deadline. This state legislation applies only to the states’ public sectors. The Federal Data Protection Act (FDPA or Bundesdatenschutzgesetz) implemented the EU Data Protection Directive into federal German law with a delay of two and a half years.77 Previous attempts to implement the Data Protection Directive on a federal level had failed due to disagreements on the reform’s desired extent. While some wanted to use the occasion for a comprehensive reform of the German data protection law, others insisted on keeping the previous data protection act as it was and on merely carrying out selective changes. Under the pressure of an infringement procedure following Article 226 ECT (today Article 258 TFEU) launched by the European Commission against Germany,78 the German legislator eventually decided to limit the reform for the time being. Thus, only a few aspects have been introduced in addition to the EU Data Protection Directive’s minimal requirements.79 The legislation came into force in 2001 and has undergone major amendments in 2003 and in the first half of 2009. The amendments of 2003 pertained mainly to the registration of processors and the rights and duties of privacy officers.80 The changes made in 2009 concerned individual provisions and appear to have served the juridical solution of isolated case problems.81 They 2009 amendments further raised existing fines for serious data breaches to €300,000.82 The FDPA is considered to lack clarity and to contain many unclear legal concepts and ambiguous legal exceptions.83 In addition, the implementation was found insufficient by the European Court of Justice (ECJ) as well.84 In the opinion of the judges, the German data protection reform does not fulfill the demands of the data protection directive, so that the FDPA 2001 constituted a violation of European law.

77

The conversion of the directive would have had to occur until 24.10.1998. Commission of the European Community against the Federal Republic of Germany, Rs. C-443/ 00. 79 Pseudonymisierung, data thrift and data avoidance, videosupervision and data protection audit count to these among other things. 80 https://www.bfdi.bund.de/bfdi_wiki/index.php/Synopse_BDSG_1990-2001-2003. 81 Based on survey results (see Sect. 1.3.4). 82 Koch 2016, p. 122. 83 Based on survey results (see Sect. 1.3.4). 84 EuGH, Urt. v. 9.3.2010 – Rs. C-518/07. 78

62

3 Germany

Sectoral Legislation Both the FDPA and the state-level Data Protection Acts are only applicable if there are no further specific regulations regarding the respective data protection constellation. For instance, the Telecommunications Act (Telekommunikationsgesetz) contains sector-specific data protection provisions that apply to telecommunications service providers such as Internet access providers. The Telemedia Act (Telemediengesetz) also contains sector-specific data protection provisions that apply to telemedia service providers such as website providers. In addition, rules for online marketing by means of email, SMS or MMS are set out in the Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb). Following the requirements set out in Article 8 EU Data Protection Directive, the FDPA contains provisions for ‘special categories of personal data’ in Sections 13 (2), 28 (6) to (9) and 29 (5). Section 3 (9) clarifies that ‘special’ refers to information regarding a person’s racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life. The list is exhaustive and based on the principle of non-discrimination under Article 14 ECHR.85 Information on criminal offences is not considered to be sensitive personal data. The provisions are exposed to the criticism that the severity of effects when dealing with sensitive data does not entirely depend on the nature of the data itself, but also on the context of its use.86 Dealing with a seemingly harmless indication such as an address can become extremely sensitive when it turns out to be the location of a psychiatric institution. Section 3 (9) does not include any further guidance on how to determine the data’s status. For many types of information it is therefore usually necessary to examine whether they belong to one of the special categories (like, for instance, an annotation ‘participation in back gymnastics’ is considered an indication of a state of health). With regard to the ratio legis to protect against discrimination, data which indirectly convey information on the categories of data specified in Section 3 (9) are also to be considered sensitive. For instance, the skin color reveals the person’s race, the participation in a religious ceremony reveals their religious conviction, and the participation in a special rehabilitation or self-help group indicates a medical history. However, should there be doubt about the data’s conclusiveness (for example, because the group also includes people with no pre-existing condition), the data is to be treated as non-sensitive.87 The FDPA rules make it more difficult to process sensitive data without prohibiting it altogether. The processing regulations can be found in Sections 13 (2), 14 (5) and (6), 16 (1) no. 2 for public bodies and in Sections 28 (6) to (9), 29 (5), 30 (5) and 30a (5) for the non-public area. The collection, processing and use of sensitive data requires, according to section 4a (3), the data subject’s consent to expressly refer to these data. 85

https://www.bfdi.bund.de/bfdi_wiki/index.php/3_BDSG_Kommentar_Absatz_9. Kommentar zum BDSG, 10. Auflage, § 3. 87 https://www.bfdi.bund.de/bfdi_wiki/index.php/3_BDSG_Kommentar_Absatz_9. 86

3.3 Laws and Regulations

63

The FDPA contains also additional processing rules that apply to the processing of CCTV footage, and German data protection authorities have issued guidelines on the use of CCTV in 2014. Furthermore, although not considered sensitive data, information on criminal offences (especially in relation to criminal offences committed by employees) is treated as more sensitive than other personal data.88 Self-regulation and Codes of Conduct Self-regulation is explicitly encouraged by Section 38a of the FDPA, which formally implements the requirement embedded in Article 27 EU Data Protection Directive. The provision allows for the industry-wide or sector-specific development of data protection guidelines in the form of Codes of Conduct (CoC), which are subject to the administrative approval of the respective supervisory body.89 The rationale behind the guidelines is to render additional sector-specific legislative efforts unnecessary.90 Those entitled to make use of the provision are recognized professional organizations and trade associations that aim to unify the implementation of data protection for all their affiliated companies, traders and freelance workers.91 Once approved, however, the guidelines are not legally binding. Their legal status largely depends on the bylaws of the respective trade association.92

3.4

Implementation

Section 3a of the FDPA mandates that as little personal data as possible should be collected, processed and used, and data processing systems should be chosen and organized accordingly. Furthermore, organizations should anonymize or pseudonymize personal data if and when the purpose for which they are processed allows it and the effort required is not disproportionate.93 The section thereby embeds the principle of data minimization and the additional requirement of data economy and thus lays down requirements for the design of the technical and organizational structures that determine the extent of the data processing (privacy by design). However, as the provision’s rationale is to set general technological objectives,

88

https://clientsites.linklaters.com/Clients/dataprotected/Pages/Germany.aspx#enforcement. As data protection in the private economy falls within the competence of the regional data protection authorities, § 38 (6) BDSG refers to the respective state law when determining the responsible supervisory body. 90 Bull 1999, p. 148. 91 Kommentar zum BDSG, 10. Auflage, § 38a, para 4. 92 Kommentar zum BDSG, 10. Auflage, § 38a, para 6. 93 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/germany#chapter content1. 89

64

3 Germany

which are not enforceable94 and do not render the respective data processing system unlawful if not complied with,95 privacy by design is still rare in the German landscape. Companies typically implement a range of security measures, in particular with respect to IT security, but these measures often protect company data and business secrets and not personal data. Section 28 of the FDPA regulates the collection and storage of personal data for business purposes. The provision allows the collection, storage, modification, transfer or use of the data when needed to create, carry out or terminate a legal or quasi-legal obligation with regard to the data subject. However, the processing has to be necessary to safeguard justified interests of the data controller and there must be no reason to assume that the data subject has an overriding legitimate interest in having his or her data excluded from the processing. The purposes of the data processing are to be stipulated in concrete terms. To ensure the adherence to these rules, organizations have to appoint a Data Protection Officer (DPO) according to Section 4f FDPA. Privacy Officers Section 4f (1) of the FDPA harbors the general requirement to appoint a privacy or data protection officer (DPO) in both public and private entities. However, private organizations with only nine (or fewer) staff members who regularly process personal data are exempted from the requirement. However, an appointment has to always take place if the entity in question uses automated data processing for the purposes of commercial data transfer, anonymized commercial transfer or market or opinion research.96 The DPO must be appointed within one month following the beginning of the data processing. The officer enjoys independence in the performance of his duties and special protection against dismissal.97 Furthermore, explicit provisions see to the officers’ adequate expertise in the field.98 Privacy officers typically oversee the entity’s compliance with data protection provisions. To this end they advise management and employees on data protection matters, train the staff and act as a contact point for persons that feel affected in the exercise of their data protection rights. Furthermore, they carry out regular checks on the data processing procedures and, if necessary, compile a list of procedures and make it available to the authorities upon request. Depending on the size of the organization, the official’s duties may be designed as a full-time job or as an additional (employer-independent) task.

94 Supervisory bodies have merely an advisory function. See Kommentar zum BDSG, 10. Auflage, § 3a, para 2. 95 Kommentar zum BDSG, 10. Auflage, § 3a, para 2. 96 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/germany#chapter content6. 97 See Sections 4f (3) 2 and 4f (3) 4-6 BDSG. 98 See Sections 4f (2) 1-2 BDSG.

3.4 Implementation

65

The German DPO model is seen as a rather successful one and regarded as a milestone in German data protection.99 It is considered to bring about both administrative relief within the entity of appointment and data protection compliance.100 The role of DPOs has gained important and become increasingly empowered over the last few years.101 Security Measures Section 9 of the FDPA requires data controllers to have certain technical and organizational measures in place to ensure the proper implementation of the data protection legislation. To concretize the general tenets of the provision, the Federal Office for Information Security (FOIS) has developed together with participants from the industry technical standards102 to guide organizations. In addition, the FOIS encourages a particular methodology of IT-baseline protection, which identifies and implements computer security measures.103 Organizations that follow this methodology can obtain an ISO/IEC 27001 certificate. Furthermore, Section 9a of the FDPA provides suppliers of data processing systems with the option to audit their systems to improve data protection and security. As a result, both data systems suppliers and processing bodies may have their data protection strategies and technical facilities tested and evaluated by independent and approved auditors. They may further publish the audit’s results. Detailed system evaluation criteria, as well as the selection procedure of the auditors were supposed to be introduced in a separate statute. However, no such statute has been enacted up to date.104 Some state data protection laws contain rules on volunteer data auditing.105 However, these rules are only applicable to the public bodies of the respective state. When it comes to self-regulation, it appears that so far Section 38a of the FDPA has not found wide implementation. Scholars see the reason for that in the lack of clear procedural rules for the administrative process of approval of codes of conduct.106 Also, the legislator’s drafting guidelines are considered too vague to develop genuine incentives for the economy to commit to or even come to develop codes of conduct.107 In this regard it is unclear, for instance, what requirements apply content-wise. Many supervisory authorities have hitherto assumed that

99

Koch 2016, p. 126. Koch 2016, p. 126. 101 Mulligan and Bamberger 2015. 102 https://www.bsi.bund.de/DE/Themen/StandardsKriterien/standardskriterien_node.html. 103 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html;jsessionid=BB 468510300255177D9DC2974F43883F.2_cid359. 104 Based on survey results (see Sect. 1.3.4). 105 § 11c Brandenburgisches Datenschutzgesetz; § 7b Bremisches Datenschutzgesetz; § 10a Datenschutzgesetz Nordrhein-Westfalen; § 4 Abs. 2 Landesdatenschutzgesetz Schleswig-Holstein. 106 von Braunmühl 2015. 107 von Braunmühl 2015. 100

66

3 Germany

guidelines must go beyond the legal level of data protection in order to be recognized.108 Transparency The FDPA imposes a transparency requirement on organizations. Section 4 (3) of the FDPA obliges data controllers to notify the data subject when his or her personal information is being gathered. The notification has to encompass the identity of the controller, the purpose of the collection, the intended processing or use and the respective recipients. The latter requirement, however, applies only when the circumstances of an individual case do not allow the data subject to assume that the data will be transferred to such recipients. In addition, if personal data is being collected pursuant to a legal provision that so requires for the granting of legal benefits, the data subject is to be informed on the purpose of the collection as well. Depending on the particular case or upon the data subject’s request, the data subject has to be legally informed about the consequences of withholding the required data. Furthermore, the Federal Ministry of Justice and Consumer Protection and the Internet platform ‘Consumer Protection in the Digital World’109 have jointly introduced a ‘one-pager’ on data processing transparency.110 The template is a recap of all relevant information and is intended as a guide to organizations that want to make their data processing transparent to consumers in a simple way on the Internet. In an attempt to be more transparent about their data processing practices, some organizations also publish their internal data policies on the Internet and make them thereby accessible to the data subjects.111 About half of the German people (45%) rarely or never read the terms and conditions, while 39% consent to privacy policies without reading them.112 In this context, the users’ behavior appears to be connected with the general quality of privacy policies.113 Of those who read privacy terms and conditions, about 89% do not read the entire text. An overall of 73% claim to usually understand most or all of what they read in privacy policies. Furthermore, it appears that about 50% has ever decided not to use a website due to dissatisfaction with the site’s privacy terms.

108

von Braunmühl 2015. The platform is composed of consumer representatives and representatives from the political, economic and scientific sector and data protection organisations. It is currently focusing on two major initiatives – “Privacy by Design/ Data Protection through Technology” and “Consumers’ Sovereignty and Transparency”. 110 https://www.bmjv.de/SharedDocs/Pressemitteilungen/DE/2015/11192915_Vorstellung_OnePager. html. 111 See for instance Bayer at http://www.bayer.com/en/group-regulation-data-protection-andpersonal-data-privacy.aspx. 112 Consent Country Report Germany (2012) p. 36. 113 Consent Country Report Germany (2012) p. 38. 109

3.5 Regulatory Authorities and Enforcement

3.5

67

Regulatory Authorities and Enforcement

Supervisory Authorities Following the respective legislation introduced in Sect. 3.3, German data protection law distinguishes between data protection authorities on federal and on state (regional) levels. On the federal level data protection supervision is vested with the authority of the federal data protection commissioner (die Bundesdatenschutzbeauftragte or BfDI). The institution exists since 1978. The federal commissioner is independent in the performance of her duties and is only subject to the law. Neither individual ministers nor the federal government can instruct her in the performance of her duties. The last budget report of the BfDI counts 110 federal employees.114 The commissioner’s competences are mainly determined by Sections 24 and 26 of the FDPA. According to the provisions, the commissioner oversees and enforces data protection compliance within federal ministries, other public agencies of the federal government, telecommunications and postal service companies under the Telecommunications Act (TKG) and the Postal Act (PostG), and private companies when subject to the SÜG (Security Surveillance Act). Main Activities To perform her duties the BfDI provides advice and recommendations on improvements to data protection, issues opinions and reports on relevant topics, and submits activity reports to the German parliament every two years.115 Furthermore, anyone can turn to the BfDI and file a complaint if he or she feels the bodies under its supervision have infringed upon their rights.116 The commissioner then investigates the complaint and informs the data subject about the result. All entries are treated confidentially. Upon request of the concerned, the complainant can remain anonymous for the public authority he complains about. Similarly, data subjects can file a complaint with the regional data protection authorities (Landesdatenschutzbeauftragten) should they feel their rights are infringed upon in this area of jurisdiction. The state jurisdiction for enterprises and other non-public bodies is determined by the seat of the non-public body.117 The oversight of data protection in the general private economy pertains to the tasks of the regional data authorities.118 On a regional level there are 17 state data protection bodies that

114

https://www.bundeshaushalt-info.de/fileadmin/de.bundeshaushalt/content_de/dokumente/2016/ soll/epl21.pdf. 115 http://www.bmi.bund.de/SharedDocs/Behoerden/DE/bfdi_einzel.html. 116 http://www.bfdi.bund.de/DE/BfDI/Artikel_BFDI/AufgabenBFDI.html. 117 Text und Erläuterungen zum BDSG, p. 64. 118 See Section 38 FDPA.

68

3 Germany

oversee and enforce private and public sector data protection compliance of entities established in their state.119 They are bound by state-level data protection laws. The FDPA is not applicable to churches and church institutions. Therefore, the Evangelical Church, the Evangelical Regional Churches and the Bishoprics of the Catholic Church in Germany have appointed their own data protection authorities. Both the federal and state data protection authorities have the power to take enforcement actions. Following data audits usually carried out in the form of on-site inspections or questionnaires, they (sometimes in co-operation with other administrative authorities) may impose on organizations administrative fines,120 order that any detected breach be remedied and, in the event of serious violations, even ban certain data processing procedures. However, for criminal sanctions the authorities must refer to the public prosecutor under Section 44 (2) FDPA. The latter can trigger fines and imprisonment of up to two years.121 Data protection authorities have a voluntary consultative function on draft legislation relating to personal data protection. Their advice is mandatory only with regard to executive regulations.122 Interestingly, the authorities themselves have been subject of debate and scrutiny regarding their own compliance with the data protection framework in recent past.123 Use of Competences In 2016, the BfDI has received 3699 written complaints and 6687 phone information requests.124 However, further information on the nature and outcome of these complaints is difficult to obtain, as the BfDI does not publicize these figures. The same applies with regard to exact numbers of how many complaints the state DPAs receive and handle, as the responsible authorities do not publish case details. Only some complaints are subsequently reported to the public via press releases or engaging the media otherwise, if the case is considered by the respective DPA of substantial novelty and interest to the public. Some of those cases are addressed below. They demonstrate that data protection compliance is taken very seriously by the German DPAs and the German courts.

119

http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/germany#chapter content; https://www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbeh%C3%B6rden_und_Landes datenschutzbeauftragte. 120 Both regional and federal data protection authorities can impose fines of up to €50,000 under section 43 (1) BDSG on private (regional authorities) and public (federal authority) entities that have violated their notification duties. The same applies under section 43 (2) BDSG for failing to appoint a data protection officer. The fines there can reach up to €300,000. 121 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/germany#chapter content14. 122 Text und Erläuterungen zum BDSG, p. 9; see also European Union Agency for Fundamental Rights 2010, p. 28. 123 Koch 2016, p. 123. 124 Based on survey results (see Sect. 1.3.4).

3.5 Regulatory Authorities and Enforcement

69

Some of the more recent examples concern the DPAs of Rhineland-Palatinate and Bavaria. Noteworthy is a case from December 2014, in which the DPA of Rhineland-Palatinate imposed a fine of €1,300,000 on the Debeka insurance group.125 According to the respective press release, company sales representatives had obtained (in some occasions against a fee) lists or contact data of potential customers without their consent and against internal company guidelines. Debeka was fined for its lack of internal controls and its violations of data protection law. In addition to the monetary fine, Debeka was obliged to follow strict data protection processes and procedures, including that its employees obtain the customers’ written consent before disclosing their addresses. The company has further agreed to provide additional €600,000 to fund a professorship at the Johannes Gutenberg University of Mainz that aims to promote data protection and its implementation in practice. The Bavarian DPA delivers further (rather recent) examples. On July 30, 2015, it issued a press release126 that it imposed a significant fine on both the seller and purchaser of an online shop’s customer email addresses that had been unlawfully transferred. Both parties had failed to obtain valid customer consent for the transaction and had not taken any measures towards informing affected individuals. Both companies were thereby found in violation of German data protection provisions. The DPA also indicated that both organizations were data controllers, which implied a greater degree of responsibility than data processors. Although not revealing the exact fine, the statement indicates that the fine consists of at least five figures. On August 26, 2015, it issued a press release127 stating that it imposed a significant fine on a data controller for failing to specify the security controls protecting personal data in a data processing agreement with a data processor. The DPA had found that the data processing agreement did not contain sufficient information regarding the technical and organizational measures undertaken to protect the personal data. Furthermore, the agreement was found to be vague and to merely repeat provisions mandated by law. In all data processing agreements, however, the following controls must be specified: (1) physical admission control; (2) virtual access control; (3) access control; (4) transmission control; (5) input control; (6) assignment control; (7) availability control; and (8) separation control. Reputation In contrast to other EU data protection authorities, the German DPA itself (or another public/ private organization for that matter) does not conduct surveys

125 https://www.datenschutz.rlp.de/de/aktuelles/detail/news/detail/News/bussgeldverfahren-gegendie-debeka-einvernehmlich-abgeschlossen-debeka-akzeptiert-geldbusse-und-gar/. 126 https://www.lda.bayern.de/media/pm2015_10.pdf. 127 https://www.datenschutzbeauftragter-online.de/datenschutz-aufsicht-bayern-bussgeld-vertragauftragsdatenverarbeitung/9001/.

70

3 Germany

regarding the citizens’ or companies’ opinion on the performance of its tasks or its popularity. Therefore, official statistical sources thereon are largely absent. Some media attention following the Commissioner’s appointment in 2013 and newspaper articles reflecting on her first two years in office, however, hint towards the public’s perception of finding the DPA largely invisible.128 While the public is aware of the DPA and its activities, it has voiced a desire for more direct interaction with both the Commissioner and her office. Further, the BfDI has been criticized for voicing support for the bulk data collection aspirations of the German government, which many see as incompatible with her data protection mandate.129

References Bull HP (1999) Aus aktuellem Anlass: Bemerkungen über Stil und Technik der Datenschutzgesetzgebung. RDV 1999, pp. 148–153 Consent Country Report Germany (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Dörr D, Aernecke E (2012) A never ending story: Caroline v Germany. In: Dörr D, Weaver RL (eds) The right to privacy in the light of media convergence. De Gruyter, Berlin, p. 114 Eddy M (2016) Reports of Attacks on Women in Germany Heighten Tension Over Migrants. The New York Times, 5 January 2016 EMC Privacy Index (2014) https://www.emc.com/campaign/privacy-index/index.htm Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 European Commission (2009) Commission recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification. Brussels. Available at http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32009H0387 European Union Agency for Fundamental Rights (2010) Data Protection in the European Union: The role of National Data Protection Authorities (Strengthening the fundamental rights architecture in the EU II) http://fra.europa.eu/sites/default/files/fra_uploads/815-Data-protection_en.pdf Hohmann M (2018) Deutschland 4.0? Germany’s Digital Strategy Over the Next Four Years, https://www.cfr.org/blog/deutschland-40-germanys-digital-strategy-over-next-four-years Janssen HL (2003) Constitutionele interpretatie. Sdu, The Hague Koch JM (2016) Germany. In: Raul AC (ed) The Privacy, Data Protection and Cybersecurity Law Review, 3rd edn Kommers DP (2012) The Constitutional Jurisprudence of the Federal Republic of Germany. Durham NC, Duke University Press Mulligan DK, Bamberger KA (2015) Privacy on the Ground; Driving Corporate Behavior in the United States and Europe. MIT Press Ötzel MC, Spiekermann S, Grüning I, Kelter H, Mull S (2011) Privacy Impact Assessment Guideline for RFID Applications. BSI, Bonn. Available at https://www.bsi.bund.de/SharedDocs/Downloads/ DE/BSI/ElekAusweise/PIA/Privacy_Impact_Assessment_Guideline_Langfassung.pdf?__blob= publicationFile&v=1 Pintens W (1998) Inleiding tot de rechtsvergelijking. Universitaire Pers Leuven, Leuven

128 http://www.zeit.de/digital/datenschutz/2013-12/datenschutzbeauftragte-vosshoff-bundestaggewaehlt; http://www.zeit.de/2015/51/andrea-vosshoff-datenschutz-telekommunikation. 129 http://www.zeit.de/digital/datenschutz/2013-12/datenschutzbeauftragte-vosshoff-bundestaggewaehlt.

References

71

Vodafone Survey on Big Data (2016) Big Data: A European Survey on the Opportunities and Risks of Data Analytics. http://www.vodafone-institut.de/bigdata/links/VodafoneInstituteSurvey-BigData-Highlights-en.pdf von Braunmühl P (2015) Regulierte Selbstregulierung im Datenschutz – Chancen und Voraussetzungen. Berliner Datenschutzrunde, 15 January 2015. https://berliner-datenschutzrunde.de/node/145 Werry N, Kirschbaum B, Koch JM (2017) Germany. In: Raul AC (ed) The Privacy, Data Protection and Cybersecurity Law Review, 4th edn

Chapter 4

Sweden

4.1

General Situation

The Swedish constitution consists of four fundamental laws (grundlager). These include the 1810 Act of Succession (Successionsordningen), the 1949 Freedom of the Press Act (Tryckfrihetsförordningen), the 1974 Instrument of Government (Regeringsformen) and the 1991 Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen). These contain several provisions relevant to the right to privacy.1 For instance, Article 2 of chapter 1 of the Instrument of Government includes a provision that public institutions protect the private and family lives of the individual and Article 6 of chapter 2 includes a provision to protect everyone against body searches, house searches and other such invasions of privacy, including invasions of mail, correspondence, telephone conversations and confidential communications. Sweden is a signatory to the Universal Declaration of Human Rights (‘UDHR’), the European Convention on Human Rights (ECHR) and the International Covenant on Civil and Political Rights (‘ICCPR’), three legal instruments that contain a right to privacy (in Articles 12, 8 and 17 respectively). Sweden follows a dualist approach to international treaties. This, implementation of an international treaty is required for making its provisions applicable by Swedish courts and public authorities.2 International obligations under a ratified treaty do not automatically prevail over the constitution.3

1

Translations of some Swedish terminology: personal data = personsuppgift, data controller = personsuppgiftsombud, data processing = personuppgiftsbehandling, privacy = integritet. 2 Hermida 2004, p. 141. 3 Council of Europe 2001. © T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_4

73

74

4 Sweden

Sweden, like the other Scandinavian countries, has a long tradition of transparency with respect to data on personal income and property. Because the public resources such as education and the health care system are paid for by the state and require relatively high tax rates, this transparency allows citizens to report if they detect non-compliance with the tax rules. As a counterpart to this tradition, Sweden was also early in describing the boundaries on what information should be available. In fact, Sweden’s Datalag of 1973 was the first data protection bill in the world.4 Swedish culture is egalitarian, individualistic and focuses more on caring than on competition. Moderation is a central part of the culture, as expressed in the word lagom meaning “not too much, not too little.” In general Swedes have a relaxed and optimistic attitude.5 Internet Use Sweden has a population of just under 10 million people, with an estimated 94% using internet services (this is fourth highest in the world after the Falklands, Iceland and Norway). Internet speed is the second highest in the world, after Norway.6 Swedish people are very active online, especially with regard to social media and online banking. For instance, 66% of Swedes use social media at least once a week – this is the fifth in rank compared to the other EU countries (EU average is 57%).7 They are among the top users of the internet for online banking at least once a week (67%, clearly above the average of 43%).8 The use of instant messaging and chat websites is slightly below average within the EU with 52% using them at least once a week (EU average 53%).9 Making (video) calls over the internet at least once a week is slightly above the EU average with 31% (EU average 27%).10 For online shopping behavior the Swedes are also around the middle position, with only a few people who never shop online (12%), but many who do this less than once a week (74% compared to the EU average of 59%).11 Sweden scores relatively low only on use of the internet for online games with 69% who never play online games (EU average at 59%) and only 20% who do this more than once a week (compared to 25% on average).12

4

DATALAG (Svensk författningssamling [SFS] 1973:289); see Siepel 2001. https://geert-hofstede.com/sweden.html. 6 https://www.stateoftheinternet.com/downloads/pdfs/Q4-2015-SOTI-Connectivity-ExecutiveSummary.pdf. 7 Eurobarometer 431 2015, p. 109. 8 Eurobarometer 431 2015, p. 110. 9 Eurobarometer 431 2015, pp. 110, 111. 10 Eurobarometer 431 2015, p. 111. 11 Eurobarometer 431 2015, p. 112. 12 Eurobarometer 431 2015, p. 111. 5

4.1 General Situation

75

Control Swedes are among the Europeans who are least concerned about lack of control over their personal data (with 37%), with only Estonia scoring lower (with 41%) on the percentage of people who are concerned (EU average at 67%).13 Swedish people disagree that their government asks for more and more information: with 27% agreeing with this statement, Sweden scores the lowest of all EU countries (average 56%) and also significantly lower than in 2010 (when they scored 40%).14 With respect to paying for services by providing personal information in return, acceptance is relatively low in Sweden (24%, EU average 29%) and clearly decreasing since 2010 when it was 32%.15 A survey16 on consumer attitudes towards Terms and Conditions in the EU shows that in Sweden the Terms & Conditions are least often accepted and most often accessed.17 Awareness The EU Survey on consumer attitudes towards Terms and Conditions18 shows that familiarity with consumer organizations in Sweden is very low (2.49 on a 7 point scale).19 Civil rights organization D-FRI (Föreningen för Digitala Fri- och Rättigheter) indicates that they perceive as one of the biggest issues related to data protection in Sweden that the awareness on issues like privacy and data protection is low among the public and organizations.20 Trust In terms of the trust Swedish people have in various types of organizations to handle their data responsibly, within the EU they are the least concerned with authorities and private companies using the information they hold for purposes other than it was initially collected for, without informing the data subject: only 41% compared to 69% on average in the EU. Relatively few Swedish people (37%) think enforcement of the rules on data protection should be dealt with on the European level, compared to the European average (45%) and especially compared to countries like the Netherlands and France (61 and 62% respectively).21

13

Eurobarometer 431 2015, p. 13. Eurobarometer 431 2015, p. 31. 15 Eurobarometer 431 2015, p. 33 16 Elshout et al. 2016. 17 Elshout et al. 2016, Tables 7.19, p. 82 and 7.27, p. 88. 18 Elshout et al. 2016. 19 Elshout et al. 2016, p. 71. 20 Response from D-FRI to our enquiry (by Peter Michanek, secretary, March 2017). 21 Eurobarometer 431 2015, p. 48 14

76

4 Sweden

Protective Actions In 2012, a study on “cyber norms” by Lund University reported that an increasing number of Swedes (about 15% in the age group of 15–25 year olds and an estimated total of 700,000 people) use techniques to remain anonymous online for fear of online surveillance. The research suggests a link with the upcoming implementation of copyright law at the time (the IPRED law).22 National Politics A 2013 article on the Internet Policy Review23 states the following about Sweden: “It seems that from a policy perspective Sweden is an interesting example, as it is perceived as free and neutral, while at the same time pursuing a tough and much contested policy approach.” In the World Wide Web Foundation’s 2012 Web Index, Sweden ranked first among 61 nations, as the nation where the Internet has the most significant political, social and economic impact. Surprisingly, as it may seem, Sweden’s interpretation of the directive on intellectual property rights enforcement (IPRED), has exceeded the directives’ scope to an extent that has caused critics to bemoan a curtailment of privacy rights. Similarly, in early 2009 passing of the so-called FRA-law – a legal measure sanctioning the surveillance of internet traffic content by state authorities - stirred considerable controversy as the law goes beyond the scope of surveillance established by the European Commission. As a result, some civil rights organisations went as far as bringing the case before the European Court of Human Rights for human rights violations.24 Scandinavia has a tradition of openness with respect to personal data related to taxes and citizen data and this is also the case in Sweden. Sites such as Eniro, Hitta. se, Birthday.se, Ratsit and Merinfo25 make use of that available information and allow anyone to find contact information (street address, phone number and email-address) and date of birth of anyone registered as Swedish citizen. These sites have a so-called public authorization and are therefore exempt from the Data Protection Act. Sweden has the ambition “to become the best in world at exploiting the opportunities of digitalization.”26 To analyze and monitor the progress towards this policy goal, the Digitalization Commission was established by the Swedish

22

https://www.svd.se/allt-fler-svenskar-anonyma-pa-natet (1 May 2012, consulted 21 February 2017). Münch 2013. 24 https://policyreview.info/articles/analysis/do-swedes-do-internet-policy-and-regulation-swedensnapshot. 25 http://www.datainspektionen.se/fragor-och-svar/personuppgiftslagen/fragor-och-svar-omwebbplatser-med-utgivningsbevis/. 26 https://digitaliseringskommissionen.se/in-english/. 23

4.1 General Situation

77

Government in 2012. This commission is also tasked with presenting proposals for new policy actions, highlighting the benefits associated with the digital transformation and sharing best practices. In their report to the Swedish government on digital transformation presented in December 2015, “Security and Integrity in a digital age” (integritet is the Swedish word for privacy) is one of six strategic areas identified.27 The Digitalization Commission was active until 31 December 2016.28 In the accompanying anthology on Digital Opportunities,29 a collection of contributions by several experts, data protection is only mentioned in a chapter “Deconstructing the digital economy – progressing towards a holistic ICT-policy framework” as one of the demand-side ICT-policy issues.30 In the chapter “The Biological Society”, Anders Ekholm claims that “personal privacy, as it is handled today, is built on a view that is held by an extremely small minority of the population – lawyers at the Government Offices of Sweden and their government agencies”. He recommends that the role of the Data Protection Authority should be redefined to abolish those tasks that pose obstacles to innovation and efficiency.31 The current minority government (138 out of 349 seats) consists of the Social Democratic Party (Socialdemokraterna, 113 out of 349 seats) and the Green Party (Miljöpartiet de gröna, 25 out of 349 seats). In their separate programs, the Green Party is especially explicit in stressing the importance of the right to privacy:32 they want the right to privacy in the constitution; to develop privacy protection in international collaborations (UN, EU); to redo the FRA-law and to make file sharing for personal use legal. The Social Democrats state in their political program to replace the FRA- and IPRED-laws (also points of the Green Party), to establish a privacy ombudsman, and in general to make legislation for media use that is more future-proof. 33 The largest opposition party is the Moderate Party (Moderaterne, 84 out of 349 seats), who state their attitude to privacy as follows: “We operate an open society with a set of values based on tolerance, freedom, equality and respect for human rights. Laws that restrict personal integrity should be proportionate, necessary and appropriate. The protection of privacy must be strong.”34 On the local level they do express that more surveillance in public spaces may be desirable to combat organized crime.35 The third biggest party are the Swedish Democrats (49 out of 349 Digitaliseringens transformerande kraft – vägval för framtiden. http://www.regeringen.se/pressmeddelanden/2015/11/digitaliseringskommissionens-arbetefortsatter-ett-ar-till/ (consulted 16 March 2018). 29 Digitaliseringskommissionen 2015. 30 Digitaliseringskommissionen 2015, pp. 151–179. 31 Digitaliseringskommissionen 2015, pp. 71–95. 32 https://www.mp.se/politik/internet-och-integritet. 33 https://www.socialdemokraterna.se/upload/Internationellt/Dokument/Political%20guidelines.pdf (p. 92). 34 http://www.moderat.se/integritet (3 November 2015, consulted 21 February 2017). 35 http://www.moderat.se/ett-tryggare-linkoping/trygghet-kontra-integritet (13 June 2014, consulted 21 February 2017). 27 28

78

4 Sweden

seats). They do not have an explicit statement on privacy, but in their policies om security they do imply support for increasing use of data (including personal data, among other things for tracking pedophiles and to combat terrorism).36 Media Attention The Swedish newspaper Dagens Nyheter published an extensive dossier37 on privacy in 2015 that was also reported on Swedish national television.38 In 2017, it reported also that police are investing heavily in new smart camera surveillance systems, mentioning that these can only be placed at locations with proven high crime risk, because of privacy protection legislation.39 The general attitude in such coverage seems to be that people’s personal data need to be better protected. Articles dedicated to privacy related to internet use appear about once per two months in the major newspapers.40 In specialized media, this is (of course) more frequently. For example, the web magazine “CIO Sweden” (on tech website http:// www.IDG.se for IT professionals) published on the GDPR in February 2017 through interviews with four CIOs on how they prepared for the introduction of the GDPR.41 Data Breaches There have been a number of hacks and data breaches in Sweden in recent years. In 2011, a hacker disclosing 90,000 email addresses and passwords was reported to be the worst ever data leak at that point.42 Government servers were hacked by hackers group Anonymous as retaliation for actions against The Pirate Bay in 2014.43 Also, the Swedish company Spotify suffered a data breach in 2014.44 As mentioned above, the FRA-law - a legal measure sanctioning the surveillance of internet traffic content by state authorities - stirred considerable controversy as the law goes beyond the scope of surveillance established by the European Commission. For example, consumer organization Sveriges Konsumenter has sued fitness app MyFitnessPals for breach of the Data Protection Act and the Data Protection Directive with its Terms & Conditions.45 36

https://sd.se/wp-content/uploads/2015/01/Kriminalprogram_2015-10-26.pdf (p. 7). http://www.dn.se/stories/dn-granskar-vara-overvakade-liv/ (31 August-2 September 2015, consulted 17 February 2017). 38 http://www.svt.se/opinion/article3451479.svt (7 September 2015; consulted 17 February 2017). 39 http://www.aftonbladet.se/senastenytt/ttnyheter/inrikes/article24398726.ab (13 February 2017, consulted 17 February 2017). 40 Inventory of online news content of Dagens Nyheter, Svenska Dagbladet, and Dagens Media (consulted 17 February 2017). 41 https://cio.idg.se/2.1782/1.675960/gdpr-cio-forberedelser (consulted 20 February 2017). 42 http://www.bcs.org/content/conWebDoc/42623. 43 http://thehackernews.com/2014/12/anonymous-pirate-bay.html. 44 https://news.spotify.com/us/2014/05/27/important-notice-to-our-users/. 45 http://www.sverigeskonsumenter.se/nyheter-press/pressmeddelanden/sveriges-konsumenteranmaler-traningsapp/ (published 30 March 2016). 37

4.1 General Situation

79

The Data Inspection Board initiated 85 inspection matters in total during 2014, which is a decrease compared to the 209 inspections in 2013.46 The typical penalties imposed for violations of the Data Protection Act that result in prosecution are fines and damages awarded to the victim. The level of the fines varies according to the severity of the crime and the income of the person responsible for the breach of the data protection legislation. During 2013, the Swedish Commission on Security and Integrity Protection (Säkerhets- och integritetsskyddsnämnden or “SAKINT” in Swedish), which inspects police and judicial authorities, found that the processing of a register of “travelling people” kept by the police in southern Sweden was illegal in several aspects. The register contained around 4,000 names of Roma people in Sweden. The most serious breach was that the purpose of the processing was far too wide. SAKINT stated that an imprecise purpose provides no framework for the personal data, which in practice undermines the protection of the individual’s integrity. SAKINT reviewed the actions taken by the police to remedy the breaches.47 There have been cases of imprisonment for breaches of the data protection legislation, in particular cases where the infringer has committed other additional offences, for example, severe defamation. One case that involved imprisonment for a breach of the data protection legislation concerned two persons with Nazi leanings who set up a register containing details of religious and political beliefs, sexual life and race for a large group of people. The sentence referred mainly to the breach of the data protection legislation. One of the victims of the infringement received SEK 10,000 in damages (approximately EUR 1,070 at the time).48 Civil Rights Organizations DFRI (Föreningen för Digitala Fri- och Rättigheter, pronounced as D-Fri - which means “D-free”) is a non-profit and non-political organization working for the promotion of digital rights and a member of European Digital Rights (EDRi).49 The organization currently has 80 members and works exclusively with volunteers (no staff members). Their budget is around 80,000 SEK per year (approximately 84,000 euro).50 DFRI aims to achieve a society with as little monitoring, tracking and interception as possible. The goal is to defend freedom of expression, transparency and freedom of information, privacy and the right to self-determination with respect to

46

LinkLaters Data Protected, https://clientsites.linklaters.com/Clients/dataprotected/Pages/Sweden. aspx. 47 LinkLaters Data Protected, https://clientsites.linklaters.com/Clients/dataprotected/Pages/Sweden. aspx. 48 LinkLaters Data Protected, https://clientsites.linklaters.com/Clients/dataprotected/Pages/Sweden. aspx. 49 https://www.dfri.se/dfri/. 50 Response from D-FRI to our enquiry (by Peter Michanek, secretary, March 2017).

80

4 Sweden

their personal information and digital footprints. DFRI has organized protests against increasing surveillance.51 They helped the DPA (Datainspektionen) in 2014 with the technical details of the investigation against Bumbee Lab’s monitoring center for their use of MAC addresses.52 In 2012, website Dataskydd.net was founded by former member of the European Parliament Amelia Andersdotter together with web designer Plus Stahre. Since April 2015, it formally became a membership-based politically independent non-profit organization. Its main purpose is to promote informed decisions on law and technology in accordance with the fundamental right to data protection and privacy.53 In their stakeholder submission for the UNHRC Universal Periodic Report 2012–2016, UK-based NGO Privacy International mentions the following areas of concern with respect to privacy:54 the NSA-related surveillance program FRA (see above), the criminal record database Lexbase, the case brought forward by SAKINT (see above), security breaches at private data silo Logica, practices of the Swedish Secret Service with respect to telecommunication data, providing government authorities with access to communication flowing through Swedish networks, and the absence of control regimes preventing the export of surveillance technology to repressive regimes.55

4.2

National Government Policies

National Policies, Privacy Impact Assessments The Swedish government has defined three areas of priority, in none of which data protection seems to play an explicit role: a new labour agenda, education and to be leading in emission reduction to slow down climate change.56 The policy statement of the current minority government (consisting of the Social Democratic Party and the Green Party, see above, under National Politics) mentions the following on privacy and data protection: “The Government will work in Sweden and the EU to strengthen legal certainty and personal privacy, including with regard to data storage. The Data Inspection Board and the Parliamentary Commission on Privacy will conduct a review of existing legislation, taking account of the increasing numbers of private sector actors gathering information on consumers.”57

51

Dagens Nyheter 2016. https://www.dfri.se/mobilkartlaggning-bryter-mot-lagen/, http://www.datainspektionen.se/ Documents/beslut/2015-06-23-vasteras.pdf. 53 https://dataskydd.net/om. 54 Privacy International 2016. 55 Privacy International 2016. 56 http://www.regeringen.se/regeringens-politik/regeringens-prioriteringar/. 57 Policy Statement of the Swedish government, 2014, p. 19. 52

4.2 National Government Policies

81

Privacy and Data Protection in New Policies In their report on the implementation of Data Protection Directive 95/46/EC in 2010, the Swedish ministry of justice mentions the processing of personal data in the form of sound and image data, the rise of cloud computing and ubiquitous computing as grounds to underline the need for a reform of the legal framework of data protection. This reformed legal framework needs to gain general acceptance in a globalized society and be able to deal with changes inherent to the rapid technological development. A simplification of the regulation concerning data processing would probably also have the positive effect of actually promoting the acceptance of and respect for the data protection principles in common practice, as the rules applicable to the processing become more comprehensible and thus justifiable.58 They also write: “Another challenge is that new phenomena keep turning up that can entail specific risks to privacy and where society’s attention at an early stage can be crucial for the individuals’ privacy. In the light of this development, it is important that data protection authorities are given effective tools in order to discover and supervise – at an early stage – new phenomena that might entail specific risks. One possible way would be to change today’s all-embracing general notification duty with enumerated exemptions into a limited notification duty containing a positive enumeration of processing that from one time to another need to be notified. Such a notification duty can be aimed at new phenomena and technical applications and the supervisory authorities could be empowered to issue regulations regarding the extent of the said duty.”59 With the transition from the Data Protection to the GDPR, the previously existing notification duties have indeed been removed and replaced by other instruments. Societal Debate Each year in Sweden the government proposes about 200 legislative proposals to the parliament. Many of these proposals require extensive deliberation and debate before voting.60 Although most legislative proposals are initiated by the government, bills can also be based on suggestions by the parliament, privacy citizens, special interest groups or public authorities. Before drafting a legislative proposal there is an inquiry stage in which the matter is analyzed and evaluated. This task may be assigned to independent people or committees, including experts, public officials and politicians. After the inquiry stage, there is also a referral process, in which relevant bodies are consulted. This may include government agencies, special interest groups and other bodies whose activities may be affected by the pro-

58

Memorandum 23 April 2010, Question 18, pp. 14–15. Memorandum 23 April 2010, Questions 19–21, pp. 14–18. 60 http://www.government.se/how-sweden-is-governed/swedish-legislation—how-laws-are-made/. 59

82

4 Sweden

posals. Via this process, the opinions of citizens and companies (via special interest groups) are taken into account. The societal debate on civil rights, including privacy and data protection, also takes place outside the more formal legislative procedures. For instance, when the surveillance law (FRA) was proposed, an extensive societal debate took place in Sweden.61 For more details on media attention for data protection, see the previous section. Information Campaigns A brochure on the Personal Data Act was made available in 2006 at the government website http://www.regeringen.se and it has been updated in 2015.62 Furthermore, the most important means of communication of the Datainspektionen is its website.63 It also has installed a website where online abuse can be reported: http:// www.krankt.se/. Furthermore, the Datainspektionen publishes a public magazine on privacy, which is titled Integritet i Focus (Privacy in Focus).64

4.3

Laws and Regulations

Implementation of the EU Directive Sweden was the first country in the world to have data protection legislation, with the Data Act (Datalag) in 1973.65 This was adapted and replaced to conform to the EU Data Protection Directive 95/46/EC in 1998 after Sweden had joined the EU in 1995. The Library of Congress Online Privacy Law website writes the following on the character of the legislation in Sweden:66 “An important distinction exists between privacy laws and the Swedish approach of protecting the personal integrity of its citizens.67 Swedish privacy legislation focuses on the use by others of personal and sensitive information online and not on the individual’s right to privacy when he or she acts online, i.e., the right to be anonymous online.”68 The Data Protection Directive 95/46/EC has been implemented in Sweden mainly through the Personal Data Act (PDA) (1998:204), the Personal Data Ordinance

61

https://professorsblogg.com/2008/09/22/sweden-the-surveillance-law-fra-debate/. http://www.regeringen.se/informationsmaterial/2006/12/personal-data-protection/, last consulted 9 December 2016. 63 Datainspektionens årsredovisning 2014 – Dnr 231-2015, p. 8. 64 https://www.joomag.com/en/newsstand/integritet-i-fokus/M0368835001443601288. 65 DATALAG (Svensk författningssamling [SFS] 1973:289); see Siepel 2001. 66 http://www.loc.gov/law/help/online-privacy-law/2017/sweden.php (last consulted 26 March 2018). 67 This distinction is mentioned in Siepel 2001, supra note 1, at 119. 68 Carlén-Wendels 2000. 62

4.3 Laws and Regulations

83

(1998:1191) and a large quantity of sector specific laws.69 In addition to the PDA, supplementary regulations are found in the Personal Data Ordinance (1998:1191) (Personuppgiftsförordningen) and the statute book (DIFS) of the Data Protection Authority (DPA or Datainspektionen in Swedish). If provisions in other legislation deviate from what is set out in the PDA, those provisions will take priority.70 The government has also published preparations for the new EU regulation.71 Sectoral Legislation There are over 300 sector specific laws and regulations in Sweden that regulate the processing of personal data within various areas of society.72 The Patient Data Act (2008:355) and the Pharmacy Data Act (2009:367) regulate the use of personal data in the health care sector. The use of personal data in advertising and marketing activities is regulated in the Marketing Act (2008:486) and the Act on Names and Pictures in Advertising (1978:800). The use of credit information on individuals and debt collector activities, which generally require a permit from the DPA, are regulated in the Credit Information Act (1973:1173) and the Debt Recovery Act (1974:182). The Electronic Communications Act (LEK, 2003:389) implements EU Directive 2002/58/EC on the protection of privacy in the electronic communications. It contains, among others, provisions on the retention of data generated or processed in connection with the provision of electronic communication networks and services. The Camera Surveillance Act (2013:460) (Kameraövervakningslag) applies to camera surveillance in Sweden and processing of image and sound recordings from such surveillance. A permit is generally required for surveillance of public areas. Self-regulation and Codes of Conduct Decentralized regulation and self-regulation are not uncommon in Sweden. Rather than a strong body of laws and regulations, much regulation is self-regulation, resulting from experience and negotiations.73 For instance, the securities market has

69

For more information and general background description concerning the laws and regulations in Sweden owing to the Directive 95/46/EC that oversee the processing of personal data, we received the following documents and references:

• “Questionnaire for Member States on the Implementation of Directive 95/46/EC” and “Annex 1–4” • “Myndighetsdatalag SOU 2015:39” a publication in the Swedish Government Official Reports (SOU Series) (chapter 3.2.2 and chapters 4.1.2–4.2.2.). 70 Cf. the Thomson Reuters Practical Law Privacy in Sweden Overview: http://uk.practicallaw. com/3-385-8827. 71 http://www.datainspektionen.se/lagar-och-regler/eus-dataskyddsreform/. 72 Thomson Reuters Practical Law Privacy in Sweden Overview: http://uk.practicallaw.com/3-3858827. 73 Boddewyn 1985.

