PDA

View Full Version : EU data monitors outline Facebook ground rules

real6
25-06-2009, 05:29 PM
http://euobserver.com/9/28370

EUOBSERVER / BRUSSELS - Some users of social networking sites such as Facebook, Myspace and Bebo and not just the sites themselves are responsible for ensuring they adhere to European privacy laws, EU data protection enforcers have warned.

All users should also be aware that they should only upload photographs to a social networking site with the consent of people in the image - a requirement that until now almost nobody has adhered to.

Social networking site users need to pay attention to data privacy laws too, not just the owners of the sites (Photo: printing.com)

* Print
* Comment article

Europe's "Article 29 Working Party," a committee of data protection regulators from across the bloc that advises the European Commission on the subject, issued on Wednesday (22 June) its opinion on how European data privacy laws affect the rapidly growing world of social networking.

Much of the recommendations will not surprise observers of the phenomenon.

The regulators' guidelines recommend that sites make full privacy settings the norm, with users having to choose to opt out of them should they so, rather than having to opt in to tighter privacy controls.

As soon as users begin to upload data on themselves or others, they should be warned of the privacy risk and users should also be made clearly aware of what bits of their personal data is being made available to others.

Since the advent of such sites, newspapers have regularly reported on users who through have lost their jobs or otherwise been socially compromised when pictures or other information about them has found its way to employers, parents or partners.

The data regulators also warn that all inactive accounts must be deleted, along with their accompanying data. Family members of people who have died often report difficulties in having their loved ones' profiles taken down.

The working party also recommended that the service providers maintain an easily accessible complaints procedure for dealing with data worries on their home page.

Data on sensitive topics, such as race, religion, political belief or sexual orientation should not be processed or passed on to advertisers, the regulators suggested, and individuals should be allowed to adopt a pseudonym should they so wish.

Additionally, particular care should be taken by service providers with regard to the processing of the personal data of minors.

But it is the definition of a "data controller" that may represent the biggest problem.

The service providers - defined not just as data processors, but data controllers - themselves must take great care in adhering to privacy laws, but there is an exception to this in the case of personal or "household" users.

However, according to the opinion, when users begin to broadcast information very widely or gather data in a similar fashion, via such sites - such as when using Facebook for promoting a product or putting together a church group or organising political campaign, often to people well beyond a circle of direct contacts - then they too in effect become data controllers.

This may have considerable implications for users who organise concerts, human rights letter-writing campaigns or try to sell their homemade jam via the new online technology.

All users, not just those defined as data controllers, should only upload photographs of others once they have their approval.

"The opinion recommends that users should only upload pictures or information about other individuals with the individual's consent," the document reads.

This too could present a problem for most everyday users, who regularly upload pictures of their friends.

Most sites allow people if they have been "tagged" in an uploaded photograph - wherein a name is attached to a face, such as "This is me with Jenny at the 1997 church disco"- to "untag" themselves.

But for EU data protection monitors, this may not be enough.
real6
25-06-2009, 05:34 PM
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf

THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE
PROCESSING OF PERSONAL DATA
set up by Directive 95/46/EC of the European Parliament and of the Council of 24
October 19951,
having regard to Articles 29 and 30 paragraphs 1 (a) and 3 of that Directive, and Article
15 paragraph 3 of Directive 2002/58/EC of the European Parliament and of the Council
of 12 July 2002
having regard to Article 255 of the EC Treaty and to Regulation (EC) no 1049/2001 of
the European Parliament and of the Council of 30 May 2001 regarding public access to
European Parliament, Council and Commission documents
having regard to its Rules of Procedure
HAS ADOPTED THE PRESENT OPINION:
1 Official Journal No. L 281 of 23.11.1995, p. 31, available at:
http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm
-3-
I. INTRODUCTION...................................... .................................................. ............3
II. GENERAL CONSIDERATIONS AND POLICY ISSUES..................................4
III. ANALYSIS OF THE DEFINITION OF “PERSONAL DATA”
ACCORDING TO THE DATA PROTECTION DIRECTIVE...........................6
1. FIRST ELEMENT: “ANY INFORMATION....................................... .....................6
2. SECOND ELEMENT: “RELATING TO” .................................................. ..............9
3. THIRD ELEMENT: “IDENTIFIED OR IDENTIFIABLE” [NATURAL
PERSON] .................................................. .................................................. .............12
4. FOURTH ELEMENT: “NATURAL PERSON” .................................................. ...21
IV. WHAT HAPPENS IF THE DATA FALL OUTSIDE OF THE
DEFINITION?....................................... .................................................. ...............24
V. CONCLUSIONS....................................... .................................................. ............25
I. INTRODUCTION
The Working Party is aware of the need to conduct a deep analysis of the concept of
personal data. Information about current practice in EU Member States suggests that
there is some uncertainty and some diversity in practice among Member States as to
important aspects of this concept which may affect the proper functioning of the existing
data protection framework in different contexts. The outcome of this analysis of a central
element for the application and interpretation of data protection rules is bound to have a
profound impact on a number of important issues, and will be particularly relevant for
topics such as Identity Management in the context of e-Government and e-Health, as well
as in the RFID context.
The objective of the present opinion of the Working Party is to come to a common
understanding of the concept of personal data, the situations in which national data
protection legislation should be applied, and the way it should be applied. Working on a
common definition of the notion of personal data is tantamount to defining what falls
inside or outside the scope of data protection rules. A corollary of this work is to provide
guidance on the way national data protection rules should be applied to certain categories
of situations occurring Europe-wide, thus contributing to the uniform application of such
norms, which is a core function of the Article 29 Working Party.
This document makes use of examples drawn from the national practice of European
DPAs to support and illustrate the analysis. Most examples have only been edited for
proper use in this context.
-4-
II. GENERAL CONSIDERATIONS AND POLICY ISSUES
The Directive contains a broad notion of personal data
The definition of personal data contained in Directive 95/46/EC (henceforth "the data
protection Directive" or "the Directive") reads as follows:
“Personal data shall mean any information relating to an identified or identifiable
natural person (“data subject”); an identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an identification number or to one
or more factors specific to his physical, physiological, mental, economic, cultural or
social identity”.
It needs to be noted that this definition reflects the intention of the European lawmaker
for a wide notion of "personal data", maintained throughout the legislative process. The
Commission's original proposal explained that "as in Convention 108, a broad
definition is adopted in order to cover all information which may be linked to an
individual"2. The Commission's modified proposal noted that "the amended proposal
meets Parliament's wish that the definition of "personal data" should be as general as
possible, so as to include all information concerning an identifiable individual"3, a
wish that also the Council took into account in the common position4.
The objective of the rules contained in the Directive is to protect individuals.
Articles 1 of Directive 95/46/EC and of Directive 2002/58/EC clearly state the ultimate
purpose of the rules contained therein: to protect the fundamental rights and freedoms
of natural persons and in particular their right to privacy, with regard to the processing
of personal data. This is a very important element to take into account in the
interpretation and application of the rules of both instruments. It may play a substantive
role in determining how to apply the provisions of the Directive to a number of
situations where the rights of individuals are not at risk, and it may caution against any
interpretation of the same rules that would leave individuals deprived of protection of
their rights.
The scope of application of the Directive excludes a number of activities, and
flexibility is embedded in the text to provide an appropriate legal response to the
circumstances at stake
Despite the broad concept of ‘personal data' and of 'processing’ contained in the
Directive, the mere fact that a certain situation may be considered as involving 'the
processing of personal data' in the sense of the definition does not alone determine that
this situation is to be subject to the rules of the Directive, in particular pursuant to
Article 3 thereof. Apart from exemptions due to the remit of community law, the
exemptions under Article 3 take into account the technical way of processing (in
manual non-structured form) and the intention of use (for purely personal or household
activities by a natural person). Even where processing of personal data within the scope
of the Directive is involved, not all the rules contained therein may be applicable in the
particular case. A number of provisions of the Directive contain a substantial degree of
2 COM (90) 314 final, 13.9.1990, p. 19 (commentary on Article 2)
3 COM (92) 422 final, 28.10.1992, p. 10 (commentary on Article 2)
4 Common position (EC) No 1/95, adopted by the Council on 20 February 1995, OJ NO C 93 of
13.4.1995, p.20
-5-
flexibility, so as to strike the appropriate balance between protection of the data
subject’s rights on the one side, and on the other side the legitimate interests of data
controllers, third parties and the public interest which may be present. Some examples
