Secretary General of the Italian Data Protection Authority
Member, European Data Protection Supervisors' Group
Dear Friends,
Please allow me, without much ado, to thank EPIC for having invited me to
contribute to this stimulating event, an invitation I accepted with real
pleasure. Indeed, today's sessions are providing ample proof of what I am
saying.
Considering the title of my presentation, I must tell you that I would
not be so sure that there already exists a well-defined "European perspective".
In our continent, we do share a European cultural identity, a common
perspective on our countries' future, a single entity that is bound to shortly
be provided with its own Constitutional Charter. However, the challenges raised
by freedom rights and electronic democracy are confronting us day by day with
the need for new choices, and the individual European countries sometimes
address this need at different speeds.
Politically speaking, Europe expanded only twenty days ago by 10
additional countries, and our progress as a 25-strong team (including members
that either joined the Union for the first time or re-joined it after some
time) will be even more stimulating. Sure, it will be fraught with plenty of
pitfalls and difficulties; nevertheless, it will still deserve to be pursued
with passion and strong-mindedness.
I have been working in the data protection sector for many years, and I
am going to speak from this viewpoint, which is, however, not that narrow;
indeed, it is fascinating because it has long had to do not only with the private
sphere of individuals, but with many fundamental rights and freedoms, including
personal dignity and identity, people's legitimate claim to transparency of
administrative activities, freedom and secrecy of voting, freedom of movement,
and the right to health.
I am sure you are already familiar with many of the things we are doing
in Europe; however, it might be useful to outline, with your help, the overall
framework in order to better understand our perspective as well as yours.
In Europe, transposition of the two privacy directives can be said to
have been basically completed.
In 2003, the first Report by the European Commission on implementation
of the "main" directive (95/46/EC) was also released.
This Report highlighted some differences in the transposition effected
by the individual Member States; however, it stated that these divergences did
not impact negatively on the internal market and that there was not, as yet,
any need to amend the text of the Directive itself.
Application of this directive was also the subject of the first two
decisions by the European Court of Justice. One dealt more specifically with an
Austrian case; the Court ruled that data protection provisions were compatible
with those on openness of administrative activities (the case at stake
concerned disclosure of payroll information in respect of some civil servants).
The other one, published in November 2003, was related to a criminal trial held
in Sweden; in addition to making some considerations, to be evaluated more in
depth, on the relationship between dissemination of personal data on the
Internet and transborder data flow regulations, it contains an important
statement to the effect that safeguards for personal rights and interests are
to be afforded throughout Europe in accordance with high standards. These
safeguards should be reconciled with the free movement principle; however, this
reconciliation should not result in diminishing any safeguards that were
already in place prior to adoption of the 95/46 directive.
The third- (or fourth-) generation laws that are being finalised in these
months have simplified procedures and mechanisms based on the experience
gathered; they are focused more specifically on balancing rights and public
interests as regards electronic cards and secure identification of citizens
accessing public services (therefore, we have to deal with the issue of
proportionality in using biometric data and the various authentication or
verification methods), and on the management of genetic information in tests,
population screenings and research.
Moreover, an important contribution has been given throughout these
years by several decisions issued by national DPAs, whilst the case law of
national judicial authorities on this topic is less rich so far.
Perhaps I am giving you the impression that our approach is merely a
regulatory one, and that our laws are trying, and failing, to keep pace with
technology. This is not so.
True, in some countries such as Italy there is no longer only a Data
Protection Act, but actually a Code containing all the specific and/or general
provisions applying to the different sectors. However, we learned how to
reconcile our legal tradition with the flexibility that is mandated by these
matters. We avail ourselves less of authorisations and more of co-operative
prior checking with data controllers; we make increased use of technologically
neutral codes of conduct, which we provide with the legal force required for
them to be respected, to give rise to rights and to entitle individuals to damages.
OK, you might say, this is obvious; it is merely the product of the
times we are living in; it is in no way extraordinary and, perhaps, it is not a
feature only applying to Europe.
Still, there is amazing news coming from our continent: the
right to personal data protection is becoming a statutory requirement.
Several laws in European countries as well as the European Charter of
fundamental rights set out that this is an autonomous right as compared with
the right to privacy, and they committed its safeguard to autonomous,
independent authorities.
In Spain, three decisions issued in 2000 by the Tribunal Constitucional
ruled that the right to data protection was a fundamental, autonomous right.
These decisions add to those issued by the Courts of Cassation (i.e. the last-instance
courts) in Belgium and Italy, which upheld the direct enforceability of Article
8 of the European Human Rights Convention, that is to say the obligation for
States not to interfere with citizens' private sphere to a disproportionate
extent (only think of data retention, for instance) and actually to prevent
other public or private entities from doing so.
The Constitutional Charters of some countries such as Greece and
Portugal have also addressed the right to data protection by solemnly re-affirming
it. But there is a far more important development in store.
I am referring to the forthcoming European Constitutional Charter, which
we hope will be issued within this year and will expressly protect the right to
personal data protection; indeed, two articles in the Charter deal with this
right.
What does all this mean? Why is it so important to us, and why will the
Constitutional Charter of Europe attach specific importance only to this
personal right, compared with the other rights?
Perhaps this question can be answered by considering the cross-sectoral
nature of data protection. There is practically no area in the public or
private domain where it is not necessary to determine how and to what extent
data concerning citizens may be collected and managed.
We have realized that it is no longer possible to deal with this issue
by simply checking whether a certain type of conduct is in breach of privacy or
not.
In the past, it was often remarked that personal data were goods, indeed
valuable goods. This holds true nowadays as well. But, at least in Europe, we
have started regarding them more as a direct projection of the individual self,
as a part of our own physicality, than as an external chattel.
This is ultimately in line with the growing importance attached to
processing operations involving our bodies, and I am thinking of location via
mobile phones and satellites, the use of biometric data, or the testing in
progress on underskin chips.
If the habeas data principle is recognised on the
juridical level and given top priority among the values enshrined in
constitutional charters, this is bound to produce effects whenever a balance is
to be struck between this right and other rights and public interests.
It is not a dictatorship of data protection that we have in mind;
still, something has got to change.
Whoever is in charge of law enforcement has to pay greater attention than in
the past to the necessity and proportionality of the huge databases he creates or
matches, to the purposes he is seeking to achieve, the data he needs to
collect, the retention period, and the entities accessing these data.
These issues must be addressed even where the processing causes no
concrete breach of privacy, concerns data kept securely,
or does not envisage any kind of disclosure.
The right to data protection makes citizens masters of the information
concerning them more than was the case in the past, and empowers them to
better challenge the mechanisms implemented in using this information.
In other words, there is a fundamental right to having the rules
complied with even if there is no perceptible breach of one's private sphere.
This, in turn, produces effects on the claims for non-pecuniary damages that
users and consumers may lodge simply in order to establish the breach.
Courts will be able to award damages without necessarily considering how
seriously privacy was violated, as it will be enough to assess the gap between
the conduct at stake and the relevant rules.
There will be effects also on the global communication networks, the
opening-up of markets and our relationships with third countries, therefore
with the US as well. Indeed, in evaluating whether and how data may be
exported to countries affording adequate protection, it will be necessary to
take greater account not only of privacy features, but of the way
in which an individual is protected as a whole, that is to say, by having
regard to all his or her rights and freedoms.
Perhaps, if the European Constitution had already been in force, the
negotiations and dialogue that led ultimately to the Safe Harbor agreement, and
those concerning the much questioned agreement on the transmission of passenger
data by airline companies, would have come to partly different conclusions.
Please bear with me if I am speaking so long on the right to data
protection. I feel I have to apologise not only because I devoted several
minutes to this topic, but because one might draw the conclusion that
everything is fine in Europe and we are in a very festive mood.
In fact, there are contradictory features, ups and downs also in our
approach. Perhaps this is less so in the private sector, where on the whole
positive results could be achieved. If you download the list of the documents
adopted in Brussels by the Data Protection Commissioners' Working Party, you
will immediately realise the wide range of issues we have addressed.
Let me quote, for instance, those concerning data protection in the
employment sector, unsolicited electronic communications, genetic data, black
lists, mechanisms for the lawful cross-border transfer of personal data
(contractual clauses, adequacy decisions, corporate rules), invisible
processing operations on the Internet, biometrics, direct marketing, and
e-government. Some of these instruments have been adopted with the
collaboration of experts, field operators, or the public at large.
We are proud and happy that this work could be done by our network, or
club, if you like, during several meetings at different levels and in various
fora.
After the four hard-working years in which the Working Party was chaired
by Italy, we are also going to develop new strategies and the guidelines we
will be following in the near future, our priorities, and our expectations as
regards both the enhanced co-operation between the Working Party and the
European Parliament and the need for the Working Party to be granted increased
autonomy and visibility within the framework of Community institutions.
There are plenty of issues in which we are trying to come to suitable
solutions in cooperation with the parties concerned. Let me quote the
WHOIS-ICANN case, i.e. the attempt we are making, as I explained during the
ICANN Rome Conference of March, to implement, at national level, the
safeguards referred to in the Working Party's opinion on WHOIS directories (no.
2/2003). On the other hand, the issues raised, for instance, by application of
the Sarbanes-Oxley Act in some European countries are being evaluated to assess
compatibility of the registration obligation with some national DP laws.
We are trying to make it simpler, day by day, to work on a
subject-matter that is difficult not so much because the rules are too strict
or the approach followed relies too heavily on regulation, but because of the complexity
of the multifarious situations it is related to.
Things get more mixed-up if we consider the public sector, or rather,
part of the public sector, namely law enforcement activities. We have gone
through different phases in this area, and the current phase is anything but the
most felicitous one.
As you all know, Europe was united initially on the level of commercial
exchanges and the internal market. We are creating a common space of freedom,
security and justice, but we are going by degrees. Citizens' rights were taken
into due consideration in the starting phase, when measures were introduced to
compensate for the elimination of several internal borders and facilitate
judicial and police co-operation.
The Schengen Information System, Europol databases, Eurojust, Eurodac and
the Dublin Convention on Asylum Requests were all good examples of
agreements in which the presence of many data protection provisions was
reconciled successfully with effective security and suppression of criminal
offences. The fact that the relevant Conventions provided for the existence of
and supervision by joint independent bodies in charge of data protection has
ensured that the interests and rights at stake could be balanced from the
start.
We are now on the eve of the establishment of the SIS II, which will
represent the biggest database for police and judicial purposes in Europe, and
perhaps worldwide. The Schengen Joint Supervisory Authority I had the privilege
of chairing during the past two years issued this very week an important
opinion, which is expected to be discussed already next week by other Schengen
related bodies. In this opinion, we spelled out the rules to prevent
duplication of data contained in other databases, disproportionate use of
biometric data, unregulated access to the data for various purposes, and the
arising of conflicts with the future Visa Information System.
I feel confident that many of these recommendations, which the European
Parliament already took into account in the past few months, will be duly
considered.
We also discussed in the Art. 29 WG a draft Regulation (of 18th
February 2004) providing for the mandatory inclusion in passports of the
digitalised image of the holder's face and, possibly, of his/her fingerprints
in an interoperable format. We provide specific guidance on the purposes of
such processing, the authentication and/or verification mechanisms, the
proportionality issues and the risks related, inter alia, to identity theft.
In my view, all this shows that it is possible to develop acceptable
solutions based on carefully thought-out initiatives, which benefit from the
real co-operation of several institutions.
The same applies, all things considered, to a recent decision by the
Council of the European Union, the so-called Spanish proposal, which envisages
establishment of a system that is similar to the one in the APIS/PNR case.
Unlike the US-EU agreement on PNR data, on which I am going to say some very
nasty things quite shortly, this agreement provides that European countries
will oblige air carriers to transfer very few data on incoming passengers to
our customs authorities for limited-scope purposes related to border controls;
these data will have to be deleted within 24 hours from passenger arrival.
Our world is going through a veritable ordeal for the sake of security.
These are difficult times, and striking a balance between security and rights
has become more demanding.