84

4 Sweden

a body for self-regulation of privacy sector insurance companies.74 Also in the domain of data protection there is self-regulation. For instance, a broad alliance of industry organizations and online international and domestic companies has collaborated on a code of conduct for cookie use.75 In 2013, the Royal Academy for Engineering Sciences (IVA) organized a seminar titled “Svensk moral på export” (Swedish morals for export). At the closing session, the minister of finance Peter Norman discussed the state’s sustainability policy, including equality, diversity, environment, human rights, labor, anti-corruption and business ethics. He said: “We believe that this creates value. You get more customers if you take these matters into account, and this also gives a high probability that it takes into account other important matters in the company.” Therefore, the government required all 51 state-owned companies themselves to define a set of measurable sustainability goals, which are compatible with the companies’ business.76

4.4

Implementation

Privacy Officers Under the EU Data Protection Directive, it was not obligatory for data controllers to appoint a Data Protection Officer (Personuppgiftsombud). If a data controller had a DPO registered with the DPA, it was exempted from the requirement to notify the DPA when initiating the processing of personal data. In that case, the Data Protection Officer had to keep a record containing all personal data processing carried out by the data controller.77 There are no specific qualifications required for the personal data protection representative. The personal data protection representative may be an employee or a person, such as a lawyer, from outside the company. A DPO has the function of independently ensuring that the data controller processes personal data in a lawful and correct manner and in accordance with good practice and also points out any inadequacies to him or her. The DPO should notify the DPA in case of inadequate response to reported breaches of the provisions applicable for processing personal data. Furthermore, the DPO should consult the DPA in case of doubt about applicability of rules. The DPO shall assist registered persons to obtain rectification when there is reason to suspect that the personal data processed is incorrect or incomplete.78

74

http://www.corporategovernanceboard.se/about-the-board/swedish-self-regulation. http://iclg.com/practice-areas/data-protection/data-protection-2016/sweden. 76 http://www.iva.se/publicerat/hog-etik-kan-bli-svensk-konkurrensfordel/. 77 https://iclg.com/practice-areas/data-protection/data-protection-2017/sweden. 78 https://iclg.com/practice-areas/data-protection/data-protection-2017/sweden. 75

4.4 Implementation

85

In 2015, the number of DPOs registered at the Swedish DPA rose from 7276 (in 2014) to 7513 (an increase of 3%). The number of people working as a DPO rose from 4548 (in 2014) to 4756 (an increase of 5%). One person can be a DPO at several data controllers at the same time and, conversely, a data controller can register several people as DPO.79 Security Measures Datainspektionen provides information and guidelines for companies to implement Privacy by Design (innbygd integritet).80 In a folder with guidelines on personal data security from 2008, it mentions as additional source the 27000 ISO security certificate-series.81 Transparency Article 14(b) of the EU Data Protection Directive is transposed as Section 11 of the Swedish Personal Data Act. Under that provision, personal data may not be processed for purposes related to direct marketing if the data subject has notified the controller in writing that he or she objects to such processing. The Ministry of Justice has issued information material in Swedish and English on the rights of the data subject under the Personal Data Act. This information and further information is available inter alia on the Internet on the Ministry of Justice website.82 The Data Inspection Board informs the data subjects about their rights under Section 11 of the Personal Data Act in various information brochures (Balancing of Interest according to the Personal Data Act, Personal Registers in Sweden and Your Rights according to the Personal Data Act). The information is available in printed form and on the Data Inspection Board’s website.83 On the website there is also information about the rights of data subjects under the heading Questions and answers. In Sweden private so called NIX-registers, NIX-addressees and NIX-telephones have been set up. Private persons may give notice to NIX in order to be spared from some marketing measures by mail or telephone. Private persons also have the possibility to turn to SPAR, the State’s register of personal addresses, and require that data is not to be disclosed for direct marketing. Marketing managers complying with good marketing practices shall check these registers before any marketing measure is taken. This follows from the Code of Conduct containing rules on how to use personal data in connection with direct marketing for the purposes of selling, fund-raising, member recruiting and the like. This code has been elaborated on the initiative of the Swedish Direct Marketing Association (SWEDMA).84

79

Datainspektionen 2015, p. 10. http://www.datainspektionen.se/lagar-och-regler/personuppgiftslagen/inbyggd-integritetprivacy-by-design/. 81 http://www.datainspektionen.se/Documents/faktabroschyr-allmannarad-sakerhet.pdf. 82 http://www.government.se/government-of-sweden/ministry-of-justice/. 83 https://www.datainspektionen.se/. 84 Törngren 2010, Answer to question 15. 80

86

4 Sweden

4.5

Regulatory Authorities and Enforcement

Supervisory Authorities The Swedish Data Protection Authority (Datainspektionen, the Data Inspection Board) is a public authority with about 40 employees, the majority of whom are lawyers.85 In 2014 the budget was 45 million Swedish Kroner, about 4.6 million euros.86 In 2014 it advised on 117 legal bills. Datainspektionen is the supervisory authority for almost all processing of personal data. In certain areas covered by Article 3(2) of the EU Data Protection Directive the supervision has been reinforced by the establishment of other authorities. This is the case with (i) the Swedish Commission on Security and Integrity Protection which inter alia supervises the processing of personal data by the Swedish Security Service and (ii) the Court of Foreign Intelligence and the Swedish Foreign Intelligence Inspectorate, which are entrusted with the task to uphold the protection against infringements of personal integrity regarding the activities of the National Defense Radio Establishment. Matters of privacy and the processing of personal data are also handled indirectly inter alia by the Chancellor of Justice, the Parliamentary Ombudsman, the National Archives, Swedish Companies Registration Office, Swedish Financial Supervisory Authority and the National Post and Telecom Agency (Post- och telestyrelsen: PTS).87 The latter, the PTS,88 was established in 1992 and is a government agency guarding electronic communication and mail in Sweden. It enforces the Electronis Communications Act (LEK, 2003:389). It has four overreaching goals: working for long-term consumer benefit, long-term sustainable competition, an effective use of resources, and safe communication.89 Main Activities The task of the Swedish Data Protection Authority is to protect the individual’s privacy in the information society. The DPA supervises that authorities, companies, organizations and individuals follow:90 • • • •

85

the Personal Data Act (1998), the Data Act (1973), the Debt Recovery Act (1974), and the Credit Information Act (1973).

http://www.datainspektionen.se/. Datainspektionens årsredovisning 2014 – Dnr 231-2015, p. 29. https://www.datainspektionen. se/Documents/arsredovisning-2014.pdf. 87 Törngren 2010, Answer to question 5. 88 http://www.pts.se/sv/Om-PTS/. 89 Library of Congress, Online Privacy catalogue www.loc.gov/law/help/online-privacy-law/ sweden.php. 90 Törngren 2010, Answer to question 5. 86

4.5 Regulatory Authorities and Enforcement

87

The DPA works to prevent encroachment upon privacy through information and by issuing directives and codes of statutes (Svensk författningssamling, the official publication of new laws). The DPA also handles complaints and carries out inspections. By examining government bills the DPA ensures that new laws and ordinances protect personal data in an adequate manner. In the Memorandum,91 the powers of the Datainspektionen are stated as follows: “The Data Inspection Board is the authority established pursuant to Article 28 of the Directive.” The powers of the Data Protection Authority are set out in Sections 43–47 of the Personal Data Act and have not been changed since the implementation of the EU Data Protection Directive. The DPA can request access to the personal data that is being processed, information and documentation regarding the processing of personal data and the security measures implemented during this processing, and access to facilities that are linked to the processing of personal data. The DPA can also prescribe what security measures the data controller should apply in individual cases.92 The Post and Telecom Agency (PTS) assists data subjects in the pursuit of their rights by making sure market participants follow the integrity rules under the Law on Electronic Communication (LEK).93 PTS does this by processing complaints, conducting inspections, and monitoring to ensure compliance with determined requirements.94 Most of the decisions by the PTS have concerned free competition among Internet providers, pricing, and Internet access, rather than Internet security or Internet privacy.95 Use of Competences Everyone has the possibility to lodge complaints with the Data Protection Authority calling in question the processing of his or her personal data. The Data Protection Authority shall – in its capacity as supervisory authority according to the Personal Data Act – independently decide whether or not to initiate an audit regarding a data controller on account of the complaint. According to a 2010 Memorandum: “It is difficult to give a precise number on how many audit cases the Data Protection Authority has initiated based on complaints from data subjects. The Data Protection Authority has just recently begun a task aiming at getting a better picture of what individuals’ complaints result in.’’96

91

Törngren 2010, Answer to question 5. http://uk.practicallaw.com/8-502-0348?service=ipandit. 93 LAGEN OM ELEKTRONISK KOMMUNIKATION [LEK] (SFS 2003:389), http://www. riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2003389-omelektronisk-kommunikation_sfs-2003-389. 94 http://www.pts.se/globalassets/startpage/dokument/icke-legala-dokument/pm/2017/internet/ plan-pts-tillsyn-saker-konfidentiell-kommunikation.pdf. 95 See http://www.pts.se/. 96 Törngren 2010, Answer to question 8. 92

88

4 Sweden

It has occurred that a complainant, i.e. the data subject, has appealed against a decision of the Data Protection Authority implying that an audit has not been initiated. However, such an appeal is not considered to be of such nature that it can be the subject of a review by an administrative court. It has also occurred that data subjects have appealed against decisions regarding exemptions from the prohibition for other parties than public authorities to process personal data concerning legal offences in Section 21 of the Personal Data Act. The courts of law have not considered that the complainants have the right to plead in such cases.97 During the first years following the implementation of the EU Data Protection Directive there were a number of Swedish court cases concerning the transfer of personal data to third countries, in particular regarding the publication of personal data on the Internet. Specific mention can be made of the Ramsbro case (NJA 2001 s. 409) which concerned the interpretation of Section 7 of the Personal Data Act (which corresponds to Article 9 of the Directive). However, the most influential judicial decisions are certainly the judgements of the Court of Justice of the European Union, such as the Lindqvist case (judgement on 6 November 2003 in case C-101/01) and the Satakunnan case (judgement on 16 December 2008 in Case C-73/07).98 A recent verdict (2016) is about a violation of the Personal Data Act in the municipal cooperation Östra Östergötland in the informationsystem Aventus for use of personal data outside the mission of the cooperation.99 Another case relates to a violation of the law on data use for social services by home care organization ParaGå (2001:454).100 Reputation The Netherlands (50%) and Sweden (51%) are among the five European nations where more than half of the population report to have heard about the public authority in their country for protecting their rights regarding personal data.101 In Sweden this percentage increased with 9 percentage points from 2010 to 2015, whereas in the Netherlands this increase was 16 percentage points. The 2015 European average is significantly lower at 37%. When asked where they would file complaints concerning personal data protection, 77% of the Swedish people indicate they would prefer to file the complaint directly with the authority or company handling their data, and 57% to the Swedish DPA, followed by 17% for the DPA of the country where the authority or private company is established. Only 2% mentions the EU institutions and bodies (lowest percentage, shared with (inter alia) Germany and Ireland; as opposed to Netherlands and Romania scoring 6% and France scoring 7%).102 Sweden has the

97

Törngren 2010, Answer to question 9. Törngren 2010, Answer to question 10. 99 http://www.datainspektionen.se/Documents/beslut/2016-03-03-samordningsforbund.pdf. 100 http://www.datainspektionen.se/Documents/beslut/2016-02-18-paraga.pdf. 101 Eurobarometer 431 2015, p. 51. 102 Eurobarometer 431 2015, p. 56. 98

4.5 Regulatory Authorities and Enforcement

89

highest percentage of respondents who think the data handling authority or company should report data breaches: 91% (highest of the EU-countries; EU average: 65%), with only 31% stating they think this is the DPA’s task (lowest of the EU-countries; EU average 45%).103 This may indicate that Swedish people have a strong feeling of attributing responsibility for data protection to companies.

References Boddewyn JJ (1985) The Swedish Consumer Ombudsman System and Advertising Self-Regulation. The Journal of Consumer Affairs, Vol. 19, No. 1, pp. 140–162 Carlén-Wendels T (2000) Näturjuridik - Lag och rätt pa Internet, 95–98, 3rd edn Council of Europe (2001) The implications for Council of Europe Member States of the Ratification of the Rome Statute of the International Criminal Court, Progress Report, Sweden, consult/icc 37 Dagens Nyheter (2016) Proteser mot ökad övervakning, 14 April 2016, see http://www.dn.se/ sthlm/protester-mot-okad-overvakning/ Datainspektionen (2015) Annual report 2015, see http://www.datainspektionen.se/Documents/ arsredovisning-2015.pdf Digitaliseringskommissionen (2015) Om Sverige i framtiden – en antologi om digitaliseringens möjligheter [On the future in Sweden – an anthology on the opportunities in digitalization]. Report from Digitaliseringskommissionen. SOU 2015:65. Fritzes, Stockholm Elshout M, Elsen M, Leenheer J, Loos M, Luzak, J (2016) CentERdata, Tilburg University, Study on consumers’ attitudes towards Terms and Conditions, final report. Publications Office of the EU, Luxembourg 2016, https://doi.org/10.2818/950733 Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Hermida J (2004) Legal basis for national space legislation. Kluwer, Dordrecht Münch M (2013) Do as the Swedes do? Internet policy and regulation in Sweden – a snapshot. Internet Policy Review, Vol 2 Issue 2, 10 May 2013, https://doi.org/10.14763/2013.2.127 Privacy International (2016) The right to Privacy in Sweden, stakeholder report for the UNHRC Universal Periodic Report, 2nd cycle 2012–2016, 21st session, January 2015 for Sweden Siepel P (2001) Sweden. In: NORDIC DATA PROTECTION LAW 115, 116. Peter Blume Törngren D (2010) Questionnaire for Member States on the implementation of Directive 95/46/ EC, Department of Constitutional Law, Ministry of Justice Sweden, Memorandum 23 April 2010, Answer to question 15

Eurobarometer 431 2015, p. 76 – percentages are among respondents who indicate they want to be informed. 103

Chapter 5

United Kingdom

5.1

General Situation

In contrast to many countries in continental Europe, the United Kingdom (UK) has a common law system that places great weight on court decisions. The United Kingdom has three legal systems for England and Wales, for Northern Ireland and for Scotland. Many substantive laws apply across the United Kingdom, but the United Kingdom does not have one specific constitutional document. The constitution is found within a variety of (mostly written) sources, including statute law (laws from the legislature), common law (laws from court judgments), parliamentary conventions and other works of authority (from academia).1 The United Kingdom constitution does not contain an explicit right to privacy. The United Kingdom has been a member of the EU since 1973 and is a party to the European Convention on Human Rights (ECHR). The UK takes a dualistic approach towards international law, meaning that international and national law are considered as separate legal systems and provisions in international treaties require implementation in national law before being applicable. In 1998, the United Kingdom adopted the Human Rights Act in order to allow direct application of the ECHR in national legislation. The Human Rights Act came into force in 2000. Via the Human Rights Act, it is possible to bring violations of human rights in the ECHR (including the right to privacy in Article 8) before UK courts. Although in 2016 a majority of the UK citizens voted in a referendum to exit the EU, the UK will continue adhering to the European Convention on Human Rights and the right to privacy mentioned in it. However, when the UK exits the EU, it is not obliged to adhere to the European Charter of Fundamental Rights of the

1

Blick and Blackburn 2012.

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_5

91

92

5 United Kingdom

European Union, Articles 7 and 8 of which relate to the right to privacy and the protection of personal data. Also, the GDPR will no longer be directly applicable in the UK after leaving the EU.2 However, the Queen’s Speech delivered on 21 June 2017, confirmed that the UK will still be part of the EU when the GDPR becomes effective and that the government intends to introduce a legal framework to implement the regulation.3 It appears that after Brexit the UK will still be adhering to EU data protection.4 Obviously, the ECHR and the UK Human Rights Act will still be apply after the UK exits the EU. According to civil rights organization Privacy International, the United Kingdom can be described as an endemic surveillance society.5 Of all EU member states, the UK has the worst score when it comes to the protection of the privacy of its citizens according to their research. The UK is part of the Five Eyes collaboration (an intelligence alliance with Australia, Canada, New Zealand and the United States) and is known for its bulk collection of data and surveillance capabilities.6 Data is collected, among other methods, via the enormous amounts of CCTV cameras that were installed in public spaces in recent years. In 2011, the number of local government operated CCTV cameras was around 52,000 across the UK.7 When all cameras (i.e., both public and private cameras) are taken into account, the UK counts an estimated 1.85 million cameras, which is an average of one camera for every 32 UK citizens.8 Most of these, approximately 500,000, are in the area of Greater London. Internet Use The use of the Internet in the UK has risen substantially over the last years, up to 78% in 2013.9 The digital divide has been narrowed as internet access has become increasingly available for people with lower incomes and educational qualifications and retired and disabled people. The percentage of people active on social networks was 61% of internet users.10 Surveys show that 96% of the UK citizens shop online (EU average 87%), with an increase of shopping online with increasing age.11 When shopping online, UK citizens show a strong preference to pay at the time of ordering online by debit or credit card or by using electronic money.

2 http://www.eversheds-sutherland.com/global/en/what/articles/index.page?ArticleID=en/DataProtection/brexit_impact_on_gdpr_170616. 3 Long et al. 2017, p. 347. 4 This is similar to countries like Iceland, Liechtenstein and Norway, who are not EU member states, but nevertheless adhered to the EU Data Protection Directive 95/46/EC. 5 http://observatoriodeseguranca.org/files/phrcomp_sort.pdf 6 Reuters 2013. 7 Big Brother Watch 2012, p. 30. 8 The Guardian 2011. 9 Dutton and Blank 2013, p. 3. 10 Dutton and Blank 2013, p. 3. 11 Consent Country Report UK 2012, p. 3.

5.1 General Situation

93

An expert survey from the UK indicates that the collection and processing of personal data by both public and private organizations does not significantly concern the general public. The perceived prevailing attitude towards control of their personal data is one of relative indifference, combined with a certain inevitability of the collection and processing of their data by public and private entities.12 Citizens do indicate concern when inquired, but rarely seem to act upon it.13 Exceptions therefrom relate to specific topics from the public sector such as ID cards, a national child register or a national health data database.14 Experts also indicate it is unlikely that the general public is aware of the extent to which data is actually being collected, processed, matched or exchanged between public and private organizations, and the implications of such practices. These findings overlap for the most part with insights on the general public’s attitudes towards data protection provided by recent surveys. Control According to a recent survey about 50% of the UK people feel to only partially have control over the information they provide online, while 26% of the respondents do not feel in control at all.15 Furthermore, 18% feel to have complete control. This seems to indicate that the UK is in line with the EU averages with regard to partial control (EU average 50%), above it with regard to full control (EU average 15%), and below the EU average in relation to no control (EU average 31%). Overall, UK citizens seem to be quite concerned about the lack of control. About 80% of the people indicate concern, compared to an EU average of 69%. 83% of the UK people consider providing personal information online as an increasing part of modern life, which exceeds the EU average (71%).16 In this context, about 38% indicates that providing personal data is not a big issue, while 56% is concerned about it.17 When inquired whether they mind providing personal information in return for free online services, 50% of UK citizens do.18 This finding is confirmed by another recent survey, in which about 56% of the UK people

12

Based on survey results (see Sect. 1.3.4). The ICO statistics on requests from the public to assess the practices of data controllers provide some countervailing evidence to this attitude. See ICO, (undated) Complaints and concerns data sets [webpage] https://ico.org.uk/about-the-ico/our-information/complaints-and-concerns-data-sets/. The fact that UK citizens are 3rd in Google’s list within the EU for URL removals, and that companies that have suffered significant data breaches have also seen a decline in customer numbers (for instance TalkTalk in 2015) also suggests that citizens act when see their personal data at risk. 14 Based on survey results (see Sect. 1.3.4). 15 Eurobarometer 431 2015, p. 10. 16 Eurobarometer 431 2015, p. 29. 17 Eurobarometer 431 2015, p. 32. 18 Eurobarometer 431 2015, p. 40. 13

94

5 United Kingdom

indicated they would rather pay for an online service than allowing the supplier to use some of their personal data for commercial purposes.19 Awareness In comparison to the rest of the EU, UK citizens show a low level of awareness regarding the use of personal information by website owners.20 Nevertheless, there appears to be a certain balance between user awareness and user acceptance. For instance, while UK citizens show a higher than average level of awareness for personal information being used to contact users by email they show a lower than average level of non-acceptance for the same practices. At the same time, while UK citizens show a lower than average level of awareness for the sharing of information linked to user names, with other parts of the company and for in-depth gathering of information, selling it, or making it available to others, they also show a higher than average level of non-acceptance for the same practices. Such practices are seen as generally unacceptable and commercial trade-offs in this respect also meet little acceptance by UK citizens. Actual experience of privacy intrusions is comparably low with UK citizens scoring 2.60 (EU average 2.89) on a 7 point scale (1 = never, 7 = very frequently).21 When dealing with privacy policies, comparatively less UK citizens (40%, EU average 47%) ever decided not to use a website due to their dissatisfaction with the website’s privacy policy and more than half of the UK citizens never or rarely actually read a website’s terms and conditions (69%) or privacy policy (63%).22 If reading the privacy policies, they rarely read the whole text (UK 7%, EU average 11%), although being somewhat confident that – when reading it – the text is mostly or fully understood (59%, EU average 64%). Trust When looking at trust in more detail, UK citizens widely exceed the EU average. This is true for most sectors such as health and medicine (81%, EU average 74%), public authorities (69%, EU average 66%), banks and financial institutions (70%, EU average 56%), shops and stores (46%, EU average 40%), telecommunications and internet providers (45%, EU average 33%) and even online businesses like search engines (32%, EU average 24%). The only exception in this context is trust in European institutions, where the UK with 44% is below the EU average of 51%. When asked about the general risks related to the disclosure of personal information on social media, UK citizens appear to generally perceive less risk than the overall average in the EU. This is true also for the specific risks (information used to send unsolicited commercial offers or without the user’s consent, personal safety being at risk, becoming a victim of fraud), where UK citizens score lower than the

19

Vodafone Survey on Big Data 2016, p. 79. Consent Country Report UK 2012, p. 4. 21 Consent Country Report UK 2012, p. 4. 22 Consent Country Report UK 2012, p. 4. 20

5.1 General Situation

95

total average. However, in relation to the likelihood of being discriminated against (UK 23%, EU average 23%) and the likelihood of reputation being damaged UK citizens are in line with the EU average.23 As to the attitude of data controllers towards data protection, it has been described as one of ‘box-ticking’ compliance rather than one of a holistic approach.24 This appears to stem from the regulatory design of the UK Data Protection Act 1998 that seems to encourage such behavior.25 Since the late 2000s the UK Data Protection Authority, the ICO, has sought to tackle this by the promotion of Privacy Impact Assessments’ (PIAs) and a ‘privacy by design’ (PbD) approach to personal data processing system development. PIAs are nowadays implemented by both public and private organizations.26 However, their nature varies widely and one of their key elements – that the outcome should be publicly accessible – appears to be rarely observed. The ICO reports that there are limited resources and a general lack of understanding in some organizations in relation to data protection in general and PIAs in particular. Organizational attitudes towards data protection compliance have tended to be primarily concerned with financial risks and reputation. The recent ability of the ICO to issue monetary penalty notices of up to £500,000 for serious data protection breaches has had some notable effect in the public sector. In the private sector, however, the ICO’s authority is dwarfed by the penalties that can be imposed by other regulators, particularly in the financial sector. Thus, some businesses appear to treat failing to comply with the DPA 1998 and being caught out, as both a low risk and a relatively small cost of doing business.27 A frequent complaint from data protection officers is the lack of financial resources to carry out their tasks. National Policies The issues of privacy and data protection are regularly debated in the UK parliament and receives more attention when new legislation is laid before parliament.28 The parliament (both the House of Commons and the House of Lords) has Select Committees who also look at privacy issues, either directly or indirectly. Below are some examples of committees which have an interest in data protection: • The (House of Commons) Culture, Media and Sport Committee monitors the policy, administration and expenditure of the Department for Culture, Media and Sport (which is the Department responsible for data protection in the UK) and regularly meets to review issues relating to data protection, security and privacy (as well as other matters within the portfolio of responsibilities of this

23

Other sources indicate slightly higher numbers, see: Consent Country Report UK 2012, p. 4. Based on survey results (see Sect. 1.3.4). See also Mulligan and Bamberger 2015. 25 Based on survey results (see Sect. 1.3.4). 26 Trilateral Research & Consulting 2013. 27 Based on survey results (see Sect. 1.3.4). 28 http://www.parliament.uk/topics/Privacy.htm. 24

96

5 United Kingdom

department). Recently discussed topics have included an inquiry into cyber security and the protection of personal data online.29 The Select Committee also assessed the suitability of the government’s preferred candidate for the post of Information Commissioner.30 Prior to September 2015, responsibility for data protection laid with the Ministry of Justice and it was the Justice (House of Commons) Select Committee which scrutinized the EU Data Protection Framework Proposals.31 The (House of Lords) Science and Technology Committee has recently been hearing evidence on ‘autonomous vehicles’, which also covered privacy implications of driverless cars. • The (House of Lords) Communications Committee conducted an inquiry into children’s access to, and use of, the internet. • Although they have different roles, the (House of Commons) European Scrutiny Committee and the (House of Lords) EU Sub-Committees both assess and scrutinize the approach of the UK government and importance of EU legislation. The adoption of the new EU data protection framework has obviously prompted discussions by those committees, but these committees were also very attentive to the implementation of EU legislation in relation to border controls (SIS II, VIS and EURODAC), Customs (CIS) and cooperation for law enforcement purposes (EUROPOL). As part of their enquiries or their roles, the Select Committees invite various participants to their meetings and oral hearings. Invitations invariably extend to industry experts, academics, civil society’s representatives, or regulatory agencies and sector associations. With regard to the major political parties’ positions on data protection and privacy, most parties share a general understanding on the role that data play in developing the economy and improving lives and on the necessary safeguards that must be applied to the processing of personal data. Two resources in particular contain information about the political view in the United Kingdom: • The Big Brother Watch manifesto which was published in 2015, ahead of the UK General Election, is an analysis of the political parties’ manifestos of 2010 with respect to civil liberties and inspects their position on data protection issues, among others.32

29 http://www.parliament.uk/business/committees/committees-a-z/commons-select/culture-mediaand-sport-committee/inquiries/parliament-2015/cyber-security-15-16/. 30 http://www.parliament.uk/business/committees/committees-a-z/commons-select/culture-mediaand-sport-committee/inquiries/parliament-2015/information-commissioner-pre-appointment-1516/. 31 http://www.parliament.uk/business/committees/committees-a-z/commons-select/justicecommittee/inquiries/parliament-2010/eu-data-protection/ 32 https://www.bigbrotherwatch.org.uk/wp-content/uploads/2015/02/manifesto.pdf.

5.1 General Situation

97

• The new draft Digital Economy Bill to Parliament33 was introduced by the government in July 2016. Before laying the Bill before Parliament, the government initiated several consultations on certain aspects for which it envisaged to introduce legislation. One of the consultations asked for the public’s views on a Better Use of Data in Government which received more than 280 responses, including from political parties, commenting on the government initiative in relation to ‘data sharing’ provisions.34 Media Attention The media in the United Kingdom are increasingly interested in data protection stories, mirroring the growing awareness of data protection issues among the public. In the printed press there is a definite caution around anything perceived as government surveillance, as evidenced by front page coverage of the ID card issue and, more recently, the care.data program.35 There is some debate around privacy and data protection, but it tends to be a bit one-sided: the liberal and the left leaning media are pro-personal data rights, as may be expected, but the right leaning media tend to also be protective of people’s rights with regard to personal data. There does not tend to be a very strong media voice calling for lesser data protection rights for consumers.36 The UK Daily Mail tends to most often cover data protection stories, while the Guardian frequently touches on personal data issues, particularly in relation to new technology (e.g., Twitter, WhatsApp, etc.) The BBC also covers a lot of data protection stories, particularly online. There tends to be a good understanding of the regulator’s role. This is definitely helped by UK civil monetary penalties, which have attracted considerable media coverage and help people understand what the supervisory authorities do.37 In the UK, the Information Commissioner’s Office (ICO, the UK Data Protection Authority, see Sect. 5.5) publicly presents its annual report to give mass media the opportunity to cover the publication.38 Data Breaches Although there is no legal obligation for data controllers to report data breaches which result in loss, disclosure, destruction or corruption of personal data, the ICO believes that serious breaches should be reported. Upon receiving notification of a 33

https://services.parliament.uk/bills/2016-17/digitaleconomy.html. https://www.gov.uk/government/consultations/better-use-of-data-in-government. 35 “The care.data programme was established by NHS England and the Health and Social Care Information Centre to securely bring together health and social care information from different healthcare settings, such as GP practices, hospitals and care homes, in order to see what’s working really well in the NHS – and what we could be doing better.” https://www.england.nhs.uk/ ourwork/tsd/care-data/. 36 Based on survey results (see Sect. 1.3.4). 37 Based on survey results (see Sect. 1.3.4). 38 European Union Agency for Fundamental Rights 2010. 34

98

5 United Kingdom

breach, the ICO will assess the nature of the contravention together with the level of compliance of the data controller with the Data Protection Act 1998 before considering how it will use its enforcement powers.39 The ICO’s latest statistics suggest a considerable increase in reported data breaches. According to the published information, alone in the period between October and December 2017 the reported incidents amount to 815.40 The number suggests a rise of 41% in comparison to the same period in 2016. It is considered that the ICO’s data breach helpline in combination with the growing awareness of the GDPR have contributed to the rise in reporting.41 Furthermore, according to the ICO’s 2015/2016 annual report, in the period of 2015–2016 there has been one incident within the ICO Office itself that has been reported to the Commissioner’s Enforcement Department following its own guidance for the self-reporting of personal data incidents.42 The incident involved a small amount of personal information about five individuals held on one of ICO’s customer case files being disclosed by a mistake to a customer of the same name. Some of the information about one of the five individuals concerned sensitive personal data. According to the report, the incident has been investigated and dealt with in the same way as any other incident reported to the ICO by a data controller. Some recommendations have been made for further improvement of the casework process. All recommendations have been accepted and implemented. No formal action has been proposed in response to the incident.43,44 Civil Rights Organizations When discussing matters which have an impact on the privacy of individuals and the protection of their personal data, the Select Committees ensure that the views of civil rights organizations are duly represented. The ICO also regularly meets with stakeholders from various sectors of the industry, local and central government as well as with representatives of the civil society. Among the civil rights organization within the UK landscape, the Open Rights Group and the Foundation for Information Policy Research are the most prominent ones. The two main organizations involved in personal data protection in UK are Big Brother Watch and Privacy International. Big Brother Watch was founded in 2009 and “produces unique research exposing the misuse of powers, informative 39

For more information on how the ICO uses its powers in relation to reported breaches, please refer to our Data Protection Regulatory Action Policy see https://ico.org.uk/media/about-the-ico/ policies-and-procedures/1853/data-protection-regulatory-action-policy.pdf. 40 https://ico.org.uk/action-weve-taken/data-security-incident-trends/. 41 Bordessa 2018. 42 Information are published as part of the ICO Annual Reports which are laid to Parliament. The most recent report is available here: https://ico.org.uk/media/about-the-ico/documents/1624517/ annual-report-2015-16.pdf. 43 ICO 2016, p. 50. 44 In relation to the actions taken by the ICO in relation to data breaches or security incidents, please refer to this section: https://ico.org.uk/action-weve-taken/enforcement/.

5.1 General Situation

99

factsheets explaining complex laws and briefings for parliament, the press and the public”.45 The group campaigned through the years on a variety of issues related to privacy online, surveillance and more generally on civil rights. Privacy International (PI) is a London-based charity that aims to promote worldwide protection of rights to privacy, founded in 1990. Among their goals they “advocate for strong national, regional, and international laws that protect privacy” and “raise awareness about technologies and laws that place privacy at risk, to ensure that the public is informed and engaged”.46 According to the Audited Financial Statement 2014–2015, PI had £1,398,207 of total incoming resources and £1,625,947 of total resources expended.47 PI is funded by charitable trusts and foundations as well as statutory bodies, but they do not accept donations by corporations in order to defend the independence of their activities.

5.2

National Government Policies

National Policies, Privacy Impact Assessments The expert survey conducted in the UK for the purposes of this research describes the UK government’s attitude towards personal data protection as ameliorative.48 Although the government tends to treat data protection as a ‘necessary evil’, it has nevertheless been prepared to provide the necessary subject rights, data controller obligations and ICO regulator powers to align UK law with the respective EU requirements. This outcome, however, appears to have been influenced by the 2004 ‘letter of formal notice’ sent by the European Commission to the UK government regarding alleged deficiencies in the UK implementation of the EU Data Protection Directive (its content was not disclosed by the government), and the Commission’s 2010 ‘reasoned opinion’, which comments among other things on the limitations to the ICO powers, the limits on rectification or erasure of personal data, and the limits to compensation for non-pecuniary damage due to breach of the DPA 1998.49 Unlike other EU jurisdictions, the UK government approaches personal data protection by divorcing personal data protection from individual privacy rights and, instead, focusing on personal data protection in the context of commercial continuity, commercial risk and information security. This approach can be witnessed, for instance, in the government’s Cyber Security Regulation and Incentives Review published in December 2016.50 While a link between personal data protection and 45

https://bigbrotherwatch.org.uk/about/. https://privacyinternational.org/. 47 Audited Financial Statement 2014–2015, see: https://privacyinternational.org/sites/default/files/ Audited%20Financial%20Statement%202014-2015.pdf. 48 Based on survey results (see Sect. 1.3.4). 49 EU Commission 2010. 50 HM Government 2016. 46

100

5 United Kingdom

privacy has been recognized by the UK courts, successive UK governments have been careful not to make the link between human rights/privacy rights and personal data protection explicit.51 Risk analyses and Privacy Impact Assessments (PIAs) were not mandatory under UK law prior to the GDPR, although PIAs have become a ‘mandatory minimum measure’ in the government and its agencies.52 The ICO provides guidance on the design and execution of PIAs.53 A government initiative worth mentioning is the midata program, which encourages the release of consumer data back to individuals in reusable form. The idea is that consumers should have access to the data companies collect on their transactions to make it easier for them to compare the different available offers.54 The program concerns specific sectors such as energy, credit cards and mobile phones, and personal current accounts. The ICO is actively advising on the program’s privacy implications. A recent development in relation to the initiative is that bank customers can now download a file of their financial transactions and use it to find the best current account for them. A similar approach is currently being adopted by energy providers.55 Privacy and Data Protection in New Policies The ICO is aware of different initiatives in the domain of big data (and has issued guidance on the matter).56 For instance, in the 2014 budget, the government committed £42 million over 5 years to set up the Alan Turing Institute. Together with IBM they also fund the Hartree Centre. This offers big data scale computing power which businesses can use. There is also discussion regarding the setup of a Council of Data Science Ethics.57 Government-funded research councils also support big data initiatives, e.g., ESRC support for the Administrative Data Research Network. There are other examples of support for big data in the previous government’s information economy strategy.58 The Department for Culture, Media and Sports, as well as the ICO, regularly meet with stakeholders and hear through

51

Based on survey results (see Sect. 1.3.4). See Cabinet Office 2008. 53 ICO 2014. 54 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/327845/bis-14941-review-of-the-midata-voluntary-programme-revision-1.pdf. 55 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom#chapter content12. 56 ICO, Guidelines on Big Data and Data Protection, 28 July 2014 and revised 18 August 2017. In the revised version of the guidelines, the ICO suggests among other how data controllers can comply with the GDPR from May 2018 onwards while using big data. The guidelines cover topics like anonymization, privacy impact assessments, repurposing data, data minimization, transparency and subject access. 57 http://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/992/992.pdf, para 57. 58 https://www.gov.uk/government/publications/information-economy-strategy. 52

5.2 National Government Policies

101

stakeholders, including from conversations with international counterparts, about new developments and associated risks. With regard to Privacy by Design, the ICO encourages organizations to think about their legal obligations under the DPA from the start. Privacy Impact Assessments (PIAs) are an integral part of a ‘Privacy by design’ approach and a code of practice has been published which explains the principles which form the basis for PIAs and how they can be used to identify and reduce the privacy risks of organizations’ projects. Guidance on PIAs has been published in 2014. ICO made clear under this code that sectoral groups who wish to develop a PIA methodology to apply to their particular sector would be supported. Societal Debate In the UK there is an active societal debate, covered by considerably media attention, see Sect. 5.1. Furthermore, the UK government makes use of internet consultations to take into account the citizens’ and companies’ attitudes when designing new (data protection) policies.59 An example of such a consultation is the one on the sharing and use of data within public sector organizations,60 which was online for eight weeks in early 2016. It aimed to compile a list of good practices to maximize data sharing within institutions, while at the same time improving data security. The consultation prompted civil society organizations, privacy groups, government officials, academics and representatives from parts of the wider public sector to consider data sharing proposals from a number of government departments (as for instance the Department for Work and Pensions or the Driver and Vehicle Licensing Agency), and to state whether they find these appropriate.61 The consultation was understood as the next step of a yearlong open policy-making initiative that the government has been running in close cooperation with civil society organizations.62 The results were published on a non-governmental website, www. datasharing.org.uk, to serve both as a repository and audit trail of the ongoing work.63 Information Campaigns Several information campaigns were promoted by the UK government about data protection: • “Responsible for Information” - The government has developed a course to help employees and business owners understand information security and associated

59

https://www.gov.uk/government/publications?publication_filter_option=consultations. https://www.gov.uk/government/news/launch-of-new-data-sharing-consultation. 61 https://www.gov.uk/government/news/launch-of-new-data-sharing-consultation. 62 https://www.gov.uk/government/news/launch-of-new-data-sharing-consultation; http://datasharing.org.uk/. 63 http://datasharing.org.uk/conclusions/index.html. 60

102

5 United Kingdom

risks, as well as their responsibilities with regards to data privacy and protection against fraud and cyber-crime.64 • “Cyber Aware” - The UK Home Office has also published online material to favor behavioral changes from small businesses and individuals to help them protect themselves from cyber criminals.65 • “Get Safe Online” is another online resource which provides practical advice on how individuals can protect themselves, their computers and mobiles device and business against fraud, identity theft, viruses and many other problems encountered online. The initiative is supported by the government.66 The ICO has developed material for schools to increase awareness among children and students about the value and importance of their personal information.67 It has also produced material to encourage organizations and their employees to think hard about their responsibilities under the Data Protection Act 1998.68

5.3

Laws and Regulations

Implementation of the EU Directive Prior to the GDPR, the main data protection legislation in the United Kingdom was the Data Protection Act 1998 (DPA), which came into force in 2000 and implemented the EU Data Protection Directive 95/46/EC on a national level. Furthermore, the Privacy and Electronic Communications Regulations (PECR) (first introduced in 2003 and amended in 2011) implemented into UK law the requirements of the ePrivacy Directive 2002/58/EC. PECR is the instrument regulating direct marketing by electronic means, the use of cookies and other similar technological means. It also introduced sector specific requirements regarding the reporting of data protection breaches, which concern providers of public electronic communications services.69 The DPA 1998 largely followed the Directive, although the ICO has taken the initiative on introducing good practices from other jurisdictions, such as PIAs and Privacy by Design methodologies, which, while not mandatory, go further than the measures provided for in the EU Data Protection Directive. Since its adoption, the DPA was amended by a number of UK primary and secondary laws, most notably

64

http://www.nationalarchives.gov.uk/sme/. https://www.cyberaware.gov.uk/. 66 https://www.getsafeonline.org. 67 https://ico.org.uk/for-organisations/education/resources-for-schools/. 68 https://ico.org.uk/for-organisations/improve-your-practices/posters-stickers-and-e-learning/. 69 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom# chaptercontent1. 65

5.3 Laws and Regulations

103

by the Freedom of Information Act 2000.70 In its current form, the DPA organizes data protection around eight main tenets: • • • • • •

Personal data processing must be fair and lawful; Personal data processing requires specified and lawful purposes; Personal data must be adequate, relevant and not excessive; Personal data must be accurate and kept up to date. Personal data must not be kept for a period longer than necessary. Personal data must be processed in accordance with the rights of the data subjects. • Measures must be taken against unauthorized/ unlawful personal data processing. • Personal data transfer to a country outside of the EU requires the existence of adequate levels of protection in that country for the rights and freedoms of the data subjects.71

Sectoral Legislation In addition, there is some sector specific legislation concerning financial services. Regulated organizations within the financial sector have the additional obligations to conduct their business activities with ‘due skill, care and diligence’ and to ‘take reasonable care to organize and control [their] affairs responsibly and effectively, with adequate risk management systems’. This legislation imposes further compliance obligations on data controllers within the financial services sector, in addition to the ones under the DPA.72 Reports from 2010 indicate that the European Commission had launched an investigation procedure against the UK for alleged failures to implement eleven of the EU Data Protection Directive’s thirty-four provisions properly. Many deficiencies were pointed out.73 The UK has been also criticized for the lack of special legislation to enhance the protection of employees.74 In this regard, the data protection authority has issued guidelines to raise rights-awareness and help individuals seeking redress.75 The guidelines cover issues of recruitment and selection, employment records, monitoring at work and employees’ health (relating to occupational health, medical testing and drug screening).76 Under the DPA and the GDPR, sensitive personal data includes the standard types of sensitive personal data (ethnicity, race, political or religious beliefs, trade 70

The UK government’s legislation website indicates 485 amendments since 2002, see http:// www.legislation.gov.uk/. 71 Schedule 1 to the DPA; Long et al. 2017, p. 357. 72 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom# chaptercontent1. 73 European Union Agency for Fundamental Rights 2010. 74 European Union Agency for Fundamental Rights 2010. 75 European Union Agency for Fundamental Rights 2010. 76 Long et al. 2017, p. 355.

104

5 United Kingdom

union membership, health, sexual life and orientation), as well as information about actual or alleged criminal offences or criminal proceedings. The categories are broadly drawn so that, for instance, information concerning a person that has a broken leg is considered sensitive personal data as well, even though such information is relatively easy to obtain when the individual concerned has his leg in plaster and is using crutches.77 A relevant example in this regard can be found in Murray v Big Pictures where the High Court held that a photo could be sensitive personal data if it revealed the ethnic origin of the persons in the picture.78 Sensitive personal data may be processed if the standard conditions for processing personal data79 are met and at least one of several other requirements is fulfilled. Those include, to name just a few, the explicit consent of the individual, the data subject deliberately making the information public, the necessity to process the sensitive information in the framework of legal proceedings or for monitoring equality of opportunities.80 A range of additional processing conditions are set out both in the DPA and in a separate Order, the Data Protection (Processing of Sensitive Personal Data) Order 2000, that regulates among other things the data processing for regulatory investigations, or research and political activities.81 The individual’s consent should leave no doubt about the processing. It should thus cover the specific processing details and purpose, the information type, and any special aspects that may affect the individual, such as any disclosures that may be made. Self-regulation and Codes of Conduct The UK has a long history of self-regulation.82 Consequently, industry self-regulation is part of the UK regulatory landscape and has seen consistent governmental support, even if being in the line of fire with regard to its transparency, public accountability and effectiveness.83 Several self-regulatory initiatives are already in place, for instance, in the area of consumer data. Some are described in the 2015 report by the Competition and Markets Authority on The

77

ICO undated, p. 7. https://www.linklaters.com/en/insights/data-protected/home. 79 These conditions are set in Schedules 2 and 3 to the DPA and refer to the individual’s consent, the necessity of the processing due to a contractual relationship or a legal obligation, due to vital interests or legitimate interests, or for administering justice. See for more on the matter https://ico. org.uk/for-organisations/guide-to-data-protection/conditions-for-processing/#conditions-sensitivedata. 80 https://ico.org.uk/for-organisations/guide-to-data-protection/conditions-for-processing/#conditionssensitive-data. 81 http://www.legislation.gov.uk/uksi/2000/417/contents/made. 82 See for instance self-regulation of the press by the Press Complaints Commission (PCC), now the Independent Press Standards Organisation (IPSO); self-regulation of advertising, via the Advertising Standards Authority; and self-regulation of direct marketing by the Direct Marketing Association & Commission. 83 Based on survey results (see Sect. 1.3.4). 78

5.3 Laws and Regulations

105

commercial use of consumer data84 and concern mainly online advertising and direct marketing practices. The initiatives commonly consist of a code or framework of principles, as well as practical guidance to members, and various enforcement mechanisms when breached.85 The ICO also encourages and supports self-regulation: organizations are encouraged to ‘self-regulate’ as far as possible, for example by adopting sectoral codes or adopting standards for collecting and processing personal information. The ICO has no doubt that self-regulation by organizations, and self-protection by well-informed individuals will become increasingly important elements of an effective data protection regime.86 The ICO itself has developed a range of guidelines and practical advice to help organizations with the implementation of new projects. Some of them are drafted in the form of Codes of Conduct (CoC) and address issues such as data sharing, privacy notices and anonymization processes.87 However, it appears that the policy adopted by the ICO tends to reflect the concerns and interests of the current office holders, and may change over time.88

5.4

Implementation

Some companies make use of binding corporate rules when it comes to the protection of personal data and privacy in general. However, these are usually organizations that act in multiple jurisdictions that therefore take additional compliance measures to meet various standards.89 The ICO has published a large amount of guidance in relation to data protection and privacy and electronic communications. These publications are regularly updated to keep in line with technology or legal developments.90 The ICO consults on its draft codes of conduct and publishes the responses it has received online. For instance, the ICO launched a consultation on

84

CMA 2015. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/435817/The_ commercial_use_of_consumer_data.pdf, p. 71. 86 See e.g. ICO (undated) The Information Commissioner’s response to the European Commission’s consultation on the legal framework for the fundamental right to protection of personal data http://ec.europa.eu/justice/news/consulting_public/0003/contributions/public_authorities/ico_ uk_en.pdf. 87 https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/. 88 UK Expert Survey, p. 5. 89 Chapter 8, Empirical Findings – United Kingdom, p. 149. 90 A full list of ICO guidance can be found here: https://ico.org.uk/for-organisations/guidanceindex/data-protection-and-privacy-and-electronic-communications/. 85

106

5 United Kingdom

privacy notices.91 The responses it received were published in a document available on its website.92 Furthermore, the ICO has begun to publish guidance on issues relating to the implementation of the GDPR. Whether to compose entirely new guidance documents or to adapt the already existing comprehensive ones, is currently under debate.93 Privacy Officers Similar to many other EU countries, UK data protection laws prior to the GDPR did not oblige entities to appoint a Data Protection Officer (DPO). It appears, however, that in practice many larger organizations do so.94 Within public organizations, the DPO functions are often combined with those of a freedom of information officer.95 The appointed DPOs typically have experience in information or records management, IT, data security, and/or compliance. The DPO may be part of a number of departments within an organization – as the 1984 Data Protection Act dealt only with personal data held on a computer, they used to be primarily based in IT departments (but over time have migrated to, amongst others, records management and legal departments).96 Their tasks usually cover replying to queries and requests from data subjects, the ICO, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), the developing of internal data security policies and procedures, staff training, advising on compliance with the applicable law, reviewing and advising on new products or procedures, identifying risk areas, and advising on legal developments that may be significant for the respective entity.97 Once appointed, there is no requirement to notify and register the respective DPO to the data protection authorities, although the officer can be designated as a contact person to the ICO. Security Measures Privacy by Design was not a requirement of the DPA,98 but encouraged by the ICO nevertheless. The ICO advocates the integration of core privacy considerations into

91 https://ico.org.uk/about-the-ico/consultations/privacy-notices-transparency-and-control-a-codeof-practice-on-communicating-privacy-information-to-individuals. 92 https://ico.org.uk/media/about-the-ico/consultations/1625139/ico-privacy-notices-code-of-practiceconsultation-summary-20161006.pdf. 93 Long et al. 2017, p. 347. 94 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom#chapter content6. 95 Based on survey results (see Sect. 1.3.4). 96 Based on survey results (see Sect. 1.3.4). 97 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom#chapter content6. 98 The DPA 1998 simply requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’ It is not specified what is considered ‘appropriate’ in any context. However, it is often interpreted as measures that conform to contemporary industry standards. See on the matter the survey results (Sect. 1.3.4).

5.4 Implementation

107

existing project management and risk management tools and policies.99 In this context, the ICO has developed a code of practice for Privacy Impact Assessments (PIAs).100 The code explains organizations how to effectively use PIAs and contains annexes which the data processor can use as the basis for their own PIA. These include guiding questions and templates in an editable format to record the process. The ICO has further commissioned a report on the use of PIAs and the potential for their further integration within project and risk management tools.101 The ICO requires data handling entities to have in place appropriate technical and organizational measures against unauthorized or unlawful processing of personal data, and against accidental loss, destruction or damage of the personal data. The level of security must be appropriate considering the nature of the data (with a higher level of security required where sensitive personal data is at stake) and the potential risk of harm to data subjects if the security safeguards suffer a breach.102 However, specific standards in this regard are not established by law or binding guidelines. Nevertheless, the ICO expects organizations to implement internal controls, including appropriate data protection policies and procedures, access controls, staff training and awareness, and technical controls. The latter should include password-protected devices, use of encryption and the secure disposal of IT assets.103 The DPA did not contain particular obligations regarding reporting of security breaches. The ICO, however, has issued guidance on the matter stating that it expects to be informed when serious security breaches do occur.104 Failure to report serious breaches is taken into account in determining any applicable monetary penalty. In addition, there is an expectation that organizations will notify data subjects at particular risk of harm, especially where data subjects could take action to offset or prevent the harm.105 Breach notification requirements existed under the DPA in line with the PECR provisions that implement the Directive 2009/136/EC on users’ rights relating to electronic communications networks and services, and for data controllers in the financial sector that have to inform the Financial Conduct Authority of any breach.106. The ICO is also currently developing a privacy seal certification. Organizations which have been awarded the privacy seal will be able to use it externally to show

99

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/. https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf. 101 https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/. 102 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom# chaptercontent12. 103 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom# chaptercontent12. 104 https://lpscdn.linklaters.com/-/media/files/linklaters/pdf/mkt/london/tmt_data_protection_survival_ guide_singles.ashx. 105 Based on survey results (see Sect. 1.3.4). 106 https://www.linklaters.com/en/insights/data-protected/home. 100

108

5 United Kingdom

that they are complying with the existing best practice when processing personal data. The seal will function as a trust mark. The ICO is working with the UK Accreditation Service and other stakeholders to outline criteria to select privacy seal scheme operators to which organizations will apply for a privacy seal.107 Noteworthy in terms of security initiatives is also the ‘Bring your own device’ (BYOD) guideline. In it, the ICO created a clear policy for companies that allow their staff members to connect their own devices to company hardware and software.108 The guideline portrays responsibilities for both company and employees in terms of data protection and security breach risks.109 Transparency The experts surveyed for this research indicate that current transparency perceptions diverge and therefore it is hard to make a general statement.110 The somewhat differing outcomes of a number of official reports confirm this statement to a certain extent. According to the findings of the Consent survey, a substantial number of UK citizens never or rarely reads privacy policies (UK 63%, EU average 54%). Those who do read privacy policies do not read the whole text - only 6% do so. However, despite the low reading numbers there is a fair amount of confidence that what is read in privacy policies is fully or mostly understood – 58% of the UK people claim to understand usually most or all of it.111 On the other hand, a survey conducted by the ICO suggests poor understanding of privacy policies. According to its focus group research awareness of privacy notices is extremely limited.112 At best, respondents would recognize a term, but only a small number would be able to explain what it meant and how it protected them and their data. Furthermore, the 2015 report of the Competition and Markets Authority on The commercial use of consumer data indicates the consumers’ perception that privacy policies fail to perform the purpose for which they have been created – to generate understanding and to ensure the fair collection of personal data.113 Respondents indicate they feel that these policies filled with complicated juridical jargon are designed to serve the companies, not the consumers. Consequently, in their opinion the balance of power over the collection and use of data has moved from consumers 107 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/united-kingdom# chaptercontent12. 108 https://ico.org.uk/media/for-organisations/documents/1563/ico_bring_your_own_device_byod_ guidance.pdf. 109 Long et al. 2017, p. 358. 110 Based on survey results (see Sect. 1.3.4). 111 Consent Country Report UK 2012, p. 36. 112 ICO (2015) Data protection rights: What the public want and what the public want from Data Protection Authorities. 113 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/435817/The_ commercial_use_of_consumer_data.pdf, p. 170.

5.4 Implementation

109

towards businesses.114 The same report has also documented the attitude of private organizations to collect information users are not aware of by moving from the so-called volunteered information (given by tacking a box or completing forms) to ‘passive’ data collection (i.e., by using cookies).115 In this context, governmental working groups have been advocating for the ICO’s involvement in simplifying the content of both terms and conditions contracts and privacy policies, and for the government to enable the active participation of the public throughout the process.116

5.5

Regulatory Authorities and Enforcement

Supervisory Authorities The Information Commissioner’s Office (ICO) monitors and enforces the DPA and PECR in the UK. The Information Commissioner is appointed by The Queen. The ICO is an independent body and reports directly to British parliament. The current Information Commissioner is Elizabeth Denham, appointed in July 2016. The ICO’s head office is located in London, but it also holds offices in Scotland, Wales and Northern Ireland. Its budget for 2015–2016 was more than 23 million pounds, more than 18 million of which has come from notification fees that flow directly into its budget.117 The ICO currently counts 442 employees, of which 409 have a full-time position.118 Data controllers within the sector of financial services are also regulated by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). Main Activities The ICO promotes openness by public bodies and data privacy for individuals. Its main activities in this regard are to raise awareness and to educate organizations and the public on data protection and other relevant legislation. It further maintains the public register of data controllers.119 As described below, the ICO can also take particular actions to enforce this legislation. In its 2015–2016 annual report, the ICO has identified the following objectives as its main priorities for the coming years:

114

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/435817/The_ commercial_use_of_consumer_data.pdf, pp. 104–105. 115 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/435817/The_ commercial_use_of_consumer_data.pdf, p. 169. 116 http://www.publications.parliament.uk/pa/cm201415/cmselect/cmsctech/245/245.pdf, p. 22. 117 Data protection activities in the UK are financed almost entirely by fees collected from data controllers who have to notify their processing of personal data under the DPA. 118 https://ico.org.uk/about-the-ico/our-information/key-facts/. 119 Long et al. 2017, p. 350.

