1 data protection and privacy rights - outline of the e-learning course council of europe help in...
TRANSCRIPT
1
Data protection and privacy rights - outline of the e-learning course
Council of EuropeHelp in the 28
Dorota GłowackaHelsinki Foundation for Human Rights
University of Lodz
INTRODUCTION
3
Main challenges
Threats to data protection are linked to the development of new technologies which are always faster than legislation
Threats coming from both public authorities as well as private companies
Different sources of law, different legal regimes
Fundamental Right Agency (FRA) report: „Access to data protection remedies in EU Member States”
General conclusion: the effectiveness of data protection and redress mechanisms is considerably low.
Main barriers for effective redress mechanisms inter alia:
1) low awareness and lack of education on data protection issues among data subjects 2) limited access to effective legal aid (low awarness among legal professionals)
Need for training of legal professionals in the area of data protection and the right to privacy
2005 2006 2007 2008 2009 2010 2011 2012 2013 20140
500
1000
1500
2000
2500
3000
979712 796
986 1049 11141272
15931879
2472
A number of complaints lodged to the In-spector General for Personal Data Protection
in Poland
Source: Statistics and reports on the website of the Inspector General for Personal Data Protection, http://www.giodo.gov.pl/138/j/en/
Objectives of the course• Understanding the key principles of data protection and privacy rights
• Knowing different legal systems protecting the right to privacy and personal data
• Understanding the legal framework concerning data protection and privacy rights
• Understanding the case law of the ECtHR and the CJEU and its domestic implementation
• Understanding the role of international and national actors
• Understanding the interplay between law and technology
• Identifying the source of law which is applicable in a specific case
• Being able to apply the source of law
• Understanding the role of legal professionals in
protecting personal data in the daily work
STRUCTURE OF THE COURSE
Structure of the course
• 10 modules • 3 parts:
I. Introduction + basic knowledge
II. The most problematic areas
III. Enforcement
Module 1:
• Introduction
• Pratcical problems
Modules 2-3:
• Legal framework (CoE and EU law, hard law + soft law, role of European courts and their jurisprudence, main actors)
• Key concepts: data protection v. privacy
• Introduction to data protection law (material and territorial scope, terminology, key principles and rules)
I. Introduction + basic knowledge
European standards
EU system:
• Charter of Fundamental Rights• Data Protection Directive• CJEU jurisprudence• WP29 opinions• EDPS opinions
CoE system
• ECHR• Convention 108• ECtHR jurisprudence• Soft law by CoE
institutions
II. The most problematic areas
Module 4: Data protection/privacy rights and health
• Protection of medical data as sensitive data (regulatory framework, main principles, jurisprudence)• Challenges related to electronic medical records • Anonymisation and pseudonymisation in health, clinical trials • New technologies, wearables, internet of things in health sector Module 5: Data protection/privacy rights and media
• Balancing freedom of expression and the right to privacy• Special role of media, protection of journalistic sources of information• Challenges related to online media (managing online newspapers’ archives,
restrictions of access to media content via search engines, liability for the third- party content, journalistic use of unverified Internet sources)
• Personal data protection and media (journalistic exemption)
Module 6: Data protection/privacy rights - e-communications and marketing
• Confidentiality of on electronic communications • Privacy policies, cookies regime• Profiling, selling of data • Spam • Data retention • Cybersecurity
Module 7: Data protection/privacy rights and disruptive technology • Surveillance technology (CCTV, drones, GPS etc.) • Internet of things, cloud computing, big data Module 8: Data protection/privacy rights in the work place
• Notion of privacy in a professional field• Surveillance of communication in a workplace, processing employees’ data
(consent as a basis for processing?)• Protection of whistleblowers • Professional secrecy
III. Enforcement
Modules 9 – 10:
• Data subjects’ rights• Legal remedies available to victims of violations of the right to
privacy/data protection (civil, criminal and administrative law regimes) and sanctions for breaches
• Role of Data Protection Authorities • Transboarder data flows (principles of transferring data to
third countries, Safe Harbor and other grounds for transferring data)
GENERAL CONTENT RULES
Excerpts from the course
[work in progress]
Module Structure: OverviewI. Freedom of
expression (FoE) and media
Scope and limitations of FoE
FoE and a special role o media
Key ECtHR standards: Article 10 v. Article 8
II. Challenges related to online
media
Managing online newspapers’ archives
Restrictions of access to media content via
search engines
Liability for the third- party content
Journalistic use of unverified Internet
sources
III. Personal data processing and
media
Journalistic exemption
MODULE: PRIVACY, DATA PROTECTION AND MEDIA
Learning Objectives
Legal professional will be able to
• Describe the data protection and privacy issues related to the processing of data in the workplace
• Understand the relevant case law of the ECtHR and of the CJEU on the rights at issue
• Interpret and apply rules properly
Module:
Privacy in a workplace
I. FREEDOM OF EXPRESSION AND
MEDIA
Module:
Privacy, data protection and media
I. Freedom of expression (FoE) and media
Art. 10 ECHR
Art. 11 ChFR
One of the rights likely to come into conflict with the right to data protection is freedom of expression which is protected both by ECHR (Article 10) and the Charter of Fundamental Rights (Article 11). When such conflict occurs, courts need to strikes a right balance in order to establish the pre-eminence of one right over the other.
Module:
Privacy, data protection and media
I. Freedom of expression (FoE) and media
Art. 10 ECHR
Art. 11 ChFR
One of the rights likely to come into conflict with the right to data protection is freedom of expression which is protected both by ECHR (Article 10) and the Charter of Fundamental Rights (Article 11). When such conflict occurs, courts need to strikes a right balance in order to establish the pre-eminence of one right over the other.
1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This Article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.
2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary
Module:
Privacy, data protection and media
I. Freedom of expression (FoE) and media
Art. 10 ECHR
Art. 11 ChFR
One of the rights likely to come into conflict with the right to data protection is freedom of expression which is protected both by ECHR (Article 10) and the Charter of Fundamental Rights (Article 11). When such conflict occurs, courts need to strikes a right balance in order to establish the pre-eminence of one right over the other.
1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.
2. The freedom and pluralism of the media shall be respected.
Module:
Privacy, data protection and media
I. Freedom of expression (FoE) and media
o FoE includes the freedom to 1) hold opinions and to 2) receive and 3) impart information and ideas.
o As a matter of principle, the protection of FoE extends to all forms of expression (through written statements, paintings, films or photographs), disseminated by any individual, group or type of media.
Click on the buttons below to find out more about the scope of the FoE in the light of the ECtHR jurisprudence.
Scope of FoE Limitations of FoE
Political, comercial and
artistic expression
Extreme expression
Freedom of information
Module:
Privacy, data protection and media
Political, comercial and artistic expression
Article 10 protects to the grate extent political expression and expression in matter of legitimate public interest (Lingens v. Austria).
The artistic expression (Müller and Others v. Switzerland) and commercial speech (Markt Intern Verlag GmbH v. Germany) are also guaranteed under Article 10. However, according to the ECtHR, with regard to these matters domestic authorities enjoy a broader margin of appreciation. The ECtHR’s scrutiny is therefore less strict than with regard to the political speech.
Module:
Privacy, data protection and media
II. Challenges related to online media
1.Managing online newspapers’ archives
In this part you will find the key human rights standards in the area of online media developed in the ECtHR and CJEU jurisprudences.
Go through all the sections by clicking „Next” or review a specific problem by clicking on one of the buttons below.
4. Journalistic use of unverified Internet sources
3. Liability for the third-party content
2.Restrictions of access to media content via search engines
Module:
Privacy, data protection and media
2. Restrictions of access to media content via search engines
In the case Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González CJEU found that the accessibility of irrelevant or outdated information concerning an individual on the internet may be – under certain conditions – restricted by delisting it from the search results.
Facts ECtHR’s judgment
The case concerned removal from the Google’s search results references to information available in the internet archives of one of the Spanish newspapers. The information regarded outdated financial liabilities of Mr. Gonzales and was published at the request of Spanish authorities in 1998. The newspaper refused to remove the information from its website even though Mr. Gonzales claimed the debt was not valid anymore and the information was no longer relevant. The individual then redirected his request for erasure to Google asking it not to show links to the newspaper in its search results when his name was entered as a search term in the search engine. Google refused. Eventually the case went to the Spanish court which asked the CJEU for a preliminary ruling on the matter.
Main concepts Implications
Module:
Privacy, data protection and media
Key ECtHR standards: Article 10 v. Article 8
The most common instances of interference with the right to private life by media are publications which target one’s reputation (such as libel, defamation, insult), disclosing facts from private life or person’s image. Below you will find the key standards developed by the ECtHR which may help with finding the right balance between FoE and right to privacy in such cases.
Practical tip
In FoE cases the ECtHR examines the type of expression (political, commercial, artistic, etc.), the means by which the expression is disseminated (personal, written media, television, etc.), and its audience (adults, children, the entire public, a particular group). All these factors have implications for the final assessment of the case.
Protection of unpopular or offensive ideas Facts v. value judgments
Privacy and public figuresProportionality of
sanctions
Module:
Privacy, data protection and media
Proportionality of sanctions
The imposition of disproportional sanctions for the exercise of the FoE may lead to a so called “chilling effect”. The chilling effect may likely discourage the author from making criticism of that kind again in future and deter them from contributing to a public debate (Lingens v. Austria). The character of sanctions is therefore an important factor in deciding whether the interference with the Article 10 was “necessary in a democratic society”.
Example
According to the ECtHR especially the criminal penalties should be subject to a strict scrutiny. The imposition of criminal sanctions for defamation, even if they are relatively light, may still cause a chilling effect (Długołęcki v. Poland). However this may also apply to disproportionately large damages awarded in the course of civil proceedings (in Tolstoy Miloslavsky v United Kingdom the applicant was ordered to pay £1,500,000 in damages for defamation - the sum awarded was three times the size of the highest libel award ever imposed in the country before).
Too severe sanctions
Chilling effect
Module:
Privacy, data protection and media
Key takeaways +
Additional readings
Question 1
Right to privacy is protected both under the CoE’s European Convention of Human Rights and by the EU’s Charter for Fundamental Rights whereas personal data is protected only under the Charter.
TRUE
FALSE
Module:
Legal framework
Question 1
Right to privacy is protected both under the CoE’s European Convention of Human Rights and by the EU’s Charter for Fundamental Rights whereas personal data is protected only under the Charter.
TRUE
FALSE
CORRECT FEEDBACK
Even though personal data protection is not explictly mentioned in the ECHR (as it is in the Charter of Fundamental Rights) it is accepted due to the ECtHR’s jurisprudence that it is covered by the Article 8 of the Convention protectiing private and familiy life, home and correspondence.
Module:
Legal framework
