Secretary General of the Italian Data Protection Authority
Member, European Data Protection Supervisors’ Group
Please allow me without much ado to thank EPIC for having invited me to contribute to this stimulating event, which invitation I accepted with real pleasure. Indeed, today’s sessions are providing ample proof of what I am saying.
Considering the title of my presentation, I must tell you that I would not be so sure that there already exists a well-defined “European perspective”.
In our continent, we do share a European cultural identity, a common perspective on our countries’ future, a single entity that is bound shortly to be provided with its own Constitutional Charter. However, the challenges raised by freedom rights and electronic democracy are confronting us day by day with the need for new choices, and the individual European countries sometimes address this need at different speeds.
Politically speaking, Europe expanded but twenty days ago by 10 additional countries, and our progress as a 25-strong team –including members that either joined the Union for the first time or re-joined it after some time– will be even more stimulating. Sure, it will be fraught with plenty of pitfalls and difficulties; nevertheless it will still deserve to be pursued with passion and strong-mindedness.
I have been working in the data protection sector for many years, and I am going to speak from this viewpoint which is, however, not that narrow –indeed, it is fascinating because it has long had to do not only with the private sphere of individuals, but with many fundamental rights and freedoms including personal dignity and identity, people’s legitimate claim to transparency of administrative activities, freedom and secrecy of voting, freedom of movement, and the right to health.
I am sure you are already familiar with many of the things we are doing in Europe, however it might be useful to outline, with your help, the overall framework in order to better understand our as well as your perspective.
In Europe, transposition of the two privacy directives can be said to have been basically completed.
In 2003, the first Report by the European Commission on implementation of the “main” directive (95/46/EC) was also released.
This Report highlighted some differences in the transposition effected by the individual Member States, however it stated that these divergences did not impact negatively on the internal market and that there was not, as yet, the need for amending the text of the Directive itself.
Application of this directive was also the subject of the first two decisions by the European Court of Justice. One dealt more specifically with an Austrian case; the Court ruled that data protection provisions were compatible with those on openness of administrative activities –the case at stake concerned disclosure of payroll information in respect of some civil servants. The other one, published in November 2003, was related to a criminal trial held in Sweden; in addition to making some considerations –to be evaluated more in depth– on the relationship between dissemination of personal data on the Internet and transborder data flow regulations, it contains an important statement to the effect that safeguards for personal rights and interests are to be afforded throughout Europe in accordance with high standards. These safeguards should be reconciled with the free movement principle; however, this reconciliation should not result in diminishing any safeguards that were already in place prior to adoption of the 95/46 directive.
The third –or fourth– generation laws that are being finalised in these months have simplified procedures and mechanisms based on the experience gathered; they are focused more specifically on balancing rights and public interests as regards electronic cards, secure identification of citizens accessing public services –therefore, we have to deal with the issue of proportionality in using biometric data and the various authentication or verification methods–, and the management of genetic information in tests, population screenings and research.
Moreover, an important contribution has been given throughout these years by several decisions issued by national DPAs, whilst the case law of national judicial authorities on this topic is less rich so far.
Perhaps I am giving you the impression that our approach is merely a regulatory one, and that our laws are trying –and failing– to keep pace with technology. This is not so.
True, in some countries such as Italy there is no longer only a Data Protection Act, but actually a Code containing all the specific and/or general provisions applying to the different sectors. However, we learned how to reconcile our legal tradition with the flexibility that is mandated by these matters. We avail ourselves less of authorisations and more of co-operative prior checking with data controllers; we make increased use of technologically neutral codes of conduct, which we provide with the legal force required for them to be respected, to give rise to rights and to entitle individuals to damages.
OK –you might say– this is obvious, it is merely the product of the times we are living in; it is in no way extraordinary and, perhaps, it is not a feature only applying to Europe.
Still, there is amazing news coming from our continent –that is, the right to personal data protection is becoming a statutory requirement.
Several laws in European countries as well as the European Charter of fundamental rights set out that this is an autonomous right as compared with the right to privacy, and they committed its safeguard to autonomous, independent authorities.
In Spain, three decisions issued in 2000 by the Tribunal Constitucional ruled that the right to data protection was a fundamental, autonomous right. These decisions add to those issued by the Courts of Cassation –i.e. the last-instance courts– in Belgium and Italy, which upheld the direct enforceability of Article 8 of the European Human Rights Convention, that is to say the obligation for States not to interfere with citizens’ private sphere to a disproportionate extent (just think of data retention, for instance) and actually to prevent other public or private entities from doing so.
The Constitutional Charters of some countries such as Greece and Portugal have also addressed the right to data protection by solemnly re-affirming it. But there is a far more important development in store.
I am referring to the forthcoming European Constitutional Charter, which we hope will be issued within this year and will expressly protect the right to personal data protection; indeed, two articles in the Charter deal with this right.
What does all this mean? Why is it so important to us, and why will the Constitutional Charter of Europe attach specific importance only to this personal right, compared with the other rights?
Perhaps this question can be answered by considering the cross-sectoral nature of data protection. There is practically no area in the public or private domain where it is not necessary to determine how and to what extent data concerning citizens may be collected and managed.
We have realized that it is no longer possible to deal with this issue by simply checking whether a certain type of conduct is in breach of privacy or not.
In the past, it was often remarked that personal data were goods, indeed valuable goods. This holds true nowadays as well. But, at least in Europe, we have started regarding them more as a direct projection of the individual self, as a part of our own physicality, than as an external chattel.
This is ultimately in line with the growing importance attached to processing operations involving our bodies –and I am thinking of location via mobile phones and satellites, the use of biometric data, or the testing in progress on underskin chips.
If the habeas data principle is recognised on the juridical level and given top priority among the values enshrined in constitutional charters, this is bound to produce effects whenever a balance is to be struck between this right and other rights and public interests.
It is no dictatorship of data protection that we have in mind; still, something has got to change.
Whoever is in charge of law enforcement has to pay greater attention than in the past to the necessity and proportionality of the huge databases he creates or matches, to the purposes he is seeking to achieve, the data he needs to collect, the retention period, and the entities accessing these data.
These issues must be addressed even where the processing does not cause any concrete breach of privacy, concerns data kept securely, or does not envisage any kind of disclosure.
The right to data protection makes citizens masters of the information concerning them more than was the case in the past, and empowers them to better challenge the mechanisms implemented in using this information.
In other words, there is a fundamental right to having the rules complied with even if there is no perceptible breach of one’s private sphere. This, in turn, affects the claims for non-pecuniary damage that users and consumers may lodge simply by establishing the breach. Courts will be able to award damages without necessarily considering how seriously privacy was violated, as it will be enough to assess the gap between the conduct at stake and the relevant rules.
There will be effects also on the global communication networks, opening-up of markets and our relationships with third countries –therefore with the US as well. Indeed, in evaluating whether and how the data may be exported to countries affording adequate protection, it will be necessary to take account to a greater extent not only of privacy features, but of the way in which an individual is protected as a whole –that is to say, by having regard to all his or her rights and freedoms.
Perhaps, if the European Constitution had already been in force, the negotiations and dialogue that led ultimately to the Safe Harbor agreement, and those concerning the much questioned agreement on the transmission of passenger data by airline companies, would have come to partly different conclusions.
Please bear with me if I am speaking so long on the right to data protection. I feel I have to apologise not only because I devoted several minutes to this topic, but because one might draw the conclusion that everything is fine in Europe and we are in a very festive mood.
In fact, there are contradictory features, ups and downs also in our approach. Perhaps this is less so in the private sector, where on the whole positive results could be achieved. If you download the list of the documents adopted in Brussels by the Data Protection Commissioners’ Working Party, you will immediately realise the wide range of issues we have addressed.