110

5 United Kingdom

• To help organizations to better understand their information rights obligations; • To proportionately use its enforcement powers to ensure the improved compliance with information rights; • To give data subjects a proportionate, fair and efficient response to their information rights concerns; • To empower individuals to use their information rights; • To be alert and responsive to changes which impact information rights.120 The ICO has a number of tools at its disposal to influence the behavior of data collectors and processors. These include not only measures of civil and administrative enforcement, but also criminal prosecution. The tools are not mutually exclusive and are regularly used in combination.121 With regard to collecting information on a certain data protection matter, the ICO has the power to request information and documents by serving information notices to organizations.122 Furthermore, the ICO can conduct consensual audits at the request of the data controller, as well as compulsory audits upon serving an assessment notice to verify whether the organization in question follows good data processing practices.123 Its findings are communicated via decision notices.124 The ICO can also issue public undertakings that commit organizations to take a particular course of action in order to comply with the data protection regulations. Although the undertakings do not have a statutory power, the practice has ‘name and shame’ implications for organizations and serves as an admission of guilt should further breaches occur.125 The undertakings method appears to be frequently practiced.126 The ICO also issues enforcement notices and ‘stop now’ orders when a data breach has taken place and thereby requires organizations to take (or refrain from taking) particular steps to ensure data protection compliance.127 Failure to comply with the notices is a criminal offence, punishable by unlimited fines but not by imprisonment. However, as the ICO has no enforcement authority, the actual prosecution of a criminal offence must be brought before the UK criminal courts. In this regard, the ICO liaises with the Crown Prosecution Service. On an administrative level, the ICO has the power to impose monetary fines (monetary payment notices) of up to £500,000 if there is a serious data protection breach that has been deliberately or recklessly induced and this is likely to cause substantial damage or distress.128 In 2015, some legislative changes were

120

ICO 2016, p. 13. https://ico.org.uk/about-the-ico/what-we-do/taking-action-data-protection/. 122 European Union Agency for Fundamental Rights 2010. 123 https://ico.org.uk/about-the-ico/what-we-do/taking-action-data-protection/. 124 http://search.ico.org.uk/ico/search/decisionnotice. 125 https://www.linklaters.com/en/insights/data-protected/home. 126 https://ico.org.uk/action-weve-taken/enforcement/. 127 https://ico.org.uk/about-the-ico/what-we-do/taking-action-data-protection/. 128 https://www.linklaters.com/en/insights/data-protected/home. 121

5.5 Regulatory Authorities and Enforcement

111

introduced to make it easier to issue a monetary penalty notice for breach of the rules on direct marketing by email, telephone or fax. The ICO can now fine data breaches without having to show substantial damage or distress.129 As it will be discussed in the following section, the ICO has made notable use of these competences. Furthermore, although not directly deciding about the merits of a complaint, the ICO supports citizens in their efforts to raise data protection concerns with the responsible organizations. The ICO’s role is to help individuals understand how to best interact with the organization to resolve the issue at stake. It provides specific check lists with information and steps that could be considered. The ICO organizes the concerns according to the following six categories: nuisance calls and messages, internet search results, accessing or re-using information, cookies, how personal information has been handled, and complaints about the Information Commissioner’s Office.130 Once a citizen has contacted the organization in question and the latter has been unable or unwilling to address the matter, the ICO expects individuals to report back the outcome. The ICO uses the information to decide whether the concern presents an opportunity for the ICO to improve data protection practices. If it decides that this is the case, the ICO takes steps as described above.131 The ICO is only randomly consulted by the legislature when drafting statutes that may affect privacy and data protection issues for there is no particular requirement for the legislature to do so.132 Use of Competences According to its 2015–2016 annual report, the ICO has seen an increase in data protection concerns brought to it with over 16,300 cases. During that period, the ICO has resolved 15,700 cases with over 90% of them concluded within three months. In most of the cases the ICO has identified actions that organizations were expected to take.133 Complaints about access to information from public authorities have also witnessed an increase. In the same period, the ICO has registered over 5,100 complaints and closed 5,068 of them. More than 70% of the cases have been concluded within three months and 90% of them resulted in a decision within six months. The ICO has further issued 1,376 decision notices. There have been 275 appeals to the Information Tribunal, of which in 80% of the cases the ICO’s decision has been upheld.134 The ICO’s helpline has received 204,700 calls during that period, which is number fairly similar to previous years. Half of the registered calls were from the

129

https://www.linklaters.com/en/insights/data-protected/home. https://ico.org.uk/concerns/. 131 https://ico.org.uk/for-the-public/raising-concerns/. 132 European Union Agency for Fundamental Rights 2010. 133 ICO 2016, p. 18. 134 ICO 2016, p. 18. 130

112

5 United Kingdom

public. 80% of the calls were related to data protection matters, 15% to PECR and 4% to freedom of information issues. The ICO has also conducted independent research to assess the level of satisfaction with the helpline service. When asked how helpful the service was, 95% of callers have referred to it as helpful or very helpful. Nine out of ten calls were dealt with by the first point of contact with the caller.135 In 2016, security failings within a telecom company had made large volumes of customers’ personal data easy pray for an attacker. The ICO issued the company with a record £400,000 monetary penalty.136 Notable cases from 2017 are the fine for an insurance company (£150,000) that lost the personal data of about 60,000 customers, and the monetary penalty (£100,000) for a telecom company that failed to protect the personal data of nearly 21,000 customers.137 Reputation The ICO commissions annual surveys and reports on customer satisfaction available on its website.138 It thereby documents the level of awareness experienced by individuals of their rights and the institutions designated to protect them. The ICO 2016 Annual Track statistics,139 which accompanies the Annual Track report and the Customer Satisfaction report,140 indicated a general awareness of the DPA 1998 with 97% of the UK people having heard of the regulation and 75% having some knowledge about it. However, it appears that fewer were aware of their rights under the Data Protection Act and of the existence of the ICO in general. Only 35% have heard of it, while only 5% consider to have a good knowledge of what the ICO does. Additional information on how the ICO is being perceived is available from the ICO stakeholder perception studies conducted in 2008141 and 2012142 respectively. The studies consider the relationships a number of audiences have developed with the ICO and cover the experiences of both organizations and individuals. However, ‘the stakeholders’ in both surveys do not include members of the general public, but rather public sector organizations, commercial organizations, academics, informed commentators or preselected stakeholders (2012 survey).143 In the 2012 survey it is unclear from which particular organizations the preselected stakeholders originate. Of the issues highlighted in the 2008 report stand out the

135

ICO 2016, p. 18. Long et al. 2017, p. 359. 137 Long et al. 2017, p. 359. 138 ICO (undated) Information rights research [webpage], https://ico.org.uk/about-the-ico/ourinformation/research-and-reports/information-rights-research/. 139 https://ico.org.uk/media/about-the-ico/documents/1624382/ico-annual-track-2016.pptx. 140 ICO (undated) Information rights research [webpage] https://ico.org.uk/about-the-ico/ourinformation/research-and-reports/information-rights-research/ 141 Jigsaw Research 2008. 142 Ipsos MORI 2012. 143 Based on survey results (see Sect. 1.3.4). 136

5.5 Regulatory Authorities and Enforcement

113

timeliness of addressing a concern and the consistency of the advice given by the ICO.144 The 2012 survey shows the wish for the ICO to be more public with regard to its enforcement actions.145 In general, the willingness of the ICO to seek amicable solutions and to reach agreeable outcomes with data controllers has generated its reputation of being ‘data controller-friendly’.146 The fact, however, that until fairly recently it had limited enforcement powers may have contributed to that. Since 2010 the ICO’s mandate has been strengthened by a greater fining capacity.147 The firms that comment on the ICO’s fining process find it transparent and easy to comprehend.148 Imposing monetary penalties to data controllers is, however, still an instrument of last resort for the ICO, which appears to prefer, where possible, to reach a settlement.149

References Big Brother Watch (2012) The Price of Privacy: How local authorities spent £515m on CCTV in four years. Big Brother Watch, February 2012 Blick A, Blackburn R (2012) Mapping the Path to Codifying - or not Codifying - the UK’s Constitution, Series paper 2. Centre for Political and Constitutional Studies, King’s College London Bordessa E (2018) ICO data security statistics highlight need for increased staff awareness, see: https://www.itgovernance.co.uk/blog/ico-data-security-statistics-highlight-need-for-increasedstaff-awareness/ Cabinet Office (2008) Cross Government Actions: Mandatory Minimum Measures (Section I, 4.4: All departments must “conduct privacy impact assessments so that they can be considered as part of the information risk aspects of Gateway Reviews”) http://www.cabinetoffice.gov.uk/ sites/default/files/resources/cross-gov-actions.pdf CMA (2015) The commercial use of consumer data (June 2015), pp. 69–73. https://www.gov.uk/ government/uploads/system/uploads/attachment_data/file/435817/The_commercial_use_of_ consumer_data.pdf Consent Country Report UK (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Dutton WH, Blank G (2013) Cultures of the Internet; The Internet in Britain, Oxford Internet Survey 2013. http://oxis.oii.ox.ac.uk/reports EU Commission (2010) Data protection: Commission requests UK to strengthen powers of national data protection authority, as required by EU law [press release] (Brussels, 24 June). http://europa.eu/rapid/press-release_IP-10-811_en.htm?locale=en Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015

144

https://ico.org.uk/media/1042339/ico-stakeholder-perception-study-research-report.pdf, p. 5. https://ico.org.uk/media/about-the-ico/documents/1042371/stakeholder-perceptions-2012.pdf, p. 2. 146 Based on survey results (see Sect. 1.3.4). 147 Chapter 8, Empirical Findings – United Kingdom, p. 155. 148 Chapter 8, Empirical Findings – United Kingdom, p. 155. 149 Based on survey results (see Sect. 1.3.4). 145

114

5 United Kingdom

European Union Agency for Fundamental Rights (2010) Data Protection in the European Union: The role of National Data Protection Authorities (Strengthening the fundamental rights architecture in the EU II) http://fra.europa.eu/sites/default/files/fra_uploads/815-Data-protection_ en.pdf HM Government (2016) Cyber Security Regulation and Incentives Review. Department for Culture, Media & Sport, December 2016. See: https://www.gov.uk/government/uploads/system/uploads/ attachment_data/file/579442/Cyber_Security_Regulation_and_Incentives_Review.pdf ICO (undated) The Guide to Data Protection. See http://www.pkc.gov.uk/media/23015/ICOGuide-to-Data-Protection/pdf/ICO_Guide_to_Data_Protection.pdf?m=636114321579170000 ICO (2014) Conducting privacy impact assessments code of practice. See https://ico.org.uk/media/ for-organisations/documents/1595/pia-code-of-practice.pdf ICO (2016) Annual Report 2015/16. ICO, Wilmslow. See https://ico.org.uk/media/about-the-ico/ documents/1624517/annual-report-2015-16.pdf Ipsos MORI (2012) Stakeholder Perceptions 2012, Prepared for the ICO (March 2012). https://ico. org.uk/media/about-the-ico/documents/1042371/stakeholder-perceptions-2012.pdf Jigsaw Research (2008) ICO Stakeholder Perceptions Study (May 2008) https://ico.org.uk/media/ 1042339/ico-stakeholder-perception-study-research-report.pdf Long WRM, Scali G, Blythe F (2017) United Kingdom. In: Raul AC (ed) The Privacy, Data Protection and Cybersecurity Law Review, 4th edn., p. 347 Mulligan DK, Bamberger KA (2015) Privacy on the Ground; Driving Corporate Behavior in the United States and Europe. MIT Press Reuters (2013) British spy agency taps cables, shares with U.S. NSA – The Guardian, Reuters, 21 June 2013 The Guardian (2011) You’re being watched: There’s one CCTV camera for every 32 people in UK - Research shows 1.85m machines across Britain, most of them indoors and privately operated, 2 March 2011 Trilateral Research & Consulting (2013) Privacy Impact Assessment and Risk Management Report for the Information Commissioner’s Office, 4 May 2013. https://ico.org.uk/media/ 1042196/trilateral-full-report.pdf Vodafone Survey on Big Data (2016) Big Data: A European Survey on the Opportunities and Risks of Data Analytics. http://www.vodafone-institut.de/bigdata/links/VodafoneInstituteSurvey-BigData-Highlights-en.pdf

Chapter 6

Ireland

6.1

General Situation

Ireland is a country with a common law legal system with a written constitution. The legal system to some extent is similar to that of the UK, mainly due to the historic ties between these two countries. The Irish constitution contains a section of fundamental rights, including provisions on the inviolability of the home (Article 40.5), family and home life (Article 41.1) and personal rights (Article 40.3). The Constitution of Ireland does not explicitly guarantee a right to privacy, but the courts have recognized an unenumerated right to privacy as one of the personal rights in the constitution.1 Ireland is a signatory to the Universal Declaration of Human Rights (UDHR) and has ratified the International Covenant on Civil and Political Rights (ICCPR), two legal instruments that contain a right to privacy. Ireland has been a member of the EU since 1973 and is a party to the European Convention on Human Rights, which has been incorporated into domestic law. In matters within the scope of European Union Law, Ireland is bound by the Charter of Fundamental Rights of the European Union, Articles 7 and 8 of which relate to the right to privacy and the protection of personal data respectively. Furthermore, Ireland has ratified the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Ireland takes a dualistic approach towards international law, meaning that international and national law are considered as separate legal systems and provisions in international treaties require implementation in national law before being applicable.

1

McGee v. Attorney General [1974] IR 284; Kennedy and Arnold v. Attorney General [1987] IR 587.

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_6

115

116

6 Ireland

With regard to privacy and data protection issues, it is interesting that the European headquarters of several tech giants are located in Ireland, such as Google, Facebook, Apple, Adobe, Airbnb and LinkedIn. A reason for this may be the low tax rates and lenient data protection standards,2 in combination with a young, well-educated, English speaking workforce.3 Any litigation from Europeans against these companies usually starts in Ireland. In recent years, there were some interesting cases in Irish courts against these tech companies. Most notable in this respect was the Schrems case, a 2015 ruling of the Court of Justice of the EU (CJEU) in which the so-called Safe Harbor Decision (an agreement between the EU and the US on a voluntary code of conduct that was considered adequate protection for the transfer of personal data from the EU to the US) was declared invalid.4 This case was started by the Austrian privacy activist Max Schrems in Ireland in 2011. Another notable ruling was the CJEU ruling in 2014 that declared the EU Data Retention Directive (Directive 2006/24/EC) invalid.5 This case was started by Digital Rights Ireland, an Irish civil rights organization, against the Irish authorities. Internet Use Ireland has a population of 4.7 million inhabitants, of whom it is estimated that 85% had access to the Internet at home in 2015.6 The Irish appear to be experienced and very tech savvy when it comes to the use of online services. 66% of the Irish people (EU average 57%) use online social networks at least once a week.7 A similarly high number (59%) uses online banking once a week.8 Furthermore, it appears that a significant number of Irish people use the Internet to make or receive phone calls or video calls (43%, EU average 27%) or to purchase goods (23%, EU average 17%). Irish people also have high scores (24%, EU average 18%) in using peer-to-peer software or sites to exchange movies or music.9 Irish Internet users are generally interested in networking (29%, EU average 31%) and the worldwide web usage (13%, EU average 15%).10

2

http://thesovereigninvestor.com/asset-protection/ireland-sets-big-tech-internet-privacy-policies/. https://www.quora.com/Why-have-Google-and-Facebook-chosen-Dublin-for-their-Europeanheadquarters. See also https://qz.com/124133/the-reason-american-tech-firms-like-ireland-isntjust-the-low-taxes/. 4 CJEU 6 October 2015, case C-362/14, Facebook/Schrems, ECLI:EU:C: 2015:650. 5 Case number C-293/12. Court of Justice of the European Union. 8 April 2014. 6 http://www.cso.ie/en/releasesandpublications/er/isshh/informationsocietystatistics-households2015/. 7 Eurobarometer 431 2015, p. 109. 8 Eurobarometer 431 2015, p. 110. 9 Eurobarometer 431 2015, p. 113. 10 Consent Country Report Ireland 2012, p. 3. 3

6.1 General Situation

117

Control About 52% of the Irish feel they have partial control over the information they provide online, while 26% of those inquired do not feel in control at all.11 On the other hand, 20% feel they have complete control. This seems to indicate that Ireland is above the EU averages with regard to partial control (EU average 50%) and full control (EU average 15%), and is below the EU average in relation to no control (EU average 31%). Overall, the Irish seem to be quite concerned about the lack of complete control. About 79% of the people indicate concern, compared to an EU average of 67%. Among the Irish people, 81% consider providing personal information an increasing part of modern life, which exceeds the EU average (71%).12 In this context, about 44% indicates that providing personal data is not a big issue, while 49% is concerned about it.13 When inquired about whether they mind providing personal information in return for free online services, 46% of the Irish responded that they do mind.14 This finding is confirmed by another recent survey, in which about 52% of the interviewees indicated they would rather pay for an online service than allowing the supplier to use some of their personal data for commercial purposes.15 Awareness In comparison to the rest of the EU, the Irish show a low level of awareness regarding the use of personal information by website owners.16 In detail, however, the Irish show slightly above-average levels of non-acceptance to website owners using users’ personal information to customize the content and advertising users see, and there are substantially higher levels of non-acceptance for contacting users by e-mail, in-depth gathering of information, selling it, or making it available to others. Such practices are seen as largely unacceptable and commercial trade-offs in this respect also meet little acceptance. Here, the Irish show a level of non-acceptance (73%) similar to the EU average of 74%.17 Actual experience of privacy invasions is comparably low with Irish people scoring 2.63 (EU average 2.89) on a 7 point scale (1 = never, 7 = very frequently).18 When dealing with privacy policies, comparatively few people (37%, EU average 47%) ever decided not to use a website due to their dissatisfaction with the website’s privacy policy, and more than half of the Irish people never or rarely read

11

Eurobarometer 431 2015, p. 10. Eurobarometer 431 2015, p. 29. 13 Eurobarometer 431 2015, p. 32. 14 Eurobarometer 431 2015, p. 40. 15 Vodafone Survey on Big Data 2016, p. 79. 16 Consent Country Report Ireland 2012, p. 4. 17 Consent Country Report Ireland 2012, p. 33. 18 Consent Country Report Ireland 2012, p. 4. 12

118

6 Ireland

a website’s terms and conditions or privacy policy (both 70%).19 If reading the privacy policies, the Irish, like other EU citizens, rarely read the whole text (6%, EU average 11%), although they are somewhat confident that – when reading it – the text is mostly or fully understood (54%, EU average 64%).20 Trust When looking at trust in more detail, the Irish are mostly in line with the EU average when it comes to sectors such as health and medicine (73%, EU average 74%) and banks and finance (59%, EU average 56%). However, Irish people are notably above the EU average in relation to trust in public authorities (72%, EU average 66%), trust in shops and stores (54%, EU average 40%), and trust in telecommunications and internet providers (48%, EU average 33%). The same tendency is kept with trust in online businesses like search engines (39%, EU average 24%). When asked about the general risks related to the disclosure of personal information on user-generated content (UGC) websites, the Irish appear to generally perceive slightly less risk than the overall EU average. In this regard, they score lower than the total average when it comes to specific risks (such as personal safety being at risk, or information being used to send unsolicited commercial offers or without the user’s knowledge or consent). However, Irish people seem to perceive a higher risk than the average EU citizen in relation to the likelihood of becoming a victim of fraud (34%, EU average 32%), the likelihood of being discriminated against (28%, EU average 23%) and the likelihood of reputation being damaged (29%, EU average 25%).21 Protective Actions The number of Irish people that tried to change privacy settings in their social media profiles is 62% (EU average 57%).22 An overall of 81% (EU average 64%) finds it easy to make such changes.23 People who do not change the privacy settings indicate that they trust the website to set appropriate privacy settings (29%), do not know how to change the settings (23%), are not worried about having personal data online (14%), do not have time to look at the options (19%), or did not know they could change the settings (15%).24 According to the CONSENT survey, the Irish people that often or always change the privacy settings of their personal profiles on social media websites are, with 62%, above the EU average (54%). Furthermore, 84% (EU average 80%) of those who change privacy settings indicated that they

19

Consent Country Report Ireland 2012, p. 4. Consent Country Report Ireland 2012, p. 4. 21 Consent Country Report Ireland 2012, p. 4. 22 Eurobarometer 431 2015, p. 92. 23 Eurobarometer 431 2015, p. 95. 24 Eurobarometer 431 2015, p. 98. 20

6.1 General Situation

119

made the privacy settings stricter so that others can see less information about them.25 On the level of particular technical measures taken to maintain or raise personal Internet security, all practices (pop-up window blockers, checking opt-in/opt-out boxes, checking for spyware, deleting the browser history, blocking emails) are well established, with the Irish people showing results that are generally above the overall average.26 Despite a general lack of information about the most recent practices of social media website providers, the ability to take those technical measures points at a certain level of Internet experience.27 National Politics Personal data protection is almost non-existent as a subject of debate in the national parliament. Data sharing between public bodies was brought up once in relation to agreements that may exist, but not with regard to data protection.28 Only slightly more extensive was the discussion that occurred in relation to the Cyberbullying Bill 2013,29 although this and other similar measures30 have not passed.31 The Fianna Fáil party proposed the aforementioned bill and other leaders from other parties, such as the Fine Gael32 party and the Labour Party,33 have proposed alternative arrangements to combat cyberbullying. However, none of the four largest parties (according to the number of seats in parliament) – which includes Fine Gael,34 Fianna Fáil,35 Sinn Féin,36 and the Labour Party37 – have data protection as a primary policy issue and instead focus on 25

Consent Country Report Ireland 2012, p. 4. Consent Country Report Ireland 2012, p. 3. 27 Consent Country Report Ireland 2012, p. 39. 28 “Deputy Terence Flanagan asked the Minister for Public Expenditure and Reform Information on Brendan Howlin Zoom on Brendan Howlin if there are service level agreements between Government Departments regarding the sharing of data, for example, between the Revenue Commissioners and the Department of Social Protection; and if he will make a statement on the matter.” http:// oireachtasdebates.oireachtas.ie/debates%20authoring/debateswebpack.nsf/(indexlookupdail)/201311 20*WRO?opendocument#WRO00800. 29 http://oireachtasdebates.oireachtas.ie/debates%20authoring/debateswebpack.nsf/(indexlookup dail)/20131106*W?opendocument#W03000. 30 http://www.independent.ie/irish-news/politics/labour-brings-two-separate-bills-targeting-onlinebullying-31149776.html. 31 One of the more recent initiatives is a report by the Law Reform Commission which is accompanied by a draft bill. http://www.irishexaminer.com/ireland/new-laws-to-combat-onlineabuse-such-as-cyberbullying-and-revenge-porn-422963.html. 32 https://www.thejournal.ie/cyber-bullying-ireland-1162881-Nov2013/. 33 http://www.independent.ie/irish-news/politics/labour-brings-two-separate-bills-targeting-onlinebullying-31149776.html. 34 https://www.finegael.ie/our-priorities/. 35 https://www.fiannafail.ie/the-issues/. 36 http://www.sinnfein.ie/policies. 37 https://www.labour.ie/manifesto/. 26

120

6 Ireland

common topics such as health, housing, jobs, and childcare.38 That said, Fianna Fáil has issued numerous press releases in relation to data protection,39 and the Labour Party’s manifesto includes a commitment to ensuring that strong data protection policies will apply to the sharing of data between public bodies.40 Apart from increasing the budget, year-over-year, of the Data Protection Commissioner,41 and the initiative of the Department of the Taoiseach (Prime Minister) called the Government Data Forum,42 which is discussed in more detail below, there seem to be no direct policies, initiatives, or information campaigns initiated by the government on the specific issue of data protection. It thus appears that self-regulation is largely favored over regulation. Media Attention In general, there has been extensive media attention on privacy and personal data protection issues, especially over the past three years in light of the Snowden revelations and the CJEU decisions in the Digital Rights Ireland and Schrems cases.43 Media coverage has focused on a range of issues: Snowden and international surveillance; domestic surveillance; Schrems, Safe Harbor and Privacy Shield; Ireland as a data hub, and the effectiveness of the Data Protection Commissioner; the Microsoft Ireland litigation; personal data protection (of both children and adults); the impact of the Google Spain case; and the introduction of the General Data Protection Regulation.44 Generally, there has been broad debate on contentious issues and there has been substantial and regular coverage not only in newspapers, but in television and radio programs as well.45 On the whole, the media has been in favor of stronger privacy and data protection rights.46 Data Breaches There have been multiple significant data breach and data leak incidents in Ireland. In addition to international data breaches – such as Ashley Madison and Yahoo –

38

See previous footnotes for the primary policy issues of each party. https://www.fiannafail.ie/?s=data+protection. 40 Labour Party Manifesto, p. 101, available at https://www.labour.ie/download/pdf/labour_ manifesto_2016.pdf. 41 https://www.dataprotection.ie/docs/13-10-2016-Data-Protection-Commissioner-welcomesBudget-2017-increase-in-funding/1601.htm. 42 http://www.taoiseach.gov.ie/eng/publications/publications_2015/government_data_forum.html. Within the Department of the Taoiseach there is the Data Protection Division, but it is not clear what their responsibilities are. The website merely has links to the minutes of the Government Data Forum meetings. See http://www.taoiseach.gov.ie/DOT/eng/Work_Of_The_Department/Data_ Protection_Division/Data_Protection_Division.html. 43 Based on survey results (see Sect. 1.3.4). 44 Based on survey results (see Sect. 1.3.4). 45 Based on survey results (see Sect. 1.3.4). 46 Based on survey results (see Sect. 1.3.4). For example, see McIntyre 2014a, b, 2015; Lillington 2015; Weckler 2015a, b; The Independent 2015. 39

6.1 General Situation

121

that have affected Irish users, there have been substantial domestic breaches as well. Of the latter, the most well-known instance is from 2013, when the promotions firm LoyaltyBuild suffered a data breach which resulted in the personal data of approximately 1.5 million people throughout Europe, including 90,000 Irish users, being compromised.47 LoyaltyBuild had posted a profit of 1 million euro in 2013; however, after the breach, they recorded pre-tax losses of 18 million euro for 2014 and invested 500,000 euro in new security systems.48 Other large scale data breaches included the incumbent gas supplier Bord Gáis (75,000 customers’ banking details lost in 2009),49 Bank of Ireland (31,000 customers’ insurance and mortgage details in 2008)50 and bookmaker Paddy Power (649,000 customers’ data lost, including 120,000 customers in Ireland).51 There have also been numerous data breaches on a smaller scale52 and in a 2016 survey over half of the respondent firms admitted to having suffered some form of data breach within the last year.53 the same study conducted one year later found that the number of companies increased up to 61% during 2016.54 Where data breaches have occurred only a few lawsuits resulted;55 however this remains a developing area.56 These incidents have not resulted in organized protests, but civil society has been concerned about data protection and data retention issues and has been active in bringing these issues to the forefront of public discussion.57 Civil Rights Organizations There are a few civil rights organizations in Ireland that are active in relation to data protection issues. Two of the more notable organizations are Digital Rights Ireland and the Irish Council for Civil Liberties. Digital Rights Ireland is comprised of

47

Edwards 2014. Deegan 2016; Edwards 2014. 49 Cullen 2009. 50 Kennedy 2008. 51 Mulligan 2014. 52 Edwards 2016a, b. 53 Weckler 2016. 54 ‘61% of organisations had data breach in 2016 – survey’, RTE.ie, https://www.rte.ie/news/2017/ 0119/846140-data-breaches/. 55 See Collins v FBD Insurance Plc [2013] IEHC 137 (14 March 2013), available at http://www. bailii.org/cgi-bin/format.cgi?doc=/ie/cases/IEHC/2013/H137.html&query=(fbd), which awarded damages of €15,000 in relation to data protection, however the award was overturned on appeal to the High Court; and Mc Keogh v John Doe 1 & Ors [2012] IEHC 95 (26 January 2012), available at http://www.bailii.org/cgi-bin/format.cgi?doc=/ie/cases/IEHC/2012/H95.html&query=(mc)+AND+ (keogh), which was settled. 56 Based on survey results (see Sect. 1.3.4). 57 Based on survey results (see Sect. 1.3.4) [summary of survey responses from experts]. 48

122

6 Ireland

volunteers operated with a budget of €51,762 in 2014 and €124,888 in 2015.58 The organization has litigated issues relating to data protection and the DPC,59 appeared before a committee on cyberbullying, and organizes and participates in public information campaigns.60 Digital Rights Ireland is also represented through its chair, Dr. T. J. McIntyre, in the Government Data Forum,61 although it is unclear to what extent these meetings have influence on government policy, which is discussed in more detail below. While less focused on digital issues, the Irish Council for Civil Liberties is an independent non-governmental organization that also facilitates public awareness on data protection issues and recently organized a symposium on the matter.62 Digital Rights Ireland is particularly well-known in this field due to their contributions to radio, print, and online publications63 as well as for the case that they argued and won before the CJEU,64 which received considerable press attention.

6.2

National Government Policies

National Policies, Privacy Impact Assessments The government of Ireland does not appear to have general or sector-specific policies regarding personal data protection. Policies on when Privacy Impact Assessments (PIAs) should take place seem to be delegated to the DPC, which has mentioned the importance of PIAs and risk analyses in large-scale government data projects,65 and that both of these are expected to be carried out prior to the roll-out of privacy-impacting technologies such as body-worn cameras by the police66 or the use of CCTV.67 Apart from these indications, it was not clear prior to the GDPR when PIAs should be conducted or even if they are strictly mandatory, and the DPC does not offer a model or any guidance for carrying out PIAs. Recently, the DPC

58

Digital Rights Ireland Limited, Income and Expenditure Account for the year ended 31 December 2015. 59 These cases are mentioned in more detail below. 60 https://www.digitalrights.ie/about/. 61 http://www.taoiseach.gov.ie/eng/Work_Of_The_Department/EU_Division/Membership_of_ the_Government_Data_Forum.html. 62 http://www.iccl.ie/articles/surveillance–democracy-privacy-rights-in-the-digital-age-symposium-. html. 63 https://www.digitalrights.ie/about/. 64 http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&docl ang=en&mode=lst&dir=&occ=first&part=1&cid=196677. 65 DPC 2015, p. 3. 66 DPC 2015, p. 13. 67 https://www.dataprotection.ie/docs/Data-Protection-CCTV/m/242.htm.

6.2 National Government Policies

123

issued a report on the GDPR which notes that Data Protection Impact Assessments (DPIAs) are mandatory with high-risk processing.68 Privacy and Data Protection in New Policies The only apparent means that the government may use to anticipate new developments in issues pertaining to data protection is through the Government Data Forum,69 which was created in 2015 under the Department of the Taoiseach (Prime Minister). However, it is unclear whether the government takes any of these discussions into account when creating new policies. It is also unclear whether principles such as privacy by design are used when the government is creating new policies. The DPC has stated its “importance… for all data controllers with complex product offerings, those with large and multinational audiences, and often where technology is a key element in product delivery”, which seems to imply that privacy by design is primarily useful for businesses.70 Societal Debate Ireland’s national government seems to take an active approach towards the societal debate on data protection. For instance, the aforementioned Government Data Forum gathers a variety of voices – including from industry, civil society, academia, and the public sector – in order to improve data protection in the digital economy.71 There have been five forums since its creation,72 and the next forum will take place in May 2017, which will discuss the role of data in modern society, to promote greater awareness of individuals’ data protection rights, and to promote Ireland as a thought leader in the area of data and data protection.73 Apart from this initiative, the government does not appear to take the lead in the societal debate on data protection. Information Campaigns The government provides information and reports related to data protection, but the primary concern is child safety online.74 The Office for Internet Safety (OIS), part of the Department of Justice and Equality, provides educational material targeting

68

The GDPR and You, General Data Protection Regulation, Preparing for 2018, Data Protection Commissioner of Ireland, at pp. 9–10, available at https://www.dataprotection.ie/docimages/ documents/The%20GDPR%20and%20You.pdf. 69 More information on the Government Data Forum can be found just below. 70 DPC 2015, p. 15. 71 http://www.taoiseach.gov.ie/eng/publications/publications_2015/government_data_forum.html; http://merrionstreet.ie/en/News-Room/Releases/Minister_Murphy_launches_Government_Data_ Forum_.html. 72 http://www.taoiseach.gov.ie/DOT/eng/Work_Of_The_Department/Data_Protection_Division/ Data_Protection_Division.html. 73 http://www.taoiseach.gov.ie/eng/Taoiseach_and_Government/About_the_Ministers_of_State/ Minister/MoS_Murphy_s_Press_Releases/Dara.html. 74 http://www.internetsafety.ie/website/ois/oisweb.nsf/page/safety-en.

124

6 Ireland

parents,75 and they have more specialized information on topics such as new media technologies,76 filtering technologies,77 social networking websites,78 and cyberbullying.79 The DPC provides information and links to resources on personal data protection. Some general information on the data protection framework,80 as well as educational material,81 is located on the website, and there is additional information that targets both individuals82 and organizations.83 The DPC and others have occasionally promoted public awareness campaigns related to personal data protection and technical security issues.84

6.3

Laws and Regulations

Implementation of the EU Directive Prior to the GDPR, the main Irish legislation dealing with data protection was the Data Protection Act 1988, which was amended by the Data Protection Act 2003 (hereafter the DPActs) in order to implement the EU Directive 95/46/EC at the national level. The legislation is supplemented by the European Communities Regulations 2011 (2011 Regulations), which gives effect to the ePrivacy Directive 2002/58/EC and thereby covers data protection issues relating to the use of electronic communications devices, and introduces direct marketing restrictions.85 The DPActs generally provided a minimum implementation of Directive 95/46/ EC. However, there are a number of areas where the DPActs, as applied by Irish courts, appeared to not meet the minimum requirements of the Directive. For example: • Article 23 of the EU Data Protection Directive states that “Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered”. This provision requires that damages may

75

http://www.internetsafety.ie/website/ois/oisweb.nsf/page/safety-guideparents-en. http://www.internetsafety.ie/website/OIS/OISWeb.nsf/page/EJST-A9FDX61194628-en. 77 http://www.internetsafety.ie/website/OIS/OISWeb.nsf/page/EJST-A9FF9312165228-en. 78 http://www.internetsafety.ie/website/OIS/OISWeb.nsf/page/EJST-A9FFC512214628-en. 79 http://www.internetsafety.ie/website/OIS/OISWeb.nsf/page/EJST-A9FFEQ12255628-en. 80 https://www.dataprotection.ie/docs/Guidance-Material-Menu-Page/m/219.htm. 81 https://www.dataprotection.ie/docs/Training-and-Public-Awareness/b/805.htm. 82 https://dataprotection.ie/docs/A-guide-to-your-rights-Plain-English-Version/r/858.htm. 83 https://dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm. 84 Based on survey results (see Sect. 1.3.4). 85 https://www.dataprotection.ie/docs/Law-On-Data-Protection/m/795.htm. 76

6.3 Laws and Regulations

125

be awarded for non-pecuniary harms, such as distress or anxiety. However, in Collins v. FBD Insurance86 the High Court held that the provision as implemented in the Irish DPActs was limited to compensation for “special damages” (such as monetary loss or expenses incurred) and did not allow for damages to be awarded for non-pecuniary harms. • The DPActs exclude from their scope “personal data consisting of information that the person keeping the data is required by law to make available to the public”.87 This essentially indicates that information located on public registers may be extracted and re-used without restriction. Directive 95/46/EC does not permit this under any exemption and it has been described as being “in flat contradiction with the view of the Article 29 Working Party that the Data Protection Directive applies to personal data which have been made publicly available”.88 • In EMI v. Data Protection Commissioner89 the High Court held that IP address logs held on behalf of the music industry were not personal data as the individuals concerned could not be identified without further information. Experts questioned this at the time as inconsistent with the Article 29 Working Party’s guidelines and it now appears to conflict with the recent CJEU decision in Patrick Breyer v. Bundesrepublik Deutschland.90 The DPActs also required that the DPC must first respond to complaints by attempting to “arrange… for the amicable resolution by the parties concerned of the matter the subject of the complaint”.91 This provision has been criticized for its soft approach to regulation and for creating a procedural delay in instances where it is obvious that a more formal determination is needed.92 There appears to be significant tension between Directive 95/46/EC and some Irish legislation, such as the Health Identifiers Act 2014. The legislation authorizes wide scale data sharing within the Irish government, without the opportunity to opt-out, in a manner that seems to contravene the recent ruling of the CJEU in Bara, which confirmed that when a public body intends to transfer personal data to another public body, data subjects must be informed in advance of the transfer of their personal data and as to the purpose of the processing.93 The Irish legal system also harbors further general regulations relevant to data protection. The Freedom of Information Act 2014 provides persons with the rights 86

[2013] IEHC 137. Section 1(4). 88 Kelleher 2015, p. 91. 89 [2012] IEHC 264. 90 Case C-582/14. 91 Section 10(1)(b)(ii). 92 Weckler 2015a, b. 93 Based on survey results (see Sect. 1.3.4). Case C 201/14, Bara and others v. Președintele Casei Naționale de Asigurări de Sănătate, Casa Naţională de Asigurări de Sănătate and Agenţia Naţională de Administrare Fiscală (ANAF). 87

126

6 Ireland

to access information held by a body to which the Act applies, to have official information relating to oneself amended if it is incomplete, incorrect or misleading, and to obtain reasons for decisions affecting oneself. Further, S.I. No. 337 of 2014 – Data Protection Act 1988 (Commencement) Order 2014 and S.I. No. 338 of 2014 – Data Protection (Amendment) Act 2003 (Commencement) Order 2014 render it illegal for employers to require employees or applicants for employment to make an access request seeking copies of personal data which is then made available to the employer or prospective employer. The regulation is applicable to anyone who engages another person to provide a service.94 Lastly, the DPActs require registration with the DPC if the controller processes specific categories of data, like financial, genetic and health data.95 On 1 February 2018, the Irish Data Protection Bill was published and will be subject of the analysis and amendments of the Irish Parliament (Seanad and Dáil). The law will generally reflect the content of the GDPR, repealing most of the content of the Data Protection Acts from 1988 and 2003.96 Sectoral Legislation A number of sector-specific provisions also concern data protection. For instance, there is S.I. No. 83/1989 Data Protection (Access Modification) (Social Work) Regulations 1989, which stipulates specific restrictions in respect of social work data. S.I. No. 421 of 2009 Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009 exempts from the scope of the DPActs the use of personal data in the performance of certain functions of the Director of Corporate Enforcement and inspectors appointed by the High Court or Director of Corporate Enforcement. S.I. No. 687/2007 Data Protection (Processing of Genetic Data) Regulations 2007 restricts the processing of genetic data in relation to employment. Moreover, the S.I. No. 337 of 2014 – Data Protection Act 1988 (Commencement) Order 2014 and S.I. No. 338 of 2014 – Data Protection (Amendment) Act 2003 (Commencement) Order 2014 regulate access requests for employees and applicants. S.I. No. 95/1993 Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993 exempts from the scope of the DPActs the use of personal data in the performance of certain functions of the Central Bank, the National Consumer Agency and various functions performed by auditors under the Companies Acts. S.I. No. 81/1989 Data Protection Act, 1988 (Restriction of Section 4) Regulations 1989 restricts the right of access to information on adopted children and information which the Public Service Ombudsman acquires during an investigation. Last but not least, S.I. No. 82/1989 Data Protection (Access Modification) (Health)

94

http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/ireland#chaptercontent1. Carney and Bohan 2016. 96 Lavery 2018. 95

6.3 Laws and Regulations

127

Regulations 1989 concerns the right of access relating to health data and the corresponding restrictions.97 With regard to sensitive categories of personal data, the DPActs covered both ‘standard’ sensitive data (such as information regarding a person’s racial or ethnic origin, political opinions, religious or philosophical convictions, trade union membership, health or sex life) and information regarding criminal offences or criminal proceedings.98 The consent of the data subject for the processing of such data must be explicit, which may be given orally or in writing, and must be obtained before a data controller starts processing the data. It is regarded as insufficient to merely ask a data subject to indicate if he or she objects to the processing.99 The DPActs also introduce additional conditions for the legitimate processing of sensitive personal data. These include the processing necessary for statistical purposes, political activities, tax collection, assessment of entitlement to social benefits and processing that is authorized by regulations made by the Minister for Justice for reasons of substantial public interest.100 Self-regulation and Codes of Conduct Section 13 of the Data Protection Act 1988 stipulated that representative trade associations should have direct input into the establishment of data protection standards within their sectors and that the Data Protection Commissioner should encourage the preparation of Codes of Conduct (CoC) in this regard.101 Once such a code has been formally approved by the Data Protection Commissioner, it may be employed in the respective sector. If a representative body wishes to initiate the drafting process of a Code of Conduct, it is encouraged to contact the Data Protection Commissioner to arrange meetings and discussion sessions on how to proceed. The Data Protection Commissioner provides practical advice on matters that should be covered and how particular circumstances, expectations, and good practices pertaining to the specific sector are to be handled. Furthermore, the Data Protection Commissioner may also draft a code of practice upon his or her own initiative. In 2010, for instance, the DPC published a Personal Data Security Breach Code,102 which has wide-ranging implications for entities who suffer a data security breach. Although the code itself is voluntary, the DPC views it as complimentary to the security obligations under the DPA.103 The codes of practice prepared by the DPC can have a binding legal effect if approved by the legislature.

97

http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/ireland#chaptercontent1. See the list in S.1 [No. 25.] DPActs. 99 S. 2B DPActs. 100 https://www.linklaters.com/en/insights/data-protected/home. 101 https://www.dataprotection.ie/docs/Self_Regulation_and_Codes_of_Practice/m/98.htm. 102 https://www.dataprotection.ie/docs/Data_Security_Breach_Code_of_Practice/1082.htm. 103 https://www.linklaters.com/en/insights/data-protected/home. 98

128

6 Ireland

6.4

Implementation

The 1988 and 2003 DPActs did not mandate specific security measures that a data controller or data processor must comply with, although the 2011 Regulations refer to some requirements that are specific to the electronic communications services sector. The DPActs instead oblige data controllers to have ‘appropriate security measures’ in place to prevent data protection breaches and incidents. The DPActs point to a number of factors that need to be taken into account when assessing the ‘appropriateness’ of the respective data security tools. Organizations have thus to consider: • • • •

the the the the

state of technological development; cost of implementing the measures; harm that might result; and nature of the data concerned.104

Data controllers and processors have to also ensure that their staff is aware of the company’s data security policies and complies with them. The legal obligation to appropriately secure personal data applies to every data controller and processor regardless of their size. The DPC supports the design of internal security policies by providing non-binding guidance on matters such as access control, access authorization, encryption, anti-virus software, firewalls, software patching, and remote access.105 So far, a number of organizations have opted for the development of a sectoral Code of Conduct (CoC). The Commissioner has formally approved such Codes of Conducts for the police force (Garda Síochána), the Injuries Board, the insurance sector, the Department of Education and Skills, the Revenue Commissioners, the Vocational Educational Committee, the Probation Service, and the Department of Health.106 Privacy Officers Prior to the GDPR, Irish legislation did not include any provisions concerning the requirements of appointment of data protection officers (DPOs), although data controllers and data processors had to provide details of a ‘compliance person’ when registering with the DPC. The appointment of a DPO was thereby optional. However, in recent years, voluntarily appointments have witnessed an increase, as these have proved beneficial not only for customer relationships and reputational purposes, but also for building a relationship with the DPC through a centralized

104

https://www.dataprotection.ie/docs/Data-security-guidance/1091.htm. https://www.dataprotection.ie/docs/Data-security-guidance/1091.htm. 106 For the full list, see https://www.dataprotection.ie/docs/Self_Regulation_and_Codes_of_ Practice/m/98.htm. 105

6.4 Implementation

129

office.107 As there was no requirement to appoint such an officer, there were also no specific requirements as to the DPO’s knowledge or expertise in the field. This appears to have prompted the emergence of DPO associations, which provide a platform for working DPOs to share insights and best practices, to seek clarity on legislation, and to share concerns.108 When appointed, DPOs typically ensure the organization’s compliance with data protection provisions and have the duty to be the contact point relating to all such matters. They support, assist, advise and train the employees of the organization on data protection matters and provide input into risk management processes.109 Security Measures Organizations are using measures to protect personal data, although some measures are yet to be fully implemented.110 There have been a number of instances in which personal data was divulged or accessed inappropriately by official organizations, such as the police.111 This has resulted in strengthened policies and an increase in the number of prosecutions related to unauthorized data access and disclosure.112 The DPC has promoted Privacy by Design (PbD) for years; however, it is only recently becoming more widely known and it is unclear how many organizations will adopt it as a policy.113 Need to know access has become increasingly widespread, especially among larger organizations, and the differing levels of access are segregated both in policy and through technical measures.114 Organizations are willing to implement technical safeguards, international standards, and employ in-house and external security professionals in order to achieve satisfactory levels of security and data protection; the extent of the measures taken generally depends on the size of the organization.115 Although not required, the DPC encourages companies to adopt a security policy that includes data collection and retention, access control and an incident response plan.116 DPC had also published a not mandatory personal data security breach Code of Practice with specific guidelines to help companies with the reaction to security incidents.117

107

http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/ireland#chaptercontent6. See for instance the Association of Data Protection Officers, https://dpo.ie/about. 109 http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/ireland#chaptercontent6. 110 Based on survey results (see Sect. 1.3.4). 111 Based on survey results (see Sect. 1.3.4). 112 Based on survey results (see Sect. 1.3.4). 113 Based on survey results (see Sect. 1.3.4). 114 Based on survey results (see Sect. 1.3.4). 115 Based on survey results (see Sect. 1.3.4). 116 Carney and Bohan 2016. 117 Breach Notification Guidance, https://www.dataprotection.ie/docs/Data-Breach-Handling/901. htm. 108

130

6 Ireland

Transparency While most organizations in Ireland have privacy policies in place and there is increasing use of cookie policies on Irish websites, they are often not very user-friendly.118 The DPC has participated in the annual “Privacy Sweep” organized by the Global Privacy Enforcement Network since 2013. That year, a survey found that 63% of Irish websites had information on privacy which was difficult to read or understand, 13% made it difficult to find information regarding privacy, and 5% had no privacy policy at all.119 Concentrating on apps, the 2014 Privacy Sweep found that “the privacy information provided only partially explains the app’s collection, use and disclosure of personal information, with questions remaining with regard to some of the permissions requested” for 55% of Irish apps.120 The 5th edition of Privacy Sweep in 2017 saw the DPC conducting a study on the use of e-receipts by retail companies, finding that in 94% of the cases, retailers did not provide information on their websites regarding the deletion of the collected emails.121 On the other hand, a significant number of Irish people (70%) rarely or never read the terms and conditions before consenting to them.122 Of those who read privacy terms and conditions, about 89% do not read the entire text. 54% claim to usually understand most or all of what they read in privacy policies. Furthermore, it appears that about 37% of the Irish people have, at one point, decided not to use a website due to dissatisfaction with the site’s privacy terms, which is significantly below the EU average (47%).123 Personalized privacy settings are not common and are not typically promoted except by tech multinationals and tech websites.124

6.5

Regulatory Authorities and Enforcement

Supervisory Authorities The Office of the Data Protection Commissioner (DPC) is established under the Data Protection Act 1988 and has existed since 1989. It is the supervisory body that oversees and enforces compliance with data protection legislation in Ireland. The 118

Based on survey results (see Sect. 1.3.4). Based on survey results (see Sect. 1.3.4). Data Protection Commissioner, ‘2013 Privacy Sweep Results’, 2013, https://www.dataprotection.ie/documents/GPEN2013.pdf. 120 Data Protection Commissioner, ‘Global Privacy Sweep Raises Concerns about Mobile Apps’, 2014, https://www.dataprotection.ie/docs/10-09-14-Global-Privacy-Sweep-raises-concerns-aboutmobile-apps/i/1456.htm. 121 Data Protection Commissioner, ‘Annual Report 2017’, 2018, https://www.dataprotection.ie/ docimages/documents/DPC%20Annual%20Report%202017.pdf, p. 14. 122 Consent Country Report Ireland 2012, p. 37. 123 Consent Country Report Ireland 2012, p. 37. 124 Based on survey results (see Sect. 1.3.4). 119

6.5 Regulatory Authorities and Enforcement

131

Data Protection Commissioner is appointed by the government and is independent in the exercise of his/her functions.125 The budget of the DPC’s office is decided upon by the Irish Department of Justice and Equality. In 2016, it had been significantly increased from 3.65 million euro to 4.7 million euro. Over 7.5 million euro has been allocated to the Commissioner for the 2017 budget, which allowed DPC to recruit extensively, bringing its staff number to 85 at the end of 2017. For 2018, it is planned a further increase in the budget (to 11.7 million euro), giving the possibility to DPC to hire additional 55 people.126 The fees it collects from the statutory registration are remitted directly back to the exchequer.127 Main Activities In the exercise of its competences the DPC carries out investigations and privacy audits, provides guidance to individuals and organizations regarding their data protection rights and obligations, drafts codes of conduct,128 and publishes annual reports on the office’s activities. Under Section 10 of the DPActs, the DPC could start an investigation into a particular data protection matter upon receiving an individual complaint. The DPC has the statutory obligation to first seek to amicably resolve complaints. Where this is not possible, the DPC may issue a decision on whether there has been a breach of the DPActs’ provisions. Both the complainant and the data controller have the right to appeal the DPC’s decision to the Circuit Court. The DPC may also launch investigations on his or her own initiative, where he or she is of the opinion that there might be a data protection breach or considers it appropriate to ensure compliance with the DPActs. The latter investigations are usually carried out in the form of privacy audits, for which the data controller receives an advance notice. If an individual or an organization does not cooperate with an investigation, the DPC can require such cooperation by issuing an ‘information notice’. This information notice can be appealed to the Circuit Court. Failure to comply with an information notice without a reasonable excuse is an offence.129 Furthermore, Section 10 of the DPActs authorized the DPC to require a data controller or data processor to take whatever steps he or she considers appropriate to comply with the terms of the DPActs. Such steps may cover the correcting or blocking of data, supplementing the data with a statement approved by the DPC, or even erasing the data. The DPC exercises these powers by providing an ‘enforcement notice’ to the data controller/processor. This enforcement notice can be

125

https://www.dataprotection.ie/docs/About-the-office-of-the-DPC/b/1032.htm. Data Protection Commissioner, ‘Annual Report 2017’, 2018, https://www.dataprotection.ie/ docimages/documents/DPC%20Annual%20Report%202017.pdf, p. 5. 127 DPC 2015, p. 4. 128 As discussed in Sect. 6.3. 129 https://www.dataprotection.ie/docs/Powers-of-the-Data-Protection-Commissioner/e/96.htm. 126

132

6 Ireland

appealed to the Circuit Court as well. Failure to comply with it without a reasonable excuse is an offence.130 Violations of the data protection provisions laid down by the DPActs were not, in general, offences and the DPC had no direct power to impose fines. However, if one disregards an enforcement notice, information notice, or prohibition notice issued by the DPC, the latter could initiate summary proceedings before the Irish courts for an offence under the DPActs. Section 31 clarified that fines can be up to a maximum of 3,000 euro on summary conviction and up to 100,000 euro following conviction on indictment. In contrast, all violations of the 2011 Regulations, which cover telecommunications companies and for which the DPC has responsibility, are separate offences.131 These primarily concern the sending of unsolicited marketing communications by electronic means. The offences are also punishable by fines – a maximum of 5,000 euro for each unsolicited message on summary conviction and 250,000 euro following conviction on indictment. The Regulations authorize the DPC under S.I. 336 of 2011 to bring summary proceedings for an offence. In addition to assisting organizations in the drafting process of codes of conduct,132 the DPC also offers voluntarily consultations to entities and individuals in order to ensure data protection compliance. For that purpose, it operates a helpdesk which can be reached via phone, e-mail or letter. A consultation team handles more in-depth inquiries. It is also worth noting that the DPC has merely a consultative function in the context of new legislation on personal data protection. Its advice is thus optional. Use of Competences In 2017, the DPC dealt with 2,642 complaints that were opened for investigation, which represents a 79% increase compared to the numbers from 2016;133 52% of them were related to access rights, while complaints concerning personal data disclosure appear to make out the second largest category (351 complaints). Individual complaints appear to be disfavored by the current DPC.134 According to the DPC’s annual report, the vast majority of complaints were resolved amicably. Formal decisions were only issued in 34 cases: 21 right to be forgotten cases were investigated, six of which had been upheld, 12 rejected and three are still under investigation.135 The Data Protection Commissioner issued three statutory

130

https://www.dataprotection.ie/docs/Powers-of-the-Data-Protection-Commissioner/e/96.htm. http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/ireland#chapter content14. 132 See Sect. 6.3. 133 Data Protection Commissioner, ‘Annual Report 2017’, 2018, https://www.dataprotection.ie/ docimages/documents/DPC%20AR2015_FINAL-WEB.pdf. 134 Edwards 2016a, b. See also Logue 2016. 135 Data Protection Commissioner, ‘Annual Report 2017’, 2018, https://www.dataprotection.ie/ docimages/documents/DPC%20Annual%20Report%202017.pdf, p. 13. 131

6.5 Regulatory Authorities and Enforcement

133

enforcement notices in 2015.136 The DPC does not have the authority to fine or impose administrative sanctions on offenders. However, it is able to order remedial and preventive measures such as enforcement notices.137 In 2017, a total of 15,500 the Irish DPA received a total of 15,500 emails, over 20,000 telephone calls and almost 5,500 items via post.138 The DPC also has the ability to bring cases to the District Court for offences related to data protection and unsolicited marketing.139 In 2017, it brought proceedings against six entities concerning a total of 42 offences under the 2011 Regulations. Of the total 146 investigated complaints related to electronic direct marketing, 80 were related to email marketing, 58 to unsolicited SMS messages and 8 to unsolicited phone calls.140 Little information is available on successful prosecutions brought under the Data Protection Acts, although recently a private investigator was fined €7,500 for unlawfully obtaining personal information from the Department of Social Protection.141 However, the DPC’s ability to prosecute is limited to what is provided as an offence under the Data Protection Acts. For example, there is no offence for the reckless handling of personal data and thus there can be no criminal liability for such an act.142 There are relatively few lawsuits in the domain of data protection in which the DPC does not play a role.143 However, examples are found in the cases of Collins v FBD Insurance Plc.144 and Digital Rights Ireland Ltd v Minister for Communication & Ors.145 In private litigation, data protection claims are typically

136 These relate to data protection breaches by Telefonica Ireland Limited, Arizun Services Ireland Limited and Aer Lingus. See DPC 2015, p. 7. 137 Based on survey results (see Sect. 1.3.4). Such measures may include “correcting the data, blocking the data from use for certain purposes, supplementing the data with a statement which the Commissioner approves, or erasing the data altogether”. See Powers of the Data Commissioner, DATA PROTECTION COMMISSIONER OF IRELAND, available at https://www.dataprotection.ie/docs/ Powers-of-the-Data-Protection-Commissioner/e/96.htm#The Commissioner's Power to Enforce Compliance with the Act. 138 Data Protection Commissioner, ‘Annual Report 2017’, 2018, https://www.dataprotection.ie/ docimages/documents/DPC%20Annual%20Report%202017.pdf, p. 13. 139 Ibid., p. 12. 140 Data Protection Commissioner, ‘Annual Report 2017’, 2018, https://www.dataprotection.ie/ docimages/documents/DPC%20Annual%20Report%202017.pdf, p. 16. 141 https://www.irishtimes.com/news/ireland/irish-news/private-investigator-fined-7-500-overdata-protection-breaches-1.2824210. 142 Based on survey results (see Sect. 1.3.4). 143 Based on survey results (see Sect. 1.3.4). 144 Collins v FBD Insurance Plc [2013] IEHC 137 (14 March 2013), available at http://www.bailii. org/cgi-bin/format.cgi?doc=/ie/cases/IEHC/2013/H137.html&query=(fbd). 145 Digital Rights Ireland Ltd v Minister for Communication & Ors [2010] IEHC 221 (05 May 2010). [2010] 3 IR 251, [2010] IEHC 221, available at http://www.bailii.org/cgi-bin/format.cgi? doc=/ie/cases/IEHC/2010/H221.html&query=%28digital%29+AND+%28rights%29+AND+% 28ireland%29.

134

6 Ireland

supplementary as opposed to the main cause of action.146 Irish law does not allow for class action lawsuits, which may explain the dearth of litigation following data breaches.147 Reputation Both citizens and companies are generally knowledgeable of the regulatory authorities and their activities, but the awareness in the commercial sphere is likely higher than in the public sphere.148 The DPC has been criticized for appearing to favor companies and state bodies.149 A non-governmental organization, Digital Rights Ireland, has lodged a lawsuit against the state contending that the DPC is not adequately independent of the government.150 During the Schrems case, a judge of the CJEU questioned whether the DPC was deliberately underfunded so as to impede oversight.151 A former commissioner of the authority has stated that the office focuses on correction and guidance as opposed to harder punitive measures of enforcement.152 As such, companies do not fear the DPC153 and a recent survey154 of executives found that 82% (out of 200 companies) rated the DPC as ‘good to excellent’.155

References Carney A, Bohan A (2016) Chapter 14 – Ireland. The Privacy, Data Protection and Cybersecurity Law Review. Law Business Research Consent Country Report Ireland (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Cullen P (2009) Bord Gáis Failed to Say Stolen Laptop Data Not Encrypted. The Irish Times, 19 June 2009, http://www.irishtimes.com/news/bord-g%C3%A1is-failed-to-say-stolen-laptopdata-not-encrypted-1.787045 Deegan G (2016) Cyber attack victim firm Loyaltybuild in Clare has €18m loss, Irish Examiner, 2 February 2016, http://www.irishexaminer.com/business/cyber-attack-victim-firm-loyaltybuildin-clare-has-18m-loss-379472.html

146 Based on survey results (see Sect. 1.3.4). See e.g. Collins v FBD Insurance Plc [2013] IEHC 137 (14 March 2013), available at http://www.bailii.org/cgi-bin/format.cgi?doc=/ie/cases/IEHC/ 2013/H137.html&query=(fbd). 147 Based on survey results (see Sect. 1.3.4). 148 Based on survey results (see Sect. 1.3.4). 149 Based on survey results (see Sect. 1.3.4). 150 Based on survey results (see Sect. 1.3.4). Edwards, ‘Independence of Data Protection Commissioner Questioned’. 151 Based on survey results (see Sect. 1.3.4). Lillington 2015. 152 Based on survey results (see Sect. 1.3.4). Hawkes 2016, pp. 446 and 454. 153 McGeveran 2016. 154 Fry 2016. 155 Based on survey results (see Sect. 1.3.4). Taylor 2016.

References

135

DPC (2015) Annual Report of the Data Protection Commissioner of Ireland, available at https:// www.dataprotection.ie/docimages/documents/DPC%20AR2015_FINAL-WEB.pdf Edwards E (2014) Loyaltybuild Reopens for Business after Huge Data Breach. The Irish Times, 12 March 2014, http://www.irishtimes.com/news/consumer/loyaltybuild-reopens-for-businessafter-huge-data-breach-1.1722266 Edwards E (2016a) Civil Service Payroll System to Be Audited Following Data Breach. The Irish Times, 20 June 2016, http://www.irishtimes.com/news/ireland/irish-news/civil-service-payrollsystem-to-be-audited-following-data-breach-1.2691360 Edwards E (2016b) Data Protection Commissioner Helen Dixon Accuses Lawyers of “digital Ambulance Chasing”. The Irish Times, 7 July 2016, http://www.irishtimes.com/business/ technology/data-protection-commissioner-helen-dixon-accuses-lawyers-of-digital-ambulancechasing-1.2712459 Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Fry W (2016) Europe for Big Data, November 2016, http://www.williamfry.com/docs/defaultsource/reports/william-fry-europe-for-big-data-report.pdf?sfvrsn=0 Hawkes B (2016) The Irish DPA and Its Approach to Data Protection. In: Wright D, De Hert P (eds) Enforcing Privacy. Springer International Publishing, Cham, p. 446 and p. 454, http:// link.springer.com/10.1007/978-3-319-25047-2_18 Kelleher D (2015) Privacy and Data Protection Law in Ireland. Bloomsbury Professional, Haywards Heath Kennedy E (2008) Victims of BoI Laptop Theft Treble to 31,500. Independent.ie, 29 April 2008, http://www.independent.ie/irish-news/victims-of-boi-laptop-theft-treble-to-31500-26442003. html Lavery P (2018) Ireland issues Data Protection Bill to implement the GDPR. Privacy Laws & Business, Issue 151, February 2018 Lillington K (2015) Strong Data Protection Laws Better for EU than Sniping. The Irish Times, 23 April 2015, http://www.irishtimes.com/business/technology/strong-data-protection-lawsbetter-for-eu-than-sniping-1.2185370 Logue F (2016) Data Protection Chief Must Not Distance Herself from Complainants. The Irish Times, 9 August 2016, http://www.irishtimes.com/business/technology/data-protection-chiefmust-not-distance-herself-from-complainants-1.2750669 McGeveran W (2016) Friending the Privacy Regulators. Social Science Research Network, Rochester, NY, 5 August 2016, https://papers.ssrn.com/abstract=2820683 McIntyre TJ (2014) Why Ireland Must Protect Privacy of Irish Emails and Internet Usage from Surveillance. The Irish Times, 20 December 2014, http://www.irishtimes.com/opinion/whyireland-must-protect-privacy-of-irish-emails-and-internet-usage-from-surveillance-1.2044384 McIntyre TJ (2014) The State Must Be More Mindful of Your Private Data. Independent.ie, 21 August 2014, http://www.independent.ie/opinion/the-state-must-be-more-mindful-of-yourprivate-data-30524449.html McIntyre TJ (2015) Europe Has Failed in Duty to Protect Citizens over Web Privacy Threat. Independent.ie, 7 October 2015, http://www.independent.ie/opinion/comment/europe-hasfailed-in-duty-to-protect-citizens-over-web-privacy-threat-31589481.html Mulligan J (2014) Massive Data Breach at Paddy Power Bookmakers. Independent.ie, 31 July 2014, http://www.independent.ie/business/irish/massive-data-breach-at-paddy-powerbookmakers-30474614.html Taylor C (2016) Ireland Seen as Contender for Data-Driven Investments. The Irish Times, 16 November 2016, http://www.irishtimes.com/business/technology/ireland-seen-as-contenderfor-data-driven-investments-1.2870112 The Independent (2015) Data Office Still Underfunded despite €1m Boost in Budget. Independent. ie, 21 October 2015, http://www.independent.ie/business/technology/news/data-office-stillunderfunded-despite-1m-boost-in-budget-34126722.html

136

6 Ireland

Vodafone Survey on Big Data (2016) Big Data: A European Survey on the Opportunities and Risks of Data Analytics. http://www.vodafone-institut.de/bigdata/links/VodafoneInstituteSurvey-BigData-Highlights-en.pdf Weckler A (2015a) Safe Harbour Is Gone but Europe Is Still Afraid to Tackle the US on Privacy. Independent.ie, 8 October 2015, http://www.independent.ie/business/technology/safe-harbouris-gone-but-europe-is-still-afraid-to-tackle-the-us-on-privacy-31591450.html Weckler A (2015b) German Jeers at Irish Data Privacy May Help Us. Independent.ie, 31 May 2015, http://www.independent.ie/business/technology/news/german-jeers-at-irish-data-privacy-mayhelp-us-31266778.html Weckler A (2016) Tsunami of Data Breaches Strikes Irish Companies as Half Report Incidents. Independent.ie, 21 January 2016, http://www.independent.ie/business/technology/tsunami-ofdata-breaches-strikes-irish-companies-as-half-report-incidents-34382305.html

Chapter 7

France

7.1

General Situation

The history of human and civil rights in France starts with the Declaration of the Rights of Man and of the Citizen in 1789, a document of the French Revolution. This document states that the rights of man are held to be universal and is still the basis of the current constitution. The French constitution does not contain any articles on human rights, but human rights are contained in the preamble of the constitution. The French constitution has been amended many times, most recently in 2008. France has a monistic approach towards international law, i.e., international treaties do not have to be implemented in national legislation before they become binding.1 France has ratified the Universal Declaration of Human Rights, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. These legal instruments contain a right to privacy. The French constitution does not contain a right to privacy, but the right to privacy is enshrined in Article 9 of the French Civil Code, inserted by Act of Parliament of 17 July 1970, stating that “everyone has the right to respect for his or her private life”. Although there is no legal definition of private life, courts have held that private life includes a person’s love life, friendships, family circumstances, leisure activities, political opinions, trade union or religious affiliation and state of health.2 France was one of the first countries in the world to have a data protection law. Its original data protection act (Loi informatique et libertés) dates back to 1978.3 See Article 26 of the French constitution: “les traités régulièrement ratifiés et publiés ont force de loi sans qu'il soit besoin d'autres dispositions législatives que celles qui auraient été nécessaires pour assurer sa ratification”. 2 http://franceintheus.org/spip.php?article640. 3 Loi numéro 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (Act on information technology, data files and civil liberties), see https://www.cnil.fr/sites/default/files/ typo/…/Act78-17VA.pdf. 1

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_7

137

138

7

France

France is one of the bigger EU countries with 67 million inhabitants.4 It is part of French culture to keep professional and private life separate, with a strong right to privacy. In 2016, the French government expressed the ambition to adopt the GDPR well ahead of it coming into force in 2018.5 After the terrorist attacks in Paris (November 2015) and Nice (July 2016), a state of emergency was declared, creating tension between national security and protection of personal data. Internet Use Internet use in France has grown rapidly from 14.4% of the population in 2000 to 83.8% in 2015.6 It scores about average on broadband connectivity (average Mbps is 17.4 in 2017).7 France is one of the five EU countries where internet is used by less than half of the population for social networks at least once a week: 47% against the EU average of 57%.8 Regarding use for instant messaging and chats at least once a week, France is closer to the EU average of 53% with 49%.9 For online banking, this percentage is also low with 33%, where the EU average is 43% and the top three countries score above 75% (The Netherlands 75%, Denmark 79% and Finland 84%). For the use of internet for making (video) calls at least once a week, France scores just slightly over the EU average with 28%. France is in a large group of EU-countries where the use of the internet for games at least once a week lies between a quarter and a third of the population (16 out of the 28 countries, including France with 29%).10 The French have the highest percentage of people who never use the internet who use peer-to-peer media sharing sites with 76%.11 Control The French are in the top three of EU countries where a lack of control is experienced with respect to personal information provided online (with 34% of the French people reporting feeling no control, after Spain with 36% and Germany with 45%).12 They are also among the most concerned on their payment activities being recorded (62% compared to the EU average of 55%).13 4

http://www.bdm.insee.fr/. This is stated in the bill for a République Numérique that was passed in 2016: http://www.economie. gouv.fr/projet-loi-pour-republique-numerique-definitivement-adopte, http://privacylawblog.fieldfisher. com/2016/france-to-adopt-gdpr-provisions-before-it-comes-into-force-in-2018/. 6 http://www.internetworldstats.com/eu/fr.htm. 7 https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q1-2017-state-ofthe-internet-connectivity-executive-summary.pdf. 8 Eurobarometer 431 2015, p. 109. http://ec.europa.eu/public_opinion/archives/eb_special_439_ 420_en.htm#431. 9 Eurobarometer 431 2015, p. 110. 10 Eurobarometer 431 2015, p. 111. 11 Eurobarometer 431 2015, p. 113. 12 Eurobarometer 431 2015, p. 10. 13 Eurobarometer 431 2015, p. 17. 5

7.1 General Situation

139

Awareness In a survey, the French respondents showed a slightly below-average level of awareness about the use of personal information by website owners and, interestingly, the highest portion of respondents who answered that they were “not sure what this means”.14 In detail, however, the French show a similar-to-average level of awareness and a clearly above-average level of non-acceptance to website owners using users’ personal information to customize the content and advertising users see.15 In 2013, the French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) created Le collectif Educnum,16 a platform uniting about 60 member organizations, dedicated to raising awareness of citizens and companies on personal data protection. Their website contains research and information about internet use and data protection for citizens and consumers.17 Trust The overall trust in France with respect to data protection by different types of authorities is relatively high compared to the European average: 79% over 74%. This is a decrease of 7 percent points compared to 2010. Especially, trust in national public authorities is relatively high (73% compared to the EU average of 66%), somewhat high for banks and financial institutions (60% over 56% EU average) and EU institutions (53% over 51% EU average). On the other hand, France scores low on some other categories: like in the Netherlands (31%), French people’s trust in shops and stores to deal well with personal data is particularly low (29%), as opposed for example to Ireland (54%, European average 40%). Trust in telecommunication companies to protect personal data is also relatively low compared to the other EU countries with 25% (with the European average at 33%), as it is for online businesses (16% over the EU average of 24%).18 Protective Actions Regarding actions taken by citizens to protect their personal data, the platform Educnum of the CNIL underlines that two out of three young citizens use an ad blocker.19 The CNIL recommends also the utilization of a cookie blocker.20

14

Consent Country Report France 2012, p. 27. Consent Country Report France 2012, p. 4. 16 https://www.educnum.fr/fr/le-collectif-educnum. 17 Our questionnaire, answers from Emmanuel Laforet (Adjoint au chef de bureau du droit constitutionnel et du droit public général), [email protected]. 18 Eurobarometer 431 2015, p. 66. 19 https://www.educnum.fr/fr/2-jeunes-sur-3-utilisent-un-adblocker (published 26 September 2016). 20 https://www.educnum.fr/fr/cookies-les-outils-pour-les-maitriser. 15

140

7

France

In 2015 Google accidentally revealed data on ‘the right to be forgotten’ requests received by them.21 According to those data, the French had the highest portion of requests for removing personal information (98%, with the Netherlands second at 98%, Germany third at 98%, Sweden fifth at 96%, UK 95% and Italy 85% - in Italy 12% of requests were related to serious crime). This can be seen as an example of action taken by citizens to protect their personal data and online reputation.22 National Politics The French traditional political parties have not expressed a specific point of view on privacy and personal data protection, but the French government enjoys good cooperation with the CNIL.23 The major political parties favor a combination of both regulation and self-regulation. There is a dialogue between political parties and civil organizations; some are consulted by the government in public consultations, others by committees of either the National Assembly or the Senate. Events are also organized in the Assembly or by the French data protection authority. In 2014, the government published a public data policy for the purpose of transparency and accountability of the administration. It includes the appointment of a State Chief Data Officer (CDO), and the installment of an open public data platform (Data.gouv.fr).24 In September 2015, the government initiated the Project de Loi pour une République Numérique: a three-week long process of co-design with citizens online of a legal text on topics such as net neutrality, data portability, confidentiality of private communications online, the right to be forgotten, openness of public data, accessibility for people with handicaps. All political parties accorded the resulting law in October 2016.25 During the night of Friday 13 to Saturday 14 November 2015, immediately after the terrorist attacks in the Bataclan theatre in Paris, the president of the French Republic declared a state of emergency by means of two decisions taken in the Council of Ministers. It was in force throughout France and was the source of various lawsuits against data processing for intelligence purposes26 or copying of data when a raid takes place.27 The balance between privacy and security has been

21

https://www.theguardian.com/technology/2015/jul/14/google-accidentally-reveals-right-to-beforgotten-requests (last consulted 6 March 2017). 22 Our questionnaire, answers from Emmanuel Laforet. 23 Our questionnaire, answers from Emmanuel Laforet. 24 http://www.gouvernement.fr/en/public-data-policy (consulted 22 February 2017). 25 http://www.economie.gouv.fr/projet-loi-pour-republique-numerique-definitivement-adopte, http:// proxy-pubminefi.diffusion.finances.gouv.fr/pub/document/18/21499.pdf (consulted 22 February 2017). 26 http://www.conseil-etat.fr/Actualites/Communiques/Controle-des-techniques-de-renseignement. 27 http://www.conseil-constitutionnel.fr/conseil-constitutionnel/francais/les-decisions/acces-pardate/decisions-depuis-1959/2016/2016-536-qpc/decision-n-2016-536-qpc-du-19-fevrier-2016. 146991.html.

7.1 General Situation

141

clarified by new rules on the state of emergency28 and through modifications in the Code on internal security.29,30 Media-Attention As mentioned above, new laws make the processing of more data admissible for security reasons. This is sometimes criticized by the CNIL31 or in the press.32 A wide range of topics related to privacy is addressed in the media. The CNIL is well-known by the public and usually by the specialized and general press,33 both in mainstream and new media. French privacy laws drew international press attention when the French president François Hollande invoked his right to a private life with respect to investigations into an alleged extramarital affair.34 Data Breaches The French data protection authority CNIL issues written public warnings on its homepage in the case of large data breaches.35 Recent incidents occurred in the e-commerce sector,36 the telecom sector37 and in relation to dating sites.38 The CNIL responded to them with a public warning, but also with an increase of the possible administrative sanctions in the Act Nr. 78-17. Citizens may complain at the CNIL and may challenge the decisions at the Council of State.39 A list of privacy related lawsuits is available on the website of the CNIL and other websites.40 Civil Rights Organizations In France, there are many organizations active in the field of privacy and data protection. Some of them are actually not civil rights organizations (Conseil

28

https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000032921910&categorie Lien=id. 29 Our questionnaire, answers from Emmanuel Laforet. 30 http://www.conseil-constitutionnel.fr/conseil-constitutionnel/root/bank_mm/Tables/tables_ analytiques.pdf. 31 https://www.legifrance.gouv.fr/affichTexte.do?cidTexte= JORFTEXT000033318979&dateTexte=&categorieLien=id. 32 Our questionnaire, answers from Emmanuel Laforet. 33 As a Google search would demonstrate, according to Emmanuel Laforet: https://www.google.fr/ search?q=CNIL&ie=utf-8&oe=utf-8&gws_rd=cr&ei=ogkaWIilFMyeaNWxq9AB#q= CNIL&tbm=nws. 34 See for example https://edition.cnn.com/2014/01/14/world/europe/france-hollande/index.html. 35 https://www.cnil.fr/. 36 https://www.cnil.fr/fr/cdiscount-avertissement-et-mise-en-demeure-pour-de-nombreuxmanquements. 37 https://www.cnil.fr/fr/la-societe-orange-sanctionnee-pour-defaut-de-securite-des-donnees-dansle-cadre-de-campagnes. 38 https://www.cnil.fr/fr/donnees-traitees-par-les-sites-de-rencontre-8-mises-en-demeure. 39 Our questionnaire, answers from Emmanuel Laforet. 40 https://www.legalis.net/jurisprudences/vie-privee/.

142

7

France

national du numérique, Syndicat de la magistrature, Syndicat des avocats de France, Syntec numérique, Tech In France).41 La Quadrature du Net42 is a non-profit association that defends the rights and freedoms of citizens on the Internet. More specifically, it advocates the adaptation of French and European legislation to the founding principles of the Internet, most notably the free circulation of knowledge. As such, La Quadrature du Net engages in public-policy debates concerning, for instance, freedom of expression, copyright, regulation of telecommunications and online privacy. La Quadrature is funded by individual donations but also by French, European and international NGOs, including the Electronic Frontier Foundation, the Open Society Institute and Privacy International. In January 2017, la Quadrature reported that the annual campaign for individual donations resulted in 245K€, which covers about 77% of the annual budget for 2017 of the organization, implying that the 2017 budget is around 320K€. Another 11% of the budget is covered by subsidies from other foundations.43 Privacy International, in their submission for the UN Human Rights Committee periodic report for France of 1 June 2015,44 already expressed concern about the overly broad use of electronic surveillance by French intelligence agencies. They are concerned that the current law in France does not adequately protect against interference with the right to privacy and signal that this situation is made worse by the 2015 Intelligence bill45 following the attacks on Charlie Hebdo in January 2015, in “an attempt to legalize already existing practices among intelligence agencies and to broaden surveillance powers under the guise of preventing terrorism.’’ They write that “the lack of judicial authorization and oversight of surveillance, particularly in light of the wide ranging surveillance powers envisaged in the bill, is of particular concern.’’ Other civil rights organizations active in France are Amnesty International France, l’Association des services internet communautaires, Cecil, Creis-Terminal, French Data Network, Génération Libre, Les exegetes amateurs, Ligue des droits de l’Homme, and Fédération des fournisseurs d’accès à Internet associatifs. These organizations facilitate debate, contribute to public consultation, file complaints, and contest some legislation at the Council of State or Constitutional Court. They also influence the legislative process by lobbying at the national and the European level, and advocating data protection with members of the parliament. These organizations are well known in France.46 41

Our questionnaire, answers from Emmanuel Laforet. https://www.laquadrature.net/. 43 http://www.laquadrature.net/fr/campagne-dons-2016-merci. 44 https://www.privacyinternational.org/sites/default/files/PI%20submission%20France.pdf. 45 LOI n° 2015-917 du 28 juillet 2015 actualisant la programmation militaire pour les années 2015 à 2019 et portant diverses dispositions concernant la défense https://www.legifrance.gouv.fr/ affichTexte.do;jsessionid=9D17CF9469F7DC1FE559D0DC2C940429.tpdila10v_3?cidTexte= JORFTEXT000030943133&idArticle=&categorieLien=id. 46 Our questionnaire, answers from Emmanuel Laforet. 42

7.2 National Government Policies

7.2

143

National Government Policies

National Policies, Privacy Impact Assessments The general policy for data protection is based on the framework of the Data Protection Act (Nr. 78-17). There are sector specific policies in the health sector, for archives, research and access to documents.47 Article 34 of the French Data Protection Act provided that data controllers shall “take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data”. Data controllers are to identify risks that arise from their processing in order to identify the adequate measures to reduce them. In order to help SMEs and micro companies, the CNIL published a first security guide in 2010.48 The guide provides simple precautions that should be implemented to improve security of a processing of personal data. In June 2012, the CNIL published a guide on privacy risk management, applicable to complex processing or high risks scenarios.49 In 2015, the CNIL published three documents assisting data controllers in executing Privacy Impact Assessments (PIAs): methodology, tools and good practices.50 These update the guide on Privacy Risk Management that was published by the CNIL in 2012 to help “data controllers to get an objective understanding of the risks arising from their processing, in order to select the necessary and sufficient security controls”. A PIA can be executed when a new law is drafted or new forms of data processing are created, but PIAs were not mandatory before the introduction of the GDPR in May 2018. They are now mandatory only in some cases.51 Privacy and Data Protection in New Policies The CNIL is consulted on draft Acts or Decrees that relate to personal data processing.52 The CNIL can also propose new regulation. Privacy and personal data protection play a role in policy-making in this way.53 The French government initiated an independent commission called Conseil National du Numérique, a think

47

Our questionnaire, answers from Emmanuel Laforet. https://www.cnil.fr/sites/default/files/typo/document/Guide_Security_of_Personal_Data-2010. pdf. 49 Our questionnaire, answers from Emmanuel Laforet. 50 https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual. 51 Our questionnaire, answers from Emmanuel Laforet. 52 Data Protection Act, Article 11 paragraph 4° modified in October 2016, https://www.legifrance. gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460. 53 Our questionnaire, answers from Emmanuel Laforet. 48

144

7

France

tank on the impact of information technology and innovation on society. It has 30 members, who are representatives of different parts of society (public organizations, private companies, NGOs, education). The first of its main themes is loyalty and freedom in a common digital space.54 Privacy by design is used when creating new policies by the implementation of Article 34 of the French Data Protection Act and when complying with principles such as data minimization, purpose limitation, etc.55 The CNIL took the initiative for establishing a network of privacy experts and stakeholders. With it, the CNIL wants to develop its analysis in the area of forecasting, to better understand technological developments and new uses, and to anticipate and assess the new key issues for data protection. This is reflected in the CNIL foresight committee report on Privacy Towards 2020.56 Societal Debate The government takes opinions of citizens and companies into account when creating new policies and legislation, for example through the platform République Numérique57 on the Digital Republic Act (Nr. 2016-1321).58 The government also replies to questions of the public.59 More generally, the French government has installed the abovementioned Conseil National du Numérique,60 an independent committee with representatives from a broad range of stakeholders to discuss the impact of digital technologies on society. Information Campaigns The government subsidizes projects which create further awareness for both citizens and companies. The campaigns are initiated by the CNIL and financed through the State budget. An example is the Educnum platform mentioned before.61 One of the missions of the CNIL is to inform data subjects (according to Article 11 paragraph 1 of the Data Protection Act Nr. 78-17). The government finances both the Conseil National du Numérique (budget about 91K€ for 2016) and the CNIL.62

54

https://cnnumerique.fr/. Our questionnaire, answers from Emmanuel Laforet. 56 CNIL foresight Committee, Privacy Towards 2020. IP Innovation & Foresight Reports No 1. Available at https://www.cnil.fr/sites/default/files/typo/document/CAHIER_IP_EN.pdf. 57 https://www.republique-numerique.fr/. 58 https://www.legifrance.gouv.fr/eli/loi/2016/10/7/ECFI1524250L/jo. 59 Our questionnaire, answers from Emmanuel Laforet. 60 https://cnnumerique.fr/. 61 https://www.educnum.fr/. 62 Our questionnaire, answers from Emmanuel Laforet. 55

7.3 Laws and Regulations

7.3

145

Laws and Regulations

Implementation of the EU Directive Prior to the GDPR, EU Directive 95/46/EC was implemented by the French Data Protection Act of 6 January 1978 (Act Nr. 78-17),63 modified by the Law Nr. 2011-334 of 29 March 2011, the Ordinance Nr. 2011-1012 of 24 August 2011 (the “Ordinance”), the Law Nr. 2013-907 of 11 October 2013 and the Law Nr. 2014-344 of 17 March 2014.64 According to the Act Nr. 78-17 the processing of personal data encompasses any set of operations which is performed upon personal data by automatic means relative to the collection, recording, development, modification, storage and destruction and any set of operations of the same nature dealing with the usage of files or data bases and interconnections, consultations or communications of personal data. The Data Protection Act states that any automatic processing of personal data on behalf of parties other than the State, public establishments, territorial authorities, or private legal entity managing a public service, must be declared prior to its implementation to the CNIL. There are specific provisions for health data of children. For example, specific procedures protecting children are in place and healthcare data controllers have to be authorized to store health data.65 Sectoral Legislation There are a number of laws and regulations relating to personal data protection regulating specific sectors, including:66 • Postal and Electronic Communications Code (Articles L 34 et seq. and Articles R 10 et seq.) (regulating online electronic communication services to the public). • Consumer Code (Articles L 223-1 et seq.) (on telemarketing). • Consumer Code (Articles L 224-42 to L 224-42-4). These will come into force on 25 May 2018 and will set out a general principle that consumers have a right to recover all of their data. • Public Health Code (Articles L 1110-4 et seq., L 1111-8 et seq., L 1115-1 et seq., L 1122-1 et seq., L 1435-6, L 1460-1 et seq., R 1111-1 et seq.) (on the processing of health data).67

63

https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460. LinkLaters DataProtected https://clientsites.linklaters.com/Clients/dataprotected/Pages/France. aspx. 65 Our questionnaire, answers from Emmanuel Laforet. 66 http://uk.practicallaw.com/6-502-1481. 67 https://www.legifrance.gouv.fr/affichTexte.do?cidTexte= JORFTEXT000031912641#LEGIARTI000031916294. 64

146

7

France

• Property Code (Article L 212-3) (on the retention of personal data contained in public archives). This legislation concerns more than just sensitive categories of personal data, as for example in the context of employment.68 Self-regulation and Codes of Conduct The CNIL provides recommendations on good practices and it delivers quality labels.69 Self-regulation initiatives exist, for example with codes of conduct.70 The CNIL actively participates in the program of Binding Corporate Rules (BCR) of the European Commission.71 The BCR “are used by multinational companies in order to adduce adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals within the meaning of Article 26(2) of the Directive 95/46/CE for all transfers of personal data protected under a European law.” The list of 88 companies for which the BCR procedure is closed, contains 28 French companies with lead authority CNIL (as compared to 16 Dutch companies, 8 German companies, 22 UK companies and 1 Irish company).

7.4

Implementation

Some of the companies use other means to implement data protection, such as privacy seals,72 certifications or codes of conduct.73 In January 2015 the CNIL published a standard to define what accountability with respect to privacy means in practice: the CNIL-seal Gouvernance Informatique et Libertés.74 It has been suggested as a model for a European standard.75 The privacy seal program is coordinated by the CNIL in order to receive the privacy seal, organizations have to meet 25 cumulative standards. These standards are divided into three different categories: • the internal organization of the management of personal data; • the methods of verifying compliance with the law; • the handling of complaints and incidents. 68

Our questionnaire, answers from Emmanuel Laforet. https://www.cnil.fr/fr/les-labels-cnil. 70 Our questionnaire, answers from Emmanuel Laforet. 71 http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_ en.htm. 72 https://www.cnil.fr/fr/les-labels-cnil, https://www.cnil.fr/en/cnil-privacy-seal-privacy-governa nce-procedures, https://www.cnil.fr/sites/default/files/typo/document/CNIL_Privacy_Seal-GovernanceEN.pdf. 73 Our questionnaire, answers from Emmanuel Laforet. 74 https://www.cnil.fr/fr/un-nouveau-label-cnil-gouvernance-informatique-et-libertes. 75 http://www.hldataprotection.com/2015/01/articles/international-eu-privacy/new-cnil-accountabilitystandard-may-become-european-model/. 69

7.4 Implementation

147

It constitutes, for companies, authorities, associations or jurisdictions, adequate ethical and legal framework, demonstrates the willingness of the organization to innovate and process personal data responsibly. Additionally, these privacy seals prepared organizations for the introduction of the General Data Protection Regulation, especially by introducing the notion of accountability.76 In June 2016, the CNIL also launched the initiative for a public consultation on the GDPR for professionals. The goals were to assemble concrete questions, interpretation difficulties and examples of best practices evoked by the text. The contributions served as input for the Article 29 Working Party (WP29), which will adopt the operational guidelines on the different topics submitted for consultation.77 Privacy Officers The DPA permitted organizations to appoint data protection officers (Correspondants Informatique et Libertés; DPO is CIL in French) on an optional basis and this could provide an exemption from notification. A DPO is responsible for ensuring the application of the obligations provided by the DPA and for keeping a register of processing (except where processes are involved that require an authorization or an opinion and this includes, in general, processes where a transborder dataflow is contemplated). According to the CNIL 2015 activity report, approximately 16,400 data controllers have appointed a data protection officer.78 There are no specific qualifications required by law for a DPO, except that the person should be qualified to do the job. If the organization has less than 50 people involved in the processing of data, the DPO may be external, otherwise they should be employed by the data processor.79 The responsibilities of the Data Protection Officer prescribed by law include: (i) establishing and keeping a list of the organization’s Data Processing activities for which he/she was appointed; (ii) ensuring compliance with data protection legislation; (iii) advising the organization, in particular on any new data processing activities to be included on that list, prior to their implementation; (iv) receiving data subjects’ requests and complaints relating to these data processing activities; and (v) submitting an annual report of his/her activities to the organization and making it available to the CNIL. In practice, typical duties also include: developing internal policies and procedures; conducting compliance checks; preparing (and delivering) staff training; reviewing contractual clauses relating to data protection; advising on appropriate notices to data subjects; registering with the CNIL the data processing activities subject to prior approval;

76

https://www.cnil.fr/en/cnil-privacy-seal-privacy-governance-procedure. https://www.cnil.fr/sites/default/files/atoms/files/resultats_de_la_consultation_publique_ reglement_0.pdf. 78 https://clientsites.linklaters.com/Clients/dataprotected/Pages/France.aspx (consulted 20 February 2017). 79 https://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/france (consulted 20 February 2017). 77

148

7

France

and generally raising awareness of data protection issues throughout the organization.80 The CNIL should be notified of the appointment of a DPO.81 Security Measures The CNIL provides through its website a number of guidelines and advice to both citizens and organizations about the data protection laws, principles and ways of dealing with them. For organizations for example, a part of its site is dedicated to “Les Outils de la Conformité”82 (compliance tools). Here they describe how organizations can assign a DPO (CIL in French, see above) to “reduce data risks and maximize investments.”83 An important role of the DPO is to advise about data protection measures, and to warn about data protection risks when developing new services. The aforementioned privacy seals issued by the CNIL are also an important tool to stimulate and assist with compliance to security standards.84 Transparency In a public speech, CNIL Head of Compliance Sophie Nerbonne mentioned (lack of) transparency as one of the main issues concerning the Internet of Things. The CNIL issued a warning against an organization called PROFILS SENIORS for lack of transparency in early 2016.85 This organization works towards constituting a database with information on senior citizens with the purpose of leasing it to third parties for e-commerce. In 2015, during an investigation after a complaint in 2013, several breaches of the law “Informatique et Liberté” were found.

7.5

Regulatory Authorities and Enforcement

Supervisory Authorities The French Data Protection Act Nr. 78-17 of 6 January 1978 on information technology, data files and civil liberties created the French data protection authority CNIL (the Commission Nationale de l’Informatique et des Libertés) after a political debate in the national parliament. As of January 2015, the CNIL has 192 employees. The budget is almost 19 million euro for 2016.86

80

https://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/france (consulted 20 February 2017). 81 https://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/france (consulted 20 February 2017). 82 https://www.cnil.fr/fr/les-outils-de-la-conformite. 83 https://www.cnil.fr/fr/le-role-du-cil-et-ses-benefices. 84 https://www.cnil.fr/en/privacy-seals. 85 http://www.liberation.fr/direct/element/donnees-personnelles-la-cnil-sanctionne-la-societeprofils-seniors_27831/ (consulted 20 March 2018). 86 https://www.data.gouv.fr/fr/datasets/budget-de-la-cnil-1/.

7.5 Regulatory Authorities and Enforcement

149

The members of the CNIL congregate in plenary sessions once a week on an agenda pre-established by the Chair. A major part of these sessions is devoted to the assessment of bills and draft decrees that are submitted by the government for an official CNIL opinion. Additionally, the CNIL gives authorizations for the processing of sensitive data including, but not limited to, those requesting the use of biometrics. It also analyses the consequences of new technologies on citizens’ private life.87 CNIL was one of about twenty national DPAs to initiate the so-called Privacy Sweep, coordinated by the Global Privacy Enforcement Network.88 On this yearly event, a number of groups are targeted according to a theme,89 but in general, the DPA works with all data controllers, processors and data subjects.90 Main Activities Prior to the GDPR, the role of the data protection authority was described Article 11 of the French Data Protection Act. The CNIL advises on proposed legislation or decrees, and supports citizens. It supports a dialogue between the authorities and organizations under supervision. The authorities start an investigation when they want, usually after complaints of citizens or in the press. The CNIL sanctions for example in case a data breach impacts many citizens, improper use of sensitive data, or when a data controller does not comply after a formal notice.91 In its investigation program for 2015, the CNIL indicated it intended to conduct approximately 550 investigations, both on-site and online. Priority for these investigations include contactless payment, internet of things for healthcare and ex post investigations on the companies that have obtained authorizations for their Binding Corporate Rules (BCR).92 Its focus program includes connected cars, smart cities and the commercial exploitation of personal data by cultural devices such as digital e-books, music players or video-on-demand. The CNIL has the power to take enforcement action in France. It has the ability to fine organizations itself, and the CNIL’s sanctions can be made public (usually on its website) and be published in newspapers at the cost of the defaulting data controller. Prosecutions for criminal offences are brought before the French criminal courts, which have the power to impose criminal fines and/or imprisonment.93

87

Our questionnaire, answers from Emmanuel Laforet. https://www.privacyenforcement.net/. 89 https://www.cnil.fr/fr/internet-sweep-day-2016-comment-les-objets-connectes-du-quotidienimpactent-la-vie-privee. 90 Our questionnaire, answers from Emmanuel Laforet. 91 Our questionnaire, answers from Emmanuel Laforet. 92 LinkLaters resource https://clientsites.linklaters.com/Clients/dataprotected/Pages/France.aspx. 93 LinkLaters resource https://clientsites.linklaters.com/Clients/dataprotected/Pages/France.aspx. 88

150

7

France

Use of Competences In 2014, the CNIL received 5,825 complaints about breaches of the DPA.94 There were 421 investigations, which lead to 62 formal notices (four of which were made public), seven warnings, 18 sanctions (including eight financial sanctions, seven of which were made public).95 In 2014, 68% of the formal notices led to compliance and were then closed but three procedures led to a discharge.96 In January 2014, the CNIL issued a fine of 150,000 euros against Google with respect to its merged privacy policy covering 60 of its services, for violation of the rules on providing fair processing information, obtaining valid consent to cookies, retention periods and combining users’ data collected across its services. In August 2014, the CNIL sanctioned a French telecommunication company for a data breach concerning approximately one million customers caused by the temporary technical failure of one contractor. Despite the breach being disclosed voluntarily, the CNIL issued a public warning. In 2014, 333 on-site investigations have been conducted (88 targeting CCTV systems), 58 of which were on-line investigations. Indeed, the new “Law on consumption”, dated 17 March 2014, provides new investigative tools for the CNIL by modifying the DPA. Now, the CNIL is expressly entitled to make on-line investigations, i.e. to collect data from internet websites as long as the data is freely accessible or made accessible, including by imprudence, negligence or intervention of a third-party. Some criminal lawsuits are initiated by a transmission of the CNIL to the prosecutor (on the basis of Article 11.2.e of the Act Nr. 78-17).97 The CNIL received 7908 complaints in 2015.98 Reputation The Data Protection Authority (CNIL) is well known by the public. Companies work in good cooperation with the CNIL at the national and the European level as the CNIL chairs the Article 29 Working party.99 Some of the companies use their attention for practices such as privacy seals,100 certifications or codes of conduct as a way of adding value.101

94

LinkLaters resource https://clientsites.linklaters.com/Clients/dataprotected/Pages/France.aspx consulted 31 October 2016. 95 LinkLaters resource https://clientsites.linklaters.com/Clients/dataprotected/Pages/France.aspx consulted 31 October 2016. 96 LinkLaters resource https://clientsites.linklaters.com/Clients/dataprotected/Pages/France.aspx consulted 31 October 2016. 97 Answer to our questionnaire by Emmanuel Laforet. 98 Answer to our questionnaire by Emmanuel Laforet. 99 Answer to our questionnaire by Emmanuel Laforet. 100 https://www.cnil.fr/fr/les-labels-cnil. 101 Our questionnaire, answers from Emmanuel Laforet.

References

151

References Consent Country Report France (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Mulligan DK, Bamberger KA (2015) Privacy on the Ground; Driving Corporate Behavior in the United States and Europe. MIT Press

Chapter 8

Romania

8.1

General Situation

Romania is included in this research as an Eastern European country that typically does not have a long history of privacy and personal data protection. Relatively recently, in 2007, Romania acceded to the European Union. As of 1976, the right to privacy existed in Romania because of its adherence to the International Covenant on Political and Civil Rights (ICCPR), which contains a right to privacy in Article 17, but during the Soviet era this right to privacy was frequently violated by the security services.1 Romania has also signed the Universal Declaration of Human Rights. Romania takes a monistic approach to international law, meaning that provisions in international treaties apply directly in national law, without any further implementation being necessary. After the collapse of the Soviet Union and the Warsaw Pact in 1989, large portions of the communist constitution were suspended and in 1991 a new constitution was adopted in Romania, in which for the first time a right to privacy was established (in Article 26). At the time, Romania’s ambition was to accede to the European Union and it therefore actively implemented EU Directives. The EU Directive on the protection of personal data (95/46/EC) dates from 1995 and was closely followed when establishing data protection (see Sect. 8.3). Since Romania has no long history in the area of privacy and personal data protection, there was no existing national data protection legislation that needed to be amended and there was the opportunity to start from scratch with establishing a completely new regulatory framework for the protection of personal data.

1

Manolea 2007, p. 1.

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_8

153

154

8 Romania

In the existing research (see Chap. 1) Romania is one of the least marked privacy orientated countries among EU member states. In Romania, there are low predispositions to both self-disclosure and digital involvement.2 Internet Use Romania has a population of 22 million inhabitants, out of which it is estimated that 9 million have access to Internet services. Approximately 2.6 million citizens have access to broadband Internet services.3 When compared the average of the EU, Romanians seem to be very active on the Internet and technology savvy. For instance, 59% of Romanians use social media at least once a week.4 Furthermore, 52% uses instant messaging or chat websites at least once a week.5 83% of Romanians check the Internet for news more than once a week (EU average 72%).6 Also, Romanians are among users that most often use the internet for access to music, images and videos. The use of online phone calls and video calls in Romania is similar to EU averages.7 About 40% plays online games at least once a week (EU average is 25%). However, some types of online services Romanians are considerably more reluctant to use. For instance, about 70% of Romanians shop online (compared to 87% EU average).8 About 48% never buys anything online, compared to an EU average of 24%.9 Also, 65% of Romanians never use online banking, which is significantly higher than the 35% EU average.10 Control When asked, Romanians generally do not feel in control of the information they provide online. According to a recent survey, 14% feels to have control, 53% feels to have only partial control and 30% feels to have no control at all.11 This closely resembles the EU averages, which are 15%, 50% and 31% respectively. At the same time, not all Romanians seem to be very concerned about this lack of control. About 56% of the people indicate concern, compared to an EU average of 67%.12

2

Consent Country Report Romania 2012, p. 44. Consent Country Report Romania 2012, p. 46. 4 Eurobarometer 431 2015, p. 109. 5 Eurobarometer 431 2015, p. 109. 6 Eurobarometer 431 2015. 7 Eurobarometer 431 2015, p. 111. 8 Consent Country Report Romania 2012, p. 3. 9 Eurobarometer 431 2015, p. 111. 10 Eurobarometer 431 2015, p. 110. 11 Eurobarometer 431 2015, p. 10. 12 Eurobarometer 431 2015, p. 13. 3

8.1 General Situation

155

Slightly less than half of all Romanians (48%) considers providing personal information as an increasing part of modern life. This is the lowest in the EU (average is 71%).13 It should also be noted that this belief still seems to be increasing in Romania, whereas it is in the EU average it is actually decreasing. About 33% indicates that providing personal data is not a big issue.14 When asked about using personal data for personalized advertisements and services, 6% feels very comfortable with this, 38% fairly comfortable, 36% fairly uncomfortable and 14% very uncomfortable.15 Awareness Generally, Romanians show a level of awareness that is comparable to the rest of the EU when it comes to the use of personal information by website owners.16 However, whilst Romania shows the highest level of awareness in the EU of personal information being used by website owners to contact users by email (Romania 90%, EU average 87%), it also stands out with a comparably high level of acceptance (85%). Similar relations can be observed in the awareness and acceptance of the use of personal information to customize content and advertising. However, whilst there appears some form of “balance” between user awareness and user acceptance towards these practices, there are substantially lower levels of acceptance of in-depth gathering of information, selling it, or making it available to others. Such practices are seen as largely unacceptable, and commercial trade-offs in this respect also meet little acceptance throughout the EU. Here, Romanians show a level of non- acceptance which is at a similarly high level as the EU average (Romania 75%, EU average 74%). Actual experience of privacy invasions is comparably low with Romanian people scoring 3.01 (EU average 2.89) on a 7 point scale (1 = never, 7 = very frequently).17 In dealing with privacy policies, a proportion of Romanian people that is identical to the EU average (both 47%) ever decided not to use a website due to their dissatisfaction with the site’s privacy policy, and about half of Romanian people never or rarely actually read a site’s terms and conditions (49%) or privacy policy (55%).18 If reading the privacy policies, Romanians, like other EU citizens, rarely read the whole text (Romania 15%, EU average 11%), although they are rather confident that – when reading it – the text is mostly or fully understood (Romania 76%, EU average 64%).

13 14 15 16 17 18

Eurobarometer 431 2015, p. 29. Eurobarometer 431 2015, p. 32. Eurobarometer 431 2015, p. 40. Consent Country Report Romania 2012, p. 4. Consent Country Report Romania 2012, p. 4. Consent Country Report Romania 2012, p. 4.