of such provisions are contained in Article 6 (retention period depending on data being
necessary), 7.f (balance of interest to justify processing), last paragraph of 10 (c) and
11.1 (c) (information to the data subject where necessary to guarantee fair processing),
or 18 (exemptions from notification requirements), just to mention a few cases.
The scope of the data protection rules should not be overstretched
An undesirable result would be that of ending up applying data protection rules to
situations which were not intended to be covered by those rules and for which they
were not designed by the legislator. The material exemptions under Article 3
mentioned above and the clarifications in recitals 26 and 27 of the Directive show how
the legislator wanted to see data protection applied.
One limitation concerns the way of processing data. It is useful to recall that the
reasons for enacting the first data protection laws in the seventies stemmed from the
fact that new technology in the form of electronic data processing allows easier and
more widespread access to personal data than the traditional forms of data handling.
Consequently data protection under the Directive aims at protecting such forms of
processing which are typical for a higher risk of “easy access to personal data” (recital
27). The processing of personal data by non-automatic means is only included within
the scope of the Directive where the data form part of a filing system or are intended to
form part of such system (Article 3).
Another general limitation for the application of data protection under the Directive
would be processing of data under circumstances, where means for identifying the data
subject are not “likely reasonably to be used” (recital 26), an issue which will be
discussed later.
But unduly restricting the interpretation of the concept of personal data should also
be avoided.
In those cases where a mechanistic application of every single provision of the
Directive would at first sight lead to excessively burdensome or perhaps even absurd
consequences, it must be first checked 1) whether the situation falls within the scope of
the Directive, in particular in accordance to Article 3 thereof; and 2) where it falls
within its scope, whether the Directive itself or national legislation adopted pursuant to
it do not allow for exemptions or simplifications with regard to particular situations in
order to achieve an appropriate legal response while ensuring the protection of the
individual’s rights and of the interests at stake. It is a better option not to unduly
restrict the interpretation of the definition of personal data but rather to note that there
is considerable flexibility in the application of the rules to the data.
National Data Protection Supervisory Authorities play an essential role in this respect
in the framework of their missions of monitoring the application of data protection law,
which involves providing interpretation of legal provisions and concrete guidance to
controllers and data subjects. They should endorse a definition that is wide enough so
that it can anticipate evolutions and catch all “shadow zones” within its scope, while
making legitimate use of the flexibility contained in the Directive. In fact, the text of
the Directive invites to the development of a policy that combines a wide interpretation
-6-
of the notion of personal data and an appropriate balance in the application of the
Directive’s rules.
III. ANALYSIS OF THE DEFINITION OF “PERSONAL DATA”
ACCORDING TO THE DATA PROTECTION DIRECTIVE
The definition in the Directive contains four main building blocks, which will be
analyzed separately for the purposes of this document. They are the following ones:
- “any information”
- “relating to”
- “an identified or indentifiable”
- “natural person”
Those four building blocks are closely intertwined and feed on each other. However,
for the sake of the methodology to be followed in this document, each of these items
will be dealt with separately.
1. FIRST ELEMENT: “ANY INFORMATION
The term “any information” contained in the Directive clearly signals the willingness
of the legislator to design a broad concept of personal data. This wording calls for a
wide interpretation.
From the point of view of the nature of the information, the concept of personal data
includes any sort of statements about a person. It covers "objective" information, such
as the presence of a certain substance in one's blood. It also includes "subjective"
information, opinions or assessments. This latter sort of statements make up a
considerable share of personal data processing in sectors such as banking, for the
assessment of the reliability of borrowers ("Titius is a reliable borrower"), in insurance
("Titius is not expected to die soon") or in employment ("Titius is a good worker and
merits promotion").
For information to be 'personal data', it is not necessary that it be true or proven. In
fact, data protection rules already envisage the possibility that information is incorrect
and provide for a right of the data subject to access that information and to challenge it
through appropriate remedies5.
From the point of view of the content of the information, the concept of personal data
includes data providing any sort of information. This covers of course personal
information considered to be “sensitive data” in Article 8 of the directive because of its
particularly risky nature, but also more general kinds of information. The term
"personal data" includes information touching the individual’s private and family life
“stricto sensu”, but also information regarding whatever types of activity is undertaken
by the individual, like that concerning working relations or the economic or social
behaviour of the individual. It includes therefore information on individuals, regardless
5 Rectification could be done by adding contrasting comments or by using the appropriate legal
remedies, such as appeal mechanisms
-7-
of the position or capacity of those persons (as consumer, patient, employee, customer,
etc).
Example No. 1: Professional habits and practices
Drug prescription information (e.g. drug identification number, drug name, drug
strength, manufacturer, selling price, new or refill, reasons for use, reasons for no
substitution order, prescriber's first and last name, phone number, etc.), whether in the
form of an individual prescription or in the form of patterns discerned from a number
of prescriptions, can be considered as personal data about the physician who prescribes
this drug, even if the patient is anonymous. Thus, providing information about
prescriptions written by identified or identifiable doctors to producers of prescription
drugs constitutes a communication of personal data to third party recipients in the
meaning of the Directive.
This interpretation is supported by the wording of the Directive itself. On the one hand,
it has to be considered that the concept of private and family life is a wide one, as the