Still, I do not believe that some of the challenges arising in
connection with law enforcement are related exclusively to the aftermath of
9/11.
Perhaps one might argue that the difficult international situation makes
it easier to choose hasty solutions that are unsuitable because they actually
entrust technology and databases with the task of devising solutions for
problems requiring wholly different, broad-minded approaches.
In particular, we still have two games to play:
a) On the 1st July of this year, the Council of Europe's Convention on Cybercrime will enter
into force. This Convention was signed three years ago by 38 countries,
including the United States, Canada and Japan, and has been ratified so far by only
6 countries, all of them from Eastern Europe (Albania, Croatia, Estonia,
Hungary, Lithuania and Romania). Considerable attention should be paid by NGOs
to ratification of this Convention, which undoubtedly contains sensible
measures to co-ordinate international repression of criminal offences committed
via either the Internet or other electronic networks; however, there is also
the risk that the tools it envisages to fight cybercrime, ranging from data
retention to interception techniques, will be shaped in a way that is not
acceptable to a democratic society.
The EU data protection commissioners explained their views in a very
detailed opinion (no. 4 of 2001), which was not fully taken into account in
drafting the final text of the Convention.
It is highly likely that the flaws and benefits of this Convention will
be enhanced, as the case may be, depending on the way it is transposed in each
country. I'm not going to comment on our opinion in detail; however, I must dwell
a bit longer on the risks resulting from the vagueness of some concepts, the
discrepancies existing in the different legal systems as regards the
definitions of "ordre public", and the circumstance that the contracting Parties
may make very different choices at national level and nevertheless be bound by
the Convention to provide mutual assistance. Other dangers for electronic
citizenship rights are related to the fact that, theoretically speaking,
non-Member countries are not obliged to comply with stringent obligations such
as those resulting from Strasbourg Convention no. 108, the Recommendations
issued by the Council of Europe, the Charter of Nice and, more recently, the
European Constitutional Charter. Furthermore, it should perhaps be clarified
why major countries such as the US have not yet ratified this Convention: are
they unwilling to be bound by the guarantees laid down in the Convention, or is
it because ratification entails making several highly complex decisions?
Thus, a public debate is necessary on the uniform democratic features
that should be retained during the transposition process.
I said that we are facing two challenges. The second one has to do with
data retention.
b) Proposals to introduce uniform, mandatory data
retention are regularly tabled in Europe; however, following an initial
discussion, they are never put into practice. After 9/11, some European
countries such as France, Spain and Belgium introduced laws allowing, via different
mechanisms, retention of Internet-related data for a maximum period of 1 year.
However, the 2002 directive on privacy in electronic communications re-affirmed
the principles upheld by the case law of the European Court of Human Rights
concerning proportionality and necessity.
In February of this year, the Italian Parliament unanimously rejected a
decree introduced by Government to require as much as 5-year retention of
Internet data; furthermore, Parliament passed a different instrument to enhance
the safeguards applying to the retention of telephone traffic data for the
prevention of criminal offences.
But, as soon as a crisis situation re-surfaces at international level,
new initiatives are undertaken, such as that of some States that proposed the
adoption of a framework decision to oblige the 25 EU Member States to retain,
for at least 12 months and without specifying the upper limit, a wide gamut of
data including traffic, location, and subscriber data. The purposes of such
retention would not be limited to the fight against terrorism and relate
vaguely to "prevention and suppression of offences".
Finally, a negative outcome may feature in the ultimate developments of
a story that is embittering us not so much on account of the decisions taken,
but because of the precedent it will come to be.
I am referring to the US-EU agreement on the transfer of data concerning
passengers flying to or from the United States, which was adopted in Brussels
on 17th May despite the firm contrary stance taken by the European
Parliament and the request for clear-cut guarantees made by the European data
protection authorities. I am sure that many of you know that in December, the
Belgian Commission pour la protection de la vie privée had found that United
Airlines, Continental Airlines and Delta Airlines had violated some principles
of the Belgian data protection law.
On 21st April last, the European Parliament had rejected,
once again, the draft US-EU agreement and requested the Court of Justice to
issue a preliminary ruling on its legal basis as well as on compliance with
Article 8 of the European Human Rights Convention.