156

8 Romania

Only 22% of Romanians have heard about the existence of their national Data Protection Authority. This is one of the lowest percentages in the entire EU (average is 37%).19 Trust On average, the extent to which Romanians trust public authorities and private companies with their personal data is 55%, which is close to the EU average (51%). However, when looking at trust in more detail, Romanians have considerably less trust in specific sectors, such as health and medicine (58%, EU average 74%), public authorities (54%, EU average 66%) and banks and finance (39%, EU average 56%). Trust in shops and stores is (at 39%) close to the EU average (40%).20 The same goes for online businesses like search engines (24%, EU average 24%). Trust in telecommunications and internet providers is 41%, which is significantly above the EU average (33%). Romanian perception of general risks related to the disclosure of personal information on social media websites appear to be similar to the overall EU average.21 This also applies to the specific risks perceived - information being used or shared by website owners without the user’s knowledge or consent, and information used to send unwanted commercial offers. However, regarding perceptions of personal safety being at risk, reputation being damaged, and, in particular, becoming a victim of fraud, Romania scores substantially higher than the EU average (likelihood of becoming a victim of fraud: Romania 54%, EU average 32%). This increased level of risk perception may be the result of recent reports about “hackers” and phishing cases – some of them, actually, originating in Romania. Protective Actions The number of Romanians that tried to change privacy settings in their social media profiles is 51% (EU average 57%).22 Romanians find it rather easy to change these settings (86%, compared to EU average 64%).23 People who do not change the privacy settings indicate to trust the website to set appropriate privacy settings (17%), do not know how to change the settings (16%), are not worried about having personal data online (25%), do not have time to look at the options (27%) or did not know they could change the settings (13%).24 Similar results are shown in the CONSENT survey, that shows that, to safeguard their privacy, 43% of Romanian people often or always change the privacy settings of their personal profiles on social media sites (EU average 54%), and 79% (EU average 80%) of those who

19 20 21 22 23 24

Eurobarometer 431 2015, p. 52. Eurobarometer 431 2015, p. 66. Consent Country Report Romania 2012, p. 4. Eurobarometer 431 2015, p. 92. Eurobarometer 431 2015, p. 95. Eurobarometer 431 2015, p. 98.

8.1 General Situation

157

change privacy settings indicated that they made the privacy settings stricter so that others can see less information about them.25 On the level of specific technical measures taken to maintain or increase personal internet security, some practices (pop-up window blockers, checking opt-in/opt-out boxes, blocking emails) are more established than others (checking for spyware, clearing the browser history), with the Romanian people showing results that are mostly below the overall EU average.26 It appears that the ability to take technical measures to maintain or increase personal internet security cannot (yet) fully keep up with the high-frequency usage of the Internet and social media.27 The level of digital involvement is much higher than the tendency to take measures for the protection of personal privacy.28 Also, the predisposition to self-disclosure is much stronger than the tendency to take measures for the protection of personal privacy.29 National Politics Personal data protection does not play an important role in national politics or party politics. Looking at the current programs of political parties, privacy and data protection are absent or only marginally mentioned. When discussing legislative proposals, privacy may be an issue that is raised. A typical example of this occurred when the Liberal Party submitted a draft cybersecurity law to the Romanian Constitutional Court (CCR).30 Mostly such debates in parliament or public discussions arise from legislative proposals in the security domain. Usually this starts with a strong pro-security position presented in the parliament or in the government that evokes reactions to stop the expansion of security measures. In the security domain, regulation is often seen as the only option, but this is not uncommon in other sectors in Romania, in which detailed regulation is also preferred above soft law and other approaches. Romania does not have a tradition of self-regulation. Self-regulation is regarded by politicians (and sometimes by the public as well) as a ‘doing nothing’ approach, which is considered (too) passive. There is no real dialogue between civil society and political parties on privacy and data protection issues. Neither is there a dialogue between the DPA and political parties or between the DPA and public institutions. Furthermore, the DPA’s opinion is sometimes ignored, particularly in sensitive issues like mass surveillance measures. In 2016, there were at least three legislative proposals on

25

Consent Country Report Romania 2012, p. 4. Consent Country Report Romania 2012, p. 3. 27 Consent Country Report Romania 2012, p. 39. 28 Consent Country Report Romania 2012, p. 52. 29 Consent Country Report Romania 2012, p. 53. 30 See news: https://privacy.apti.ro/2015/01/29/romanian-cybersecurity-law-sent-to-the-constitutional-court/ The draft law was declared unconstitutional in January 2015 - https://privacy. apti.ro/2015/01/29/icing-on-the-cake-romanian-cybersecurity-law-unconstitutional/. 26

158

8 Romania

new security requirements in which arguments of the DPA and previous decisions of the Romanian Constitutional Court were ignored.31 Media Attention The media does not frequently cover privacy and data protection issues. There is no nationwide debate on privacy or data protection. This is at least partially due to some structural problems in the Romanian media landscape.32 As a result, media coverage seems to be interested in the tabloid or ‘sensational’ side of privacy stories rather than on the analysis, investigation or debate of the issues. Nevertheless, given this sensationalist side in presenting stories, general media have been particularly following laws that raised privacy concerns or went to the Romanian Constitutional Court in the past five years.33 On the internet, there is a large spectrum of news items, but just a few of them are actively following data protection issues. There seems to be a lack of awareness or interest among journalists on data protection and privacy issues, even when it is related to their own occupation, for instance, when it comes to confidentiality of their sources. Data Breaches In recent years, there were no major data breaches or data leaks that went public or attracted a lot of media attention or public attention. In the CONSENT study, the major social media websites in Romania were investigated. None of these were subject to legal dispute with respect to consumer protection or data protection.34 However, there were privacy incidents that attracted public attention: • The Fiscal Authorities (ANAF) on 24 May 2016 published a list of 187,000 private persons (with full details, including name, address and unique national identifier) that owned the state budgets of more than 1500 RON (approximately 333 euros), irrespective of the question whether they contested the amount in court.35 The list was published as “open data” on the Romanian open data portal. The ANAF was fined with 16,000 RON (approximately 3,500 euros) for breaching data protection laws, but was not asked to erase the data from the

31 See Intelligence organizations get more surveillance powers in Romania, see https://edri.org/ intelligence-organisations-get-more-surveillance-powers-in-romania/. 32 For details, see ActiveWatch FreeEx report 2015 – 2016. The organization highlights the main problems of the press in Romania: “Excessive politicization of the media, corrupt financing mechanisms, editorial policies subordinated to owner interests and intelligence agency infiltration of staff – such has been the impact of the media’s transformation into political propaganda tools, which has been particularly visible in election years, including 2014.” http://activewatch.ro/en/ freeex/publications/freeex-report-2015-2016. 33 Four major laws were declared unconstitutional in 2011–2015 on right to privacy grounds – two data retention laws, one on mandatory registration of pre-paid SIM cards and Internet user's WiFi traffic, and one on cybersecurity. 34 Consent Country Report Romania 2012 2.1, Annex 1. 35 See news https://republica.ro/anaf-a-fost-amendata-cu-16-000-de-lei-pentru-lista-rusinii.

8.1 General Situation

159

Internet. ANAF contested the fine in court. A second list was published in September 2016, with stricter technical limitations.36 Much media attention was attracted and comments were made in public. • The Romanian Intelligence Services (SRI) were granted EU funds in July 2016 for a project called SII Analytics, to acquire software and hardware for “consolidating and assuring eGovernment interoperability between public information systems”. The project seems to aim at gathering all major state owned databases (e.g., citizens and company registries, health card data, fiscal data) in SRI’s playground. The data will be stored in one large system, through which other public institutions could potentially have unlimited and unwarranted access to the personal data collected. The project also aims at aggregating datasets from all major public institutions and at allowing advanced searches in order to permit inquiries to any available information on citizens and residents. Furthermore, the project description also includes a chapter on behavioral analytics. The system would enable complicated analyses, correlations of information across databases and combining it with other information.37 The project has attracted some attention from the media, but especially from NGOs – from Romania and abroad. • There are constant allegations of illegal wiretapping and widespread surveillance by secret services which attract media attention, although it should be noted that this is by media whose owners have been sent to jail or are under investigation. Although there exist conditions for the secret wiretapping systems managed technically by the secret services, there seems to be a general public mistrust in how these systems work in practice. Apparently, the number of wiretappings on “national security” grounds are two times that of the FBI38 and many of these wiretappings are leaked to the press before the trial. For the latter issue Romania has been convicted at the ECtHR several times.39 • Much public attention has been attracted in the past years by a number of projects and legislative proposals related to biometric and electronic documents, such as the biometric passport, the electronic ID card (not implemented yet), the Electronic Health Record and the Electronic Health Card.40 These projects and

36 The list is available at https://www.anaf.ro/restante/. In this list, searching for names is more difficult than in the previous list. 37 More info at https://edri.org/romania-mass-surveillance-project-disguised-egovernment/, http:// www.liberties.eu/en/ and http://mediapowermonitor.com/content/eu-helps-romanian-intelligenceagency-officially-become-big-brother. 38 http://coalitiaromanilor.org/a41-romania-stat-politienesc-cu-o-populatie-de-16-ori-mai-micadecat-sua-sri-asculta-de-2-ori-mai-multe-telefoane-ca-fbi.aspx. 39 Case Casuneanu vs Romania (22018/10) http://hudoc.echr.coe.int/sites/fra/Pages/search.aspx# %7B%22appno%22:[%2222018/10%22]%7D or Voicu vs Romania (22015/10) or Apostu vs Romania (22765/12). 40 See for example articles on similar subjects at http://asociatialibertatearomanilor.ro/.

160

8 Romania

proposals have been heavily contested, especially by religious groups.41 Some of their actions also culminated in street protests42 where they gathered up to 2,000 participants.43 Civil Rights Organizations There are a few civil rights organizations in Romania that are active on privacy and data protection issues. ApTI (Association for Technology and Internet) is a non-governmental organization whose aim is to support and promote a free and open Internet where human rights are guaranteed and protected.44 APADOR (Association for the Defense of Human Rights in Romania) is a non-governmental organization working to raise awareness of human rights issues and promote human rights standards in Romania and the region.45 CRJ (Center for Legal Resources) has a particular focus on surveillance and secret services in relation to privacy and data protection issues.46 Other NGOs include Activewatch, CJI, CRJI, AMPER, Militia Spirituala and SAR and these are also supporting privacy and data protection standpoints, especially when major legislative proposals are initiated. These NGOs often have common positions on new security laws. Generally their direct support by the general population is limited, but it depends on the topic. Their role is almost always critical with respect to the government and security positions, but they are always present at debates and sometimes organizing these debates. Sometimes they are consulted during the regulation transparency consultation process. Although they are sometimes invited and listened to, their positions are not always taking into consideration. Usually these NGOs do not operate solely on the basis of complaints. As an example, ApTI started a data protection strategic litigation project in 2015, but it had received merely approximately 35 complaints in 6 months.

8.2

National Government Policies

National Politics, Privacy Impact Assessments There is no general policy on privacy and data protection in the current government or in any previous government. Mostly privacy and data protection are considered

41

This is a euphemism for ultra-orthodox conservative movements. Their basic argument is that all these eIDs contain the number 666 of the devil. More details and extremist views at https:// graiulortodox.wordpress.com/ or http://www.apologeticum.ro. 42 See https://www.youtube.com/watch?v=AHq8GemUiC4. 43 See http://www.mediafax.ro/social/miting-anticip-in-bucuresti-o-mie-de-persoane-la-protest-10 667857. 44 www.apti.ro. 45 www.apador.org. 46 www.crj.ro.

8.2 National Government Policies

161

from the legal perspective (see Sect. 8.3 for the legal framework), rather than from the policy perspective. As such, most policies further interpreting and detailing the legal framework derive from the DPA rather than from the national government. However, there are sector specific policies in several domains, including finance and health care, which will be discussed in Sect. 8.3. Furthermore, in 2015, the Romanian government approved the National Strategy on the Digital Agenda for Romania 2020 via Government Decision No. 245/2015. This policy document discusses aspects regarding e-governance, interoperability, cybersecurity, cloud computing, big data and social media. Prior to the GDPR, Privacy Impact Assessments (PIAs) were not part of the Romanian data protection legislation. No PIAs were mandatory and there were not rules on how and when they should be executed. Privacy and Data Protection in New Policies The protection of privacy and personal data plays an important role in different fields. In banking, for instance, there are new banking instruments that should be adapted to have a very high level of security to protect data. In human resources, the Labor Code includes rules for employers, especially concerning the large companies that use electronic systems for Enterprise Resource Planning and Customer Relations Management. Other areas include taxes, health care, and marketing. Concepts like Privacy by Design are sometimes discussed in policy documents, for instance, in the Ministry of Communications document on The Digital Agenda for Europe.47 The new technological developments were also considered by the Romanian government in adopting its policy on cybersecurity.48 The National Institute for Research and Development in Informatics, in the project “Research-Development and Innovation in ICT” (2015), discusses a number of aspects regarding big data, Internet of Things, platforms for connected smart objects and privacy. Societal Debate As mentioned above, citizens should be consulted when new laws or regulations are drafted. While there are consultations regarding the protection of personal data,49 the Romanian government is often reactive, not proactive, even though, according to the abovementioned National Strategy on the Digital Agenda for Romania in 2020, the development of cooperation between the public and private sector to ensure cybersecurity is considered a priority for national action. In August 2015, in response to a request regarding the debate on the draft Government Decision approving the implementation of the Integrated Information System of Tourist

47

See www.mcsi.ro/Minister/Agenda-Digitala/Agenda_Digitala. See https://ec.europa.eu/epale/sites/epale/files/strategia-nationala-agenda-digitala-pentru-romania20202c-20-feb.2015.pdf. 49 See, e.g., http://www.romanialibera.ro/politica/institutii/guvernul-ministerul-economiei-va-aveaconsultari-publice-privind-acta–actul-nu-schimba-legea-251870. 48

162

8 Romania

Records, the Ministry of Economy, Trade, and Tourism held a debate on personal data protection. The Romanian data protection authority (ANSPDCP) is consulted very often by government organizations responsible for drafting new legislation. An example of the DPA’s participation in the consulting process includes the modification of Law No. 506/2004.50 Also, the Information Society Ministry requested the position of ANSPDCP regarding the modification of related legislation.51 The Public Finance Ministry requested the position of ANSPDCP regarding the fiscal regulation.52 The Justice Ministry consulted ANSPDCP regarding the public acquisition procedure.53 The Romanian government consulted the DPA regarding voting via mail.54 The National Institute of Statistics sought the comments of ANSPDCP when developing the National Statistics System.55 The Interior Ministry requested the position of the DPA regarding the project of the Government Ordinance concerning the use of passenger’s names in connection with the combating of terrorism.56 The National Tourism Authority consulted ANSPDCP regarding the implementation of the integrated information system for the evidence of tourists.57 ANSPDCP participates often in public debates, such as the debate on “Personal data protection in the context of new technologies” (2015); the European Data Protection Day (2014); “Cloud Computing: Challenges and opportunities from the data protection perspective” (2014); and Conferences (for instance, “Preventing and Combating Cybercrime” (2016); “Ro-Direct” (2015), “The Rule of Law in the Digital Era” (2015); etc.). ANSPDCP also conducted information meetings at several the Public Notaries Chambers. Information Campaigns There are information campaigns regarding privacy and personal data protection that address both citizens and companies. For instance, the Romanian government made available online a manual for the protection of personal data.58 Government officials sometimes present new developments at conferences or provide material online. For instance, at the Computer Show (RoCS 2016) a representative from the Romanian Prime Minister’s Chancellery presented the implications of the GDPR.59

50

See ANSPDCP, Annual Report 2015, pp. 14–16. See ANSPDCP, Annual Report 2015, p. 16. 52 See ANSPDCP, Annual Report 2015, pp. 17–22. 53 See ANSPDCP, Annual Report 2015, p. 23. 54 See ANSPDCP, Annual Report 2015, p. 24. 55 See ANSPDCP, Annual Report 2015, p. 25. 56 See ANSPDCP, Annual Report 2015, pp. 26–30. 57 See ANSPDCP, Annual Report 2015, p. 30. 58 Available at http://igi.mai.gov.ro/api/media/userfilesfile/Informare%20publica/Drepturile% 20persoanelor/manual.pdf. 59 http://www.agerpres.ro/economie/2016/11/23/cucu-cio-office-romania-va-adopta-regulamentulgeneral-pentru-protectia-datelor-in-luna-mai-2018-12-54-32. 51

8.2 National Government Policies

163

The Romanian National Computer Security Incident Response Team (CERT-RO) discusses the threats posed by the new technological developments on its website,60 while the Romanian Information Service (SRI) has published a Self-Protection Guide.61 The Ministry for Public Consultation and Civic Dialog published personal data protection information online.62 Furthermore, the Romanian data protection authority (ANSPDCP) has published numerous press releases, informative materials and case studies.63 Examples of such cases include cases involving retailers, supermarkets, the public prosecutor office, political parties and banks.64

8.3

Laws and Regulations

Implementation of the EU Directive Even before acceding to the European Union, Romania already implemented the EU Directive on the protection of personal data (95/46/EC). This was done by establishing Law No. 677/2001 for the protection of persons concerning the Processing of Personal Data and Free Circulation of Such Data.65 This is the Personal Data Law (PDL). This law does not apply to national security and defense. The PDL closely follows the text and intention of EU Directive 95/46/EC. In fact, in 2004, when Romania was still in the process of accession to the EU, the EU concluded that the implementation of the data protection directive was still lagging behind, for instance, because supervision and enforcement were inadequate (see Sect. 8.5).66 In reaction to this, Romania followed even more closely the instructions of the data protection directive. As a result, the PDL focused on the concept of personal data and described the OECD principles for fair processing of personal data (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability – mainly addressed in Article 4 and 5 PDL). According to the PDL, citizens have the right to be informed (Article 12 PDL), the right to access (Article 13 PDL), the right to have their personal data changed or update (Article 14 PDL), the right to request removal of their data (Article 14 PDL),

60

https://cert.ro/. Available at www.sri.ro/ghid-de-autoprotectie.html. 62 See Buletin Informativ (2016), available at http://dialogcivic.gov.ro/wp-content/uploads/2016/ 02/BI-ianuarie-2016.pdf. 63 See at http://www.dataprotection.ro/?page=Materiale_informative&lang=ro. 64 See ANSPDCP, Annual Report 2013. 65 www.avp.rp/leg677en.html. See also the official publication in Official Journal of Romania, Part I, No. 790/12 December 2001. 66 EU 2004 Regular report on Romania’s progress towards accession. 61

164

8 Romania

the right to object (Article 15 PDL), and the right to file complaints at the data protection authority (Article 25 PDL) or to refer to a court of law (Article 17 PDL). Since the data protection directive was closely followed, the PDL mostly implements the minimum requirements of the directive. There are no additional provisions and no evident elements of novelty or specificity.67 The only provision that seems to exceed the minimum requirements set forth by the Data Protection Directive is Article 28, which obliges professional associations to elaborate and submit codes of conduct for approval to the supervisory authority. According to the text of the directive, this is not mandatory (Article 27 of the directive). None of the new provisions in the GDPR (like the right to data portability, the right to be forgotten, Privacy Impact Assessments or data breach notifications) were included in the PDL. Although there was no data breach notification obligation in the PDL, prior to the GDPR there already existed such an obligation for the providers of electronic communications services (Article 3 Romanian e-privacy law), see below. Sectoral Legislation As a member of the EU, Romania has also implemented other EU Directives. The EU Directive for telecommunications privacy (1997/66/EC) was implemented in 2001 via Law 676/2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector.68 This law was replaced in 2004 by Law 506/2004,69 which implements EU Directive 2002/58/EC (the so-called e-privacy directive). Law 506/2004 was extended by Law 235/2015.70 Law 365/2002 is the implementation of EU Directive 2000/31/EC (the so-called e-commerce directive) and contains provisions regarding the storage of information. Law 238/2009 regulates the processing of personal data by the structures and units of the Ministry of Administration and Interior in the activities of prevention, investigation and counter crime and maintaining public order and applies to the processing of personal data carried out on public policy.71 This law does not apply to processing personal data in the domain of national security and defense. This law underlines that the systems and means for data processing in the field of preventing, investigating and combating crime must be utilized “with the respect of human rights and implementing the principles of legality, necessity, confidentiality, proportionality and only if, through their use, the protection of the data processed is ensured”.72 Furthermore, the regulations in the field of the activity of police officers

Şandru 2013. Published in the Official Journal no. 800 of 14 December 2001. See also http://www.armad.ro/ eng/legislation/law-no-6762001. 69 Published in M.Of. No. 1101/25 Nov. 2004. 70 Published in M.Of. No 767/14 Oct. 2015. 71 http://www.mai-dga.ro/index.php?l=en&t=9; Published in M.Of. No. 405/15 June 2009, republished in M.Of. No. 474/12 July 2012. 72 Article 3 of Law No. 238/2009. 67 68

8.3 Laws and Regulations

165

include provisions connected to the data collection. As a safeguard established by the law, police officers must collect information on potential crimes in a manner that does not “illegally harm or hinder the fundamental rights and freedoms of citizens, their private life, honor and reputation”.73 In addition, when it comes to vulnerable groups, the law expressly provides that the police officer has the duty to show “solicitude and respect”.74 Thus, personal data such as those related to racial origin, religious or political beliefs, or sexual behavior can be collected by Ministry of Interior structures/units, but only for determined cases where such data is necessary in order to undertake the criminal investigation or prosecution, as a result of a crime that occurred.75 For the exchange of information between the tax agency and the public administration authorities, there is the Order of the Finance Minister 1736/2012 and the Order of the Interior and Administration Minister 279/2012 regarding the approval of the framework of the cooperation protocol.76 Government Emergency Ordinance 99/2006 regarding credit institutions and the regulation of the National Bank of Romania (NBR 6/2006) put forward additional rules for the processing of financial data. Failure to comply with these rules may result in written warnings, fines between 0.05% and 1% of the company’s share capital or withdrawal of operating licenses. Breach of confidentiality may be qualified as disclosure of professional secrecy, a criminal offense sanctioned with imprisonment between three months and two years or a fine. Health care legislation sets out specific rules for personal health information. Order 1123/849/2016 of the Ministry of Health and the National Health Insurance House establishes the procedures regarding the use of the medical patient’s electronic file.77 Law 46/2003 on patient’s rights, Law 95/2006 regarding reform of the healthcare sector, and Order 904/2006 of the minister of public health put forward norms for the implementation of good practice rules. Disclosure of a person’s health condition by health insurance companies constitutes a criminal offense in the absence of the insured person’s consent. Sensitive categories of personal data are dealt with in the PDL, Article 7-10 PDL. These special categories of personal data include ethnic or racial origin, political, religious or philosophical beliefs or those of similar nature, trade-union allegiance, as well as personal data regarding the state of health or sex life. Article 10 specifically focuses on personal data regarding criminal offences. Romanian anti-discrimination law prohibits for particular types of decision-making the use of race, nationality, ethnic origin, language, religion, social status, beliefs, sex, sexual orientation, age, disability, chronic disease, HIV positive status, membership of a disadvantaged group or any other criterion. The Romanian

73 74 75 76 77

Article 32 of Law No. 218/2002 on the organizing and functioning of the Romanian Police. Article 41 of Law No. 360/2002 on the status of the police worker. Article 5 of Law 238/2009. Published in M. Of. No. 32, 15 Jan. 2013. Published in M. Of. No. 806/13 Oct. 2016.

166

8 Romania

anti-discrimination law (Ordinance 137/2000) prohibits use of such characteristics, for instance, for decisions regarding hiring employees. Ordinance 137/2000 does not stipulate reasonable accommodation for persons with disabilities, but Act 448/ 2006 on the Promotion and Protection of the Rights of Persons with Disabilities, which has the same personal scope as the Ordinance, establishes the duty to ensure reasonable accommodation in access to various public and private services and facilities and in labor relations.78 Self-regulation and Codes of Conduct In relation to the security of personal data, the Romanian Ombudsman issued Order 52/2002 on approving the minimum safety requirements for personal data processing.79 This order requires data controllers to arrange proper identification and authentication of users (for instance, via user names and passwords), different types of access (need-to-know),80 audit trails of access to personal data, the use of encryption, creating back-up copies and training of personnel. The Romanian Data Protection Authority (ANSPDCP) also published a series of decisions that provide further details on how to process personal data.81 Such decision include, for instance, adequate levels of protection of personal data when transferred to third countries like Argentina, Switzerland and Canada.82 Some decisions regard specific types of data (such as health data),83 or specific technologies (such as video surveillance).84 Decision 90/18-07-2006 regards the categories of operations that could negatively affect personal rights and liberties, Decision 91/18-07-2006 stipulates cases where there is no need to send a notification regarding the processing of personal data and Decision 162/26-02-2008 regards cases where a simplified notification of personal data processing is acceptable.

8.4

Implementation

Generally, organizations need to find their own way how to comply with data protection legislation. Apart from one guide dedicated to CCTV systems installed in blocks of apartment buildings there are no public official guidelines from the

78

Chopin and Germaine-Sahl 2013. Published in M. Of. No. 383/5 June 2002. 80 The need-to-know principle means that users can only access those data that are necessary to complete their tasks. 81 http://www.dataprotection.ro/index.jsp?page=publicated&lang=en. 82 Decisions 172/2007, 174/2007 and 173/2007. 83 Decision 101/2008. 84 Decision 52/2012. 79

8.4 Implementation

167

DPA.85 The DPA’s interpretation of data protection legislation can be deduced only from annual reports86 and other general information materials,87 but in general they also respect the Article 29 Working Party positions. Article 28 PDL obliges professional associations to elaborate and submit codes of conduct for approval to the supervisory authority. However, although according to the law all codes of conduct should be approved by the DPA, there is only one code of conduct that includes privacy and data protection and that is approved by the DPA. This is the code of conduct of the Romanian Association of Direct Marketing.88 Some bigger companies apply information security standards (such as ISO 27 001 and similar) in order to prove they are complying with the data protection legislation. Privacy Officers The PDL does not put forward any requirements to or qualifications for installing privacy officers. There are no sanctions for failing to appoint a privacy officer. Romanian companies usually do not appoint privacy officers.89 For multinationals with subsidiaries in Romania it is more common to appoint privacy officers, but this typically takes place at the level of the parent company level. In many companies privacy and data protection seem to be part of the tasks of the compliance officer or legal department. As such, it is usually not a full-time job. Those Romanian organizations who have appointed privacy officers, typically assign the following tasks to them: advising companies on data protection rights and obligations, and supervising activities related to processing, appropriate notification, management and avoidance of breaches.90 As there is no requirement to register privacy officers, there are no official statistics available on the number of privacy officers in Romania. Security Measures In relation to the security of personal data, the Romanian Ombudsman issued Order 52/2002 on approving the minimum safety requirements for personal data processing. This order requires data controllers to arrange proper identification and authentication of users (for instance, via user names and passwords), different types of access (need-to-know),91 audit trails of access to personal data, the use of

85

Available at http://dataprotection.ro/?page=ghiduri&lang=ro. Available http://dataprotection.ro/?page=Rapoarte%20anuale&lang=ro. 87 Available at http://dataprotection.ro/?page=Materiale_informative&lang=ro. 88 ARMAD - http://armad.ro/, DPA information - http://www.dataprotection.ro/servlet/ ViewDocument?id=622. 89 www.iclg.co.uk. 90 www.iclg.co.uk. 91 The need-to-know principle means that users can only access those data that are necessary to complete their tasks. 86

168

8 Romania

encryption, creating back-up copies and training of personnel. Order 52/2002 does not include any reference to ISO standards or certificates. Specific sectors further focus on security measures. The justice system computerization strategy for the period 2013–2017 aims to increase the security of confidential data and sets procedures for monitoring the security policies for existing LAN and WAN networks and the creation of a disaster recovery operation systems and databases. The Ministry of Administration and Interior issued Instruction 27/2010, containing the rules regarding the organizational and technical measures that must be implemented in the processing of personal data carried out during the prevention, investigation, and combating of criminality and maintaining of the public order activities. The operators are subject, in their work, to the control of the National Supervisory Authority.92 Article 28 of the PDL obliges professional associations to elaborate and submit codes of conduct for approval to the supervisory authority. However, it is not mandatory to include information security measures in these codes of conduct. Furthermore, there are no further rules or guidelines on the implementation of role-based access or the need-to-know principle. The concept of Privacy by Design is relatively new.93 Since Romania is not a frontrunner in privacy and data protection, it is not surprising that Privacy by Design is not a topic of debate in Romania.94 Nevertheless, the concept of Privacy by Design (and other concepts like privacy by default and Privacy Impact Assessments) is taken into account by the supervisory authorities.95 Transparency In general, Romanians show a level of awareness regarding the use of personal information by website owners that is average compared to other EU citizens.96 When dealing with privacy policies, a significant number of Romanians (about 47%) ever decided not to use a website due to its privacy policy. About half of the Romanians never or rarely actually ever read the terms and conditions (49%) or the privacy policy (55%) of a website. If they actually do read the privacy policies, they rarely read the whole text (only 15%, compared to the EU average of 11%). Nevertheless, when reading the text, Romanians feel rather confident that they understand the text mostly or fully (76%, compared to the EU average of 64%).97

92

Published in M. Of. No. 98/12 Feb. 2010. Cavoukian 2009. 94 See also http://hammond-minciu.com/2016/08/10/new-general-data-protection-regulation/. 95 See, e.g., ANSPDCP, Annual Report 2015 at 28; ANSPDCP, Annual Report 2014 at 27, 107; ANSPDCP, Annual Report 2013 at 14. 96 Consent Country Report Romania 2012, p. 4. 97 Consent Country Report Romania 2012, p. 4. 93

8.4 Implementation

169

Lack of information or education may be one of the reasons why less than half of the Romanians change their privacy setting, particularly regarding the protection (i.e., accessibility) of their personal profiles and pictures on social media.98

8.5

Regulatory Authorities and Enforcement

At the same time the new constitution in Romania was established in 1991, also the so-called Avocatul Poporului was established, the national Ombudsman. Privacy and personal data protection were part of the scope of this organization. Only in 1997 the activities of the Avocatul Poporului really got started, but even then few cases regarding privacy and personal data protection were processed.99 In 2004, when Romania still had to accede to the EU, little progress had been made on the implementation of the protection of personal data. The EU concluded that the progress of the implementation was limited and there were considerable concerns regarding the regulatory authority and enforcement. Enforcement activities significantly fell behind in comparison with other member states.100 Assigning the supervision and enforcement of privacy and personal data protection to the Avocatul Poporului was not completely in line with EU Directive 95/ 46/EC, because this directive prescribes that supervision and enforcement should be taken care of by a completely independent and autonomous organization, specifically dedicated to this topic. Although the Romanian Ombudsman is an independent and autonomous organization, it obviously focuses on a much wider range of topics. Already in 2004, the Avocatul Poporului indicated that it had no specialized employees and insufficient structures to perform its tasks regarding privacy and personal data protection.101 In May 2005, a new authority was established, the National Authority for the Control and Supervision of Personal Character Data Processing (ANSPDCP), via Law 102/2005.102 On 1 January 2006 this data protection authority actually replaced the Romanian Ombudsman as enforcement authority. The president of this data protection authority has the rank of minister and the vice-president has the rank of secretary of state or deputy minister.103 Both are appointed by the Romanian senate (the upper house in parliament) for a term of five years.

98

Consent Country Report Romania 2012, p. 39. Manolea 2007, p. 1. 100 EU 2004 Regular report on Romania’s progress towards accession. 101 Manolea 2007. 102 Published in M.Of. No. 391/9 May 2005. 103 Both need to have a minimum of 15 years of experience in their specialisation and need to have a good reputation and a high degree of integrity. Neither a legal education or background nor expertise in the area of human rights and/or privacy and personal data protection is required. 99

170

8 Romania

Supervisory Authorities At the time the Avocatul Poporului was established, legislation created 20 positions for employees that would work on issues regarding privacy and personal data protection. In 2005, only 15 of these positions were actually filled.104 When the ANSPDCP, the data protection authority, was established, a maximum of 50 employees (excluding the president and vice-president of the ANSPDCP) was envisioned in legislation. The data protection authority has an annual budget of approximately 3 million Lei (almost 700,000 euro).105 In recent years, the data protection authority has each year reported a considerable number of vacancies. In 2015, there were nine vacancies (of the maximum number of 50 positions as established in legislation). This shortage of personnel, both in number and in expertise is consistently mentioned in annual reports over the past few years.106 Apart from the ANSPDCP, there is another supervisory authority, namely the National Authority for Management and Regulation in Communications (ANCOM), which has specific competences regarding electronic communications services and providers op telecommunications networks. ANSPDCP has the power to enforce violations of market regulation. The Avocatul Poporului should also have privacy on its radar, but it has been rather quiet in recent years, except for two things. One is a lawsuit the Ombudsman won on the illegitimacy of mandatory registration of prepaid SIM cards before the Romanian Constitutional Court in 2014.107 The other is a case on the regulation on electronic patient’s records it brought before the Romanian Constitutional Court in 2016.108 Main Activities The main activities of the data protection authority are listed on its website. The data protection authority:109 • receives and examines the notifications on the processing of personal data; • authorizes the data processing in the situations stipulated by the law; • can decide, if it ascertains the infringement of this law, the temporary suspension or the cessation of the data processing, the partial or entire erasure of the processed data and can inform the penal bodies or sue; • informs the natural and/or juridical persons about the necessity of complying with the obligations and carrying out the procedures stipulated by Law no. 677/ 2001; 104

Manolea 2007, p. 8. ANSPDCP, Annual Report 2015, p. 103. 106 E.g., ANSPDCP, Annual Reports 2013, 2014, 2015. 107 See https://edri.org/romania-mandatory-prepaid-sim-registration-ruled-unconstitutional/. 108 Press release from 30 November 2016 http://www.avp.ro/comunicate-de-presa/comunicate2016/ comunicat_30noiembrie2016.pdf. 109 http://www.dataprotection.ro/index.jsp?page=about&lang=en. 105

8.5 Regulatory Authorities and Enforcement

171

• keeps and lays at public disposal the register of recording the personal data processing; • receives and solves the complaints, intimations or requests of the natural persons and communicates the given solution or, according to each case, the approaches carried out; • performs preliminary controls, if the data processor processes personal data which are liable of presenting special risks for the persons’ rights and freedoms; • performs investigations, at self-notification or at the reception of complaints or intimations; • is consulted when normative acts regarding the protection of persons’ rights and freedoms, concerning the personal data processing, are drafted; • can make proposals regarding the drafting of normative acts or modifying of normative acts in force, in the field of personal data processing; • cooperates with the public authorities and public administration bodies, centralizes and examines their annual reports regarding the people’s protection concerning the processing of personal data; • issues recommendations and approvals on any matter connected to the protection of the fundamental rights and freedoms, concerning the personal data processing, at any person’s request, including public authorities and public administration bodies; • cooperates with similar authorities from abroad, for mutual assistance, as well as with persons with residence or premises abroad, for the protection of the fundamental rights and freedoms which may be affected by the personal data processing; • carries out other competences stipulated by law. The data protection authority can start investigations ex officio or as a result of a complaint. The DPA may not exercise its investigative powers in case a complaint was previously addressed to a court of law and concerns the same litigating parties and issue. In 2004, there was a considerable increase in activities of the data protection authority. The protection of personal data (and stressing the importance of data controller obligations) was improved via a series of seminars for specific sectors, such as hotels, tourism, internet services, health care, and the financial sector.110 Data protection authorities of 17 Eastern European countries (both EU member states and other countries) have united themselves for closer cooperation. These data protection authorities meet each other two times a year to discuss developments in their respective countries. Also, they established a joint website.111 The data protection authority has the following competences (Article 21): performing audits at data controllers, suspend or discontinue the processing of personal data, partial or total erasure of personal data, starting civil lawsuits, referring cases to police and justice organizations, investigating cases on the basis of complaints or 110 111

Manolea 2007, p. 11. www.ceecprivacy.org.

172

8 Romania

independently and imposing fines. Various categories of administrative fines exist (Chapter VIII of the data protection law). Fines of 120 to 2325 euro exist for failing to notify data processing activities, incomplete notifications or malevolent notifications. Sanctions of 232 to 5800 euro may be imposed for illegal data processing or violating data subject rights. Non-compliance of rules regarding security and confidentiality may result in fines of 3500 to 11,700 euro. Fines of 230 to 3500 euro exist for not answering questions of the data protection authority or not submitting requested documents to the data protection authority.112 In 2016 the maximum fines were increased. Maximum fines are now, depending on the type of non-compliance, between 1,100 and 22,000 euro. For businesses with an annual turnover of more than 1.11 million euro, the fines may be 2% of the annual turnover. Offenders may be criminally liable, not under data protection law, but under criminal law. For instance, violation of secrecy of correspondence is a criminal offence, sanctioned with imprisonment between six months and three years. Use of Competences According to Article 25 of Law 677/2001, citizens have the right to file a complaint at the data protection authority in case they think that their privacy or protection of personal data is violated. First, citizens have to file a complaint at the data controller, but after 15 days, they can file their complaint at the data protection authority. The data protection authority may listen to both the data subject and the data controller, or representatives of either parties. If the complaint is justified, the supervisory authority is empowered to order the temporary suspension or discontinuation of the data processing and/or the partial or total erasure of the processed data.113 The data protection authority may also notify criminal law enforcement agencies or start a lawsuit.114 In 2013, the DPA received approximately 7,500 notifications.115 In the same year, 36 requests for data transfers outside the EEA were approved by the DPA, out of 67 requests.116 Furthermore, 877 complaints and reclamations were received by the DPA in 2013, resulting in 151 investigations. Sanctions were applied in 190 cases (about one third were fines, about two thirds were warnings), out of a total of 229 investigations conducted by the DPA that same year. Finally, in 2013 the DPA received 1242 requests for guidance to assist with interpreting the laws and regulations. Recently the data protection authority has completed a series of investigation on the extent to which organizations comply with personal data protection laws,

112

See www.uk.practicallaw.com/7-520-9524. Privacy and Human Rights 2004: Romania, part of the Privacy and Human Rights 2004 by Electronic Privacy Information Center and Privacy International – available at http://www.legiinternet.ro/privacy_ro2004.htm. 114 Manolea 2007, p. 7. 115 ANSPDCP, Annual Report 2013. 116 https://clientsites.linklaters.com/Clients/dataprotected/Pages/Romania.aspx. 113

8.5 Regulatory Authorities and Enforcement

173

particularly in government organizations, embassies and consulates, public transport companies, medical centers and hospitals, and schools. The most considerable sanctions were imposed for insufficiently implementing measures regarding security and confidentiality of the data and inadequately informing citizens of how their personal data are processed. On its website, the Romanian DPA publishes the sanctions that were imposed each few months. These publications include mentioning of the name of the organization that was fined, the amount of the fine imposed and the violation that was discovered.117 A typical example reads as follows: in July/August 2016, at SC Vodafone Romania SA “It was ascertain [sic] the following: the non-observance [sic] of the obligation provided by Article 3(1) under the conditions provided by Article 3(3)(b) of Law no. 506/2004, amended and completed, because Vodafone Romania SA did not take sufficient adequate technical and organizational measures in order to ensure the protection of the personal data of certain subscribers against the illegal access or dissemination. For this offence, a fine of 10,000 lei was applied.” In 2015, ANSPDCP received and handled 1,335 complaints (1074 complaints and 175 notices), resulting in fines totaling 679,700 lei (about 150,000 euros), and started 106 verification operations, resulting in fines totaling 441,500 lei (about 98,000 euros).118 The approach of ANSPDCP when it comes to fines is not very consistent. Reputation Only 22% of Romanians have heard about the existence of their national Data Protection Authority. This is one of the lowest in the entire EU (average is 37%).119 Obviously, when citizens do not know the DPA even exists, neither will they be aware of its activities. Companies may have a higher level of awareness of the existence of ANSPDCP and its activities due to existing regulation concerning the protection of personal data. In 2015, there was a significant increase in the number of petitions received by the DPA, which may indicate the data protection authority and its legal powers are much better known than in the beginning period.

References ANSPDCP (2013) Annual Report 2013. Available at: https://www.dataprotection.ro/index.jsp? page=home&lang=en ANSPDCP (2014) Annual Report 2014. Available at: https://www.dataprotection.ro/index.jsp? page=home&lang=en

117

For instance, see: http://www.dataprotection.ro/index.jsp?page=Sanctiuni_aplicate_august_ 2016&lang=en. 118 See ANSPDCP, Annual Report 2015. 119 Eurobarometer 431 2015, p. 52.

174

8 Romania

ANSPDCP (2015) Annual Report 2015. Available at: https://www.dataprotection.ro/index.jsp? page=home&lang=en Cavoukian A (2009) Privacy by Design: The 7 Foundational Principles, Information and Privacy Commissioner of Ontario, Toronto, Ontario, August 2009 Chopin I, Germaine-Sahl C (2013) Developing Anti-discrimination Law in Europe. European Commission, Directorate General for Justice. October 2013 Consent Country Report Romania (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Electronic Privacy Information Center and Privacy International (2004) Romania. Privacy and Human Rights. Part of Privacy and Human Rights 2004. Available at http://www.legi-internet. ro/privacy_ro2004.htm Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Manolea B (2007) Institutional framework for personal data protection in Romania. See: https:// www.apti.ro/DataProtection_ro.pdf Şandru S (2013) About data protection and data retention in Romania. Masaryk University Journal of Law and Technology. Vol. 7, No. 2, pp. 379–399

Chapter 9

Italy

9.1

General Situation

The Italian constitution, promulgated in 1947, includes a set of fundamental principles (principi fondamentali) and a set of rights and duties of citizens (diritti e doveri dei cittadini). The fundamental principles (Articles 1–12) recognize the dignity of the person, both as an individual and in social groups and ensure that the government must ensure freedom and equality of every citizen. The first set of rights and duties of citizens (Articles 13–28) are the Italian equivalent of a bill of rights. These provisions include the right to the inviolability of the home and personal domicile (Article 14) and the freedom and confidentiality of correspondence and of every other form of communication (Article 15). Any restrictions or limitations to these rights can only be imposed by judicial decisions and in accordance with the guarantees provided by the law. Italy is a signatory to the Universal Declaration of Human Rights (‘UDHR’), the European Convention on Human Rights (ECHR) and the International Covenant on Civil and Political Rights (‘ICCPR’), three legal instruments that contain a right to privacy (in Articles 12, 8 and 17 respectively). Also, Italy has ratified the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The Constitutional Court established that the ECHR does not have the status of a constitutional law,1 which is in line with the Italian dualistic approach to international law, in which provisions in international treaties need implementation in national law before being directly applicable. Italy was one of the founding members of the EEC, the predecessor of the EU, in 1958. As such, Italy is bound by all EU legislation, including the 1995 Data Protection Directive and the 2009 Charter of Fundamental Rights of the European Union, Articles 7 and

1

Judgments No. 348 and 349, 2007.

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_9

175

176

9 Italy

8 of which relate to the right to privacy and the protection of personal data respectively. Furthermore, Legislative Decree No. 196/2003 (Italian Data Protection Code) provides for safeguards to the right to privacy, by establishing that everyone has the right to protection of the personal data concerning them (Article 1 of the Italian Data Protection Code). Internet Use Italy has a population of more than 60 million inhabitants, of whom it is estimated that 56% have access to Internet services, which is far below the European average (72%). Yet, it appears that when compared to the overall situation in the EU, Italians are more likely to use certain online services than countries that are lower on the index of digital divide. Italy is in the top 10 countries in Europe for usage of online social networks once a week (63%, EU average 57%).2 The same percentage of Italians (63%) regularly use instant messaging or chat websites, which puts Italy in fifth place in the EU ranking.3 Numbers around or below the average for the use of online games (28%, EU average 25%), online banking (40%, EU average 43%), and peer-to-peer exchange of movies or music (23%, EU average 18%) denote the lack of powerful Internet infrastructure and services in Italy. Although Italian citizens are increasingly becoming aware that organizations collect and exploit their personal data,4 they do not seem to act upon it. This perception has been confirmed by some statistical data on the activities performed by the Italian Data Protection Authority (Garante per la protezione dei dati personali, hereafter the ‘Garante’) in 2015.5 In that period, the Garante recorded 24,097 information requests, which is roughly equivalent to the number of 2015 (25,500),6 but a substantial decrease in comparison to 2014 in which it handled 33,201 requests.7 Citizens mostly reported nuisance marketing calls (total number 5,580), followed by complaints about CCTV video surveillance (272 complaints) and job related contacts (248 complaints).8 However, they demonstrated awareness of sensitive issues such as the relationship between data protection and the freedom of expression, as well as the disclosure of photographs – often involving minors – on the web.

2 3 4 5 6 7 8

Eurobarometer 431 2015, p. 109. Eurobarometer 431 2015, p. 110. Based on survey results (see Sect. 1.3.4). Garante 2016, p. 5. Garante 2015, p. 4. Garante 2014, p. 3. Garante 2015, p. 228, Table 10.

9.1 General Situation

177

Companies in that period were mainly concerned with meeting their new obligations under the ‘Cookie law’.9 In line with such concerns, experts surveyed for this research identify compliance with data protection regulations as most companies’ main concern.10 Reputation, as it is deemed an important aspect to gain clients’ trust, seems to play a role in the aftermath of a data breach or a sanction issued by the Garante. Those who wish to keep their good reputation follow the data breach notification obligations and, where applicable, the sanctions imposed. Control According to a recent survey, about 53% of Italians feel to only have partial control over the information they provide online, while 23% of those inquired do not feel in control at all.11 Furthermore, 19% feel as though they have complete control. This seems to indicate that Italy is above the EU average with regard to partial control (EU average 50%) and full control (EU average 15%), and below the average in relation to no control (EU average 31%). Overall, Italians do not seem to be particularly concerned about the lack of control when compared to other EU countries. About 67% of the people indicate concern in this regard. Among Italians, 69% consider providing personal information as an increasing part of modern life, which is slightly below the EU average (71%).12 In this context, about 40% indicate that providing personal data is not a big issue.13 On the other hand, 44% of Italians mind providing personal information in return for free online services.14 Trust When looking at trust in more detail, Italians are generally below the EU average, even though they still are in the top half of the ranking. This is true for sectors such as healthcare and medicine (64%, EU average 74%), public authorities (56%, EU average 66%) and banking and finance (37%, EU average 56%). Trust in shops and stores is 40%, which is perfectly in line with the EU average (40%). In contrast, trust in online businesses like search engines is 28%, which is above the EU average of 24%. In general, Italians seem to believe more in private entities than in government institutions.

9 The ‘Cookie law’ was introduced in Italy with the legislative decree 69 of 28/05/2012 and the Measure of the Garante of 8 May 2014 in the implementation of the Directive 2009/136/EC. It requires companies to have in place different data protection measures according to the cookies’ typology when installing such in users’ browsers. The Garante issued a Clarification Note about this procedure on 5 June 2015. 10 Based on survey results (see Sect. 1.3.4). 11 Eurobarometer 431 2015, p. 10. 12 Eurobarometer 431 2015, p. 29. 13 Eurobarometer 431 2015, p. 32. 14 Eurobarometer 431 2015, p. 40.

178

9 Italy

Protective Actions The number of Italians that has tried to change the privacy settings of their social media profiles is 40% (EU average 57%), one of the lowest rates in the EU, only followed by Hungary.15 Nevertheless, 79% of Italians (compared to EU average 64%) find it easy to make said changes.16 People who do not change the privacy settings indicate that they trust the website to set appropriate privacy settings (20%), do not know how to change the settings (26%), are not worried about having personal data online (27%), do not have time to look at the options (18%), or did not know they could change the settings (16%). National Politics Data protection debates in the Italian parliament take place frequently due to Article 154.1.f of the Italian Data Protection Code (Legislative decree 196/2003, hereafter ‘DPCode’),17 which mandates the Garante to draw ‘the attention of parliament and government to the advisability of legislation as required by the need to protect the rights referred to in Title 2, also in the light of sectoral developments’. Consequently, whenever the processing of personal data is at stake, the Garante is required to comment (by means of formal consultations and the submission of formal position papers) on the data protection implications of a specific piece of legislation.18 In 2015, the Garante rendered 44 opinions covering a variety of topics and public sectors, among which were the processing of data by police and intelligence services, the computerization of public administrative databases and judicial proceedings, taxation issues and health data.19 According to an expert survey conducted for the purposes of this report, (national) security matters have dominated over privacy and data protection concerns in recent years owing to the perceived increased threat of terrorist attacks.20 With regard to data protection rules, the Italian parliament tends to favor regulation more than self-regulation, as is evident from its reasoned opinion on the proposal for the General Data Protection Regulation (GDPR).21 The government is currently working, in close cooperation with the Garante, to take the necessary measures to align national data protection legislation with the GDPR. Furthermore, the Garante has launched information campaigns on the matter (by means of

15

Eurobarometer 431 2015, p. 92. Eurobarometer 431 2015, p. 95. 17 The Code is available in English at the following link: http://194.242.234.211/documents/10160/2012405/Personal+Data+Protection+Code++Legislat.+Decree+no.196+of+30+June+2003.pdf. 18 Based on survey results (see Sect. 1.3.4). 19 Based on survey results (see Sect. 1.3.4). 20 Based on survey results (see Sect. 1.3.4). 21 https://www.huntonregulationtracker.com/files/Uploads/Documents/EU%20Data% 20Protection%20Reg%20Tracker/Reasoned_opinion_Italian_Chamber_of_Deputies.pdf. 16

9.1 General Situation

179

guidelines and infographics) to improve the citizens’ awareness of the upcoming regulation.22 Media Attention In Italy, there is not a specific nationwide debate on privacy or data protection that dominates the media discussion.23 Nevertheless, data protection incidents do make the headlines. The media keeps an eye on the issues pertaining to data protection and the Garante’s activities. The Garante’s media department compiles a database of articles related to its mandate in an effort to comprehensively inform the public. In 2015, it selected approximately 57,200 documents.24 Of these, 14,685 articles originate from Italy’s major newspapers, national magazines, primary local newspapers, online newspapers and blogs that have addressed issues related to privacy. 4,293 articles dealt exclusively with the Garante’s activities. Interviews, speeches and statements by the president and members of the Garante published on paper media numbered 251, while 343 were published online and another 34 were aired on national and local TV and on the radio.25 The Garante however did not include updated numbers in its 2016 report. A privacy-related matter extensively addressed in the media is the hacking into the emails of influential politicians and public institutions.26 Another example that gained the interest of the media dates from September 2016 and involves the release of a revenge porn video. An Italian girl committed suicide after a video clip featuring her went viral.27 Although the debate around the incident focused more on the role of the new technologies and social networks, privacy concerns were raised as well. The Ashley Madison case also had great media exposure. It involved the theft of 25 GB of user data from the commercial website billed as enabling extramarital affairs.28 The Garante cooperated with the competent foreign authorities to assess whether Italian citizens’ personal data were duly processed following the data breach. In August 2017, the online voting platform of the 5 Stars Movement party reported a serious data breach affecting users’ personal data and the internal

22 For instance, by issuing a handbook on privacy at school and the responsible use of apps and social networks. The full list of information campaigns is available only in Italian language here: http://garanteprivacy.it/web/guest/home/stampa-comunicazione/vademecum-e-campagne-informative. 23 Based on survey results (see Sect. 1.3.4). 24 Garante 2015, Section 23.1, p. 187. 25 Garante 2015, Section 23.1, p. 187. 26 http://www.bbc.com/news/world-europe-38568881?intlink_from_url=http://www.bbc.com/ news/topics/0021de37-b64a-46ac-a4bb-5bdbdf0908ec/italy&link_location=live-reporting-story. 27 BBC 2016. 28 https://www.theguardian.com/technology/2015/aug/19/ashley-madison-hackers-release-10gbdatabase-of-33m-infidelity-site-accounts.

