Parliament of Romania Chamber of Deputies Committee for information technologies and communications

Similar documents
Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT. Committee on Civil Liberties, Justice and Home Affairs

Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)

EU GENERAL DATA PROTECTION REGULATION

ARTICLE 29 DATA PROTECTION WORKING PARTY

EU data protection reform

5853/12 GS/np 1 DG H 2B

EU General Data Protection Regulation (GDPR)

General Data Protection Regulation. Revise the existing directive for the public sector

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Opinion 3/2010 on the principle of accountability

EN United in diversity EN A7-0170/27. Amendment

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

Consultation Paper. Draft Regulatory Technical Standards

EBA/RTS/2017/ December Final Report. Draft regulatory technical standards. on central contact points under Directive (EU) 2015/2366 (PSD2)

The One Stop Shop Working in Practice

GDPR Webinar : Overview & practical compliance steps. 23 October 2017

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

EBA FINAL draft Regulatory Technical Standards

Discussion Paper on innovative uses of consumer data by financial institutions

(Legislative acts) DIRECTIVE 2014/55/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on electronic invoicing in public procurement

EU General Data Protection Regulation (GDPR) Tieto s approach and implementation

European Parliament resolution of 8 March 2011 on the revision of the General Product Safety Directive and market surveillance (2010/2085(INI))

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only.

Finansinspektionen s response at the webb-survey, to the Commission Consultation on FinTech

Independent Regulators Group Rail. IRG Rail

The General Data Protection Regulation: What does it mean for you?

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

European Railway Agency. Impact Assessment Report. Single Safety Certificate

RESPONSE TO THE ESMA S CONSULTATION PAPER ON THE EUROPEAN SINGLE ELECTRONIC FORMAT 18 JANUARY 2016

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

Guidance on the General Data Protection Regulation: (1) Getting started

EBA/CP/2013/12 21 May Consultation Paper

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

EU Free Trade Agreement Proposition. Allowing data flows and respecting data privacy

EUROPEAN UNION. Brussels, 27 March 2013 (OR. en) 2011/0374 (COD) PE-CONS 80/12 CONSOM 164 MI 853 JUSTCIV 382 CODEC 3131 OC 774

Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders

Proposal for the implementation of the authorised representative under Directive 2012/19/EU ( WEEE2 ) July 2013

Data Flow Mapping and the EU GDPR

ARTICLE 29 Data Protection Working Party

epp european people s party

AmCham EU s position on Directive on certain aspects concerning contracts for the supply of digital content

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Sławek Górniak ENISA. 8 th ETSI Security Workshop Sophia Antipolis, 16 th January 2013

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. on certain aspects concerning contracts for the supply of digital content

Arnold Schilder Chairman International Auditing and Assurance Standards Board 529 Fifth Avenue 6th Floor New York, NY

GDPR. The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April

10349/14 GS/np 1 DG D 2B

This document will be the basis for legal-linguistic revision in view of the common position.

Liberalization, Investment, and Regulation: The Key Factors for the Development of the Electronic Communications Market

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL

Comments and suggestions on the Terms of Reference for drafting a Second Optional Protocol to the Cybercrime Convention

New model of governance and accountability of data protection by Union institutions and bodies

10972/14 IV/NC/kp DGB 2

with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing

AmCham EU comments on the European Commission s Preliminary Report on the E-Commerce Sector Inquiry

15724/1/17 REV 1 KM/CB/ek 1 DGE2B

1. Context. 1.1 Scope

August THE APPOINTMENT OF THE AUDITOR AND THE DURATION OF THE AUDIT ENGAGEMENT: Striving for a Workable Single Market in the EU

The New EU General Data Protection Regulation and its Consequences for IT Operations and Governance

TOOL #47. EVALUATION CRITERIA AND QUESTIONS

Regulatory framework for electronic communications in the European Union. Situation in December 2009

COUNCIL OF THE EUROPEAN UNION. Brussels, 20 November /08 Interinstitutional File: 2007/0247 (COD)

THE PRINCIPLE OF SUBSIDIARITY

15489/14 TA/il 1 DG E 2 A

New General Data Protection Regulation - an introduction

The Revised Directive on European Works Councils

What is GDPR and Should You Care?

GDPR Webinar 4: Data Protection Impact Assessments

Development of e-government: the EU and Russia experience in comparative perspective

(Non-legislative acts) REGULATIONS

The Sage quick start guide for businesses

GD 2016/0082. Council of Ministers. Considerations relating to a single resident record for the Isle of Man

Mr Sven Giegold Member of the European Parliament European Parliament 60, rue Wiertz B-1047 Brussels. Frankfurt am Main, 02 October 2015

The draft General Data Protection Regulation

The (Scheme) Actuary as a Data Controller

Code of ethics (or conduct) of Cama 1 S.p.a.

