20110110 Aktion Freiheit statt Angst: suggestions for data protection

10.01.2011 Aktion Freiheit statt Angst: suggestions for data protection

Statement on the general concept of the European Union towards Data Protection

As part of the discussion process for the amendment to the Directive on Data Protection in Europe, Aktion Freiheit statt Angst e.V. (action alliance Freedom not Fear) has submitted a proposal on some issues.

The complete documents in .pdf format

Zu diesem Artikel in deutsch

Short version

In the following we want to draw your attention to some points in your concept. To our mind these points need to be carefully considered and treated with special attention.

Importance of the EU Directive on Data Protection

The EU directive on data protection has already played an important role in the creation of a common minimum European standard of data protection. This will be true for the future. But just as now there will be states in Europe which see from their national characteristics the need for advanced data protection standards. For further time the directive should allow this, and should in no way define an upper limit for data protection in Europe. Inspired by local needs, only then new ideas can be tested and flow into a further European regulation.

The “right to be forgotten” on the Internet

Strengthening the interests and rights of consumers, we support all measures that create and promote the "right to be forgotten" on the internet.

This includes:

No transfer or sale of the customer’s data
Deletion of data after the termination of a business relationship
Automatic deletion of personal traffic data (IP addresses, cookies, ...) as soon as it is no longer needed for technical purposes
No linking of data from different business relationships (see notes on strict earmarking)
Investigation of new technological possibilities for "temporary data" (automatic deletion after a specified TTL, access to data only throughout time codes.

No silent consent to data storage

Unfortunately in the draft submitted by the Commission the Opt-Out process is being propagated. Thus a person is usually not asked in advance whether his data should be stored or not. If the customer does not want the data to be stored he or she must be active on his or her own.

At this point change is absolutely necessary. Only an Opt-In process can ensure that personal data is stored only with the actual/real agreement of both parties concerned.

In this context we would like to emphasize that special attention needs to be paid to the voluntary nature of an agreement for the storage of a customer’s data. As stated in the concept (p. 9), we see major differences in the regulations of the European states and we think that they have to be unified in the direction of a "guarantee for the need of the customer’s agreement without any forced compliances and with a complete knowledge of the facts". In any case this rule has to provide sanctions for violations against it.

On the other hand, an obligation with respect to inform the customer about the stored data and the purposes the data will be used, should be enforced from the data base owners. Of course the information about the customer’s data needs to be for free and easily understood.

Strict earmarking

The processing of personal data always requires a well-defined purpose. This purpose has to be set before the first recording of the data is done and has to be announced to the persons concerned. Only under these circumstances the person can agree "in knowledge of the facts" (see above). Furthermore the stored data has to be reprocessed for this (!) agreed purpose only. Most important is that it should not be allowed to combine the data with data collected from other purposes.

Data Mining

Due to our position to strict earmarking, we also think that the use of personal data in data mining processes must be prohibited. As the German “Datenschutzbeauftragten von Bund und Ländern” (privacy officers of the Federation and German federal countries) have already stated in March 2000,2) personal data should never be linked with other databases or other data than the one that was agreed on by the customer when the data was stored. In a resolution at that time they underlined the following: "According to the fundamental rights of earmarking, personal data can only be processed within the limits of the purposes authorized by law or mutual agreement. The storage of personal data in a general-purpose data warehouse detaches it from its original purpose and means a storage on hoard without earmarking".

This especially affects the customer’s data within the private sector. However this also counts for the data processed by governmental agencies. On this principle an agreement across Europe has to be reached and this solution should be established within the European data protection law.

No differential treatment of police data (europol, eurojust)

In Chapter 2.3 you have correctly pointed out that the data protection regulations of the various European States according to the police and judicial cooperation vary widely. In addition, the existing European regulations have so far failed to achieve an improvement of data protection in this area. With the introduction of the Lisbon Treaty there now is a possibility to enforce a common solution.

Therefore the following tasks are urgent:

The contents of the Framework Decision 2008/977/JHA 3) have to be valid to the data processing within the individual countries, too and not only for the data exchange.
The agreed content has to be developed beyond the existing minimum standards. Especially, within the work of the police and judicial authorities the principles of strict earmarking have to be applied (see above).
There must be a strict separation between the data of certain groups (offenders, suspects, witnesses, victims). It has to be guaranteed that their data is only used for well defined purposes.
Also for the retention of police data time limits for the period of storage should be established.
It should be understood that the compliance of the EU privacy policy within the security sector has to be controlled by the EU data protection officer and/or by the different privacy officers of the European countries.

In addition, under a European directive on freedom of information it has to be guaranteed that citizens can also get information about the actions of police and security agencies. Narrow-minded exceptions, as occurred in the German Freedom of Information Act must not be repeated at European level.

With the introduction of the Lisbon Treaty common European regulations within the security sector are now possible. Therefore we would call to adapt the "sector-specific EU regulations on police and judicial cooperation regarding criminal matters" not(!) "on long term" but as quickly as possible to the new European data protection regulations (p.17).

Further Remarks

In the following we want to confirm some of your claims/findings from our point of view and hope that they will be found in the new privacy law regulations as well.

- Cloud Computing

We also see a risk in Cloud Computing. The user does not have an overview of who comes into possession of his data, what happens to them and in which countries they might be transferred. It should be controlled whether the work of European providers of such services accompanies with the European Data Protection Directive and especially which data will be processed outside Europe.

On the other hand, the dangers of cloud computing should be pointed out to the consumers as well. In this context we welcome the intention of the "co-financing of educational activities about data protection by the EU budget" (p. 9). In many of our practical workshops on data security and privacy on the PC and on the Internet we noticed a widespread lack of technical background knowledge within the population. Thus there is a non-observance of mostly simple ways for more privacy (deleting cookies, installing virus protection and firewalls,...).

- Notes on privacy violation

It is necessary to require that any private company and any public body shall be obliged to inform the owner of data if they notice a violation of personal data.

- IP addresses are identifiable personal data

Of course, IP addresses are personal data because together with the provider’s database one can trace down the IP address to a direct person at any time.

- Genetic data are sensitive data

We also believe that genetic data are sensitive data and thus should be carefully treated and especially protected.

- Independence of the Data Protection Officer

Of course, a data protection officer must act independently. For privacy officers in companies and governmental agencies it must be ensured that they can work independently and without the influence of their employers.

For data protection officers working for companies as well as for public agencies it must be guaranteed that they have the means to fulfil necessary inspections to a level he or she considers as necessary.

Links

1 Aktion Freiheit statt Angst e.V.; https://www.aktion-freiheitstattangst.org/de/articles/aktivitaeten.htm
2 Resolution of the 59. Conference of Data Protection Supervisor Bund/Länder ,March 14./15. 2000; http://www.datenschutz-mv.de/dschutz/beschlue/ent59.html
3 Framework Decision 2008/977/JI of the Council, Nov. 27. 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (ABl. L 350 of Dec 30. 2008, p. 60)