180

9 Italy

consultations’ results.29 This event had plenty of media coverage and the Garante in December 2017 published a preliminary measure against the data controller, observing a general failure to comply with the current data protection legislation.30 The entry into force of the new cookie regulation in June 2015 also prompted heated debates.31 The Italian government implemented European Directive 2009/ 136/EC32 by introducing Legislative Decree 69 of 28/05/2012 and delegated to the Garante the identification of binding simplified guidelines.33 The Garante thereafter introduced the Measure of 8 May 2015,34 but several professional media outlets complained that it lacked clarity and technological specifications.35 As a result, the Garante issued a Clarification Note on 5 June 2015,36 including informative material and infographics that rectified the initial problems.37 Data Breaches According to the 2015 report of the Garante, it received 49 data breach notifications formulated by providers of electronic communication services operating in Italy (about the same number as the previous year)38 and 15 notifications for data breaches occurred to public bodies.39 Most of the reported data breaches related to unauthorized access of personal data or accidental loss of contractual documentation. Almost all reported cases involved less than 100 data subjects. A larger number of people was affected only in one case, the results of which are still under investigation at the time of this report.40 In 2015, the Garante examined a total of four cases of major data breaches. In two of them (dated 17 April 2015 and 22

29

Jones and Cinelli 2017. Measure no. 548 of 21 December 2017 by the Garante. http://www.garanteprivacy.it/web/ guest/home/docweb/-/docweb-display/docweb/7400401. 31 http://garanteprivacy.it/cookie. 32 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and Regulation (EC) No. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, introduced the obligation for Member States to regulate the usage of cookies on users’ devices. 33 Legislative decree No. 69 of 28/05/2012, Article 1.5. 34 http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3118884. 35 http://it.ibtimes.com/cookie-law-una-legge-che-non-piace-tra-multe-petizioni-e-tantaconfusione-1404832. 36 http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4006878. 37 http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3661249. 38 Garante 2016, Section 13, p. 94. 39 Garante 2016, Section 4, p. 30. 40 Garante 2016, Section 13, p. 95. 30

9.1 General Situation

181

December 2015), the operators had wrongly assessed their duty to notify the data subjects and had therefore failed to do so.41 The Garante initiated non-compliance proceedings on account of the failed data breach notifications in the four larger cases mentioned above. In one of the cases, the operator gave notification of the data breach to the Garante six months after the incident. In the other three cases, the operators themselves made no communication.42 The Garante was informed about the data breach by affected data subjects. In 2016 the Garante imposed 1,818 sanctions due to failure to report a data breach. Of these, all except one are related to a data breach that affected a major telecommunications operator who failed to notify both the Authority and the 1,817 data subjects involved and has been therefore sanctioned.43 A study by Ponemon Institute for IBM found that the average number of records involved in data breaches in Italy is 20,955 (below the global average of 24,089) and that the organizational cost of such kind of incident is on average 2.60 million dollars (€119 cost per stolen or lost record). Also, between the 12 analyzed countries, Italy is the one where human errors are the most responsible for the breaches.44 Civil Rights Organizations In order to issue guidelines and recommendations on specific topics, the Garante regularly publishes “Notices for public consultation” asking for contributions from “anyone who can be interested, even by organizations, academics and researchers”.45 However, these contributions are not binding for the Garante’s decisions. Federprivacy46 – an association of data protection officers and consultants – organizes yearly meetings (‘Privacy Day’) to promote public awareness of privacy and data protection related issues.47 This organization is supported only by membership fees (from 60 euro per year for ordinary members to 800 euro per year for big companies) and donations. The Italian Institute for Privacy organizes meetings between data protection officers of private organizations and members of the Garante to actively discuss possible friction that may occur throughout the implementation process of the GDPR.48

41

Garante 2015, Section 11.7, p. 108. Garante 2015, Section 11.7, p. 108. 43 Garante 2016, Section 23.5.2, p. 144. 44 Ponemon Institute 2017. 45 The same formula is used in every notice for public consultation. A full list is available on the Garante website at http://www.garanteprivacy.it/web/guest/home/ricerca?p_p_id=searchportlet_ WAR_labcportlet&p_p_lifecycle=0. 46 http://www.federprivacy.it/fp/chi-siamo.html. 47 http://www.federprivacy.it/attivita/agenda/agenda-privacy/privacy-day-forum-2016.html. 48 http://www.istitutoitalianoprivacy.it/it/. 42

182

9.2

9 Italy

National Government Policies

National Policies, Privacy Impact Assessments The DPCode and its Annexes include general and sector-specific policy principles.49 The Annexes came into effect after the DPCode,50 and contain the sector-specific aspects of the decree. They are drafted by the Garante and enacted as “Measures by the Garante”, but are expressly referred to in several articles of the DPCode and thereby have a binding effect. Currently, there are nine Annexes, seven of which are intended as Codes of Conduct (CoCs) (letters A.1 to A.7) and which contain sector specific policies: • A.1: Personal data processing in journalistic activities (Measure by the Garante of 29/07/1998); • A.2: Personal data processing for historical purposes (Measure by the Garante of 14/03/2001); • A.3: Personal data processing for statistical purposes in the activities of the National Statistical System (Measure by the Garante of 31/07/2002); • A.4: Personal data processing for statistical and scientific purposes (Measure by the Garante of 16/06/2004); • A.5: Personal data processing for informational systems managed by private subjects related to consumer credit, reliability and timeliness of payment (Measure by the Garante of 16/11/2004); • A.6: Personal data processing for defensive investigation (Measure by the Garante of 6/11/2008); • A.7: Personal data processing for commercial information purposes (Measure by the Garante of 17/09/2015); • B: Technical specifications regarding minimum security measures; • C: Not occasional processing carried out for judicial or police purposes. Annex C should contain two decrees, one by the Ministry of Justice and one by the Ministry of Interior according to Articles 46 and 53 of the DPCode. However, these governmental acts are not approved yet.51 Privacy Impact Assessments are not mandatory in Italy. However, Article 17 of the DPCode mandates the Garante to perform a prior check when data processing operations take place that entail specific risks. Moreover, the Garante regularly issues opinions on sector-specific data processing activities, for instance, on internet and telephone traffic data.52

49

Based on survey results (see Sect. 1.3.4). An exception thereof are the Annexes A.1, A.2 and A.3, which were introduced with the Italian data protection law preceding the DPCode. 51 http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1557209. 52 http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1502599. 50

9.2 National Government Policies

183

Privacy and Data Protection in New Policies The DPCode establishes data protection principles that must be complied with in every sector, both private and public. As a consequence, data protection principles are often considered in the elaboration of policies related to data processing. When it comes to anticipating new technological developments and their implications for future policies, however, it is the Garante and not the Italian government that plays a more active role. The Garante engages with the assessment of specific technological phenomena and their overall data protection implications on a regular basis. For instance, the assessment of the processing of big data by the National Statistical Institute for the purposes of energy consumption followed an initial assessment of the case and an approval by the Garante in 2014. Since then, the Garante has made a habit of sponsoring stakeholder meetings that contribute to the evaluation of big data developments.53 The same approach was applied in relation to initiatives concerning the Internet of Things (IoT) – the Garante initially promoted a public consultation on the matter.54 Furthermore, following the ‘Privacy Sweep Day 2016’, an initiative organized by the Global Privacy Enforcement Network (GPEN), the Garante started a ‘sweep investigation’ on the data protection compliance of data controllers in the context of the Internet of Things.55 With regard to the quantified-self movement, the Garante organized specific meetings to discuss the matter.56 Societal Debate The Italian government’s approach towards privacy matters is understood to be more reactive than proactive.57 Therefore, specific dialogues between political parties and civil rights organizations on privacy-related matters do not take place in a highly structured manner. Evidence for this claim can be found in the previous government’s efforts to enhance the digitalization of public administration and to promote e-Governance tools, while at the same time awarding almost no attention to issues pertaining to personal data protection. Internet consultations have only recently become instrumental for public engagement; the Five Star Movement led this approach by framing its political decisions by considering the outcome of such consultations.58 Internet consultations were also initiated by the Garante to collect information on the use of the Internet of Things.

53

http://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/5846360. http://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3898704. 55 http://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4877134. 56 http://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3693403. 57 Based on survey results (see Sect. 1.3.4). 58 The Five Star Movement is a political party founded in 2009 by the former comedian Beppe Grillo and the entrepreneur Gianroberto Casaleggio. For the first time in Italy, candidates for the political election of 2013 were chosen online by the members of the party; the same happened in the following European and local elections. The party used online consultations to expel several members when not complying with its guidelines. Official website: http://www.movimento5stelle.it. 54

184

9 Italy

Information Campaigns Information campaigns on data protection that are directly or indirectly supported by the Italian government are rare. One of the recent well-known initiatives was introduced by the Ministry of Home Affairs together with the Ministry of Education, Universities and Research and the Italian Police, and included an information campaign on the use of the Internet and social media and the consequences of cyberbullying.59 The DPA, in its turn, has a major role in increasing awareness towards data protection and privacy rights, and it does so by regularly organizing seminars or publishing papers.60 These, however, mostly aim to inform professionals and the industry on how to comply with data protection laws and do not directly address citizens’ concerns. In 2016 the informational activity of the Garante mostly focused on the explanation of the General Data Protection Regulation.61 The campaigns that do address citizens mainly focus on the protection of minors.62 The Garante published a small guide named “Privacy at school”, which covered issues in the so-called “school 2.0”, new forms of communication on the Internet and prevention of cyberbullying.63

9.3

Laws and Regulations

Implementation of the EU Directive EU Directive 95/46/EC was first implemented by the Protection of Individuals and Other Subjects with regard to the Processing of Personal Data Act (Law no. 675/ 96). However, in 2004 the Consolidation Act regarding the Protection of Personal Data (Data Protection Code - Legislative Decree No. 196 of 30 June 2003, the DPCode) replaced the initial act.64 In contrast to its predecessor that mainly regulated specific data processing, the DPCode aimed to unify the data protection framework. It also contains conduct guidelines for journalistic, historical, scientific or statistical activities. From the adoption of the first privacy Law no. 675/96 until 2011, when a new multipurpose act (Law no. 214/2011) changed the definitions of

59

http://www.istruzione.it/allegati/2016/Piano_azioni_definitivo.pdf. http://garanteprivacy.it/web/guest/home/stampa-comunicazione/vademecum-e-campagneinformative. 61 Garante 2016, Section 25.1, p. 168. 62 Based on survey results (see Sect. 1.3.4). 63 Garante 2016, Section 25.3, p. 169. 64 The full text in English is available here: http://194.242.234.211/documents/10160/2012405/ Personal+Data+Protection+Code+-+Legislat.+Decree+no.196+of+30+June+2003.pdf. 60

9.3 Laws and Regulations

185

“personal data” and “data subject”, all the data protection provisions applied to both natural and legal persons. From that moment on, the scope of the law had been narrowed down exclusively to natural persons.65 Furthermore, the DPCode contains rules and measures concerning the controllers of processing operations executed with the help of electronic tools in view of performing system administrators’ tasks.66 Thus, the directive was implemented with additional provisions.67 Sectoral Legislation The ePrivacy Directive 2009/136/EC,68 which obliges member states to introduce new regulation on secure processing and cookies, was transposed into Italian law in the course of 2012, in particular by legislative decree No. 69/2012, which introduced the ‘personal data breach’ concept into the Italian legal landscape and set forth the obligations to be fulfilled by providers of publicly available electronic communications services in case of such data breaches (see Article 32-bis of the DPCode).69 The obligation includes, for this type of provider, a notification of the data breach without any further delay to the Garante (Article 32-bis 1), and eventually to the affected users if the breach is likely to adversely affect the personal data or privacy of a subscriber or individual (Article 32-bis 2). The DPCode defines sensitive data in Article 4 d as: personal data requiring special precautions on account of its nature. Sensitive data is any data that can disclose a person’s racial origin or ethnicity, religious or other beliefs, political opinions, membership of parties, trade unions and/or associations, health, or sex life.70

Furthermore, the DPCode considers “judicial data” (Article 4 e) sensitive data as well. The latter is defined as: personal data disclosing that certain judicial measures have been taken in respect of a person such as to require their inclusion into that person’s criminal record (e.g. final criminal convictions; paroling; residency and/or movement restrictions; measures other than custodial detention). The fact of being a defendant and/or the subject of criminal investigations falls within the scope of this definition as well.71

65

Vecchi and Marchese 2016. http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1628774. 67 Based on survey results (see Sect. 1.3.4). 68 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and Regulation (EC) No. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. 69 Legislative decree No. 69 of 28/05/2012, Articles 2, 3 and 4. 70 http://www.garanteprivacy.it/web/guest/home_en/data-protection-and-privacy-glossary. 71 http://www.garanteprivacy.it/web/guest/home_en/data-protection-and-privacy-glossary. 66

186

9 Italy

In 2015, the Special Commission of the Chamber of Deputies for the Rights and Duties on the Internet adopted a Declaration of Internet Rights that contains, among others, directives on personal data protection (Article 5), a right to informational self-determination (Article 6), a provision on anonymity (Article 10), and a right to be forgotten (Article 11).72 The declaration is intended as a guide for future legislative endeavors.73 In November 2017, the Italian Parliament approved law no. 167 of 2017 (“Legge Europea 2017”) which introduced the obligation for telecommunication operators to retain telephone and internet data up to 6 years. According to several commentators, this law is in clear conflict with the case law of the Court of Justice of the European Union.74 On 13 November 2017, the European Data Protection Supervisor Giovanni Buttarelli expressed that the new Italian law fails to respect the European approach to data protection.75 The President of Garante, Antonello Soro, stated that “the decision to raise data retention to 6 years it is not understandable and ignores not just the case law of the Court of Justice of the European Union but also the common sense”.76 Many parts of it can be found in the GDPR as well. Self-regulation and Codes of Conduct The Italian institutional system does not support the decentralized regulation of privacy. Except for the government and parliament, the Garante is the only body authorized to make binding regulations and recommendations on data protection. As prescribed by Articles 12 and 154(1) e of the DPCode, the Garante encourages and promotes the adoption of codes of conduct. In 2010, the former Minister of the Interior, Mr. Maroni, proposed a bill including the “Self-regulatory code for the protection of the dignity of the person on the Internet” following recommendation 2160/2008 of the European Parliament.77 The Code aimed, among others, to protect persons against racial, gender, social and religious hatred online. Even though not directly mentioned in the Code, a right to privacy and confidentiality was included in the preamble of the Memorandum of Understanding between the Government and the other parties.78 However, the bill was never adopted and the Government has taken no further initiatives to promote self-regulation in personal data protection.

72 Full text of the Declaration is available at http://www.camera.it/application/xmanager/projects/ leg17/commissione_internet/TESTO_ITALIANO_DEFINITVO_2015.pdf. 73 Website of the Special Commission for rights and duties on the Internet http://www.camera.it/ leg17/1174. 74 Hermes Center 2017. 75 Frediani 2017. 76 Privacy Italia 2017. 77 http://www.ilsole24ore.com/fc?cmd=document&file=/art/SoleOnLine4/Norme%20e% 20Tributi/2010/05/bozza-definitiva-codice-autodisciplina.pdf?cmd=art. 78 http://www.ilsole24ore.com/fc?cmd=document&file=/art/SoleOnLine4/Norme%20e% 20Tributi/2010/05/bozza-definitiva-Protocollo-Codice-Autodisciplina.pdf?cmd=art.

9.4 Implementation

9.4

187

Implementation

When it comes to abiding data protection standards within organizations, codes of conduct play an important role. In line with Articles 12 and 154(1) e of the DPCode, the Garante encourages the adoption of codes of conduct and professional practices for specific sectors. The Garante assist in the drafting processes and makes sure the proposed codes comply with the applicable data protection laws. Codes of Conduct, adopted by the Garante with a Measure pursuant to Articles 12 and 154(1) e, are considered an integral part (as Annexes) of the DPCode and are therefore binding.79 For instance, by adopting the Measures No. 203 of 17 April 2014, the Garante prescribed certain steps as an integral part of the Codes of Conduct revision process. The steps are of particular relevance when designing Codes of Conduct relating to “Personal data processing for informational systems managed by private subjects related to consumer credit, reliability and timeliness of payment”.80 Moreover, Article 12(3) stipulates that observing the provisions set forth in the relevant code of conduct is a prerequisite for compliant data protection processing. A list of all Codes of Conduct can be found on the Garante’s website.81 Over the years, the Italian DPA has also adopted numerous decisions and guidelines,82 which provide clarification on data protection principles and guidance for their concrete application in different sectors.83 These decisions are largely based on EU data protection law as interpreted by the CJEU (as, for instance, in the Google Spain case)84 and Article 29 Working Party opinions.85 An example of such an activity is the General Application Order Concerning Biometrics.86

79

See above under Sect. 9.2. http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3070048. 81 A list of the codes of conduct is available on the Garante website at http://www.garanteprivacy. it/home/provvedimenti-normativa/normativa/normativa-italiana. See above under Sect. 9.2. 82 “Decisions” are judgments made in response to different kinds of complaints reported to the Garante (see below under Sect. 9.5). “Guidelines” are general indications given by the Garante in relation to specific kind of processing in order to guarantee a correct application of the principles of the DPCode (a list of the issued guidelines is available at http://www.garanteprivacy.it/web/guest/ home/docweb/-/docweb-display/docweb/1772725). 83 For an example of such decisions see: http://www.garanteprivacy.it/web/guest/home_en/maindecisions. 84 http://curia.europa.eu/juris/fiche.jsf?id=C%3B131%3B12%3BRP%3B1%3BP%3B1% 3BC2012%2F0131%2FJ&pro=&lgrec=en&nat=or&oqp=&dates=&lg=&language=en&jur=C% 2CT%2CF&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C% 252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&td=%3BALL&pcs= Oor&avg=&mat=or&parties=google%2Bspain&jge=&for=&cid=495953. 85 Based on survey results (see Sect. 1.3.4). 86 http://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3590114. The full list of the general decisions is available here http://garanteprivacy.it/web/guest/home/ docweb/-/docweb-display/docweb/3755203. 80

188

9 Italy

Privacy Officers Under the DPCode there was no requirement to appoint a Data Protection Officer (DPO).87 Although this did not mean that organizations in the private sector did not appoint DPOs on a voluntary basis, it is difficult to estimate the number of DPOs, as there is no obligation to register a DPO or to notify the Garante upon an individual appointment. Moreover, there are no particular knowledge or expertise requirements for DPOs. However, the Garante started already prior to the GDPR recommending a DPO appointment to organizations that manage electronic patient records.88 Larger organizations tend to appoint a DPO already prior to the GDPR. However, oftentimes DPOs are not truly independent in the exercise of their function. Furthermore, in the majority of cases their responsibilities are just a part of their overall tasks and activities within the respective company.89 It should also be noted that recent trends indicate that larger Italian organizations prefer to hire an external data protection consultant to deal with their data protection obligations.90 Security Measures Organizations are required to ensure their full compliance with the obligations set forth by the DPCode. Implementing Privacy by Design (PbD) measures and particular data protection principles that are endorsed by the DPA’s decisions may contribute to this. However, as PbD methodologies are not legally compulsory, these have only recently started to catch the attention of companies and are slowly starting to be implemented.91 With regards to particular security measures, Article 31 et seq. of the DPCode are of particular relevance.92 Information security is implemented by means of ISO certificates and codes of conduct.93 Data controllers may be sanctioned in the case of non-compliance with the minimum security measures described in Annex B of the DPCode.94 For instance, role-based access is prescribed as a compulsory measure in Annex B, 13: “Authorization profiles for each person or homogeneous set of persons in charge of the processing shall be set out and configured prior to the

87

Based on survey results (see Sect. 1.3.4). http://194.242.234.211/documents/10160/0/Linee+guida+in+materia+di+dossier+sanitario++Allegato+A.pdf. 89 Based on survey results (see Sect. 1.3.4). 90 Based on survey results (see Sect. 1.3.4). 91 Companies have only recently begun to consider PbD due to the entry into force of Article 25 of the GDPR. 92 Provisions on data and systems security, also containing procedures to follow in case of data breaches. 93 Based on survey results (see Sect. 1.3.4). 94 Technical specifications concerning minimum security measures, http://www.garanteprivacy.it/ web/guest/home/docweb/-/docweb-display/docweb/1557184. 88

9.4 Implementation

189

start of the processing in such a way as to only enable access to the data that are necessary to perform processing operations.” Transparency About half of the Italian people never or rarely read a website’s terms and conditions (45%) or privacy policies (50%). Those who read the privacy policies rarely read the whole text (Italy 11%, EU average 10%), although they are quite confident that – when reading it – the text is mostly or fully understood (Italy 65%, EU average 64%).95 Furthermore, the majority of Italians (83%) believe that websites collect users’ personal data without notification.96 This sentiment is corroborated by the findings of an expert inquiry, which indicates that privacy settings are usually set to collect as much personal data as possible.97 The lack of particular transparency initiatives by organizations when it comes to the collection and processing of personal data is believed to have its cause in a particular attitude of the public. In this regard, Italians tend to focus on the role of the institutions and largely ignore individual roles and responsibilities.98

9.5

Regulatory Authorities and Enforcement

Supervisory Authorities The Garante is the independent authority set up to protect fundamental rights and freedoms in connection with the processing of personal data and to ensure respect for individual dignity. Although some of the Garante’s tasks are delegated to the regions, there are no data protection authorities or bodies at a regional level. The Garante is a collegial body made up of four members (President, Vice president and two members) that are elected by parliament every seven years on non-renewable terms. The current Garante members were elected in 2012. The Italian data protection authority is comprised of a total of 123 employees.99 Its budget for 2016 amounted to €19.9 million (compared to €19.2 million in 2015). Half of this budget has been provided by the Italian government, while the other half has been allocated by other independent authorities as prescribed by law.100

95

Consent Country Report on Italy 2012, p. 4. “Il valore della privacy nell’epoca della personalizzazione dei media” Survey by CENSIS, 7/ 10/2012, p. 6. 97 Based on survey results (see Sect. 1.3.4). 98 “Il valore della privacy nell’epoca della personalizzazione dei media” Survey by CENSIS, 7/ 10/2012, p. 10. 99 http://194.242.234.211/documents/10160/7610771/Dotazione+organica+al+1%C2%B0 +febbraio+2018. 100 Garante 2016, Section 27.1, p. 184. 96

190

9 Italy

Main Activities The DPA is regulated by Title II of the DPCode. Its tasks are laid down in Article 153 et seq. of the DPCode and include the following: • Overseeing compliance with the data protection provisions; • Handling claims, reports and complaints by citizens; • Banning or blocking processing operations that cause serious harm to individuals; • Controlling, also on the citizens’ behalf, the data processing operations of the police and intelligence services; • Carrying out on-the-spot inspections to access databases directly; • Reporting to the judicial authorities on serious breaches; • Raising public awareness of privacy legislation; • Promoting the adoption of codes of practice for various industry sectors; • Granting general authorizations for the processing of certain data categories; and • Participating in international activities, with particular regard to the work of the joint supervisory authorities of Schengen, Europol and the Customs Information System. The specific powers of inquiries and controls of the Garante are regulated in Articles 157 et seq. DPCode, while Articles 161 et seq. DPCode list sanctions that assist the enforcement of data protection principles. Furthermore, the DPCode provides three options for data subjects to address a complaint to the Garante: • Formal appeal: regulated in Articles 145 to 151 DPCode, it is an alternative to ordinary justice. It cannot be applied if there is litigation pending in regular courts on the same issue. A formal appeal also prevents the data subject from resorting to the ordinary justice system for the same matter after the DPA has been involved. With a formal appeal, the Garante can block the data processing and order the controller to pay the costs of the appeal. • Complaint (Reclamo): embedded in Articles 142 and 143 of the DPCode. These are detailed complaints on unlawful processing that may be submitted by data subjects or their representatives in an informal way. • Reports (Segnalazioni): regulated in Article 144 DPCode, these are informal complaints that can, however, be followed up by the DPA with further investigations. The Garante has been active from its inception in 1997 and has, in particular, devoted much attention to drafting sectorial codes of conduct. The Garante advises both public institutions, including parliament and the government, as well as citizens and private entities that need clarification on privacy and data protection matters. In order to ensure the consistency of new legal instruments with data protection principles, the Garante provides mandatory opinions on draft legislation. Furthermore, following Article 154 of the DPCode, the Garante can draw the

9.5 Regulatory Authorities and Enforcement

191

attention of the government to the need for regulatory measures in the data protection sector. The Garante’s website (www.gpdp.it) contains a full range of information on the decisions and opinions they issued, along with the relevant primary and secondary legislation (in Italian). A periodical newsletter reports on the Garante’s activities and the main developments in the field of data protection.101 Use of Competences In 2016, the Garante handled about 4,600 inquiries, claims and reports relating to insurance companies, telemarketing, consumer credit, video surveillance, credit and banking, internet, journalism, health care and welfare services.102 A total of 277 complaints was decided upon. These mainly concerned banks and financial companies, marketing companies, publishing houses, public administrative bodies and public service outsourcing, as well as business information services. The Garante further issued 20 opinions upon the request of the government and parliament on a variety of issues, including personal data usage by police and intelligence services, the computerization of public administrative databases and judicial proceedings, and health data.103 As for public outreach, more than about 24,000 requests for information were handled, in particular, relating to unsolicited marketing calls, video surveillance and data protection in the workplace. A total number of 2,369 notifications were received in 2016.104 In the same year, the Garante carried out 282 inspections, some of them with the help of the Privacy Squad of Italy’s Financial Police. The targeted organizations included software houses providing support to police investigations and the judiciary, call centers in the telemarketing industry, and money transfer companies. As for the public sector, the DPA’s inspections appear to have focused mostly on taxation and the revenue agency with particular regard to security measures, internal audits, and e-health applications.105 The administrative violations found in 2016 total 2,339, which appears to be an increase of about 40% compared to the year before, even though the number of inquiries, claims, reports, complaints and requests for information generally decreased. A substantial portion of them are related to unlawfully processed data due to the lack of consent, the failure of electronic communications service providers to notify data breaches, providing no or flawed information to users on the processing of their personal data, etc.106 Regardless of the substantial increased 101

For instance, the newsletter dated 14 February 2017 concerns the indiscriminate monitoring of employees’ emails and smartphones, telemarketing and electronic passport. The archive of all issued newsletters is available on the Garante website at http://www.garanteprivacy.it/web/guest/ home/ricerca?p_p_id=searchportlet_WAR_labcportlet&p_p_lifecycle=0. 102 http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/5570645. 103 Garante 2016. 104 Garante 2016. 105 Garante 2016. 106 Garante 2016.

192

9 Italy

amount of violations found, the administrative fines levied totaled about €3.29 million, against the €3.35 million collected in 2015. The Garante lodged reports with judicial authorities in 53 cases – in particular due to the failed adoption of minimum security measures, which was the case in 66% of the submitted reports.107 Information on the outcome of those submissions is not available. Moreover, it is impossible to obtain exact numbers on the amount of lawsuits involving data protection in Italy: the categorization used in statistics by the Ministry of Justice puts these in the same class as many other lawsuits. Reputation As the Garante has the power to impose sanctions upon companies, the latter are much more aware of the Garante and its activities than citizens. Organizations that monitor the Garante’s decisions and follow data protection developments closely, tend to turn to the data protection authorities for advice. Consequently, in their interaction with the Garante there is much less fear of sanctions compared to other entities which do not voluntarily engage with it on a regular basis.108 Citizens see the Garante as a point of reference when an assessment of the processing of their personal data is needed.109

References BBC (2016) Tiziana Cantone: Suicide following years of humiliation online stuns Italy. BBC.com, see http://www.bbc.com/news/world-europe-37380704 Consent Country Report Italy (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Frediani C (2017) Garante privacy Ue: “Sulla protezione dei dati l’Europa è leader”. Lastampa.it. http://www.lastampa.it/2017/11/13/esteri/garante-privacy-ue-sulla-protezione-dei-dati-leuropaleader-edTINi7G4UzW0KvDtM6emL/pagina.html Garante (2014) Garante per la Protezione dei Dati Personali, Relazione Annuale (Annual Report) 2014 Garante (2015) Garante per la Protezione dei Dati Personali, Relazione Annuale (Annual Report) 2015 Garante (2016) Garante per la Protezione dei Dati Personali, Relazione Annuale (Annual Report) 2016 Hermes Center (2017) Italy extends data retention to six years. Edri.org, 29 November 2017, https://edri.org/italy-extends-data-retention-to-six-years/ Jones G, Cinelli A (2017) Hacking attacks: a pre-election setback for Italy’s 5-Star Movement. Reuters.com, see https://www.reuters.com/article/us-italy-politics-5star/hacking-attacks-a-preelection-setback-for-italys-5-star-movement-idUSKBN1CA1TM

107 108 109

Garante 2016, p. 197, Table 7. Based on survey results (see Sect. 1.3.4). See above under Sect. 9.1.

References

193

Ponemon Institute (2017) Cost of Data Breach Study – Global Overview, IBM Security, https:// www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN Privacy Italia (2017) In vigore la legge che impone la Data Retention a 6 anni. PrivacyItalia.eu. 12 December 2017. See https://www.privacyitalia.eu/vigore-la-legge-impone-la-data-retention6-anni/5463/ Vecchi D, Marchese M (2016) Chapter 15 – Italy. The Privacy, Data Protection and Cybersecurity Law Review, 3rd edn. Law Business Research

Chapter 10

Conclusions

The previous eight chapters provided answers to the five subquestions of this research. The general situation regarding privacy and personal data protection in each country was described and national government policies, laws and regulations, implementation and regulatory authorities and enforcement were investigated. As indicated in Chap. 1 (see Table 1.1), within these five topics of comparison, a total of 23 aspects (labels) were used to cluster the answers. In this chapter, the key question of this research (“What is the position of different countries with regard to the protection of personal data in comparison with other EU member states?”) will be answered. Section 10.1 compares the eight selected countries with each other on each aspect. Section 10.2 integrates these findings and describe an approximate general ranking of the countries.

10.1

Comparing Countries

10.1.1 General Situation All the countries examined are signatories to international and European legal instruments that include the right to privacy, such as the Universal Declaration of Human Rights (UDHR, Article 12), the International Covenant on Civil and Political Rights (ICCPR, Article 17), the European Convention on Human Rights (ECHR, Article 8), and the Charter of Fundamental Rights of the European Union

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8_10

195

196

10 Conclusions

(Articles 7 and 8). In France,1 Romania and the Netherlands, there is a monistic approach towards international law, meaning that international and national law are considered as one legal system in which provisions in international treaties have direct applicability in national law, without requiring further implementation. In Germany,2 the UK,3 Ireland,4 Sweden,5 and Italy,6 there is a dualistic approach towards international law, meaning that international and national law are considered as separate legal systems and provisions in international treaties require implementation in national law before being applicable. With regard to their constitutional law – apart from the UK, which has no written constitution7 – all countries investigated include privacy rights in their constitution in regards to respecting their home and correspondence. The constitutions of the Netherlands, Sweden, and Romania contain explicit provisions on the right to privacy. In the UK and France, the right to privacy is laid down in other legislation (the Human Rights Act8 and the Code Civil,9 respectively). In the other countries, i.e., Germany,10 Ireland,11 and Italy,12 the right to privacy is construed by courts on the basis of other constitutional rights. Internet Use When focusing more specifically on informational privacy and personal data protection, several aspects on the use and perception of personal data were selected to provide the general context and setting for each of the countries in this research. The Eurobarometer 431 report (see Sect. 1.3.4) provides a lot of details. A summary of these data is provided in Table 10.1.

1

Constitution de la République française (Constitution du 4 octobre 1958), Article 55. Kommers 2012. 3 Atkin and Atkin 1997, p. 45. 4 Review of implementation of the United Nations Convention against Corruption, Ireland: Executive Summary, CAC/COSP/IRG/2015/CRP.12 (1 June 2015), § 1.1. 5 Hermida 2004, p. 141. 6 With verdicts nr. 348 and 349 of 2007, the Constitutional Court clarified that only European Union laws have direct applicability, whilst other international laws require to be implemented by national laws or be object of a constitutional check by the same Court. See also Cartabia 2007. 7 Blick and Blackburn 2012. 8 Human Rights Act 1998 (c42). 9 Le Code civil des Français, Article 9. 10 Mikrozensus, 27 BVerfGE 1, 6 (1969). See also Dörr and Aernecke 2012, p. 114. 11 McGee v. Attorney General [1974] IR 284; Kennedy and Arnold v. Attorney General [1987] IR 587. 12 In Italy, before the obligations imposed by EU Directive 95/46/EC, the right to privacy was first introduced by the Court of Cassation in 1975 (Corte di Cassazione, sez. III civile, sentenza 27/05/ 1975, n. 2129) on the basis of different rights granted by the Constitution. See also Granara, D. (2015) Il fronte avanzato del diritto alla riservatezza. Riv. it. dir. pubbl. com (2015): 3–4. 2

10.1

Comparing Countries

197

Table 10.1 Internet use (at least once a week) of certain services within the EU. The lowest and highest numbers are not for all EU member states, but only for the eight countries selected in this research.a Lowest

EU average (%)

Social media Germany (46%) 57 Chatting Netherlands (43%) 53 Online banking Romania (16%) 43 Online phone calls Germany (18%) 27 Online gaming Germany (17%) 25 Online shopping Romania (10%) 17 a Based on Eurobarometer 431 2015, pp. 109–112

Highest Ireland (66%) Italy (63%) Netherlands (75%) Ireland (43%) Romania (40%) United Kingdom (41%)

When looking at internet use, 57% of EU citizens use social networks at least once a week. Of the countries investigated, citizens in Ireland and Sweden use the Internet the most and only France and Germany are below this average.13 Instant messaging and chat websites [sic] are used at least once a week by 53% of EU citizens. Of the countries investigated, only Italy is above this average, whereas the other countries are below this average.14 Online banking is used at least once a week by 43% of EU citizens. The Netherlands, Sweden, Ireland and the UK are above this average, whereas Germany, France, Romania, and Italy are below this average.15 Phone calls and video messaging over the Internet are used at least once a week by 27% of EU citizens. The Netherlands and Germany are below this average and the other countries investigated are above this average.16 Online games are used at least once a week by 25% of EU citizens. The UK, Sweden, and Germany are below this average, the other countries investigated are above this average.17 Online shopping is used at least once a week by 17% of EU citizens. The UK and Ireland are above this average, and the other countries investigated are below this average.18 In general, there is frequent use of the Internet across the EU. Control over Personal Data When asked about how much people feel in control over their personal data, 15% of EU citizens indicate that they feel completely in control. Romania, Sweden, the Netherlands, and Germany are below this average, whereas the UK, Ireland, France, and Italy are above this average.19 In general, feelings of control are rather low. When asked about the level of concern people have regarding their personal data,

13 14 15 16 17 18 19

Eurobarometer Eurobarometer Eurobarometer Eurobarometer Eurobarometer Eurobarometer Eurobarometer

Survey Survey Survey Survey Survey Survey Survey

431 431 431 431 431 431 431

2015, 2015, 2015, 2015, 2015, 2015, 2015,

p. p. p. p. p. p. p.

109. 110. 110. 111. 111. 112. 10.

198

10 Conclusions

concern is relatively high in the UK and Ireland, medium in Germany, Italy, and France, and relatively low in the Netherlands, Romania, and Sweden.20 In general, levels of concern are quite high throughout the EU. Levels of acceptance, i.e., accepting that your personal data are processed as part of modern life, are quite high across the EU at 71%. Only Italy, France and Romania are below this average.21 Nevertheless, a large minority considers the processing of personal data to be a big issue (EU average 35%). Only Romania and France are below this average.22 When asked how comfortable people are with personalized information and advertising, only an average of 6% feel this is acceptable. An average of 53% across all EU member states feels fairly uncomfortable or very uncomfortable with this. Ireland, the UK, Italy, and Romania are less uncomfortable than this average, whereas Sweden, Germany, the Netherlands, and France are more uncomfortable than this average.23 Table 10.2 provides an overview of the different indicators for control and levels of concern, acceptance and discomfort with a lack of control. For some countries there seems to be a relation between low levels of perceived control over personal data, low levels of concern (such as the Netherlands, Romania, and Sweden), and low levels of discomfort (such as the Netherlands, Sweden and Germany). The low levels of concern may indicate a realist attitude and a large amount of confidence regarding the collection and processing of personal data. However, the low levels of discomfort may also indicate a rather apathetic attitude towards personal data. The common law countries, Ireland and the United Kingdom, seem to be in a whole different category, in which perceived levels of control over personal data are relatively high, together with high levels of concern and discomfort. This may be at odds, as people who (perceive to) have control over concerning or discomforting situations may be triggered to take action. The lack of actions may be due to the so-called privacy paradox, indicating that people say they are concerned about privacy but refrain from taking protective measures.24 Awareness Surveys results on awareness differ, as they focus on different topics awareness can be about. Also, awareness is difficult to measure, as asking for awareness about something may actually create awareness about it. Hence, when it comes to awareness, different indicators can be compared. A general aspect of awareness regarding the protection of personal data is the awareness of the use of personal information by website owners (for various purposes, such as contacting users via e-mail, but also to personalize the contents of websites or advertisements). The percentage of people that are aware of this is shown in Fig. 10.1. In this respect,

20 21 22 23 24

Eurobarometer Survey Eurobarometer Survey Eurobarometer Survey Eurobarometer Survey Norberg et al. 2007.

431 431 431 431

2015, 2015, 2015, 2015,

p. p. p. p.

13. 29. 32. 40.

10.1

Comparing Countries

199

Table 10.2 Level of (perceived) control over personal data, level of concern (on not having complete control), level of acceptance, the extent to which providing personal data is not a big issue, and level of discomfort with personalized information and advertising.a The lowest and highest numbers are not for all EU member states, but only for the eight countries selected in this research Lowest Perceived (complete) control

Germany (4%) Concern about not having complete control Sweden (41%) Acceptance Romania (48%) Providing personal data is part of modern life France (23%) Discomfort with personalized information and Germany advertising (64%) a Based on Eurobarometer 431 2015, p. 10, 13, 29, 32 and 40

EU average (%)

Highest

15

Ireland (20%)

67

Ireland (79%)

71

Netherlands (86%) Netherlands (48%) Ireland (39%)

35 53

there are high levels of awareness across the EU. Awareness in Romania, the Netherlands, Italy, and Germany is above average. Another indicator for awareness is the extent to which citizens actually experienced privacy violations. This is shown in Fig. 10.2, in which a score between 1 and 7 could be given (1 = never, 7 = very frequently). The UK and Ireland are below the EU average, whereas the Netherlands, Romania, Italy, France, and Germany are above the EU average.25 Data for Sweden is not available. In general, it can be concluded that in the entire EU, citizens do not experience privacy violations very often. However, this does not necessarily imply that very few privacy violations actually take place; it may be the case that privacy violations are not noticed, observed or experienced as such. As privacy policies are intended to contribute to transparency regarding the collecting and processing of personal data, a third indicator for awareness is the extent to which people consult and understand the contents of privacy policies (or the terms and conditions if these provide such information). However, a large amount of people rarely, or never, read these documents. Nevertheless, large amounts of people feel they understand the entire text or large parts of the texts in these documents.26 Figure 10.3 shows percentages of people who indicate to mostly or fully understand privacy policies. In general, many EU citizens feel they understand privacy policies. Obviously, these data do not show whether these people actually do understand the privacy policies. Also, it was not examined whether the privacy policies provide accurate information on personal data collection and processing practices.

25 26

CONSENT 2012. Jensen et al. 2005.

200

10 Conclusions

100 90

83

80 70

71 60

74

84

89

77

65

60 50 40 30 20 10 0

Fig. 10.1 Percentage of people that are aware of the use of personal information by website owners. Based on the CONSENT survey (2012) (CONSENT 2012. No data available for Sweden)

4

3.5

3.36 3.15

3

2.89 2.6

2.92

3.01

3.05

2.63

2.5

2 United Kingdom

Ireland EU average Netherlands Romania

Italy

France

Germany

Fig. 10.2 How often citizens actually experienced privacy violations (1 = never, 7 = very frequently) (Based on the CONSENT country reports. No data was available for Sweden)

10.1

Comparing Countries

201

100 90 80 70 60

65

64

68

72

76

76

59 54

50 40 30 20 10 0

Ireland

United EU average Kingdom

Italy

France Netherlands Germany

Romania

Fig. 10.3 Percentage of people indicating they mostly or completely understand privacy policies (Based on the CONSENT country reports. No data was available for Sweden)

Although these are a few other characteristics indicating awareness, such as awareness about the use of cookies and security issues, it can be argued that awareness across the EU regarding the processing of personal data is rather high. U.S. privacy law professor Daniel Solove has argued that privacy policies have too many hurdles as an instrument to create awareness, inform people about personal data processing and putting them in control.27 First, people do not typically read privacy policies; the information provided is often very extensive; it would likely take a great deal of time to read every privacy policy and to make a decision based on the information therein. It was estimated that if people actually read all of the privacy policies presented to them, it would take them 244 hours annually.28 This may explain findings of empirical studies indicating that people simply consent whenever confronted with a consent request.29 Such consent mechanisms are thus likely to be ineffective and their value may be disputed. Second, if people do read privacy policies, they may not understand them, as the information provided may be too difficult. In many situations, the text is highly legalistic in nature or contains technical details beyond the comprehension of the average user. Third, if people read and understand the policies, they often lack sufficient background knowledge to make an informed decision. While an abbreviated, plain-language policy may be quick and easy to read, it is often the hidden details that may carry most significance.30 Related to this issue is the asymmetry in power distribution. Those who collect and process the data have technological expertise that the 27 28 29 30

Solove 2013. McDonald and Cranor 2008. Custers et al. 2013, Custers et al. 2014. Toubiana and Nissenbaum 2011.

202

10 Conclusions

average user usually lacks.31 Fourth, if people read privacy policies, understand them and can make an informed decision, they are not always offered a choice that reflects their preferences. In fact, these difficulties with privacy policies have resulted in some authors concluding that privacy policies are not primarily aimed at data subjects, but rather at data protection authorities, lawyers and other officials.32 In any case, it may be argued that the fact that few people actually read privacy policies shows disengagement of data subjects.33 Trust The level of trust that people have towards the use of their personal data by organizations may be determined by measuring the perceived risks of providing such personal data online. Such risks may include becoming a victim of fraud, fraudulent use of online identities, personal data being used without a data subject’s knowledge, personal data sharing with third parties without a data subject’s consent, personal data being used in different contexts (‘function creep’), unsolicited commercial offers, personal safety being put in danger, loss of personal data, reputation damage, becoming a victim of discrimination (including price discrimination), and misunderstanding of a person’s views and behaviors.34 To illustrate the levels of trust in the countries examined in this research, we selected two of the most prominent perceived risks of providing personal data online: becoming a fraud victim (Fig. 10.4) and reputation damage (Fig. 10.5). On average within the EU, becoming a fraud victim is considered the highest of all of the risks mentioned above (50%). Reputation damage is considered a relatively low risk (EU average 7%). Protective Actions Internet users may take several actions to further protect their personal data. A typical example is to change privacy settings. Once personal data is disclosed, it can easily be copied and disseminated.35 At the same time, it may be difficult to track all copies in a later stage when someone wants to remove particular personal data that are online.36 This makes it difficult to enforce the so-called ‘right to be forgotten’37 (or the ‘right to erasure’, see Article 17 of the GDPR). Hence, it may be

31

Acquisti and Grosslags 2005; LaRose and Rifon 2007. Hintze 2017. 33 Schermer et al. 2014. 34 Eurobarometer 431 2015, p. 102. 35 Custers 2016. 36 Koops 2011. 37 In the landmark case Case 131/12 Google Spain v AEPD and Mario Costeja Gonzales issued on 13 May 2014, the Court of Justice of the European Union made it clear that the right to be forgotten is encompassed in the fundamental right to privacy. See also Kuner 2014. 32

10.1

100 90 80 70 60 50 40 30 20 10 0

Comparing Countries

40

41

203

46

47

50

53

56

61

62

Fig. 10.4 Percentage of the population that have a perceived risk of becoming a fraud victim when providing personal data online (Based on Eurobarometer 431 2015, p. 102. Providing personal data online in this context means actively sharing personal data, for instance, when completing forms. It does not include leaving behind digital traces (‘data exhaust’) of which people are unaware)

14 12

10

10 8

7

6 4 2

4

4

11

12

8

5

2

0

Fig. 10.5 Percentage of the population that have a perceived risk of reputation damage when providing personal data online (Based on Eurobarometer 431 2015, p. 102)

helpful to disclose personal data only to a limited number of people and only for a limited number of purposes, in order to avoid function creep.38

38

Custers and Ursic 2016.

204

100 90 80 70 60 50 40 30 20 10 0

10 Conclusions

71

71

70

69

62

57

54

51 40

Fig. 10.6 Percentage of people that have ever tried to the change privacy settings of their personal profile on social media platforms (Based on Eurobarometer 431 2015, p. 92)

In Fig. 10.6, percentages of people that have ever tried to change privacy settings of their personal profile on social media platforms are shown for each country that is examined. Because this requires the explicit action of data subjects, it could be argued that these levels are quite high. At the same time, however, these statistics do not show how often people try to change privacy settings. Neither do they show whether the desired options were available nor whether the efforts to change privacy settings were actually successful. Another typical protective action that people can and do take is disabling cookies. In Fig. 10.7, the percentage of people who disable cookies (with a baseline of people who are aware of cookies) are shown for each country that is examined. It should be noted that this does not imply that these people always disable cookies. Often, disabling cookies means that a website is not accessible or offers (significantly) reduced functionality. The percentages shown in Fig. 10.7 indicate the number of people that disables cookies occasionally, or disable certain types of cookies (e.g. third-party cookies), or disable cookies that perform a particular function (e.g. tracking cookies), or disable cookies using any combination of the above. Other protective measures that data subjects and internet users can take to further safeguard their privacy and personal data include blocking pop-ups, using opt-in and opt-out possibilities, blocking particular e-mail addresses, checking for spyware and deleting search histories. Running regular software updates may also improve personal cybersecurity and, as such, enhance privacy and personal data protection. Such ‘cyber hygiene’ seems to be gaining ground, together with increasing awareness (see ‘awareness’ above). In addition, an increasing number of companies offering online messaging services, including some provided by social media

10.1

Comparing Countries

205

100 90

81

80 70 60

60

60

France

Romania

68

68

Italy

EU average

69

72

72

50 40 30 20 10 0 Ireland Netherlands

United Kingdom

Germany

Fig. 10.7 Percentage of people that disables cookies when they are aware of them (Based on CONSENT country reports. No data available for Sweden)

platforms, by default encrypt communications end-to-end, without any requirement from users to turn on such a protective functionality.39 National Politics The extent to which there is an active debate on privacy and data protection in national politics varies among countries. Even when there is an active political debate in a country, the focus of the debate and the perspectives given are sometimes different. In Ireland40 and Romania,41 there is hardly any political debate on privacy and the protection of personal data. There is some political debate on this issue in France, but the strongest debates are found in the Netherlands, Germany,42

39 For instance, WhatsApp (owned by Facebook) and iMessage (by Apple) offer end-to-end encryption by default. Others, such as Messenger (by Facebook), Allo (by Google), and Skype (owned by Microsoft) offer an end-to-end encryption option. See Kurt Wagner, April Glaser, and Rani Molla, “The apps to use if you want to keep your messages private”, Recode (Apr. 15, 2017), https://www.recode.net/2017/4/15/15297316/apps-whatsapp-signal-imessage-hacking-hackers-messagesprivacy, and Peter Bright, “Skype finally getting end-to-end encryption”, Ars Technica (Jan. 18, 2018), https://arstechnica.com/gadgets/2018/01/skype-finally-getting-end-to-end-encryption/. 40 An exception is the Cyberbullying Bill in 2013, see http://oireachtasdebates.oireachtas.ie/debates% 20authoring/debateswebpack.nsf/(indexlookupdail)/20131106*W?opendocument#W03000. 41 An exception is the proposed Cyber Security Act in 2015, see: https://privacy.apti.ro/2015/01/ 29/romanian-cybersecurity-law-sent-to-the-constitutional-court/ This legislative proposal was declared unconstitutional in January 2015, see: https://privacy.apti.ro/2015/01/29/icing-on-thecake-romanian-cybersecurity-law-unconstitutional/. 42 A typical example Is the debate on camera surveillance, see Eddy 2016.

206

10 Conclusions

Focus on privacy vs security

PoliƟcal debate

Netherlands France Italy

Focus on

United Kingdom

economy

Sweden

Focus on

Sweden

human rights

Germany

Hardly any

Ireland

poliƟcal debate

Romania

Fig. 10.8 Extent of the active political debate on privacy and personal data protection in the selected countries and the focus of the political debate where present [Source The authors]

Sweden,43 the United Kingdom, and Italy. In some countries, such as the Netherlands and Italy, the debate is also initiated by supervisory authorities which have the legal right to advise on legislative proposals in which the processing of personal data plays a role. The focus of the political debates on privacy and the protection of personal data varies according to the country, see Fig. 10.8. In the Netherlands, France, and Italy, the debate is often on the balance between privacy on the one hand and (national) security on the other hand. The political debate in the United Kingdom is much more focused on the (digital) economy. This is also the case in Sweden, but the debate on the digital economy is also intertwined with the issue of what constitutes the proper construction of an open and democratic society. Hence, apart from economic aspects, societal and human rights aspects also play a role in the Swedish political debate. In Germany, the focus of the political debate is much more on human rights. Furthermore, there seems to be increasing consensus in Germany towards more protection for privacy and personal data. Media Attention In many of the countries investigated, there is media attention for privacy and data protection issues. There is a high level of media attention in the Netherlands, Germany, France, the United Kingdom, and Ireland, although the topics addressed vary. For instance, media attention in Ireland has focused on the court case of privacy activist Max Schrems against Facebook (the EU headquarters of Facebook 43

Münch 2013.