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2016/0404(COD)

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

EU-GDPR and the cloud. Heike Fiedler-Phelps January 13, 2018

TTIP- EU proposal for Chapter: Regulatory Cooperation

DATA PROTECTION AUTHORITY IN POLAND

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT

ECR Group proposals on the revision of the Interinstitutional Agreement on Better Law-Making

Selecting Economic Operators

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

Preparing for the General Data Protection Regulation (GDPR)

September Council of Europe. Privacy and Internet. Loreta Vioiu. Administrator Internet Governance Unit

GSMA comments on the Draft BEREC Report on OTT services (BoR (15) 142)

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

TEXTS ADOPTED. having regard to the Treaties, and in particular to Articles 2, 3, 4 and 6 of the Treaty on European Union (TEU),

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 4 October 2017

Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market

Helsinki European Council (10-11 December 1999) Presidency Conclusions. Introduction

COUNCIL OF EUROPE COMMITTEE OF MINISTERS. RECOMMENDATION No. R (89) 2 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES

Global Forum on Competition

TEXTS ADOPTED Provisional edition

Roundtable on. Competition Policy and Public Procurement

Council of the European Union Brussels, 15 December 2017 (OR. en)

DER BINNENMARKT IST DER MOTOR DES WIRTSCHAFTSWACHSTUMS

Transcription:

Parliament of Romania Chamber of Deputies Committee for information technologies and communications The reform of the EU Data Protection framework Building trust in a digital and global world 9/10 October 2012-09-24 Questionnaire addressed to national Parliaments 1. The proposed EU Data Protection reform aims to ensure a better protection of the privacy and personal data of European citizens, through increasing the level of harmonization of national legislations. Currently, the EU regulatory framework on data protection is implemented in different manners, in different member states, and this leads to legal uncertainty among the companies activating at European level (and which, in the performance of their economic activities, are subject to the EU legislation on data protection), on one side, and to a non-uniform level of protection with regard to EU citizens privacy and personal data. Under these circumstances, the new regulatory proposals launched by the European Commission bring added value to the existing EU concept of privacy and data protection, through ensuring that, once adopted, they will lead to more legal certainty and to better protection, thus benefiting both citizens and businesses. In addition, the new provisions included in the proposed framework (strengthening the right to be forgotten, giving citizens easier access to their data, consolidating the powers of the national data protection authorities, creating the data protection officer position) are aimed at ensuring that citizens fundamental right to privacy and data protection is exercised in a proper manner and respected as such by all relevant actors. 2. As mentioned above, the increase level of harmonisation of the European national data protection legislations is a legitimate aim, as it can contribute to a better protection of a fundamental human right. However, given that several national parliaments have questioned whether the proposed regulation is fully in line with the subsidiarity and proportionality principle, it is our view that these issues still need to be carefully analised, in order to clarify whether the rules established under the proposed regulation should be directly applicable to member states, as proposed by the European Commission, or whether member states should be given the possibility to transpose them in their national legislations, while taking into account their internal realities.

3. The current legal framework on data protection is not fully adapted to the continuously evolving technological environment. For example, the privacy by design and privacy by default concepts are missing from the existing framework, but the level of use of technological devices whose functionalities have implications for data protection requires the respective concepts to be included into legislation. A strengthened right to be forgotten, the right to data portability and increased authority for the national DPA are other examples of provisions that are not included in the existing legislation, but whose introduction would benefit European citizens. 4. The privacy by design and privacy by default concepts constitute an adequate approach, as they consitute an attempt to adapt the data protection legal framework to the technological developments. It is important that new devices and services are built while taking into account the need to ensure and protect users right to privacy, as opposed to the numerous existing models, in which users are invited to activate privacy options after they start using the service or device. These existing models often lead to citizens rights to privacy being violated, mainly as a consequence of the fact that users are not aware of the way in which they data are used and of the features they could activate in order to better protect themselves. However, it shall be noted that legislation must be technologically neutral and that any further step towards legislating means in which the two concepts should be implemented would represent a violation of this principle. 5. The mentioned rights of data subjects represent a step forward toward ensuring a better protection of the fundamnetal right to privacy and data protection. The right to data portability, the better framed right to be forgotten, the obligations of data controllers with regard to users request for access to data and rectification of data bring more value to the concept of privacy and data protection and are meant to ensure that data subjects are aware of the way in which their data are used and are able to exercise full control over such data, at any moment in time, and irrespective the controller that processes the respective data. 6. The principles underlying the above mentioned rights constitute necesarry provisions whose implementation would lead to a better and more explicit form of protection of these rights. 7. We consider that further analysis should be undertaken with regard to the implementation of data protection rules with regards to data processing by law enforcement authorithies. Also, special attention should be given to already-existing conventions between member states and non-member states. Member states have different national frameworks in which their law enforecement authorities activate, and any new rules imposed on these authorities should take into account these existing frameworks and their specificities. Therefore, the implementation of new data protection rules with regard to the domestic activity of LEA should be made in accordance with national existing frameworks and member states should be given the possibility to choose the most appropriate solution to implement.