Three opinions had been rendered by the European data protection
authorities between October 2002 and January of this year, in which several
criticisms were made. The European Commission did not work along the line of
true institutional co-operation with the European Parliament, and imposed its
own time schedule.
Now, the European Internal Market Commissioner, Mr. Bolkestein, is
telling the press that the Commission has obtained several guarantees and that
no negotiated solution is ever perfect. The point is that no veritable
negotiation has ever been carried out. For the sake of the States' superior
interest, the attempt to devise balanced solutions meeting the demand for
adequate safeguards coming from several entities was relinquished.
Indeed, the agreement recognises, on the one hand, the importance of
respecting fundamental rights and freedoms, whilst on the other hand it does
not afford concrete safeguards for these rights. Equally effective results
in terms of security could have been achieved without also violating Member
States' competences as provided for in Article 7. This was a sad chapter in the
history of data protection.
Perhaps this agreement will become effective; however, the last word has
not yet been spoken. Whenever an agreement as important as this one is imposed
from above and is not felt to be a shared achievement, it is like a stillborn
child for some institutions and citizens. The same applies to the Safe Harbor
Agreement, whose enforcement rate is, in my view, as good as non-existent
compared with the frequency with which standard contractual clauses are used.
Fortunately, this story is counterbalanced by others, which are equally
complex although a bit more encouraging, such as the one concerning Directive
2004/48 on intellectual property, which was published on 30th April
last. Indeed, some improvements were made over the initial drafts, especially
thanks to the European Parliament.
For instance, if I interpreted the text correctly, Section 512 h of the
Digital Millennium Copyright Act provides that a "subpoena order to a service
provider" may be granted "for identification of an alleged infringer" following
a request lodged with the court's clerk, i.e. without assessing its
proportionality.
Conversely, Article 8 of the Directive now provides that the competent
court may order that information be disclosed on the alleged infringer of
copyright exclusively on the basis of a justified, proportionate request as
well as within the framework of a proceeding already in place in connection
with such alleged infringement.
As already pointed out by some associations, it will be in any case
necessary to keep an eye at national level on the transposition of this
Directive, on account of the need to impose proportionate punishments as well as
because of the rather vague and broad concept of "intellectual property" used
in the Directive, which entails the possibility of punishing not so serious
cases of infringement.
And now, I find I have to conclude my presentation by referring to the
role played by NGOs and our future perspective.
We need to establish stronger ties and improve the
exchange of information with you, to enhance your involvement in
decision-making, to get continuously spurred by you so that DPAs can always
play their role of watchdogs effectively as well as in full independence. And
mind you, the public is aware that independence is a fundamental prerequisite
for our authorities: a complaint was recently lodged with the European
Commission by a citizen claiming that some DP authorities would not be really
independent in their evaluations.
I am aware that there has been some scepticism as to the real impact of
decisions such as the Belgian one, or of other recent initiatives such as the
Dutch one of March 2004, where nevertheless it could be ascertained that some
data concerning Dutch passengers on Northwest Airlines flights had been
supplied to NASA for the scientific purpose of developing a method for
identifying potential terrorists.
Let us start from cases such as this one to make things even better. In
this attempt, we are supported by the findings of a survey carried out by the
European Commission in the last few months and published on the Eurobarometer's
website; this survey took the pulse of European citizens and found that over
60% of them were still concerned or very concerned about their privacy, whilst
90% considered it necessary that a law should regulate this matter.
You should require DPAs to be supplied with adequate powers and
resources and improve their dialogue with citizens. You should require DPAs to
play their role, which is to establish whether a given activity is
proportionate or not. Conversely, it is up to politics to assume the
responsibility of providing different guidelines in order to perform the
balancing of interests.
Above all, let us try and understand what steps can be taken to
strengthen common principles at intercontinental level. The Charter of Venice,
which was adopted in 2000 during the 22nd International Conference
on privacy, suggested an approach to achieve globally binding guidelines. Let
us start from here. After four years, there are many more global networks and
reasons to do so.
Thank you for your attention.
Giovanni Buttarelli