10.1

Comparing Countries

207

Table 10.3 Level of media attention for privacy and presence of Big Brother Awards Netherlands Germany Sweden United Kingdom Ireland France Romania Italy [Source The authors]

Media attention

Big Brother Awards

High High Medium High High High Low Medium

Yes Yes No Yes No Yes No Yes

are located in Ireland).44 In France, media attention focuses on the privacy of public figures, including politicians. In Sweden and Italy, there is some media attention, but it is not as extensive as in other countries. In Romania, there is hardly any media attention for these topics. Media attention in the United Kingdom is high and even appears to be increasing (Table 10.3). A typical, albeit more indirect indicator for media attention may also be the so-called Big Brother Awards, which are annual ‘awards’ for people, companies, or government institutions whose initiatives violate privacy. Obviously, the Big Brother Awards may either be the cause or the result of media attention for privacy. These awards exist (or have existed) in 17 countries and of the countries investigated, France, Germany, Italy,45 the Netherlands, and the United Kingdom have annual Big Brother Awards. Ireland, Romania, and Sweden do not have Big Brother Awards.46 Data Breaches Before the GDPR came into force, there were not many EU member states that had general data breach notification laws. The GDPR harmonizes this by making data breach notifications mandatory (see Articles 33 and 34 of the GDPR). Apart from these provisions, all EU member states have implemented the e-Privacy Directive in national legislation, including the provisions on data breach notifications for the providers of electronic communication services.47 Before the GDPR, only two of the countries investigated in this research had data breach notification laws. These countries were Germany, with legislation since 2009, and the Netherlands, with legislation since 2016. For an overview, see Table 10.4.

44

CJEU 6 October 2015, case C-362/14, Facebook/Schrems, ECLI:EU:C: 2015:650. The last edition of the Italian Big Brother Awards was held in 2012. See http://bba. winstonsmith.org. 46 https://en.wikipedia.org/wiki/Big_Brother_Awards. 47 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). 45

208

10 Conclusions

Table 10.4 Data breach notification requirementsa National legislation on data breach notifications?

Comments

Germany Yes Article 42a BDSG, since 2009b Netherlands Yes Article 34a WBP, since 2016 Ireland No The DPA has issued guidelines Sweden No United Kingdom No France No Romania No Italy No a Based on https://www.dlapiperdataprotection.com/index.html?c=SE&c2=&t=breach-notification b https://dejure.org/gesetze/BDSG/42a.html

Although most countries had no legal obligations to notify data breaches before the GDPR came into force, in many countries there were private or public organizations that kept lists of data breach incidents. For instance, in the Netherlands, before the revision of the Data Protection Act in 2016, the civil rights organization Bits of Freedom already kept a list of major incidents, although this practice was discontinued before the DPA took over. In Germany, there is a list of data breaches available online that is not maintained by the DPAs – the DPAs in Germany keep their own, separate lists.48 In some countries (like the United Kingdom and Italy), it is possible to notify the supervisory authorities that a data breach has occurred (although this is not mandatory) and in some countries (such as France) the DPA also publicly responds to data breaches that have come to light. In all of the countries investigated, there have been significant data breaches in recent years. However, due to the lack of legal obligations to notify data breaches in most countries, it is difficult to compare numbers.49 In the Netherlands, there were 5693 data breaches in 2016.50 Because all EU member states have mandatory data breach notifications as of May 2018 under the GDPR, a comparison on this aspect will be possible in the near future. The basic idea behind mandatory data breach notifications is that of naming and shaming: the presumed mechanism is that disclosure of data breaches (to data subjects, DPAs, or the general public) would cause reputational damage to data controllers, who, in order to avoid such damage, would improve security measures.

48

https://www.projekt-datenschutz.de/news. In Germany remarkable data breaches are published on the website https://www.projektdatenschutz.de/news?page=3, but a complete overview is not available. In 2016, a total of 86 incidents were published. In Italy, the DPA received 49 data breach notifications in 2015, but these numbers cannot be used in any comparison, because there is no legal obligation to notify of data breaches in Italy. 50 AP 2017, p. 7. 49

10.1

Comparing Countries

209

Some experts have already started to doubt these presumed mechanisms.51 The naming and shaming might have a limited effect when there are many thousands of data breaches that are notified. News on data breaches did not cause significant reactions among the general public in any of the countries investigated. There were no public protests and there was little public outrage regarding major data breaches. Civil Rights Organizations In all of the countries investigated, civil rights organizations are present that advocate for privacy rights online. These include national organizations as well as national branches of international organizations. The latter category includes, for instance, Amnesty International and the International Commission of Jurists (ICJ), both of which promote human rights. In this research we focused on civil rights organizations that specifically focus on the protection of privacy and personal data. Such organizations exist in all of the countries that were investigated, but their budgets and influence vary significantly. On one end of the spectrum are the countries with organisations with limited budget and influence. In Sweden, the DFRI (Föringen för Digitala Fri- och Rättigheter) has no staff, but it has approximately 80 volunteers and an annual budget of approximately 10,000 euros.52 They indicate that their influence is limited. In Romania the situation is similar: there are civil rights organizations, but their public support and influence is limited. In Italy, the Italian Institute for Privacy (IIP), funded by private donors and the European Union,53 is mostly a study and advocacy center; there also exists Federprivacy, which is the association for data protection officers and consultants. In the Netherlands, Bits of Freedom, Privacy First, and other organizations are relatively small and have annual budgets of approximately 100,000 euros. Despite their limited size and budgets, they manage to attract media attention frequently. In Ireland, Digital Rights Ireland has a budget of less than 100,000 euros and is composed of volunteers. Nevertheless, Digital Rights Ireland does have an impact, given the litigation they do, most notably in their case on the EU data retention directive (EU directive 2006/24/EC), which the CJEU declared invalid in 2006.54 On the other side of the spectrum are the countries that have organizations with significant budgets and much more influence. In Germany, there are many civil rights organizations (including the following: Verbraucherzentralen, the German Privacy Association, Netzwerk Datenschutzexpertise, the Association for Data Protection and Data Security, and Stiftung Datenschutz). Some of these organizations also have considerable budgets. For instance, Stiftung Datenschutz received a starting budget of 10 million euros from the federal government when it was

51

See also Schneier 2009. https://www.dfri.se/dfri/. 53 European Union funds the IIP inside the Horizon 2020 funding programme for the Privacy Flag project. See http://www.istitutoitalianoprivacy.it/it/chi-siamo/. 54 Case C-293/12. Court of Justice of the European Union. 8 April 2014. 52

210

10 Conclusions

established in 2013.55 The German civil rights organizations are known as influential with regard to legislative proposals and the public debate. In the United Kingdom, there are also professional civil rights organizations, such as Big Brother Watch and Privacy International. Privacy International is known worldwide (for instance, for its global privacy rankings) and has an annual budget of approximately 1.4 million GBP.56 They publish high quality research reports (including for the United Nations) and have considerable influence on the political and societal debate. In France, there are many civil rights organizations, but the most well-known and recognized player is La Quadrature.57 Compared to German and UK organizations, La Quadrature has a much smaller budget (the annual budget was 320,000 euros in 2017), but they can be considered professional and influential regarding the public debate.

10.1.2 National Government Policies National Policies and Privacy Impact Assessments A new requirement in the GDPR (as compared to the Data Protection Directive) is that of Data Protection Impact Assessments (DPIAs), which is laid down in Article 35 GDPR. The concept of a DPIA stems from that of Privacy Impact Assessments, which are tools to systematically identify and assess the likeliness and impact of privacy related risks of new projects, policies, practices, legislation, etc. Under the GDPR, such assessments are mandatory in situations where there is high risk to the rights and freedoms of natural persons. Mapping the risks of infringements of privacy and other civil rights, often referred to as a Privacy Impact Assessment (PIA), may be a complicated task, because it is not always clear what concepts like privacy and the right to privacy comprise, let alone how to quantify the impact on them in language comparable to terms like effectiveness and efficiency. Currently, even a generally agreed upon starting-point and approach is missing for performing PIAs.58 We consider PIAs and DPIAs as risk assessments.59 Within the scope of this book, risks are potential negative consequences with regard to the personal sphere of life and the protection of the fair processing of personal data. Such risks depend, on the one hand, on the likeliness that they may materialize and, on the other hand, on the impact they may have once they materialize. It should be noted that even when risks never materialize, they may still exist, just as living on a volcano that has never erupted nevertheless constitutes a risk. In short, risks are defined as probability multiplied by 55 56 57 58 59

https://stiftungdatenschutz.org/ueber-uns/vermoegen/. This budget is generated by private donations and governments, but not by companies. https://www.laquadrature.net/. An excellent start is Wright and De Hert 2012. See also IACP 2009.

10.1

Comparing Countries

211

impact. Hence, a PIA or DPIA is a tool not only to identify privacy risks, but also to assess the probability and impact of each identified risk.60 A PIA or DPIA assesses risks for residents or data subjects and perhaps also societal risks, but not business risks for data controllers.61 It is important to note that PIAs or DPIAs are not to be considered as merely compliance tools.62 Everyone has to comply with the law, so interpreting PIAs and DPIAs as a statement that the GDPR has to be complied with could be considered redundant.63 Although there are many examples of PIAs and DPIAs that simply map compliance with all legal provisions (e.g., is there a legal basis for data processing, etc.), these are flawed tools, as they do not meet the requirements of Article 35 of the GDPR. A PIA or DPIA is explicitly not a legal instrument, but rather an ethical instrument,64 to create awareness about risks to the rights and freedoms of people (and to subsequently address these risks by avoiding or mitigating them).65 There was no EU-wide legal obligation to perform PIAs prior to the GDPR. However, several countries had implemented legal obligations to perform PIAs in certain situations. In France, Article 34 of the French Data Protection Act creates a legal obligation for data controllers to map the risks of processing personal data.66 However, this obligation to perform PIAs does not apply to newly proposed legislation or regulations. Note that such an obligation for PIAs in regards to new legislation is also absent in the GDPR. Apart from this legislation, other countries have implemented regulations or rules that involve obligations to perform PIAs to some extent. In the Netherlands, the obligations more or less complement those found in France: there is no legal obligation for data controllers to perform PIAs, but the national government is subjected to the obligation to perform PIAs for new legislative proposals and for the implementation of new information systems. This obligation is based on a motion that originated in the parliament (accepted by both the parliament and the government) in which PIAs are required for designing new legislation where the processing of personal data is relevant. The contents of this motion were subsequently implemented in policy documents of the national government. As the GDPR neither mandates nor prohibits this, the obligation for PIAs for legislative proposals in the Netherlands will probably continue to exist under the GDPR.

60

WP29 2017. Note that risks for citizens and data subjects (especially when materialized, for instance, after data breaches) may influence the reputation of a data controller and, as such, constitute business risks for data controllers. 62 De Hert, Kloza and Wright 2012. 63 Although technologies may contribute to improve compliance, see Bamberger 2010. 64 Wright 2011. 65 In regular risk management, risks can also be transferred, for instance, to insurance companies. When dealing with privacy risks, risk transfer is usually not an option. 66 Loi numéro 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, see https://www.cnil.fr/sites/default/files/typo/…/Act78-17VA.pdf. 61

212

10 Conclusions

Table 10.5 Privacy impact assessments Legislative obligation?a

Other regulations/ obligations?

Model/standard available?

Guidance by the DPA?

Netherlands

No

Yesc

No

Germany Sweden United Kingdom Ireland

No No No

Yesb (parliamentary motion) No No Yes (DPA policy rules for governments) No (but the DPA has announced policy rules)e No No Yes (DPA policy rules)

Yes (for RFID) No Yes

Nod No Yes

No

No

No

Yes Yes France Yesf Romania No No No Italy No No No [Source The authors] a Prior to or in addition to the GDPR obligations b However, this is only for new legislation, and not for data controllers c A plethora of models is available d The federal DPA (BfDI) does not offer guidance. However, there are guidelines for specific technologies. For example, see Privacy Impact Assessment Guideline for RFID Applications, available at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ElekAusweise/PIA/ Privacy_Impact_Assessment_Guideline_Langfassung.pdf?__blob=publicationFile&v=1 e Data Protection Commissioner (undated). The GDPR and You: Preparing for 2018. https://www. dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf f However, this is only for data controllers, and not for new legislation. See Article 34 of the French Data Protection Act

In other countries, such as in the UK and Italy, the data protection authorities have created policy rules for executing PIAs or are creating such policy rules (as in Ireland). In some countries, documentation (including models and standards) for performing PIAs is available, and in a few countries the Data Protection Authorities (DPAs) offer guidance. For an overview, see Table 10.5. A remarkable development is that in all countries investigated, many private companies are now offering services to perform such assessments and this number seems to be further increasing. The overview in Table 10.5 shows different pictures for the countries that are compared. France seems to be the frontrunner with regard to Privacy Impact Assessments and is the only country with a legal obligation for PIAs prior to the GDPR. Mandating PIAs may increase both awareness of privacy and data protection issues and compliance with privacy and data protection legislation. However, this can only be achieved when implementation of PIAs is sufficiently facilitated, for instance, by providing appropriate models and standards as well as some form of guidance by DPAs. Many PIAs lack practical applicability,

10.1

Comparing Countries

213

completeness, understandability, usability, and user-friendliness.67 Either better documentation or further DPA guidance (preferably both) may address these issues. Privacy and Data Protection in New Policies The DPAs in all countries investigated showed efforts to ensure that privacy and data protection is taken into account in new policies. The DPAs of all eight countries are consulted when new legislation is drafted that affects privacy and data protection. The supervisory authorities are particularly consulted on the question of whether legislative proposals are in compliance with existing legislation regarding privacy and personal data and on the question of whether the legislative proposals can actually be enforced by the DPAs. The governments of all eight countries investigated also try to anticipate to new developments, such as big data, the Internet of Things, the quantified-self movement, etc. Privacy by Design is also often mentioned in this respect as an important topic and as a potential solution to some of the problems in privacy and data protection. All of the countries examined have initiated think tanks, platforms, research projects or similar initiatives on these new developments and how to anticipate to them. Although there are considerable differences between the countries investigated, it can be concluded that there is a lot of paperwork and little practice in this regard. For instance, the term Privacy by Design is regularly mentioned in all of the countries as a key concept, but practical examples are rarely available or nonexistent. Apparently, there is little understanding of how to concretize and implement this concept in practice. To some extent, the United Kingdom is an exception to this, where there is at least a clear vision that the concept of Privacy by Design should be closely connected to Privacy Impact Assessments: performing PIAs (which, when understood broadly, are a risk or justification analysis) should deliver design requirements for new systems and regulation. Societal Debate In several of the countries investigated, the government plays an active role in societal debate. This is the case in the Netherlands, Germany, Sweden, the United Kingdom and France. In Ireland, the active role of the government in the public debate is limited, and in Romania and Italy, the government is mainly reactive rather than proactive. In these countries, there is only a (very) limited dialogue between the government and civil rights organizations, and between the government and citizens. In relation to new legislation, it is particularly remarkable that in some countries the government chooses to have a dialogue with (or to consult) interest groups (such as in Germany, Sweden, and Ireland), whereas in other countries the government chooses to have a dialogue with (or to consult) citizens via internet consultations (such as in the Netherlands, the United Kingdom, France, and Italy). Table 10.6 provides an overview.

67

See, for instance, Versmissen et al. 2016.

214

10 Conclusions

Table 10.6 Role of the government in societal debate and the form of consultation Active role of the government Netherlands Yes Germany Yes Sweden Yes United Yes Kingdom Ireland Limited France Yes Romania No Italy No [Source The authors]

Consultation of (primarily) citizens or (primarily) interest groups? Citizens Interest groups Interest groups Citizens Interest groups Citizens N/A (No consultation) Citizens

Information Campaigns Supervisory authorities in the field of privacy and personal data protection usually consider it their task to provide information to residents, companies and governments about the domain they are supervising. For this reason, they provide different kinds of materials on their websites, such as brochures, factsheets, reports and other types of documentation. In some countries, such as in the United Kingdom and Ireland, the DPAs also provide educational materials for schools. Apart from this, governments in several countries also initiated information campaigns. In the Netherlands and the United Kingdom, a relatively large number of information campaigns were conducted, both online and via television. There were also information campaigns in Ireland and France. The Netherlands are frontrunner when it comes to using apps for providing further information on privacy and data protection. Germany, Sweden, Romania, and Italy are less active in terms of information campaigns and focus more on providing information materials. It is remarkable that in several countries the focus is on information campaigns for (or about) minors. Apart from the abovementioned educational materials in the United Kingdom and Ireland, there is a great deal of attention on minors in Italy, especially regarding cyberbullying. The DPA in the Netherlands does not appear to focus on this target group68 although it recently published a training module to train older primary school children on privacy and personal data protection.69 There is no data available on the effectiveness of the information campaigns and information materials in the countries investigated. The Netherlands can be considered a frontrunner on this aspect, in terms of the number of information campaigns, the multimedia approach (both online and via television) and the interactive approach (such as via the use of apps). 68

The GDPR strengthens the protection of personal data of minors, which will probably result in more focus of DPAs for this target group in the near future. 69 https://autoriteitpersoonsgegevens.nl/lespakket.

10.1

Comparing Countries

215

10.1.3 Laws and Regulations Implementation of the EU Directive Although the GPDR has further harmonized privacy and data protection across the EU since 2018, the ways in which, as well as the extent to which, the 1995 EU directive was implemented in EU member states show interesting differences in attitudes towards privacy and data protection. The deadline for implementing EU directive 95/46/EC in national law was at the end of three years from the adoption of the directive, i.e. in 1998.70 Five countries did not meet this deadline, four of which are among the countries investigated in this research: France, the Netherlands, Germany, and Ireland (the fifth was Luxembourg). However, after several extra years, all of those countries had implemented the directive. In 2004, France was the last country to do so. After having been implemented, the relevant national legislation has been revised in many countries. An overview is provided in Table 10.7. Important revisions in the Netherlands took place in 2012 and 2016, when administrative burdens were lowered, maximum fines were increased, and data breach notification laws were introduced. In Germany, important revisions took place in 2003 and 2009, when registration of personal data processing activities with the DPA was simplified and the position of privacy officers was changed. In Romania, the data protection law was changed in 2005 because it was established that the previous implementation did not meet the criteria of the EU directive. Implementation of EU directives requires a minimum level of implementation and thus there is harmonization to a large extent. All of the investigated countries met the minimum levels of implementation, although it took two rounds in Romania and the legislation in Ireland was still in tension with the Data Protection Directive (see Sect. 6.3) prior to the GDPR. EU member states are allowed to implement more provisions, offering additional protection for privacy and personal data. However, only some countries implemented such additional provisions. Typical examples are breach notification laws in the Netherlands, data protection audits in Germany, privacy by design methods in the UK,71 and special provisions for health care data and for children in France. An overview is provided in Table 10.7. Sectoral Legislation Many countries have introduced sectoral legislation (on top of the DPD and GPDR) that further protects the processing of personal data in specific sectors. Since this concerns a large amount of legislation for many different sectors, it is not possible within the scope of this research to provide an exhaustive overview here. To illustrate this, there are already more than 300 sectoral laws and regulations that

70 71

See Article 32(1), EU Directive 95/46/EC. Trilateral Research & Consulting 2013.

216

10 Conclusions

Table 10.7 Implementation of EU Directive 9546/ECa

Netherlands Germany Sweden United Kingdom Ireland

Implementation

Important updates

2001 2001 1998 1998

2012, 2016 2003, 2009 2007 2000

Minimum implementation?

Minimum + data breach notifications Minimum + provisions on several extra issuesb Minimum + further elaboration Minimum + best practices like PIAs and Privacy by Design methods 2003 N/A Minimum was not met in several areas (see Sect. 6.3) France 2004 2011 Minimum + additional protection for health data and children Romania 2001 2005 Minimum + obligation to consult DPAs for codes of conduct Minimum + additional provisions for data Italy 1996 2003c controllers a This is primarily based on information provided at: http://ec.europa.eu/justice/data-protection/law/ status-implementation/index_en.htm b For instance, there are provisions relating to pseudonymization, data thrift and data avoidance, video surveillance, and data protection audits c This update went into force in 2004

deal with the protection of personal data in Sweden alone. Typical sectors for which such legislation on personal data has been enacted available in many countries include health care, telecommunications, finance, criminal law, and the public sector. Almost all of the countries investigated have sectoral legislation in these areas, especially in areas where sensitive personal data are processed.72 And even if there is no sectoral legislation, in many cases there are guidelines, codes of conduct, or other forms of soft law on the processing of personal data. An overview is provided in Table 10.8. The overview in Table 10.8 shows that all of the countries investigated have sectoral legislation for personal data in the areas of health care (except in the United Kingdom, where there exists a code of conduct), telecommunications, finance (except in the Netherlands, where there exists a code of conduct), criminal law (except in Italy and Ireland, the latter of which has a code of conduct) and government data (although access rights are limited in Italy). The processing of personal data in criminal law is particularly interesting because in April 2016, EU Directive 2016/680 was adopted by the European Parliament and Council together with the General Data Protection Regulation

72

Sensitive personal data, such as health care data, may constitute increased risks to privacy and related issues. See, for instance, Custers 2005.

10.1

Comparing Countries

217

Table 10.8 Sectoral legislation for the protection of personal data Health care

Telecom

Finance

Criminal Law

Government dataa

b

Netherlands Yes Yes No Yes Yes Germany Yes Yes Yes Yes Yes Sweden Yes Yes Yes Yes Yes Yes Yes Yes Yes United Kingdom Noc Yes Ireland Yes Yes Yes Nod France Yes Yes Yes Yes Yes Romania Yes Yes Yes Yes Yes Partialf Italy Yes Yes Yes Noe [Source The authors] a This is primarily based on information provided at: https://en.wikipedia.org/wiki/Freedom_of_ information_laws_by_country b In the Netherlands there is a code of conduct for the processing of personal data by financial institutions: http://wetten.overheid.nl/BWBR0033201/2010-04-26 c In the United Kingdom there is a code of conduct: Subject access code of practice, available at: https://ico.org.uk/media/for-organisations/documents/1065/subject-access-code-of-practice.pdf d In Ireland there is a code of conduct for the police, see: http://www.garda.ie/Controller.aspx? Page=136&Lang=1 e Such a provision was expected in Annex C of the DPCode, but it was never realized f Chapter V of Law No. 241 of 7 August 1990 provides access to government documents, but the requesting person needs to have a direct interest and cannot be a third party. For government institutes, Title III of Chapter II of the DPACode is also applicable, but this does not directly relate to governmental data

(GDPR). This Directive73 regulates the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties. In short, this encompasses the processing of personal data by all organizations involved in the criminal law sequence of events (the criminal law chain), such as the police, public prosecution services, courts, and prison system. The GDPR is the lex generalis, whereas Directive 2016/680 can be considered as the lex specialis for personal data in criminal law. The GDPR is an EU regulation and, as such, directly binding on all EU citizens, companies and government organizations, whereas directives require (mandatory) implementation into national legislation of member states. The history of Directive 2016/680 runs mostly parallel to that of the GDPR. The GDPR primarily builds on and extends the EU Data Protection Directive (DPD) from 1995.74 This Directive, in turn, was mostly based on provisions in Convention 108 of the Council of Europe (also referred to as the Treaty of 73 DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. 74 For further reading, see Bygrave 2002; Kuner 2012; Hornung 2012.

218

10 Conclusions

Strasbourg) from 1981.75 The Council of Europe also published a recommendation that supplements Convention 108 for the use of personal data by the police in 1987.76 In this recommendation, it is further specified who should have access to police data, under which conditions police data can be transferred to authorities in third countries, how data subjects can exercise their data protection rights, and how independent supervision should be organized. These recommendations, however, are not legally binding and many member states have not fully implemented them. In 2001, the Council of Europe adopted the Convention on Cybercrime, which includes provisions that regard to the processing of police data.77 This Convention regulates, among other things, the protection of personal data and international cooperation, including the exchange of personal data in criminal law cases between authorities of different countries. Since the processing of criminal law data is beyond the scope of the DPD (Directive 95/46/EC), there was little harmonization within the EU in this domain for over two decades.78 After the terrorist attacks of 11 September 2001 in the United States, the European Parliament repeatedly requested a legal instrument for the so-called third pillar of the European Union, Police and Judicial Co-operation in Criminal Matters.79 However, little progress was made.80 Only in 2008 did the EU publish Framework Decision 2008/977/JHA on the protection of personal data processing in the framework of police and judicial cooperation in criminal matters.81 This Framework Decision is also based on the principles in Convention 108 and the Data Protection Directive. The aim of the Framework Decision is, on the one hand, the protection of personal data that are processed for the prevention, investigation, detection, and prosecution of crimes and the execution of criminal penalties. and, on the other hand, the facilitation and simplification of police and judicial cooperation between member states. Finally, a series of legal instruments that aim to advance the cooperation and sharing of information between member states should be mentioned, such as the Prüm Treaty82 (for exchanging DNA data, fingerprints and traffic data), the Schengen Information System83 (SIS, for international criminal investigation information), the Visa Information System84 (VIS, for visa data, including

75 76 77 78 79 80 81 82 83 84

Council of Europe 1981. Council of Europe 1987. Council of Europe 2001. Pajunoja 2017. With the Treaty of Lisbon the official pillar structure of the EU was abandoned in 2009. Gonzales Fuster 2014, p. 220. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:350:0060:0071:en:PDF. EU Council Decision 2008/615/JHA; Prüm Decision, 23.6.2008. EU Council Decision 2007/533/JHA, SIS-II, 12.6.2007. EU Regulation 767/2008, VIS Regulation, 9.7.2008.

10.1

Comparing Countries

219

biometrical data), the Customs Information System (CIS)85 and Eurodac86 (for fingerprints of asylum seekers and stateless people). Also, the institutional regulations for Europol, Eurosur and Eurojust contain provisions for the exchange of criminal law information between member states. In 2012, the European Commission presented the first draft for a directive that would further harmonize the processing of personal data in criminal law matters.87 After that, a debate started between the European Parliament, the Commission and the Council, which lasted three years. In 2016, the legislative proposal was adopted, after amendments were made, in its current version as EU Directive 2016/680. In this Directive, the deadline for implementation in national legislation was after two years, in May 2018. Directive 2016/680 repeals the current Framework Decision 2008/977/JHA as of that date. It should be mentioned that the scope of the Framework Decision is limited to processing data that are transferred to other member states, whereas the scope of the Directive also includes the processing of criminal law data for domestic purposes.88 The aim of Directive 2016/680 is, similar to the previously mentioned framework decision, on the one hand, the protection of personal data that are processed for the prevention, investigation, detection, and prosecution of crimes as well as the execution of criminal penalties and, on the other hand, the facilitation and simplification of police and judicial cooperation between member states and, more in general, the effective addressing of crime. Although the deadline for the implementation of EU Directive 2016/680 was in May 2018, many member states did not meet this deadline or were very late.89 Only Germany and Austria implemented the directive well before the deadline. In Germany, the Act to adapt data protection law to Regulation (EU) 2016/679 and to implement Directive (EU) 2016/680 (DSAnpUG-EU) of June 2017 was adopted by

85

EU Council Decision 2009/917/JHA. EU Regulation 2725/2000 concerning the establishment of Eurodac for the comparison of fingerprints for the effective application of the Dublin Convention, OJ 2000 L 316, 11.12.2000 and EU Regulation 407/2002, laying down certain rules to implement Regulation 2725/2000 concerning the establishment of Eurodac for the comparison of fingerprints for the effective application of the Dublin Convention, OJ 2002 L 62, 28.2.2002. 87 See COM(2012) 9 Final, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri= CELEX:52012PC0010. 88 Salami 2017. 89 Apart from the countries investigated in this book, there are also examples of other EU member states. In Greece, a legislative law committee was established immediately after the GDPR and Directive 2016/680 were published. However, this committee had not completed its work by its deadline in May 2017 and was granted extension of the deadline until December 2017. Other countries made more progress. For instance, in the Czech Republic, a new data protection act that also implements Directive 2016/680 was published by the government in August 2017 and entered the legislative procedure. In Austria, the legislature passed the national Data Protection Amendment Act 2018 (Datenschutz-Anpassungsgesetz 2018) in June 2017. This Act implements Directive 2016/680 in a separate chapter. See https://www.lw.com/admin/Upload/Documents/ FINAL-GDPR-Implementation-Tracker.pdf. 86

220

10 Conclusions

the Bundestag with the approval of the Bundesrat.90 In Austria, an implementation law has been adopted by parliament and entered into force on 25 May 2018.91 However, regardless of delays, not all member states have had to make the same effort, as some EU member states already had legislation in place for the processing of personal data in criminal law (which only needed minor adjustments), whereas other member states had no legislation at all in this area. For instance, in the Netherlands, there are two acts, one for the protection of personal data processed by the police (Wet politiegegevens, WPG) and one for the protection of personal data processed by the Public Prosecution Service (Wet justitiële en strafvorderlijke gegevens, WJSG). This legislation is further elaborated in two decrees on police data and judiciary data, respectively. This framework is similar to that of EU directive 95/46/EC and also already resembled EU Directive 2016/680 to some extent. In Germany, the protection of personal data in criminal law is regulated in the Bundesgrenzschutzgesetz 1994 (the German Police Act).92 In Sweden, the Police Data Protection Act (1998:622) regulates how the police may process personal data. This Act also states that the police are competent to keep criminal records and DNA information. A new act, the Police Data Protection Act (2010:361) came into force on 1 March 2012.93 In France, there is an act in force since 2014 that provides the French police and intelligence agencies increased investigation competences, including the collection of data without a court warrant.94 In the United Kingdom, the processing of personal data in criminal law is regulated in the Criminal Justice and Data Protection Protocol.95 In Ireland, the processing of personal data in criminal law is regulated in a code of conduct (An Garda Síochána).96 In Romania, there is specific legislation (Law 238/2009) for the processing of personal data in criminal law. Furthermore, the Police Act (Law 218/ 2002) offers supplementary provisions.97 Only in Italy are there no specific laws or regulations for the protection of personal data in criminal law (apart from the general legislation for criminal investigation and the GDPR).98 In summary, most countries investigated have legislation in place, either in the form of specific acts (such as in the Netherlands) or as part of an act that concerns the police (such as in Germany, Sweden and Romania). Some countries have regulated this at a lower level (such as a code of conduct in Ireland) or not at all (such as in Italy). 90

https://iapp.org/media/pdf/resource_center/Eng-trans-Germany-DPL.pdf. http://www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2017_I_120/BGBLA_2017_I_120. pdf. 92 http://policehumanrightsresources.org/wp-content/uploads/2016/08/Federal-Police-ActGermany-1994.pdf. Subsection 2, Part 1 addresses collecting data. Part 2 deals with processing and use of data. 93 https://polisen.se/Global/…/Polisen_en_presentation_110506.pdf, p. 17. 94 http://www.hldataprotection.com/tags/france/. 95 Criminal Justice and Data Protection (Protocol No.36) Regulations 2014, SI 2014/3141. 96 http://www.garda.ie/Controller.aspx?Page=136&Lang=1. 97 Law No. 218/2002 on the organizing and functioning of the Romanian Police. 98 Koops 2016, p. 34. 91

10.1

Comparing Countries

221

Focus on selfregulaƟon

Mix of government regulaƟon and selfregulaƟon

Sweden

Netherlands

Romania

United Kingdom

Germany

Italy

Focus on government regulaƟon

Ireland

France Fig. 10.9 Self-regulation versus government regulation [Source The authors]

Self-regulation and Codes of Conduct Article 27 of EU Directive 95/46/EC prescribes that member states should encourage the use of codes of conduct and self-regulation. Sweden and the UK are countries with a long tradition of self-regulation and have developed legislation and regulation accordingly. Countries like the Netherlands, Germany, Ireland and France typically use a combination of self-regulation and government regulation. In the Netherlands and Germany, the DPAs are sometimes consulted by parties that are drafting codes of conduct, but the numbers of codes of conduct that the DPAs were consulted for are very low. In both countries, establishing codes of conducts is considered as a long, tedious, and costly process with few concrete advantages. Romania and Italy typically focus on government regulation. For an overview, see Fig. 10.9.

10.1.4 Implementation Privacy Officers In most of the countries examined it was not mandatory to have privacy officers before the GDPR came into force. However, under the GDPR, many organizations now have an obligation to appoint privacy officers. It is estimated that worldwide,

222

10 Conclusions

approximately 75,000 privacy officers will be needed.99 These privacy officers are not only required within the EU, but also in other countries, when companies cooperate or trade with organizations located in the EU. Out of the countries investigated, privacy officers were only mandatory before the GDPR came into force in Germany, where privacy officers were required for organizations with 10 or more employees. Additionally, in 1970, Germany became the first country in the world where a person actually fulfilled the role of privacy officer.100 Since privacy officers are not mandatory in most countries, there are no statistics available about their numbers. In some countries, the DPA offers registration possibilities. There are over 700,000 privacy officers registered in Germany, 16,400 in France,101 7,513 in Sweden, and 722 in the Netherlands.102 For the other countries no data were available. In Romania there are virtually no privacy officers. Obviously, more privacy officers may be expected in countries with larger populations. When comparing the numbers per capita, Germany still has the most privacy officers, followed by Sweden and then France. For an overview, see Table 10.9. Security Measures One of the main principles for the fair processing of personal data is that of taking appropriate security safeguards, against unauthorized or unlawful processing and against the accidental loss, destruction, or damage of personal data. This is also mandatory under Article 5.1.f of the GDPR and includes both technical and organizational measures. However, it is not always clear when security safeguards may actually be considered appropriate or adequate. Therefore, the supervisory authorities in most of the countries examined have developed guidelines for the security of personal data. Furthermore, security standards by ISO (International Organization for Standardization) are regularly used. Table 10.10 provides an overview of which countries have guidelines for security and in which countries the DPAs issue certificates, seals, or give quality valuations for adequate security levels. In some countries, such as Romania and Italy, there are minimum requirements for security. In other countries, such as in the Netherlands, Ireland and France, the guidelines for security are more descriptive in nature, indicating how security should look like, rather than prescribing minimum requirements. In Sweden and the

99 http://www.v3.co.uk/v3-uk/news/2477538/gdpr-will-require-at-least-75-000-data-protectionofficers. 100 Datenschutzgesetz [Data Protection Act], Oct. 7, 1970, HESSISCHES GESETZ-UND VERORDNUNGSBLATT I. 101 https://clientsites.linklaters.com/Clients/dataprotected/Pages/France.aspx. 102 https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/functionaris-voor-de-gegevensbescherming.

10.1

Comparing Countries

223

Table 10.9 Privacy officers just before the GDPR came into force Mandatory privacy officers?

Number of registered privacy officers

Number of privacy officers per million inhabitants

Germany Yes >700,000a 8593 762 Sweden No 7,513b c 247 France No 16,400 42 Netherlands No 722d United No No data N/A Kingdom Ireland No No data N/A Italy No No data N/A Romania No Virtually none Virtually none [Source The authors] a Estimate: in Germany there are 3.647.326 companies, 80% of which are SMEs. https://www. destatis.de/EN/FactsFigures/NationalEconomyEnvironment/EnterprisesCrafts/EnterprisesCrafts. html. As a minimum estimate, there are more than 700,000 companies with privacy officers. The number is likely to be higher, though, given that SMEs also include companies with more than 10 employees b In 2015, Sweden had registered 7,513 companies with privacy officers, but only 4,756 persons were actually taking on the role. In Sweden, employees can be a privacy officer for several companies at the same time c In 2015 d In 2016

Table 10.10 Security measures Guidelines for security

Certification/seals/quality valuations by the DPA

Netherlands Yes Noa Germany Yes Yes Sweden No Nob United No Yes (in preparation) Kingdom Ireland Yes No France Yes Yes Romania Yes No Italy Yes No [Source The authors] a NEN/ISO norms can be certificated, but only by private parties b NEN/ISO norms can be certificated, but only by private parties

224

10 Conclusions

United Kingdom, guidelines for security do not exist (although ISO standards can always be used of course). In Germany, there is a dedicated government organization that focuses on information security, the Bundesamt für Sicherheit in der Informationstechnik (BSI),103 which develops its own standards. None of the other countries investigated have similar government organization. It is remarkable that in some countries the supervisory authorities issue certificates, seals, or quality valuations to data controllers that are able to prove to have taken adequate security measures. This is currently the situation in Germany and France, and this practice is in preparation in the United Kingdom. Sweden, Ireland, Romania, Italy and the Netherlands do not have such practices. Transparency In general, transparency regarding the processing of personal data is limited.104 It is generally assumed that data controllers are offering transparency on the personal data they are processing and for which purposes via privacy policies, terms & conditions, or both.105 However, the problem is that people do not read these privacy policies (the EU average of people who read the entire text is 11%).106 Reading privacy policies is very time consuming: research shows that reading all privacy policies would take an average person 244 hours annually.107 At the same time, people are only prepared to spend between one and five minutes on per policy.108 Even the people who make an effort to read privacy policies may have troubles with the (oftentimes highly) legalistic and technological text. In some cases, clear and brief privacy policies are available, but these raise the question as to how much information they really offer.109 There were no large differences found with regard to transparency among the countries investigated. This makes it difficult to identify best practices. Nevertheless, lack of transparency is a significant problem as it complicates an individual’s use of data subject rights. This relates to a much broader problem that is based in the complexity of technology.110 In short, this boils down to the fact that it is difficult to explain the complexity of data processing in clear and plain language; when trying to use simple explanations, the complexity is reduced in a way that may no longer adequately reflect the reality of data processing.

103 104 105 106 107 108 109 110

In English: Federal Office for Information Security (FOIS). Custers, Van der Hof and Schermer 2014. Custers et al. 2013. CONSENT 2012, p. 4. McDonald and Cranor 2008. Van den Berg and Van der Hof 2012. Toubiana and Nissenbaum 2011. See also Custers, Van der Hof and Schermer 2014; Custers 2016.

10.1

Comparing Countries

225

Table 10.11 Budgets and number of employees of each DPA Budget (in millions of euros)

Number of employees (FTE)

Germany (2016) 13.7 (federal)a 110 (federal) 442c UK (2016) 26.5b Italy (2015) 19.2 121 France (2016) 19.0 192 Netherlands (2015) 8.1 73 60 Ireland (2017) 7.5d Sweden (2014) 4.6 40 Romania (2015) 0.7 41 [Source The authors] a The budgets of the 16 state level DPAs are not included in this number b The annual budget in 2016 was 23 million British pounds c Of this number, 409 employees were employed full-time d This was the budget in 2017. However, the budget for the Irish DPA has increased significantly in recent years: in 2016 the budget was 4.7 million euros, in 2015 the budget was 3.65 million euros and in 2017 the budget was 1.9 million euros

10.1.5 Regulatory Authorities and Enforcement Supervisory Authorities All countries investigated have a data protection authority (DPA) dedicated to privacy and personal data protection. Only in Romania was this task (initially) committed to the national ombudsman, but after an EU audit, a separate supervisory authority was established.111 Budgets and number of employees differ significantly between countries, however. Table 10.11 shows an overview of the annual budgets of the DPAs in each country and the number of employees that serve at each DPA. For Germany, this comparison is difficult to make, because apart from the federal DPA, there are also 16 state-level DPAs. When these state-level figures are also taken into account, Germany would rank at the top of both lists. The larger countries (Germany, the UK, Italy, and France) obviously have committed the largest budgets to their DPAs. However, a fairer comparison would be to compare the budgets in relation to each country’s GDP, which is shown in Fig. 10.10. There are some observations that can be made from Fig. 10.10. First, it seems that the majority of the countries have similar budgets assigned to their DPA (in relation to their GDP). The relative budgets for France, Sweden, the UK, Italy, and

111 Manolea 2007, p. 1. See also COM(2004) 2004 Regular Report on Romania’s progress towards accession, 657, Brussels: European Commission, p. 62. https://ec.europa.eu/ neighbourhood-enlargement/sites/near/files/archives/pdf/key_documents/2004/rr_ro_2004_en.pdf.

226

10 Conclusions

3 2.5 2 1.5 1 0.5 0

Romania

France

Sweden

UK

Italy Netherlands Ireland

Fig. 10.10 Budget of national DPAs in relation to GDP (UK, the median value, was set at 1 for ease of comparison) (Germany was left out of this comparison, because only data for the federal DPA are available. When including the DPAs at the state level, Germany would show numbers significantly above any other country in this comparison)

the Netherlands are all in the same range. If the state-level figures in Germany were included (i.e., the federal DPA and 16 state-level DPAs), it would rank the highest. The most remarkable country in this comparison is Ireland. The budget for the Irish DPA has increased significantly in recent years: the 2017 budget is nearly four times the size of the 2014 budget.112 The budget of Romania is the lowest, both in absolute and relative terms. When looking at Table 10.11, it can be concluded that the number of employees serving at each DPA is closely related to the available budget. Only Romania and the UK manage to employ considerably more workers within the available budgets. In Italy, the number of employees of the DPA is relatively low in comparison to the DPA’s budget. Additionally, when looking at the number of employees, it is not entirely fair to compare absolute numbers. Again, larger countries would appear to do better than smaller countries. Hence, Fig. 10.11 shows the number of employees of each DPA in comparison to the number of inhabitants. Main Activities The DPAs in all of the countries investigated focus on a similar range of activities. These activities are clustered around topics such as supervising, advising, and

112 Data Protection Commissioner of Ireland, ‘Data Protection Commissioner welcomes Budget 2017 increase in funding’, https://www.dataprotection.ie/docs/13-10-2016-Data-ProtectionCommissioner-welcomes-Budget-2017-increase-in-funding/i/1601.htm.

10.1

Comparing Countries

227

14 12 10 8 6 4 2 0

Italy

Romania

France

Sweden Netherlands UK

Ireland

Fig. 10.11 Number of DPA employees in relation to the number of inhabitants (FTEs per million people) (Germany was left out of this comparison because only data for the federal DPA are available. When including the DPAs at the state level, Germany would show numbers significantly above any other country in this comparison)

providing information. Most DPAs maintain extensive websites with large amounts of information materials. When looking at the enforcement powers of the DPAs before the GDPR came into force, all of them had several powers and options for sanctioning violations of data protection laws. In the Netherlands and Romania, as well as partially in Italy,113 the DPAs had the possibility to impose (maximum) sanctions that depended on the annual turnover of companies, a type of sanction that is applicable in all EU member states since the GDPR came into force.114 In absolute numbers, maximum fines are highest in France (at 3 million euros) and lowest in Romania (at 22,000 euros).115 Criminal sanctions are also possible in most countries, with maximum prison sentences ranging between six months and five years.116 An overview is provided in Table 10.12.

113 All sanctions imposed by the Italian Data Protection Law can be multiplied by four when the standard amount would be ineffective because of the economic conditions of the offender. Article 164 bis (2), Italian Data Protection Code (Legislative decree 196/2003). 114 GDPR, Article 83(4) and (6). 115 Other maximum fines that can be imposed by DPAs are: Netherlands 820,000 euro, Germany 300,000 euro, Sweden 105,000 euro, Ireland 100,000 euro and Italy 300,000 euro. https://iapp.org/ media/pdf/resource_center/BM-2016-Global-Enforcement-Report.pdf. 116 The maximum sentence is 6 months in the Netherlands, 1 year in Ireland, 2 years in both Germany and Sweden, 3 years in both Romania and Italy, and 5 years in France. https://iapp.org/ media/pdf/resource_center/BM-2016-Global-Enforcement-Report.pdf.

228

10 Conclusions

Table 10.12 Competencies and activities of the DPAs Maximum fines by DPAs (in euros)a

Criminal law (maximum prison sentence)b

Number of questions/ notifications

Number of investigations

Number of complaints

Yes (max. 6 months)

8,799

197

303c

Germany

820,000 or 10% of the turnover 300,000

6,687

No data

3.699

Sweden

105,000d

12,000

No data

United Kingdom

580,000f

Yes (max. 2 years) Yes (max. 2 years) Yes (max. unknown)

No data

Ireland

100,000

16,300 (notifications) +204,700 (questions) 41,000g

214+ 223e 5,100

34

2,642

France

3,000,000

No data

421

7,908

Romania

22,000 or 2% of the turnover

229

1,074

Italy

300,000

7,500 (notifications) +1242 (questions) 24,097

282

2,369

Netherlands

Yes (max. 1 year) Yes (max. 5 years) Yes (max. 3 years)

Yes (max. 3 years)

[Source The authors] https://iapp.org/media/pdf/resource_center/BM-2016-Global-Enforcement-Report.pdf b https://iapp.org/media/pdf/resource_center/BM-2016-Global-Enforcement-Report.pdf c This is the number of mediations. The Dutch DPA does not register and process complaints. Citizens can make notifications, however, which are represented in the fourth column of Table 10.12 d 1 million Swedish crowns e There were 214 complaints and 223 qualifying questions f 500,000 British pounds g 15,500 emails, 20,000 phone calls and 5,500 items via post a

Use of Competencies We also tried to compare the number of questions, notifications, investigations and citizen complaints handled by the DPAs and the numbers of sanctions imposed. However, only limited data was available for this and the data that are available are hard to compare. For instance, some countries report the number of questions, notifications, and complaints separately, whereas others report them together. We acknowledge that it may sometimes be difficult to categorize a phone call or e-mail message as a question, notification, or complaint. Additionally, the number of investigations is difficult to compare, as some investigations of a DPA may be small-scale and only take a few weeks, whereas other investigations may take

10.1

Comparing Countries

229

60 50 40 30 20 10 0

Fig. 10.12 Percentage of people that are aware of their DPA (Based on Eurobarometer 431 2015, p. 52.)

several months or even years and involve large teams. The available figures are shown in Table 10.12. Nonetheless, there are some general tendencies that may be observed. For instance, the German DPAs are now inclined to use stricter enforcement, although in the past few fines were imposed. In the Netherlands, a similar tendency can be observed. Over the past few years, the Dutch DPA has hired an increasing number of employees with a background in litigation, and has indeed litigated an increasing number of cases. Reputation The extent to which supervisory authorities are known to the public and their reputation can influence the levels of compliance. In terms of reputation, residents are most aware of their country’s DPA in Sweden (51%) and the Netherlands (50%). The DPAs in the UK (27%) and Romania (22%) are the least known. The EU average is 37%. An overview is shown in Fig. 10.12. Within the scope of this research, it was not possible to determine the reputation of each individual DPA. It is therefore not clear in which countries the DPA is feared or in which countries the cooperation with DPAs is experienced as pleasant and constructive by data controllers. There may be a strong connection between the levels of enforcement, the levels of fines imposed and the reputation of DPAs. As such, the increased levels of fines under the GDPR may alter the reputation of DPAs in the near future.

230

10.2

10 Conclusions

Ranking the Results

In this research, the main question to be answered (see Chap. 1) was: What is the position of different countries with regard to the protection of personal data in comparison with other EU member states? The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind in specific aspects. Within the group of countries compared in this research, Germany is the frontrunner in most aspects, and Italy and Romania are at the other end of the spectrum for many aspects. Most of the other countries perform around or above average, depending on the particular aspect that is considered. For instance, the Netherlands is a leader regarding data breach notification laws and Privacy Impact Assessments. Ireland has recently become the frontrunner regarding the budgets for its data protection authority (DPA) and the number of employees serving at the DPA. At the same time, the Irish people are the least aware of the use of personal information by website owners. In Ireland and Romania, there is hardly any political debate on privacy and data protection issues. The political debate in Sweden may not be the fiercest, but it could be characterized as perhaps the broadest, in the sense that economic aspects, societal aspects, and human rights aspects all play a role in the Swedish political debate, whereas most other countries only focus on only one of these aspects. In terms of media attention for privacy and data protection issues, Sweden and Italy have lower levels of media attention and Romania has very little media attention, but other countries show high levels of media attention. Civil rights organizations are more professional, better equipped, and more influential in the UK and Germany and, to a lesser extent, in France. However, in countries like Sweden and Romania, civil rights organizations have limited budgets and influence. For instance, the Swedish organization DFRI mainly operates on the basis of volunteers. Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) were not mandatory in most countries, prior to the GDPR. An exception, to some extent, is France, where a legal obligation for data controllers to map the risks of processing personal data already existed. However, PIAs are not mandatory for new legislation or regulation in France. In the Netherlands, the situation is more or less the opposite: data controllers were not under any obligation to perform PIAs prior to the GDPR, but the national government has the duty to perform PIAs for legislative proposals that involve the processing of personal data (which is not required in the GDPR). In other countries, like the UK and Italy, the data protection authorities have issued guidelines for executing PIAs. In some countries, like the UK and France, models and standards for PIAs are available, and guidance is offered by the DPAs. Differences in the implementation of the data protection directive into national legislation are very small in the countries investigated: although EU member states

10.2

Ranking the Results

231

are allowed to implement more provisions than those mentioned in the EU data protection directive, only a few countries implemented such additional provisions for further protection. Typical examples are breach notification laws in the Netherlands, data protection audits in Germany, privacy by design methods in the UK, and special provisions for health care data and children in France. Many countries introduced additional, more specific, sectoral legislation in many areas, however. Germany has by far the largest number of privacy officers and is the only country in which a legal obligation existed prior to the GDPR to appoint a privacy officer in particular situations. Romania has virtually no privacy officers. Since privacy officers were not mandatory in most countries prior to the GDPR, there are no data available to compare. Moreover, transparency on personal data processing practices is low in all countries investigated. The resources of the DPAs are comparable in many of the countries investigated, but the DPAs in Germany and Ireland have relatively (i.e., in comparison to their GDP) the largest budgets. Romania has the smallest budget. Most of the DPAs manage to get comparable amounts of employees for their budgets. Only Romania and the UK manage to employ considerably more employees within the available budgets. In Italy, the number of employees of the DPA is relatively low in comparison to the DPA’s budget. In comparison to the number of people in each country, Ireland and Germany have the most employees serving in their DPAs. The research results presented in this book offer many opportunities for policymakers, legislators, data controllers and data protection authorities throughout Europe and abroad to learn from experiences, practices and choices made in other countries. It shows that although the protection of personal data was largely harmonized within the EU by Directive 95/46/EC, many differences existed in the actual protection of personal data. Even though the protection of personal data is further harmonized by the General Data Protection Regulation (GDPR) since 2018, it may be expected that differences in national laws and practices will continue to exist. Hence, we believe this research should be replicated after the GDPR has been in force for a few years.

References Acquisti A, Grosslags J (2005) Privacy and Rationality in Decision Making. IEEE Security and Privacy, 3 (1): 26–33 AP (2017) jaarverslag 2016. AP, The Hague Atkin J, Atkin B (1997) Akehurst’s Modern Introduction to International Law. Harper Collins, London Bamberger KA (2010) Technologies of Compliance: Risk and Regulation in a Digital Age. Texas Law Review Blick A, Blackburn R (2012) Mapping the Path to Codifying - or not Codifying - the UK’s Constitution, Series paper 2. Centre for Political and Constitutional Studies, King’s College London

232

10 Conclusions

Bygrave LA (2002) Data Protection Law. Approaching its rationale, logic and limits. Information Law Cartabia M (2007) Le sentenze gemelle: diritti fondamentali, fonti, giudici ([Osservazione a] Corte cost., sent., 24 ottobre 2007 n. 349). Giurisprudenza costituzionale 52.5 (2007): 3564–3574 CONSENT (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/ Council of Europe (1981) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, No. 108, 28.01.1981 Council of Europe (1987) Police Data Recommendation Rec(87)15, 17.9.1987 Council of Europe (2001) Convention on Cybercrime CETS No. 185, 23.11.2001 Custers BHM (2005) The Risks of Epidemiological Data Mining. In: Tavani H (ed) Ethics, Computing and Genomics: Moral Controversies in Computational Genomics. Jones and Bartlett Publishers, Inc., Boston Custers BHM (2016) Click here to consent forever. Expiry dates for informed consent. Big Data & Society, pp. 1–6 Custers BHM, Ursic H (2016) Big data and data reuse: a taxonomy of data reuse for balancing big data benefits and personal data protection. International Data Privacy Law 6(1): 4–15 Custers BHM, Van der Hof S, Schermer B, Appleby-Arnold S, Brockdorff N (2013) Informed Consent in Social Media Use. The Gap between User Expectations and EU Personal Data Protection Law. SCRIPTed, Journal of Law, Technology and Society, Volume 10, Issue 4, pp. 435–457 Custers BHM, Van der Hof S, Schermer B (2014) Privacy expectations of social media users: The role of informed consent in privacy policies. Policy & Internet 6(3): 268–295 de Hert P, Kloza D, Wright D (2012) Recommendations for a privacy impact assessment framework for the European Union. PIAF project Deliverable D3, Brussels/London, November 2012 Dörr D, Aernecke E (2012) A never ending story: Caroline v Germany. In: Dörr D, Weaver RL (eds) The right to privacy in the light of media convergence. De Gruyter, Berlin Eddy M (2016) Reports of Attacks on Women in Germany Heighten Tension Over Migrants. The New York Times, 5 January 2016 Eurobarometer Survey 431 (2015) Attitudes on Data Protection and Electronic Identity in the European Union. Brussels, June 2015 Gonzales Fuster G (2014) The Emergence of Personal Data Protection as a Fundamental Right of the EU. Springer, Heidelberg Hermida J (2004) Legal basis for national space legislation. Kluwer, Dordrecht Hintze M (2017) In Defense of the Long Privacy Statement (February 8, 2017). Maryland Law Review, 76 Md. L. Rev. 1044. Available at SSRN: https://ssrn.com/abstract=2910583 Hornung G (2012) A General Data Protection Regulation for Europe? Light and Shade in the Commission’s Draft of 25 January 2012. 9 SCRIPTed 64-81, Series 10, Kluwer Law International, The Hague IACP (2009) Privacy Impact Assessment Report for the Utilization of License Plate Readers. International Association of Chiefs of Police, Alexandria, VA Jensen C, Potts C, Jensen Chr (2005) Privacy practices of Internet users: Self-reports versus observed behavior. International Journal of Human-Computer Studies 63, no. 1–2 (2005): 215, 223 Kommers DP (2012) The Constitutional Jurisprudence of the Federal Republic of Germany. Duke University Press, Durham NC Koops BJ (2011) Forgetting Footprints, Shunning Shadows. 8 SCRIPTed, 3, 5, Kluwer Law International, The Hague Koops BJ (2016) Criminal Investigation and Privacy in Italian Law (21 December 2016). TILT Law & Technology Working Paper Series, version 1.0, December 2016, p. 34. Available at SSRN: https://ssrn.com/abstract=2888422 or http://dx.doi.org/10.2139/ssrn.2888422 Kuner C (2012) The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law (2012). Privacy and Security Law Report

References

233

Kuner C (2014) The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines. LSE Legal Studies, Working Paper No. 3/2015 LaRose R, Rifon N (2007) Promoting i-Safety: Effects of Privacy Seals on Risk Assessment and Online Privacy Behaviour. Journal of Consumer Affairs, 41 (1): 127–49 Manolea B (2007) Institutional framework for personal data protection in Romania. See https:// www.apti.ro/DataProtection_ro.pdf McDonald AM, Cranor LF (2008) The cost of reading privacy policies. I/S Journal for Law and Policy for the Information Society. http://www.aleecia.com/authors-drafts/readingPolicyCostAV.pdf Münch M (2013) Do as the Swedes do? Internet policy and regulation in Sweden – a snapshot. Internet Policy Review, 2(2). DOI: https://doi.org/10.14763/2013.2.127 Norberg PA, Horne DR, Horne DA (2007) The Privacy Paradox: Personal Information Disclosure Intentions versus Behaviors. Journal of Consumer Affairs, Vol. 41, No.1, pp. 100–126 Pajunoja LJ (2017) The Data Protection Directive on Police Matters 2016/680 protects privacy The evolution of EU´s data protection law and its compatibility with the right to privacy. Master Thesis, University of Helsinki Salami EA (2017) The Impact of Directive (EU) 2016/680 on the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties and on the Free Movement of Such Data on the Existing Privacy Regime. http://dx.doi.org/10.2139/ssrn. 2912449 Schermer BW, Custers BHM, van der Hof S (2014) The crisis of consent: how stronger legal protection may lead to weaker consent in data protection. Ethics and Information Technology 16(2): 171–182 Schneier B (2009) State Data Breach Notification Laws: Have They Helped? Information Security, January 2009 Solove DJ (2013) Privacy self-management and the consent dilemma. Harvard Law Review, 126, 1880–1903 Toubiana V, Nissenbaum H (2011) An Analysis of Google Logs Retention Policies. Journal of Privacy and Confidentiality 3 (1): Article 2 Trilateral Research & Consulting (2013) Privacy impact assessment and risk management Report for the Information Commissioner’s Office, 4 May 2013. https://ico.org.uk/media/1042196/ trilateral-full-report.pdf Van den Berg B, van der Hof S (2012) What happens to my data? A novel approach to informing users of data processing practices. 17 First Monday Versmissen JAG, Terstegge JHJ, Siemers KM, Tran TH (2016) Evaluatie Toetsmodel PIA Rijksdienst. Privacy Management Partners, Utrecht WP29 (2017) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. Article 29 Data Protection Working Party, WP248, 4 April 2017 Wright D (2011) A framework for the ethical impact assessment of information technology. Ethics and Information Technology, Vol. 13, No. 3, September 2011, pp. 199–226 Wright D, de Hert P (2012) Privacy Impact Assessment. Springer, Dordrecht

Appendix A Questionnaire

This questionnaire consists of five substantive parts and one part with general questions. Please provide answers to as many questions as possible, also when you cannot answer questions with a lot of detail or when answers are based on your expert knowledge rather than based on specific scientific research. In case you have detailed or supplementary information in reports or on specific websites, you can also send us these reports (or parts thereof) or links to relevant websites directly, but please indicate which parts answer which questions. Do not worry if these sources are not in English, we can take care of translating any relevant parts as long as you indicate where we should be looking. In case you cannot answer a question, please skip this question. If you know of any people who may be able to answer these questions, we would appreciate it if you would notify us and send contact details to […]. The aim of our research is to look at country specific approaches towards the protection of personal data. Please refer to national laws and regulations as much as possible, as referring to EU personal data protection law will not reveal the distinctions we are looking for. Part I – General Situation In order to provide a general description regarding the situation on protection of personal data in your country we would like information on the following topics: 1.1 What is the general situation regarding personal data protection? What is the level of awareness of citizens and companies regarding personal data protection? Do citizens know which organizations are collecting their personal data and for which purposes? Are citizens aware of their rights? What is the importance of personal data protection according to citizens and companies? Is compliance the main concern for companies, does reputation play a role or are there other arguments to value data protection? Do citizens feel in control regarding what happens to their personal data? What actions do citizens take to protect their personal data and how often? (like taking security measures, using privacy settings, request for removal of their data, refuse consent for data processing and file complaints at companies and/or data protection authorities). © T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8

235

236

Appendix A: Questionnaire

1.2 What is the role of national politics regarding personal data protection? How often is personal data protection a subject of debate in the national parliament of your country? What are the viewpoints of the major political parties in your country on privacy and personal data protection? When debating privacy versus security, what is more important? Do they favor regulation or self-regulation? Is there a dialogue between political parties and civil rights organizations? What is the general policy on privacy and data protection of the current government? Please provide any policy documents, like coalition agreements or cabinet programs. Are there any recent developments in policies? Are there information campaigns on privacy or data protection initiated by the government or others?

1.3 Is there media attention for privacy and personal data protection? Which topics related to privacy and data protection are discussed in the media? Is there a nationwide debate on privacy or data protection? How often are these topics in the media and in which media? What is the attitude of these news items towards privacy and data protection?

1.4 Have there been incidents regarding privacy and personal data protection? Have there been incidents like data breaches, data leaks, lawsuits, and economic damage? Were there large or smaller incidents with high impact? Please describe the most relevant cases. What were the reactions to these incidents? Have citizens or organizations protested with regard to personal data protection? If so, how many people were involved and what were their concerns?

1.5 What is the role of civil rights organizations? Which civil rights organizations are active and how large is their support? What role do they take (e.g., protesting or facilitating debates)? Do civil rights organizations actually influence government policies? Are they consulted when new legislation is prepared? Are these organizations well-known among citizens and companies? How many complaints and of what types do they receive?

Part II – National Government Policies In order to describe national government policies regarding the protection of personal data in your country we would like information on the following topics: 2.1 What is the national government’s policy regarding personal data protection? Is there a general policy? Are there sector specific policies? Are risk analyses or Privacy Impact Assessments (PIAs) mandatory? How and when should PIAs be executed?

2.2 What is the role of privacy and personal data protection when creating new policies? How does the government anticipate on new developments like big data, internet of things, quantified self, etc.? Is privacy by design used? Do privacy and personal data protection play a role in policy-making in other domains?

2.3 Which role does the national government take in the societal debate on privacy and personal data protection? Does the government take an active or a reactive approach towards the societal debate? Is there a dialogue between the government and civil rights organizations? Does the government take opinions of citizens and companies into account when creating new policies and legislation (e.g. via internet consultations)?

Appendix A: Questionnaire

237

2.4 Does the government provide information on personal data protection? Are there information campaigns on privacy or data protection initiated by the government or others? Do these campaigns address citizens or companies or both? Does the government subsidize projects for creating further awareness?

Part III – Laws and regulations In order to describe national laws and regulations regarding personal data protection in your country we would like information on the following topics: 3.1 Which laws and regulations constitute the implementation of EU Directive 95/46/EC? Is the EU Directive implemented only at the level of minimum requirements or are there additional provisions? Are there any tensions between this legislation and other existing legislation?

3.2 Which other laws and regulations see to the protection of personal data? Are there any sector specific laws and regulations relevant to personal data protection? Does this legislation concern sensitive categories of personal data?

3.3 Are there any other types of regulation applicable? Are there any forms of decentralized regulation? Does self-regulation exist? Is self-regulation encouraged by the national government?

Part IV – Implementation In order to describe the practical implementation of legislation and policies regarding the protection of personal data in your country we would like information on the following topics: 4.1 How is the protection of personal data ensured in practice in organizations? Do organizations use self-regulation or codes of conduct? Are DPAs consulted regarding self-regulation or codes of conduct? How are codes of conduct enforced? How do organizations protect personal data (apart from information security)? Are internal policies connected to standards (like ISO standards, DPA guidelines, etc.)?

4.2 How many organizations (both government agencies and companies) have privacy officers? How is the role of privacy officer implemented? Is this a full-time job or a task of an employee with other tasks? What are the authorities of the privacy officer? Does the privacy officer have an independent position? What are the activities of the privacy officer?

4.3 What technological and organizational measures are implemented by organizations to protect personal data? Is the protection of personal data monitored within organizations? Are principles of Privacy by Design and need-to-know (role-based access) implemented? How is information security implemented (e.g., ISO certificates, codes of conduct)?

238

Appendix A: Questionnaire

4.4 How much transparency is there regarding data collection and processing? Do citizens read and understand privacy policies? Do organizations offer personalized privacy settings? How do organizations try to be transparent about collecting and processing personal data?

Part V – Regulatory Authorities and Enforcement In order to describe the role of regulatory authorities and the enforcement of regulations regarding the protection of personal data in your country we would like information on the following topics: 5.1 What are the relevant regulatory/supervisory authorities (including DPAs) in the area of personal data protection and on which domains do they focus? Are there any specific target groups for the regulatory authorities? What are the budget and the number of employees of each regulatory authority?

5.2 What is the role of the regulatory authorities (including DPAs)? What are the main activities of the regulatory authorities (e.g., dealing with complaints, raising public awareness, monitoring compliance, providing advice, etc.)? What are their priorities? Is there a dialogue between the authorities and organizations under supervision? When do the authorities decide to start an investigation and when to impose sanctions? Do the authorities advice on proposed legislation? Do the authorities support citizens? What are the competences of the regulatory authorities (e.g., imposing fines, administrative sanctions, etc.)?

5.3 How do the regulatory authorities (including DPAs) use their competences? How many complaints do the authorities receive? What types of complaints are these? In how many cases is there an act of enforcement (e.g., fines, administrative sanctions, etc.)? What sanctions are imposed? How many civil and criminal lawsuits are there in which the regulatory authorities do not play a role? What is the outcome of such lawsuits?

5.4 How do citizens and companies see the regulatory authorities? Do citizens/companies know the regulatory authorities and are they aware of their activities? How do citizens/companies see the regulatory authorities? Do companies fear data protection authorities?

Part VI – General Questions 6:1 Do you know of literature that answers (several of) these questions for your country or any of the other countries mentioned? 6:2 Do you know of any comparisons between EU countries on one or more of the topics in this questionnaire? 6:3 Do you know any experts in your country that we should contact? If so, we would welcome contact details. 6:4 Do you have any contacts at your national or local Data Protection Authority that we can contact for this research?

Appendix B Consulted Experts and Organizations

The following experts and organizations provided information on the situation regarding the protection of privacy and personal data in their respective countries that was essential for this research. Netherlands • Koosje Verhaar Autoriteit Persoonsgegevens (Dutch Data Protection Authority) Germany • Sebastian Eschrich Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (German Federal Data Protection Authority) • Prof. Dr. Thomas Hoeren Institut für Informations-, Telekommunikations- und Medienrecht Münster University Sweden • Johanna Carlsson Division for Constitutional Law Sweden • David Törngren Division for Constitutional Law Sweden

Ministry of Justice

Government Offices of

Ministry of Justice

Government Offices of

United Kingdom • Alain Kapper Information Commissioner’s Office (UK Data Protection Authority) • Andrew Charlesworth LLB University of Bristol © T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8

239

240

Appendix B: Consulted Experts and Organizations

Ireland • Dr. TJ McIntyre University College Dublin • Dr. Paul Lambert Trinity College Dublin France • Emmanuel Laforet Adjoint au chef de bureau du droit constitutionnel et du droit public général Direction des Affaires civiles et du Sceau, Ministère de la justice Romania • Prof. univ. dr. Ioana Vasiu Babeș-Bolyai University, Cluj-Napoca • Bogdan Manolea APTI – Asociația pentru Tehnologie și Internet (Association for Technology and Internet) • Oana Luisa Dumitru National Supervisory Authority for Personal Data Processing (Romanian Data Protection Authority) Italy • Paolo Balboni European Privacy Association • Garante per la protezione dei dati personali (Italian Data Protection Authority)

Bibliography

Andersson Elffers Felix (2017) Organisatorische vertaling Verordening & Richtlijn gegevensbescherming, Utrecht: Andersson Elffers Felix. https://autoriteitpersoonsgegevens.nl/sites/ default/files/atoms/files/eindrapportage_aef.pdf. Andersson Elffers Felix (2013) Media-analyse identiteitsmanagement, Utrecht: AEF. http://www. aef.nl/aef-onderzoekt-identiteitsmanagement-in-europa. AP (2016) Jaarverslag 2015, Den Haag: AP. AP (2017) Jaarverslag 2016, Den Haag: AP. https://autoriteitpersoonsgegevens.nl/sites/default/ files/atoms/files/ap_jaarverslag_2016.pdf. Bamberger, K.A. and Mulligan, D.K. (2015) In Privacy on the Ground: Driving Corporate Behavior in the United States and Europe. The MIT Press. Bapat, A. and Smith, A. (2017) United Kingdom Data Protection 2017. International Comparative Legal Guides. https://iclg.com/practice-areas/data-protection/data-protection-2017/unitedkingdom#chaptercontent12. Barry, A. (2013) Ireland ‘should consider laws that would jail cyber bullies’. TheJournal.ie. https://www.thejournal.ie/cyber-bullying-ireland-1162881-Nov2013/. Bauman, T. (2014) Ireland: The Country that Sets Big Tech’s Internet Privacy Policies. The Sovereign Investor Daily. http://thesovereigninvestor.com/asset-protection/ireland-sets-bigtech-internet-privacy-policies/. Bennefeld, C. (2016) So ungeschützt sind deutsche Surfer im Netz, Handelsblatt.com, http://www. handelsblatt.com/technik/sicherheit-im-netz/datenschutz-in-deutschland-so-ungeschuetzt-sinddeutsche-surfer-im-netz/14592766.html. Biermann, K. and Jacobsen, L. (2013) Eine Datenschutzbeauftragte, die Daten nicht schützen will, Zeit Online, http://www.zeit.de/digital/datenschutz/2013-12/datenschutzbeauftragte-vosshoffbundestag-gewaehlt. Big Brother Watch (2012) Protecting Civil Liberties: The 2015 Big Brother Watch Manifesto. Big Brother Watch. Big Brother Watch (2012) The Price of Privacy: How local authorities spent £515m on CCTV in four years. Big Brother Watch. Blick, A. (2012) Mapping the Path to Codifying - or not Codifying - the UK’s Constitution: The Existing Constitution, Series paper 2. Centre for Political and Constitutional Studies, King’s College London. Boddewyn, J.J. (1985) The Swedish Consumer Ombudsman System and Advertising Self-Regulation, The Journal of Consumer Affairs, Vol. 19, No. 1, pp. 140–162.

© T.M.C. ASSER PRESS and the authors 2019 B. Custers et al., EU Personal Data Protection in Policy and Practice, Information Technology and Law Series 29, https://doi.org/10.1007/978-94-6265-282-8

241

242

Bibliography

Bohan, A. and Carney, A. (2017) Ireland Data Protection 2017. International Comparative Legal Guides. https://iclg.com/practice-areas/data-protection/data-protection-2017/ireland#chapterc ontent1. Bongers, F., Jager, C.J., & Velde, R. te (2015) Big data in onderwijs en wetenschap, Utrecht: Dialogic. Bordessa, E. (2018) ICO data security statistics highlight need for increased staff awareness. https://www.itgovernance.co.uk/blog/ico-data-security-statistics-highlight-need-for-increasedstaff-awareness/. Borking, J.J.F.M. (2010) Privacyrecht is code: Over het gebruik van privacy enhancing technologies (proefschrift, Universiteit Leiden) Deventer: Kluwer. Braunmühl P. von (2015) Regulierte Selbstregulierung im Datenschutz, https://berlinerdatenschutzrunde.de/node/145. Brockdorff, N. (2012) Quantitative Measurement of End-User Attitudes Towards Privacy. Work Package 7 of Consent. http://www.consent.law.muni.cz/. Cabinet Office (2008) Cross Government Actions: Mandatory Minimum Measures. http://www. cabinetoffice.gov.uk/sites/default/files/resources/cross-gov-actions.pdf. Carney, A. and Bohan A. (2016) Chapter 14 – Ireland. The Privacy, Data Protection and Cybersecurity Law Review, Third Edition. Law Business Research. Cavoukian, A. (2009) Privacy by Design: The 7 Foundational Principles, Information and Privacy Commissioner of Ontario, Toronto, Ontario, August 2009. CBP (2008) Informatiebeveiliging in ziekenhuizen voldoet niet aan de norm, Den Haag: CBP. CBP (2010) Onderzoek van het College bescherming persoonsgegevens (CBP) naar bestandskoppelingen door de SIOD voor de ontwikkeling van risicoprofielen, z2009-00672, Mei 2010, Den Haag: CBP. CBP (2013) Beveiliging van persoonsgegevens. Den Haag: CBP. CENSIS (2012) Il valore della privacy nell’epoca della personalizzazione dei media. CentERdata (2016) Tilburg University, Study on consumers’ attitudes towards Terms and Conditions, final report. Publications Office of the EU, Luxembourg 2016, https://doi.org/10. 2818/950733. Chopin, I. and Germaine-Sahl, C. (2013) Developing Anti-discrimination Law in Europe. European Commission, Directorate General for Justice. October 2013. Commission of the European Communities (EC) (2009) Commission recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification, Brussels, 2009. Competition & Markets Authority (2015) The commercial use of consumer data: Report on the CMA’s call for information. https://www.gov.uk/government/uploads/system/uploads/ attachment_data/file/435817/The_commercial_use_of_consumer_data.pdf. Council of Europe (2001) The implications for Council of Europe Member States of the Ratification of the Rome Statute of the International Criminal Court, Progress Report, Sweden, consult/icc 37. Cullen, P. (2009) Bord Gáis Failed to Say Stolen Laptop Data Not Encrypted. The Irish Times. http://www.irishtimes.com/news/bord-g%C3%A1is-failed-to-say-stolen-laptop-data-notencrypted-1.787045. CONSENT (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy. https://www.consent.law.muni.cz/. Cuijpers, C.M.K.C. (2006) Verschillen tussen de Wbp en richtlijn 95/46/EG en de invloed op de administratieve lasten- en regeldruk, 22 juni 2006. See www.actal.nl. Custers, B.H.M. (2016) Etnisch profileren is wettelijk verboden en dat moet zo blijven. Trouw, 7 juni 2016, p. 17. Custers, B.H.M., Oerlemans, J.J., Vergouw, S.J. (2015) Het gebruik van drones; een verkennend onderzoek naar onbemande luchtvaartuigen, Meppel: Boom Lemma Uitgevers. Custers B.H.M., J.J. Oerlemans & Pool R.L.D. (2016) Ransomware, cryptoware en het witwassen van losgeld in Bitcoins, Strafblad 14(2): 87–95.

Bibliography

243

Custers, B., Van der Hof, S., Schermer, B., Appleby-Arnold, S., and Brockdorff, N. (2013) Informed Consent in Social Media Use. The Gap between User Expectations and EU Personal Data Protection Law, SCRIPTed, Journal of Law, Technology and Society, Volume 10, Issue 4, pp. 435–457. Custers, B., Van der Hof, S., Schermer, B. (2014) Privacy Expectations of Social Media Users: The Role of Informed Consent in Privacy Policies, Policy & Internet, Vol. 6, No. 3, pp. 268–295. Custers B.H.M. & Zwenne G.J. (2009) Aandachtspunten voor het College Bescherming Persoonsgegevens, Openbaar Bestuur 19(8): 14–17. Custers B.H.M. & Ursic H. (2016) Big data and data reuse: a taxonomy of data reuse for balancing big data benefits and personal data protection, International Data Privacy Law 6(1): 4–15. Custers, B.H.M., and Bachlechner, D. (2018) Advancing the EU Data Economy; Conditions for Realizing the Full Potential of Data Reuse, Information Polity, https://doi.org/10.3233/ip170419. Data Protection Commissioner (2013) Global Privacy Enforcement Network Internet ‘Privacy Sweep’. https://www.dataprotection.ie/documents/GPEN2013.pdf. Data Protection Commissioner (2016) Data Protection Commissioner welcomes Budget 2017 increase in funding. https://www.dataprotection.ie/docs/13-10-2016-Data-ProtectionCommissioner-welcomes-Budget-2017-increase-in-funding/1601.htm. Data Protection Commissioner (2016) Annual Report of the Data Protection Commissioner of Ireland. https://www.dataprotection.ie/docimages/documents/DPC%20AR2015_FINAL-WEB. pdf. Data Protection Commissioner (undated) The GDPR and You: Preparing for 2018. https://www. dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf. DDMA (2016) Hoe Nederlanders denken over data en privacy, Amsterdam: DDMA. Deegan, G. (2016) Cyber attack victim firm Loyaltybuild in Clare has €18m loss. Irish Examiner. http://www.irishexaminer.com/business/cyber-attack-victim-firm-loyaltybuild-in-clare-has18m-loss-379472.html. DellEMC (2014) EMC Privacy Index, https://www.emc.com/campaign/privacy-index/index.htm. Department for Business, Innovation and Skills (2014) Personal Data: Review of the midata voluntary programme. https://www.gov.uk/government/uploads/system/uploads/attachment_ data/file/327845/bis-14-941-review-of-the-midata-voluntary-programme-revision-1.pdf. Department of the Taoiseach (2016) Minister Dara Murphy highlights Ireland’s preparations for new EU-wide data protection rules in keynote address. http://www.taoiseach.gov.ie/eng/ Taoiseach_and_Government/About_the_Ministers_of_State/Minister/MoS_Murphy_s_Press_ Releases/Dara.html. Digital Rights Ireland Limited (2016) Income and Expenditure Account for the year ended 31 December 2015. Dörr, D. and Aernecke, E. (2012) A never ending story: Caroline v Germany. In D. Dörr and R.L. Weaver (eds.) The right to privacy in the light of media convergence, Berlin: De Gruyter. Dubbeld, L. (2007) Functionarissen voor de gegevensbescherming: onzichtbare privacybeschermers, Privacy & Informatie, 2007, aflevering 2, pp. 69–70. Dutton, W.H., and Blank, G. (2013) Cultures of the Internet: The Internet in Britain. Oxford Internet Survey 2013. http://oxis.oii.ox.ac.uk/reports. Eddy, M. (2016) Reports of Attacks on Women in Germany Heighten Tension Over Migrants. The New York Times. 5th January 2016. Edwards, E. (2014) Loyaltybuild Reopens for Business after Huge Data Breach. The Irish Times. http://www.irishtimes.com/news/consumer/loyaltybuild-reopens-for-business-after-huge-databreach-1.1722266. Edwards, E. (2016) Civil Service Payroll System to Be Audited Following Data Breach. The Irish Times. http://www.irishtimes.com/news/ireland/irish-news/civil-service-payroll-system-to-beaudited-following-data-breach-1.2691360.

244

Bibliography

Edwards, E. (2016) Data Protection Commissioner Helen Dixon accuses lawyers of “digital ambulance chasing”. The Irish Times. http://www.irishtimes.com/business/technology/dataprotection-commissioner-helen-dixon-accuses-lawyers-of-digital-ambulance-chasing-1. 2712459. Edwards, E. (2016) Independence of Data Protection Commissioner questioned. The Irish Times. https://www.irishtimes.com/business/technology/independence-of-data-protectioncommissioner-questioned-1.2513682. Essen, J. van (2014) CBP een waakhond zonder tanden? Mr-online, 1 December 2014. http:// www.mr-online.nl/opinie/432-wetgeving/25169-cbp-een-waakhond-zonder-tanden. European Commission (2010) Data protection: Commission requests UK to strengthen powers of national data protection authority, as required by EU law. http://europa.eu/rapid/press-release_ IP-10-811_en.htm?locale=en. European Commission – Seventh Framework Programme (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy – Italy Report. European Commission – Seventh Framework Programme (2012) Consumer sentiment regarding privacy on user generated content (UGC) services in the digital economy – Germany Report. European Union (2015) Special Eurobarometer 431 “Data protection”. European Union Agency for Fundamental Rights (2010) Data Protection in the European Union: the role of National Data Protection Authorities (Strengthening the fundamental rights architecture in the EU II) http://fra.europa.eu/sites/default/files/fra_uploads/815-Data-protection_en.pdf. Expertgroep EZ (2016) Licht op de digitale schaduw; verantwoord innoveren met big data, Den Haag: ministerie van economische zaken. Fitzsimons, L. and Sherry, S. (2017) Brexit: the impact on General Data Protection Regulation, Eversheds Sutherland, http://www.eversheds-sutherland.com/global/en/what/articles/index. page?ArticleID=en/Data-Protection/brexit_impact_on_gdpr_170616. Frediani, C. (2017) Garante privacy Ue: “Sulla protezione dei dati l’Europa è leader”. Lastampa.it. http://www.lastampa.it/2017/11/13/esteri/garante-privacy-ue-sulla-protezione-dei-dati-leuropaleader-edTINi7G4UzW0KvDtM6emL/pagina.html. Garante per la Protezione dei Dati Personali (2014) Relazione annuale 2014. Garante per la Protezione dei Dati Personali (2015) Relazione annuale 2015. Garante per la Protezione dei Dati Personali (2017) Relazione annuale 2016. Groot, H. de (1625) De iure belli ac pacis. Pariisis: Apud Nicalaum Buon. Hawkes, B. (2016) The Irish DPA and Its Approach to Data Protection. In D. Wright and P. De Hert (eds.) Enforcing Privacy. Cham: Springer International Publishing. Hermida, J. (2004) Legal basis for national space legislation. Dordrecht: Kluwer. Hermes Center (2017) Italy extends data retention to six years. Edri.org. https://edri.org/italyextends-data-retention-to-six-years/. HM Government (2013) Information Economy Strategy. https://www.gov.uk/government/ publications/information-economy-strategy. HM Government (2016) Cyber Security Regulation and Incentives Review, December 2016. Department for Culture Media & Sport. https://www.gov.uk/government/uploads/system/ uploads/attachment_data/file/579442/Cyber_Security_Regulation_and_Incentives_Review.pdf. Hoffmeister, F. (2002) International agreements in the legal order of the candidate countries, in: A. Ott and K. Inglis (eds) Handbook on European Enlargement, The Hague: Asser Press, p. 209. Mirko Hohmann, Deutschland 4.0? Germany’s Digital Strategy Over the Next Four Years, https:// www.cfr.org/blog/deutschland-40-germanys-digital-strategy-over-next-four-years. Holvast, J. (2005) ‘Interview met Jacob Kohnstamm’, Privacy & Informatie, 2005-3, pp. 114–119. Hooghiemstra, T.F.M. (2002) Privacy bij ICT in de zorg. Bescherming van persoonsgegevens in de informatie-infrastructuur voor de gezondheidszorg. Den Haag: Cbp, A&V 2002 nr. 26. Hooghiemstra, T., Oud, J., Radema, M., Spruit, M., en Wielaard, P. (2016) Onderzoek naar de beveiliging van patiëntgegevens, Den Haag: PBLQ. Zie: https://www.rijksoverheid.nl/ documenten/rapporten/2016/12/01/onderzoek-naar-de-beveiliging-van-patientgegevens.

Bibliography

245

Hornung, G. (2012) A General Data Protection Regulation for Europe? Light and Shade in the Commission’s Draft of 25 January 2012 (2012) 9 SCRIPTed 64–81. House of Commons, Science and Technology Committee (2014) Responsible Use of Data, Fourth Report of Session 2014–15. https://www.publications.parliament.uk/pa/cm201415/cmselect/ cmsctech/245/245.pdf. House of Commons, Science and Technology Committee (2016) The big data dilemma: Government Response to the Committee’s Fourth Report of Session 2015–16, Fifth Special Report of Session 2015–16. https://www.publications.parliament.uk/pa/cm201516/cmselect/ cmsctech/992/992.pdf. Hulshof, M., en Veen, M. van der (2017) 21 ideeën voor een beter internet, Volkskrant, 17 juni 2017. http://www.volkskrant.nl/media/21-ideeen-voor-een-beter-internet*a4501135/. Information Commissioner’s Office (undated) The Information Commissioner’s response to the European Commission’s consultation on the legal framework for the fundamental right to protection of personal data. http://ec.europa.eu/justice/news/consulting_public/0003/contributions/ public_authorities/ico_uk_en.pdf. Information Commissioner’s Office (2013) Data Protection Regulatory Action Policy. Information Commissioner’s Office (2014) Conducting privacy impact assessments: code of practice. https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf. Information Commissioner’s Office (2015) Data protection rights: What the public want and what the public want from Data Protection Authorities. https://ico.org.uk/media/about-the-ico/ documents/1431717/data-protection-rights-what-the-public-want-and-what-the-public-wantfrom-data-protection-authorities.pdf. Information Commissioner’s Office (2016) Information Commissioner’s Annual Report and Financial Statements 2015/16. https://ico.org.uk/media/about-the-ico/documents/1624517/ annual-report-2015-16.pdf. Information Commissioner’s Office (2016) Consultation on ICO’s Privacy notices code of practice: summary of responses. https://ico.org.uk/media/about-the-ico/consultations/1625139/ ico-privacy-notices-code-of-practice-consultation-summary-20161006.pdf. Inspectie SZW (2015) Suwinet 2015; Vervolgonderzoek ‘veilig omgaan met elkaars gegevens’, Den Haag: Inspectie SZW, zie https://www.inspectieszw.nl/...veilig-omgaan-met-elkaarsgegevens/Suwinet-2015.pdf. IPSOS (2014) Nederlander minder onverschillig over privacy, 11 maart 2014. http://site.ipsosnederland.nl/politiekebarometer/Berichten/PersBericht_1264_Nederlander_minder_onverschillig_ over_privacy.html. Ipsos MORI (2012) Stakeholder Perceptions 2012, Prepared for the ICO. https://ico.org.uk/media/ about-the-ico/documents/1042371/stakeholder-perceptions-2012.pdf. Irish Independent Staff (2015) Data Office Still Underfunded despite €1m Boost in Budget. Independent.ie. http://www.independent.ie/business/technology/news/data-office-still-underfundeddespite-1m-boost-in-budget-34126722.html. Italian Chamber of Deputies (2012) Reasoned Opinion on Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Janssen, H.L. (2003) Constitutionele interpretatie, dissertatie UM, Den Haag: SDU 2003. Jigsaw Research (2008) Information Commissioner’s Office Stakeholder Perceptions Study. https://ico.org.uk/media/1042339/ico-stakeholder-perception-study-research-report.pdf. Jones, G and Cinelli, A (2017) Hacking attacks: a pre-election setback for Italy's 5-Star Movement. Reuters.com. https://www.reuters.com/article/us-italy-politics-5star/hacking-attacks-a-preelection-setback-for-italys-5-star-movement-idUSKBN1CA1TM. Kelleher, D. (2015) Privacy and Data Protection Law in Ireland, 2nd ed. Haywards Heath: Bloomsbury Professional. Kennedy, E. (2008) Victims of BoI Laptop Theft Treble to 31,500. Independent.ie. http://www. independent.ie/irish-news/victims-of-boi-laptop-theft-treble-to-31500-26442003.html.

246

Bibliography

Kerkmann, C. (2015) Transatlantische Daten-Blockade, Handelsblatt.com, http://www. handelsblatt.com/my/technik/it-internet/attacke-auf-google-und-co-transatlantische-datenblockade/12506476.html. Keulen, E. van (2016) Zorgen om privacy (infographic) 10 juni 2016. http://www.emerce.nl/ research/zorgen-om-privacy. Koch, J.M. (2016) Germany, in: Alan Charles Raul, The Privacy, Data Protection and Cybersecurity Law Review (3rd edn, 2016). Kommers, D.P. (2012) The Constitutional Jurisprudence of the Federal Republic of Germany. Durham NC, Duke University Press. Koning, B. de (2016) Welke partij heeft zijn beloftes over privacy het meest waargemaakt? De Correspondent, 6 februari 2016. Kool, L., Timmer, J., Royakkers, L. en Van Est, R. (2017) Opwaarderen; Borgen van publieke waarden in de digitale samenleving. Den Haag: Rathenau Instituut. Zie https://www.rathenau. nl/nl/file/2797/Opwaarderen_Rathenau_Instituut.pdf. Koops, B.J., Roosendaal, A., Kosta, E., Lieshout, M. van, en Oldhoff, E. (2016) Privacy Impact Assessment Wet op de inlichtingen- en veiligheidsdiensten 20XX, Delft: TNO. See https:// www.rijksoverheid.nl/documenten/rapporten/2016/02/12/privacy-impact-assessment-wet-opde-inlichtingen-en-veiligheidsdiensten-20xx. Kuner, C. (2012) The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law (6 February 2012) Bloomberg BNA Privacy and Security Law Report, 1–15. Labour (2016) Standing Up for Ireland’s Future: Labour Manifesto 2016. https://www.labour.ie/ download/pdf/labour_manifesto_2016.pdf. Lavery, P. (2018) Ireland issues Data Protection Bill to implement the GDPR. Privacy Laws & Business, Issue 151, February 2018. Lewis, P. (2011) You're being watched: there's one CCTV camera for every 32 people in UK. The Guardian. https://www.theguardian.com/uk/2011/mar/02/cctv-cameras-watching-surveillance. Lieshout, M. van, Kool, L., Bodea, G., Schlechter, J., & Schoonhoven, B. van (2012) Stimulerende en remmende factoren van Privacy by Design in Nederland, Delft: TNO. Lillington, K. (2015) Strong data protection laws better for EU than sniping. The Irish Times. https://www.irishtimes.com/business/technology/strong-data-protection-laws-better-for-euthan-sniping-1.2185370. Logue, F. (2016) Data protection chief must not distance herself from complainants. The Irish Times. http://www.irishtimes.com/business/technology/data-protection-chief-must-notdistance-herself-from-complainants-1.2750669. Long, W.R.M., Scali, G., and Blythe, F. (2017) United Kingdom, in: Alan Charles Raul, The Privacy, Data Protection and Cybersecurity Law Review (4th edn, 2017). Manolea, B. (2007) Institutional framework for personal data protection in Romania, p. 1. https:// www.apti.ro/DataProtection_ro.pdf. Martijn, M., en Tokmetzis, D. (2016) Je hebt wel iets te verbergen. Amsterdam: De Correspondent BV. McConnell, D. (2015) Labour brings two separate bills targeting online bullying. Independent.ie. http://www.independent.ie/irish-news/politics/labour-brings-two-separate-bills-targetingonline-bullying-31149776.html. McGeveran, W. (2016) Friending the Privacy Regulators. Arizona Law Review, 58, 959–1025. https://papers.ssrn.com/abstract=2820683. McIntyre, T.J. (2014) The State Must Be More Mindful of Your Private Data. Independent.ie. http://www.independent.ie/opinion/the-state-must-be-more-mindful-of-your-private-data30524449.html. McIntyre, T.J. (2014) Why Ireland Must Protect Privacy of Irish Emails and Internet Usage from Surveillance. The Irish Times. http://www.irishtimes.com/opinion/why-ireland-must-protectprivacy-of-irish-emails-and-internet-usage-from-surveillance-1.2044384.

Bibliography

247

McIntyre, T.J. (2015) Europe Has Failed in Duty to Protect Citizens over Web Privacy Threat. Independent.ie. http://www.independent.ie/opinion/comment/europe-has-failed-in-duty-to-protectcitizens-over-web-privacy-threat-31589481.html. MerrionStreet.ie (2015) Minister Murphy launches Government Data Forum. MerrionStreet.ie. http://merrionstreet.ie/en/News-Room/Releases/Minister_Murphy_launches_Government_Data_ Forum_.html. Ministerie van Economische Zaken (2016) Aanbieding rapport expertgroep big data en privacy, brief van de minister van economische zaken aan de Tweede Kamer, 4 oktober 2016. Ministerie van Onderwijs, Cultuur en Wetenschap (2016) Big data in onderwijs, cultuur en wetenschap, brief van de minister van onderwijs, cultuur en wetenschap aan de Tweede Kamer, 28 juni 2016. Ministerie van Veiligheid en Justitie (2016) Kabinetsstandpunt over het WRR-rapport Big Data in een vrije en veilige samenleving, brief van de minister van veiligheid en justitie aan de Tweede Kamer, 11 november 2016. Mirani, L. (2013) The reason American tech firms like Ireland isn’t just the low taxes. Quartz. https://qz.com/124133/the-reason-american-tech-firms-like-ireland-isnt-just-the-low-taxes/. Mulligan, J. (2014) Massive Data Breach at Paddy Power Bookmakers. Independent.ie. http://www. independent.ie/business/irish/massive-data-breach-at-paddy-power-bookmakers-30474614.html. Mulligan, D.K. and Bamberger, K.A. (2015) Privacy on the Ground in the United States and Europe, MIT Press. Neuerer, D. (2017) Bundesregierung zerstreitet sich über Datenschutz, Handelsblatt.com, http:// www.handelsblatt.com/politik/deutschland/merkel-gegen-datensparsamkeit-bundesregierungzerstreitet-sich-ueber-datenschutz/19237484.html. Norberg, P.A., Horne, D.R., and Horne, D.A. (2007) The Privacy Paradox: Personal Information Disclosure Intentions versus Behaviors, Journal of Consumer Affairs, Vol. 41, No. 1, pp. 100– 126. O’Brien, R., Holden, M. and Hosenball, M. (2013) British spy agency taps cables, shares with NSA: Guardian, Reuters, http://www.reuters.com/article/us-usa-security-britain-idUSBRE95 K0ZV20130621. Oerlemans, J.J., Custers, B.H.M., Pool, R.L.D., & Cornelisse, R. (2016) Cybercrime en witwassen; bitcoins, online dienstverleners en andere witwasmethoden bij banking malware en ransomware. Den Haag: Boom Juridische Uitgevers. O’Keeffe, C. (2016) New laws to combat online abuse such as cyberbullying and revenge porn. Irish Examiner. http://www.irishexaminer.com/ireland/new-laws-to-combat-online-abusesuch-as-cyberbullying-and-revenge-porn-422963.html. Olsthoorn, P. (2016) Big data voor fraudebestrijding, The Hague: WRR. Ottes, L. (2016) Big Data in de zorg, The Hague: WRR. Pateraki A. (2017) Germany Data Protection 2017 – Free Access, https://iclg.com/practice-areas/ data-protection/data-protection-2017/germany#chaptercontent1. Pintens, W. (1998) Inleiding tot de rechtsvergelijking, Leuven: Universitaire Pers Leuven. Politie (2016) Verbeterplan Wet politiegegevens en Informatiebeveiliging. Zie: https://www. rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2016/05/27/tk-bijlage-verbeterplanwet-politiegegevens-en-informatiebeveiligign/tk-bijlage-verbeterplan-wet-politiegegevensen-informatiebeveiligign.pdf. Ponemon Institute (2017) Cost of Data Breach Study – Global Overview, IBM Security. Privacy First (2015) Visie op privacy 2.0, visiedocument, Amsterdam: Privacy First. See: https:// www.privacyfirst.nl/index.php?option=com_k2&view=item&layout=item&id=117&Itemid=156. Privacy First (2016) Jaarverslag 2015, Amsterdam: Privacy First, juni 2016. Privacy International (2015) Audited Financial Statements and Trustees’ Report for the year ended 31 January 2015. https://privacyinternational.org/sites/default/files/Audited%20Financial% 20Statement%202014-2015.pdf. Privacy International (2015) The right to Privacy in Sweden, stakeholder report for the UNHRC Universal Periodic Report, 2nd cycle 2012–2016 (21st session, January 2015 for Sweden).

248

Bibliography

Privacy Italia (2017) In vigore la legge che impone la Data Retention a 6 anni. PrivacyItalia.eu. https://www.privacyitalia.eu/vigore-la-legge-impone-la-data-retention-6-anni/5463/. Regan, P. M. (2002) Privacy and commercial use of personal data: policy developments in the US, Rathenau Institute Privacy Conference, Amsterdam, Jan 2002. Regeerakkoord (2012) Bruggen slaan, regeerakkoord VVD-PvdA, 29 oktober 2012. Romano C. (2015) Cookie Law, una legge che non piace. Tra multe, petizioni e tanta confusion, http://it.ibtimes.com/cookie-law-una-legge-che-non-piace-tra-multe-petizioni-e-tanta-confusione1404832. Roosendaal, A., Ooms, M., Hoepman, J.H. (2015) Een raamwerk van indicatoren voor de bescherming van persoonsgegevens; Nederland ten opzichte van andere landen. Delft: TNO (WODC) 2015. Roosendaal, A., Nieuwenhuis, O., Ooms, M., Bouman-Eijs, A., en Huijboom, N. (2015) Privacybeleving op het internet in Nederland, Den Haag: TNO, p. 39. Sandee, R. (2014) Het zwarte gat van de internetconsultatie, SC Online, 28 oktober 2014. Zie: http://www.sconline.nl/achtergrond/het-zwarte-gat-van-de-internetconsultatie. Şandru, S. (2013) About data protection and data retention in Romania, Masaryk University Journal of Law and Technology. Vol. 7, No. 2, pp. 379–399. Schendel, S. van (2016) Het gebruik van Big Data door de mivd en aivd, The Hague: WRR. Schneier, B. (2009) State Data Breach Notification Laws: Have They Helped? Information Security, January 2009. Schröder, C. (2015) Die Unsichtbare, Zeit Online, http://www.zeit.de/2015/51/andrea-vosshoffdatenschutz-telekommunikation. Schulze Greiving, V., Kulve, H. te, Konrad, K., Kuhlman, S., Pinkse, P. (2016) Nanotechnologie in dienst van veiligheid en justitie, Twente: Universiteit Twente - Department of Science, Technology and Policy Studies (STePS). Siggins, L. (2016) Private investigator fined €7,500 over data protection breaches. The Irish Times. https://www.irishtimes.com/news/ireland/irish-news/private-investigator-fined-7-500-overdata-protection-breaches-1.2824210. Sloot, B. van der, Broeders, D., & Schrijvers, E. (2016) Exploring the Boundaries of Big Data, Amsterdam: Amsterdam University Press. Sloot, B. van der, Schendel, S. van (2016) International and comparative legal study on Big Data, The Hague: WRR. Taylor, C. (2016) Ireland seen as contender for data-driven investments. The Irish Times. https:// www.irishtimes.com/business/technology/ireland-seen-as-contender-for-data-driveninvestments-1.2870112. Teeffelen, K. van (2015) Organisaties zijn banger voor reputatieschade bij schending privacy, Trouw, 29 april 2015. Tolboom, M., & Mazor, L. (2006) Bekendheid en beleving informatieplicht onder burgers; kwantitatief onderzoek onder burgers, Amsterdam: TNS-NIPO Consult, p. 15. Törngren, D. (2010) Department of Constitutional Law, Ministry of Justice Sweden, Memorandum 23 april 2010, Questionnaire for Member States on the implementation of Directive 95/46/EC. Trilateral Research & Consulting (2013) Privacy impact assessment and risk management: Report for the Information Commissioner’s Office. https://ico.org.uk/media/1042196/trilateral-fullreport.pdf. Ursic H. & Custers B.H.M. (2016) Legal Barriers and Enablers to Big Data Reuse – A Critical Assessment of the Challenges for the EU Law, European Data Protection Law Review 2(2): 209–221. Van der Leest (2014) We zijn allemaal naakt, Joop, 3 september 2014. Zie http://www.joop.nl/ opinies/we-zijn-allemaal-naakt. Vecchi, D and Marchese, M (2016) Chapter 15 – Italy. The Privacy, Data Protection and Cybersecurity Law Review, Third Edition. Law Business Research.

Bibliography

249

Vedder, A.H., and Custers B.H.M. (2009) Whose responsibility is it anyway? Dealing with the consequences of new technologies. In: Sollie P., Duwell M. (red.) Evaluating new technologies: Methodological problems for the ethical assessment of technology developments. New York: Springer. 21–34. Veld, P., Meijer, A., Schurink, M (2017) De Digidelta: samen versnellen; evaluatie van de nationale commissaris digitale overheid. Den Haag: ABDTopconsult. Zie https://www. rijksoverheid.nl/documenten/rapporten/2017/04/18/rapport-evaluatie-nationaal-commissarisdigitale-overheid. Versmissen, J.A.G. Terstegge, J.H.J., Siemers, K.M., en Tran, T.H. (2016) Evaluatie Toetsmodel PIA Rijksdienst. Utrecht: Privacy Management Partners. Vodafone (2016) Big Data: A European Survey on the Opportunities and Risks of Data Analytics. http://www.vodafone-institut.de/bigdata/links/VodafoneInstitute-Survey-BigData-Highlightsen.pdf. Vries, J. de (2013) Blijf af van onze privacy, Trouw, 14 juni 2014, see: http://www.trouw.nl/tr/nl/ 4324/Nieuws/article/detail/3459001/2013/06/14/Blijf-af-van-onze-privacy.dhtml. Weckler, A. (2015) German Jeers at Irish Data Privacy May Help Us. Independent.ie. http://www. independent.ie/business/technology/news/german-jeers-at-irish-data-privacy-may-help-us31266778.html. Weckler, A. (2015) Tsunami of Data Breaches Strikes Irish Companies as Half Report Incidents. Independent.ie. http://www.independent.ie/business/technology/tsunami-of-data-breachesstrikes-irish-companies-as-half-report-incidents-34382305.html. Weckler, A. (2015) Safe Harbour Is Gone but Europe Is Still Afraid to Tackle the US on Privacy. Independent.ie. http://www.independent.ie/business/technology/safe-harbour-is-gone-buteurope-is-still-afraid-to-tackle-the-us-on-privacy-31591450.html. Werry, N., Kirschbaum, B., and Koch, J.M. (2017) Germany, in: Alan Charles Raul, The Privacy, Data Protection and Cybersecurity Law Review (4th edn, 2017). William Fry and Forbes (2016) Europe for Big Data. http://www.williamfry.com/docs/defaultsource/reports/william-fry-europe-for-big-data-report.pdf?sfvrsn=0. Winter, H.B., Jong, P.O. de, Sibma, A., Visser, F.W., Herweijer, M., Klingenberg A.M., en Prakken, H. (2009) Wat niet weet, wat niet deert, Een evaluatieonderzoek naar de werking van de Wet bescherming persoonsgegevens in de praktijk, Groningen. Woods, T. (2012) How the Catholic Church Built Western Civilization. Regnery Publishing, Inc., pp. 5, 141–142. Wright, D., en Hert, P. de (2012) Privacy Impact Assessment, Heidelberg: Springer. WRR (2016) Big data in een vrije en veilige samenleving, Amsterdam: Amsterdam University Press. Zeeuw, J. de (2009) De FG en de evaluatie van de WBP, Privacy & Informatie, afl. 2, april 2009, pp. 91–93. Zwenne, G.J., Duthler, A.W., Groothuis, M., Kielman, H., Koelewijn, W., en Mommers, L. (2007) Eerste fase evaluatie Wet bescherming persoonsgegevens, Den Haag: WODC.