8. LEA access to data held by private companies should be subject to judicial control. Thus, LEA access to personal data shall be permitted only with authorisation from a judicial authority and only where sufficient evidence exist that the data subject has commited a crime. In addition, the data subject should be informed in due time with regard to the fact that his data have been accesed by LEA. 9. In our view, the compliance with the rules proposed under the new framework would place significant administrative and financial burdens on private data controllers. For example, the idea of a data protection officer as mandatory for large enterprises in the private sector, as well as the obligation for the controllers to inform third parties which are processing the personal data that have been made public by the controllers about data subject requests to erase any link to or copy or replication of that personal data would have serious administrative and financial implications for the controllers. While we also acknowledge the fact that privacy and data protection are fundamental human rights that need to be fully protected and respected, it is our view that this protection can be ensured without imposing significant additional burdens on the controllers. We therefore consider that some of the new obligations to be imposed on controllers can be further analyzed in order to determine whether they can be reviewed in such a way as to limit the additional burdens to what is strictly necessary for ensuring an adequate level of data protection. 10. Article 51 of the proposed Regulation provides that, where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States. This provision is meant to ensure unity in application of data protection rules at the entire EU level, with respect to all citizens whose data are subject to processing by one controller acting in several states. It also offers more legal certainty to the controller, which will now know exactly what rules are applicable and what authority is responsible for supervising the application of such rules. However, this may generate difficulties for national DPA, who would have to deal with cases in which the processing of personal data has happened in another member state and in which the controller will have to apply decisions in another member states, under circumstances that may not be familiar to the DPA in question. The implementation of such decisions in a MS other than the MS in which the decisions were taken would require for the deciding DPA to be able to monitor the implementation of the respective decisions and to cooperate with national authorities in the other member state. Also, EU citizens may face difficulties with regard to cases which they would have to address to DPAs established in another member state not only linguistic, but also cost-related barriers. These barriers may be addressed through establishing a better cooperation between national DPA, so that a citizen may be able to address to the responsible DPA through the DPA established in his/her own country, who would act as a middle man facilitating the communication between the two parties. 11. See the answers to question 4. 12. The proposed sanction mechanisms are adequate and proportional. However, their implementation by the national DPA would require new resources to be made available

to the authority. The introduction of new rights for data subject and the role of the DPA to supervise the implementation of these rights, to monitor the activity of data controllers and to take actions in case of non compliance would bring new attributions to the DPA, and, thus, new challenges which the DPA needs to be prepared to face. 13. The consistency mechanism requires that a national DPA asks for the opinion of the European Data Protection Board and the Commission before adopting a measure that falls under certain categories clearly delimited in the proposed framework. This mechanism is aimed to ensure that the national DPAs apply the regulatory framework in a consistent and coherent manner. This would contribute towards ensuring unity in the application of the EU legislation. This provision has the advantage of contributing to a better protection of citizens right to privacy and data protection and to avoiding cases in which national DPA may act abusively against certain controllers. It does not undermine the independence of national DPAs, as it is only a mechanism meant to ensure that the DPA are fully abiding to the EU legal framework. In addition, the DPA concerned by a opinion submitted by the European Data Protection Board with regard to a certain measure is free to decide where it maintains or amend its initial decision. 14. As mentioned above, in view of the new provision of the proposed regulatory framework and the new responsibilities to be imposed upon national DPAs, the national DPA would need to be enhanced with additional resources meant to ensure a proper functioning and fulfillment of its increasingly important role. These resources concern both the financial aspect, as well as the staff number and the level of professional competence of the staff. It is thus important for the DPAs to develop strong policies on training or hiring of subjectmatter experts, especially in the ITC field, in order to have the right competences to deal with technological advances. 15. Data protection rules vary considerably at international level, with some states/regions granting higher level of protection to citizens right to privacy and data protection. Under these circumstances, it is essential that national and European authorities ensure that European citizens rights are protected when their data are transferred outside the EU borders. Therefore, the provisions regarding the fact that transfer may take place where the Commission has decided that the third country ensures an adequate level of protection are meant to ensure the appropriate protection of EU citizens. In cases where the transfer is made to a country with regard to which the Commission has not decided whether it ensures an adequate level of protection, this transfer may take place if the controller has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument. The detailed provisions regarding these appropriate safeguards, as well as the cases in which authorization is needed for the transfer create an adequate framework under which cross border personal data transfer are subject to clear data protection rules. 16. The proposed international data transfer rules do not undermine the protection of EU citizens rights. The fact that the cross border transfers are no longer subject to notification to national DPA do not mean that the transfer can be made in all cases, and without adequate safeguards. On the contrary, new mechanisms are put in place meant to ensure an adequate level of protection of the transfer data, but under a framework that is less burdensome for controllers. If the European Commission has decided that certain countries and organizations have adequate level of data protection, then a notification to the national DPA would have no effect but to overload the authority with notification and

to impose meaningless burdens on controllers. Where the Commission has not made such decisions, there are clear rules regarding the appropriate safeguards that need to be adduced by the controller. Valerian Vreme - Deputy

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback