Automatic inter-state exchange of data: Safeguarding data protection and fundamental rights
Giuseppe Busia, Secretary General of the Italian Data Protection Authority, Article 29 Working Party
The Article 29 Working Party
Independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC.
Brings together representatives of the data protection authorities of the European Union and a representative of the Commission.
Its main tasks (Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC) are:
to examine any question covering the application of the national measures adopted under the two Directives, in order to contribute to the uniform application of such measures;
to give the Commission an opinion on the level of protection in the Community and in third countries;
to advise the Commission on any proposed amendment of the Directives, on any additional or specific measures to safeguard data protection rights, and on any other proposed Community measures affecting such rights and freedoms;
to give an opinion on codes of conduct drawn up at Community level;
to make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community.
Joint EBF-FBF Tax Conference 2014 - Paris, 22 September 2014
Reconciling interests: the fight against tax evasion and fundamental rights
The legitimate fight against tax evasion should be pursued with full respect for individuals' fundamental rights, namely the right to private life and the protection of personal data, as required by European and international legal instruments:
Treaty on the Functioning of the European Union: Article 16
Charter of Fundamental Rights: Articles 7 and 8
European Convention on Human Rights: Article 8
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108/1981)
OECD Privacy Guidelines
CRS: challenges for data protection
Personal data relating to a large number of individuals
Exponential increase in the risks inherent to the data
Automatic exchange (on an annual basis)
Need for a clear definition of the purpose
Need for necessity and proportionality
Need for transparency and data subjects' rights
CJEU Data Retention Judgment
The CJEU Judgment of 8 April 2014 (Cases C-293/12 and C-594/12) declared the Data Retention Directive to be invalid. The Court found that the Directive:
entails a wide-ranging and particularly serious interference with the fundamental rights to privacy and to the protection of personal data;
fails to sufficiently circumscribe that interference so as to ensure that it is limited to what is strictly necessary for the purpose of fighting serious crime, thereby leaving it too open to Member States to decide on the scope of data retention;
fails to define the guarantees surrounding data retention, i.e. objective criteria to determine the retention periods, appropriate technical and organisational security measures, and conditions for the access to and use of the data by competent national authorities.
Consequences for automatic processing of data:
National legislators, authorities and institutions should be aware of the principles stated by the CJEU, which apply a fortiori to processing operations designed to monitor behaviours that have no criminal connotation, also with a view to avoiding the negative consequences of further invalidations.
Data Protection principles (1)
Legal basis: Multilateral/bilateral agreements should contain substantive data protection provisions (not a mere reference to DP tools). Moreover, national procedures (involvement of Parliament, DPA) should be respected in order to create an adequate, clear and foreseeable legal basis (Article 6a of Directive 95/46).
Data transfers: Transfers from the EU to third countries are only allowed if those third countries ensure an adequate level of protection (Article 25 of Directive 95/46). Legitimate transfers may also take place if based on one of the specific legal bases foreseen by Article 26 (e.g. the transfer is necessary on important public interest grounds, provided that such an interest is clearly defined and overrides the data subject's right to privacy). WP29 Opinion (WP114): repeated, mass or structural transfers of personal data should be governed by appropriate agreements which should be legally binding and fully take into account the data protection safeguards.
Purpose limitation: Any inter-state agreement should clearly identify the purposes for which data are collected and may validly be used (Article 6b of Directive 95/46). What is "tax evasion"? (legal acts, illegal acts, serious financial crimes?)
Necessity and proportionality: Need to prove the necessity of the processing and that the required data are the minimum necessary for attaining the purpose (Article 6c of Directive 95/46).
Data retention: Any decision to retain data must be subject to appropriate differentiation, limitations and exceptions (see the Data Retention Judgment). Need to define appropriate data retention periods (Article 6e of Directive 95/46).
Data Protection principles (2)
Transparency: Clear information should put data subjects in a position to understand what is happening to their personal data and how to exercise their rights. Any restriction of or exemption from transparency rules should be limited and justified, respecting the strict criteria of Article 13 of Directive 95/46.
Data subjects' rights: Appropriate mechanisms for an easy exercise of rights (any restriction should be limited and justified: Article 13 of Directive 95/46).
Controllership: Data controllers (and data processors) should be clearly identified. A correct allocation of controllership is a crucial step to ensure compliance and data subjects' rights (Articles 2d and 2e of Directive 95/46). Controllers should choose processors providing sufficient guarantees (Article 17.3 of Directive 95/46).
Onward transfers: Data controllers should ensure guarantees for onward transfers, in particular ensuring that data are not used for other purposes without appropriate safeguards.
Security measures: Strict security measures to avoid accidental or unlawful destruction, unauthorised disclosure/access and other unlawful forms of processing (Article 17.1 of Directive 95/46).
Privacy impact assessment: Member States should consider implementing an agreed Privacy Impact Assessment to ensure that DP safeguards are addressed and that a consistent standard is applied for the practical implementation of CRS.