Let me quote, for instance, those concerning data protection in the employment sector, unsolicited electronic communications, genetic data, black lists, mechanisms for the lawful cross-border transfer of personal data (contractual clauses, adequacy decisions, corporate rules), invisible processing operations on the Internet, biometrics, direct marketing, and e-government. Some of these instruments have been adopted with the collaboration of experts, field operators, or the public at large.
We are proud and happy that this work could be done by our network, or club, if you like, during several meetings at different levels and in various fora.
After the four hard-working years in which the Working Party was chaired by Italy, we are also going to develop new strategies and the guidelines we will be following in the near future, our priorities, and our expectations as regards both the enhanced co-operation between the Working Party and the European Parliament and the need for the Working Party to be granted increased autonomy and visibility within the framework of Community institutions.
There are plenty of issues in which we are trying to come to suitable solutions in cooperation with the parties concerned. Let me quote the WHOIS-ICANN case, i.e. the attempt we are making –as I explained during the ICANN Rome Conference of March – to implement, at national level, the safeguards referred to in the Working Party’s opinion on WHOIS directories (no. 2/2003). On the other hand, the issues raised, for instance, by application of the Sarbanes-Oxley Act in some European countries are being evaluated to assess compatibility of the registration obligation with some national DP laws.
We are trying to make it simpler, day by day, to work on a subject-matter that is difficult not so much because the rules are too strict or the approach followed relies too heavily on regulation, but because of the complexity of the multifarious situations it is related to.
Things get more mixed up if we consider the public sector, or rather, part of the public sector –namely, law enforcement activities. We have gone through different phases in this area, and the current phase is anything but the most felicitous one.
As you all know, Europe was united initially on the level of commercial exchanges and internal market. We are creating a common space of freedom, security and justice – but we are going by degrees. Citizens’ rights were taken into due consideration in the starting phase, when measures were introduced to compensate for the elimination of several internal borders and facilitate judicial and police co-operation.
The Schengen Information System, Europol databases, Eurojust, Eurodac, the Dublin Convention on Asylum Requests were so many good examples of agreements, in which the presence of many data protection provisions was reconciled successfully with effective security and suppression of criminal offences. The fact that the relevant Conventions provided for the existence of and supervision by joint independent bodies in charge of data protection has ensured that the interests and rights at stake could be balanced from the start.
We are now on the eve of the establishment of SIS II, which will represent the biggest database for police and judicial purposes in Europe –and perhaps worldwide. The Schengen Joint Supervisory Authority, which I had the privilege of chairing during the past two years, issued this very week an important opinion, which is expected to be discussed already next week by other Schengen-related bodies. In this opinion, we spelled out the rules to prevent duplication of data contained in other databases, disproportionate use of biometric data, unregulated access to the data for various purposes, and the arising of conflicts with the future Visa Information System.
I feel confident that many of these recommendations – which the European Parliament already took into account in the past few months – will be duly considered.
We also discussed in the Art. 29 WG a draft Regulation (of 18th February 2004) providing for the mandatory inclusion in passports of the digitalised image of the holder’s face and, possibly, of his/her fingerprints in an interoperable format. We provided specific guidance on the purposes of such processing, the authentication and/or verification mechanisms, the proportionality issues and the risks related, inter alia, to identity theft.
In my view, all this shows that it is possible to develop acceptable solutions based on carefully thought-out initiatives, which benefit from the real co-operation of several institutions.
The same applies, all things considered, to a recent decision by the Council of the European Union, the so-called Spanish proposal, which envisages establishment of a system that is similar to the one in the APIS/PNR case. Unlike the US-EU agreement on PNR data, on which I am going to say some very nasty things quite shortly, this agreement provides that European countries will oblige air carriers to transfer very few data on incoming passengers to our customs authorities for limited-scope purposes related to border controls; these data will have to be deleted within 24 hours of passenger arrival.
Our world is going through a veritable ordeal for the sake of security. These are difficult times, and striking a balance between security and rights has become more demanding.
Still, I do not believe that some of the challenges arising in connection with law enforcement are related exclusively to the aftermath of 9/11.
Perhaps one might argue that the difficult international situation makes it easier to choose hasty solutions that are unsuitable because they actually entrust technology and databases with the task of devising solutions for problems requiring wholly different, broad-minded approaches.
In particular, we have still two games to play:
a) On the 1st July of this year, the Council of Europe’s Convention on Cybercrime will enter into force. This Convention was signed three years ago by 38 countries, including the United States, Canada and Japan, and has been ratified so far by only 6 countries –all of them from Eastern Europe (Albania, Croatia, Estonia, Hungary, Lithuania and Romania). Considerable attention should be paid by NGOs to ratification of this Convention, which undoubtedly contains sensible measures to co-ordinate international repression of criminal offences committed via either the Internet or other electronic networks; however, there is also the risk that the tools it envisages to fight cybercrime –ranging from data retention to interception techniques– will be shaped in a way that is not acceptable to a democratic society.
The EU data protection commissioners explained their views in a very detailed opinion (no. 4 of 2001), which was not fully taken into account in drafting the final text of the Convention.
It is highly likely that the flaws and benefits of this Convention will be enhanced, as the case may be, depending on the way it is transposed in each country. I’m not going to comment on our opinion in detail; however, I must dwell a bit longer on the risks resulting from the vagueness of some concepts, the discrepancies existing in the different legal systems as regards the definitions of “ordre public”, and the circumstance that the contracting Parties may make very different choices at national level and nevertheless be bound by the Convention to provide mutual assistance. Other dangers for electronic citizenship rights are related to the fact that, theoretically speaking, non-Member countries are not obliged to comply with stringent obligations such as those resulting from Strasbourg Convention no. 108, the Recommendations issued by the Council of Europe, the Charter of Nice and, more recently, the European Constitutional Charter. Furthermore, it should perhaps be clarified why major countries such as the US have not yet ratified this Convention –are they unwilling to be bound by the guarantees laid down in the Convention, or is it because ratification entails making several highly complex decisions?
Thus, a public debate is necessary on the uniform democratic features that should be retained during the transposition process.
I said that we are facing two challenges. The second one has to do with data retention.
b) Proposals to introduce uniform, mandatory data retention are regularly tabled in Europe, however following an initial discussion they are never put into practice. After 9/11, some European countries such as France, Spain and Belgium introduced laws allowing, via different mechanisms, retention of Internet-related data for a maximum period of 1 year. However, the 2002 directive on privacy in electronic communications re-affirmed the principles upheld by the case law of the European Court of Human Rights concerning proportionality and necessity.
In February of this year, the Italian Parliament unanimously rejected a decree introduced by Government to require as much as 5-year retention of Internet data; furthermore, Parliament passed a different instrument to enhance the safeguards applying to the retention of telephone traffic data for the prevention of criminal offences.
But, as soon as a crisis situation re-surfaces at international level, new initiatives are undertaken such as that of some States that proposed the adoption of a framework decision to oblige the 25 EU Member States to retain, for at least 12 months and without specifying the upper limit, a wide gamut of data including traffic, location, and subscriber data. The purposes of such retention would not be limited to the fight against terrorism and relate vaguely to “prevention and suppression of offences”.
Finally, a negative outcome may feature in the ultimate developments of a story that is embittering us not so much on account of the decisions taken, but because of the precedent it will set.
I am referring to the US-EU agreement on the transfer of data concerning passengers flying to or from the United States, which was adopted in Brussels on 17th May despite the firm contrary stance taken by the European Parliament and the request for clear-cut guarantees made by the European data protection authorities. I am sure that many of you know that in December, the Belgian Commission pour la protection de la vie privée had found that United Airlines, Continental Airlines and Delta Airlines had violated some principles of the Belgian data protection law.
On 21st April last, the European Parliament had rejected, once again, the draft US-EU agreement and requested the Court of Justice to issue a preliminary ruling on its legal basis as well as on compliance with Article 8 of the European Human Rights Convention.
Three opinions had been rendered by the European data protection authorities between October 2002 and January of this year, in which several criticisms were made. The European Commission did not work along the line of true institutional co-operation with the European Parliament, and imposed its own time schedule.
Now, the European Internal Market Commissioner, Mr. Bolkenstein, is telling the press that the Commission has obtained several guarantees and that no negotiated solution is ever perfect. The fact is that no veritable negotiation has ever been carried out. For the sake of the States’ superior interest, the attempt to devise balanced solutions meeting the demand for adequate safeguards coming from several entities was relinquished.
Indeed, the agreement recognises, on the one hand, the importance of respecting fundamental rights and freedoms, whilst on the other hand it does not afford concrete safeguards for these rights. Equally effective results in terms of security could have been achieved without also violating Member States’ competences as provided for in Article 7. This was a sad chapter in the history of data protection.
Perhaps this agreement will become effective; however, the last word has not yet been spoken. Whenever an agreement as important as this one is imposed from above and is not felt to be a shared achievement, it is like a stillborn child for some institutions and citizens. The same applies to the Safe Harbor Agreement, whose enforcement rate is, in my view, as good as non-existent compared with the frequency with which standard contractual clauses are used.
Fortunately, this story is counterbalanced by others, which are equally complex although a bit more encouraging –such as the one concerning Directive 2004/48 on intellectual property, which was published on 30th April last. Indeed, some improvements were made over the initial drafts especially thanks to the European Parliament.
For instance, if I interpreted the text correctly, Section 512(h) of the Digital Millennium Copyright Act provides that a “subpoena order to a service provider” may be granted “for identification of an alleged infringer” following a request lodged with the court’s clerk, i.e. without assessing its proportionality.
Conversely, Article 8 of the Directive now provides that the competent court may order that information be disclosed on the alleged infringer of copyright exclusively on the basis of a justified, proportionate request as well as within the framework of a proceeding already in place in connection with such alleged infringement.
As already pointed out by some associations, it will be in any case necessary to keep an eye at national level on the transposition of this Directive on account of the need to impose proportionate punishments as well as because of the rather vague and broad concept of “intellectual property” used in the Directive –which entails the possibility of punishing not so serious cases of infringement.
And now, I find I have to conclude my presentation by referring to the role played by NGOs and our future perspective.
We need to establish stronger ties and improve the exchange of information with you, to enhance your involvement in decision-making, to get continuously spurred by you so that DPAs can always play their role of watchdogs effectively as well as in full independence. And mind you, the public is aware that independence is a fundamental prerequisite for our authorities –a complaint was recently lodged with the European Commission by a citizen claiming that some DP authorities would not be really independent in their evaluations.
I am aware that there has been some scepticism as to the real impact of decisions such as the Belgian one, or of other recent initiatives such as the Dutch one of March 2004, where nevertheless it could be ascertained that some data concerning Dutch passengers on Northwest Airlines flights had been supplied to NASA for the scientific purpose of developing a method for identifying potential terrorists.
Let us start from cases such as this one to make things even better. In this attempt, we are supported by the findings of a survey carried out by the European Commission in the last few months and published on the Eurobarometer’s website; this survey took the pulse of European citizens and found that over 60% of them were still concerned or very concerned about their privacy, whilst 90% considered it necessary that a law should regulate this matter.
You should require DPAs to be supplied with adequate powers and resources and improve their dialogue with citizens. You should require DPAs to play their role, which is to establish whether a given activity is proportionate or not. Conversely, it is up to politics to assume the responsibility of providing different guidelines in order to perform the balancing of interests.
Above all, let us try and understand what steps can be taken to strengthen common principles at intercontinental level. The Charter of Venice, which was adopted in 2000 during the 22nd International Conference on privacy, suggested an approach to achieve globally binding guidelines. Let us start from here. After four years, there are many more global networks and reasons to do so.
Thank you for your attention.