European Court on Human Rights has made clear6. On the other hand, the rules on
protection of personal data go beyond the protection of the broad concept of the right
to respect for private and family life. It should be noted that the Charter of
Fundamental Rights of the European Union enshrines the protection of personal data in
Article 8 as an autonomous right, separate and different from the right to private life
referred to in Article 7 thereof and the same is the case at national level in some
Member States. This is consistent with the terms of Article 1.1, aimed at protecting
“the fundamental rights and freedoms of natural persons, and in particular [but not
exclusively] their right to privacy”. Accordingly, the Directive makes particular
reference to the processing of personal data in contexts outside of the home and family,
like that provided for by labour law (Article 8.2 (b)), criminal convictions,
administrative sanctions or judgements in civil cases (Article 8.5) or direct marketing
(Article 14 (b)). The European Court of Justice7 has endorsed this broad approach.
Considering the format or the medium on which that information is contained, the
concept of personal data includes information available in whatever form, be it
alphabetical, numerical, graphical, photographical or acoustic, for example. It includes
information kept on paper, as well as information stored in a computer memory by
means of binary code, or on a videotape, for instance. This is a logical consequence of
covering automatic processing of personal data within its scope. In particular, sound
and image data qualify as personal data from this point of view, insofar as they may
represent information on an individual. In this regard, the particular reference to sound
and image data in Article 33 of the Directive has to be understood as a confirmation
6 Judgement of the European Court of Human Rights in the case Amann v Switzerland of 16.2.2000,
§65 : "[...] the term “private life” must not be interpreted restrictively. In particular, respect for
private life comprises the right to establish and develop relationships with other human beings;
furthermore, there is no reason of principle to justify excluding activities of a professional or business
nature from the notion of “private life” (see the Niemietz v. Germany judgment of 16 December 1992,
Series A no. 251-B, pp. 33-34, § 29, and the Halford judgment cited above, pp. 1015-16, § 42). That
broad interpretation corresponds with that of the Council of Europe’s Convention of 28 January 1981
[...]"
7 Judgment of the European Court of Justice C-101/2001of 6.11.2003 (Lindqvist), §24: "The term
personal data used in Article 3(1) of Directive 95/46 covers, according to the definition in Article 2(a)
thereof, any information relating to an identified or identifiable natural person. The term undoubtedly
covers the name of a person in conjunction with his telephone coordinates or information about his
working conditions or hobbies".
-8-
and clarification that this sort of data is indeed included within its scope (provided all
the other conditions are fulfilled), and that the Directive applies to them. In fact, that is
a logical assumption for the provision contained in this Article, which seeks to assess
whether the rules of the Directive provide appropriate legal responses in those areas.
This is further clarified by Recital 14, stating that "given the importance of the
developments under way, in the framework of the information society, of the techniques
used to capture, transmit, manipulate, record, store or communicate sound and image
data relating to natural persons, this Directive should be applicable to processing
involving such data". On the other hand, it is not necessary for the information to be
considered as personal data that it is contained in a structured database or file. Also
information contained in free text in an electronic document may qualify as personal
data, provided the other criteria in the definition of personal data are fulfilled. E-mail
will for example contain 'personal data'.
Example No. 2: Telephone Banking:
In telephone banking, where the customer's voice giving instructions to the bank are
recorded on tape, those recorded instructions should be considered as personal data.
Example No. 3: Videosurveillance
Images of individuals captured by a video surveillance system can be personal data to
the extent that the individuals are recognizable.
Example No. 4: a child's drawing
As a result of a neuro-psychiatric test conducted on a girl in the context of a court
proceeding about her custody, a drawing made by her representing her family is
submitted. The drawing provides information about the girl's mood and what she feels
about different members of her family. As such, it could be considered as being
“personal data”. The drawing will indeed reveal information relating to the child (her
state of health from a psychiatric point of view) and also about e.g. her father's or
mother’s behaviour. As a result, the parents in that case may be able to exert their right
of access on this specific piece of information.
Special reference should be made here to biometric data These data may be defined as
biological properties, physiological characteristics, living traits or repeatable actions
where those features and/or actions are both unique to that individual and measurable,
even if the patterns used in practice to technically measure them involve a certain
degree of probability. Typical examples of such biometric data are provided by
fingerprints, retinal patterns, facial structure, voices, but also hand geometry, vein
patterns or even some deeply ingrained skill or other behavioural characteristic (such
as handwritten signature, keystrokes, particular way to walk or to speak, etc...)
A particularity of biometric data is that they can be considered both as content of the
information about a particular individual (Titius has these fingerprints) as well as an
element to establish a link between one piece of information and the individual (this
object has been touched by someone with these fingerprints and these fingerprints
correspond to Titius; therefore this object has been touched by Titius). As such, they
can work as "identifiers". Indeed, because of their unique link to a specific individual,
biometric data may be used to identify the individual. This dual character appears also
-9-
in the case of DNA data, providing information about the human body and allowing
unambiguous and unique identification of a person.
Human tissue samples (like a blood sample) are themselves sources out of which
biometric data are extracted, but they are not biometric data themselves (as for instance
a pattern for fingerprints is biometric data, but the finger itself is not). Therefore the
extraction of information from the samples is collection of personal data, to which the
rules of the Directive apply. The collection, storage and use of tissue samples
themselves may be subject to separate sets of rules8.