Personal Data and Encryption in the European General Data Protection Regulation

Encryption of personal data is widely regarded as a privacy preserving technology which could potentially play a key role for the compliance of innovative IT technology within the European data protection law framework. Therefore, in this paper, we examine the new EU General Data Protection Regulation’s relevant provisions regarding encryption – such as those for anonymisation and pseudonymisation – and assess whether encryption can serve as an anonymisation technique, which can lead to the non-applicability of the GDPR. However, the provisions of the GDPR regarding the material scope of the Regulation still leave space for legal uncertainty when determining whether a data subject is identifiable or not. Therefore, we inter alia assess the Opinion of the Advocate General of the European Court of Justice (ECJ) regarding a preliminary ruling on the interpretation of the dispute concerning whether a dynamic IP address can be considered as personal data, which may put an end to the dispute whether an absolute or a relative approach has to be used for the assessment of the identifiability of data subjects. Furthermore, we outline the issue of whether the anonymisation process itself constitutes a further processing of personal data which needs to have a legal basis in the GDPR. Finally, we give an overview of relevant encryption techniques and examine their impact upon the GDPR’s material scope.

Global Standards: Recent Developments betweend the Poles of Privacy and Cloud Computing

The development of the Internet has made it possible to transfer data ‘around the globe at the click of a mouse’. Especially fresh business models such as cloud computing, the newest driver to illustrate the speed and breadth of the online environment, allow this data to be processed across national borders on a routine basis. A number of factors cause the Internet to blur the lines between public and private space: Firstly, globalization and the outsourcing of economic actors entrain an ever-growing exchange of personal data. Secondly, the security pressure in the name of the legitimate fight against terrorism opens the access to a significant amount of data for an increasing number of public authorities.And finally,the tools of the digital society accompany everyone at each stage of life by leaving permanent individual and borderless traces in both space and time. Therefore, calls from both the public and private sectors for an international legal framework for privacy and data protection have become louder. Companies such as Google and Facebook have also come under continuous pressure from governments and citizens to reform the use of data. Thus, Google was not alone in calling for the creation of ‘global privacystandards’. Efforts are underway to review established privacy foundation documents. There are similar efforts to look at standards in global approaches to privacy and data protection. The last remarkable steps were the Montreux Declaration, in which the privacycommissioners appealed to the United Nations ‘to prepare a binding legal instrument which clearly sets out in detail the rights to data protection and privacy as enforceable human rights’. This appeal was repeated in 2008 at the 30thinternational conference held in Strasbourg, at the 31stconference 2009 in Madrid and in 2010 at the 32ndconference in Jerusalem. In a globalized world, free data flow has become an everyday need. Thus, the aim of global harmonization should be that it doesn’t make any difference for data users or data subjects whether data processing takes place in one or in several countries. Concern has been expressed that data users might seek to avoid privacy controls by moving their operations to countries which have lower standards in their privacy laws or no such laws at all. To control that risk, some countries have implemented special controls into their domestic law. Again, such controls may interfere with the need for free international data flow. A formula has to be found to make sure that privacy at the international level does not prejudice this principle.

Impulses for an Effective and Modern Data Protection System

A substantial reform of data protection law is on the agenda of the European Commission as it is widely agreed that data protection law is faced by lots of challenges, due to fundamental technical and social changes or even revolutions. Therefore, the authors have issued draft new provisions on data protection law that would work in both Germany and Europe. The draft is intended to provide a new approach and deal with the consequences of such an approach. This article contains some key theses on the main legislatory changes that appear both necessary and adequate.

The Political and Judicial Life of Metadata: Digital Rights Ireland and the Trail of the Data Retention Directive. CEPS Paper in Liberty and Security No. 65, May 2014

This paper examines the challenges facing the EU regarding data retention, particularly in the aftermath of the judgment Digital Rights Ireland by the Court of Justice of the European Union (CJEU) of April 2014, which found the Data Retention Directive 2002/58 to be invalid. It first offers a brief historical account of the Data Retention Directive and then moves to a detailed assessment of what the judgment means for determining the lawfulness of data retention from the perspective of the EU Charter of Fundamental Rights: what is wrong with the Data Retention Directive and how would it need to be changed to comply with the right to respect for privacy? The paper also looks at the responses to the judgment from the European institutions and elsewhere, and presents a set of policy suggestions to the European institutions on the way forward. It is argued here that one of the main issues underlying the Digital Rights Ireland judgment has been the role of fundamental rights in the EU legal order, and in particular the extent to which the retention of metadata for law enforcement purposes is consistent with EU citizens’ right to respect for privacy and to data protection. The paper offers three main recommendations to EU policy-makers: first, to give priority to a full and independent evaluation of the value of the data retention directive; second, to assess the judgment’s implications for other large EU information systems and proposals that provide for the mass collection of metadata from innocent persons, in the EU; and third, to adopt without delay the proposal for Directive COM(2012)10 dealing with data protection in the fields of police and judicial cooperation in criminal matters.

What drives the European Parliament? The Case of the General Data Protection Regulation. Bruges Political Research Papers 47/2015.

This paper evaluates which factors influence the European Parliament’s decision-making, based on a case study: the 2012 proposal for a General Data Protection Regulation. Following a ‘competitive testing’ approach, six different hypotheses are successively challenged in order to explain why the EP adopted a fundamental rights- oriented position. The first three factors relate to the internal organization of the EP’s work, i.e. the role played by the lead committee, by the rapporteur and by secretariat officials. The last three factors are external-related, i.e. lobbying activities, outside events and institutional considerations. Based on the empirical findings, it is argued that even though the EP’s position is due to a range of various factors, some of them prove to be more relevant than others, in particular the rapporteur and lead committee’s roles. New institutionalism theories also provide a comprehensive explanation for the EP’s willingness to achieve a fundamental rights oriented outcome.

The issue of data protection and data security in the (pre-Lisbon) EU third pillar

The key functional operability in the pre-Lisbon PJCCM pillar of the EU is the exchange of intelligence and information amongst the law enforcement bodies of the EU. The twin issues of data protection and data security within what was the EU’s third pillar legal framework therefore come to the fore. With the Lisbon Treaty reform of the EU, and the increased role of the Commission in PJCCM policy areas, and the integration of the PJCCM provisions with what have traditionally been the pillar I activities of Frontex, the opportunity for streamlining the data protection and data security provisions of the law enforcement bodies of the post-Lisbon EU arises. This is recognised by the Commission in their drafting of an amending regulation for Frontex , when they say that they would prefer “to return to the question of personal data in the context of the overall strategy for information exchange to be presented later this year and also taking into account the reflection to be carried out on how to further develop cooperation between agencies in the justice and home affairs field as requested by the Stockholm programme.” The focus of the literature published on this topic, has for the most part, been on the data protection provisions in Pillar I, EC. While the focus of research has recently sifted to the previously Pillar III PJCCM provisions on data protection, a more focused analysis of the interlocking issues of data protection and data security needs to be made in the context of the law enforcement bodies, particularly with regard to those which were based in the pre-Lisbon third pillar. This paper will make a contribution to that debate, arguing that a review of both the data protection and security provision post-Lisbon is required, not only in order to reinforce individual rights, but also inter-agency operability in combating cross-border EU crime. The EC’s provisions on data protection, as enshrined by Directive 95/46/EC, do not apply to the legal frameworks covering developments within the third pillar of the EU. Even Council Framework Decision 2008/977/JHA, which is supposed to cover data protection provisions within PJCCM expressly states that its provisions do not apply to “Europol, Eurojust, the Schengen Information System (SIS)” or to the Customs Information System (CIS). In addition, the post Treaty of Prüm provisions covering the sharing of DNA profiles, dactyloscopic data and vehicle registration data pursuant to Council Decision 2008/615/JHA, are not to be covered by the provisions of the 2008 Framework Decision. As stated by Hijmans and Scirocco, the regime is “best defined as a patchwork of data protection regimes”, with “no legal framework which is stable and unequivocal, like Directive 95/46/EC in the First pillar”. Data security issues are also key to the sharing of data in organised crime or counterterrorism situations. This article will critically analyse the current legal framework for data protection and security within the third pillar of the EU.

The reform of the European Energy Tax Directive reform : effect on prices

[spa] Para hacer frente a los riesgos relacionados con la contaminación atmosférica, es ampliamente aceptada la necesidad de instrumentos de política encaminados a reducir las emisiones. La intervención tiene por objeto reducir las conductas contaminantes y incentivar una conducta más respetuosa y el uso de tecnologías más eficientes. La Unión Europea cuenta con dos importantes mecanismos económicos para el control de emisiones a escala europea: la directiva sobre los impuestos energéticos, un instrumento de fiscalidad ambiental aprobado en 2003 que afecta el precio de los productos energéticos, y el sistema de comercio de los derechos de emisiones, introducido en 2005, que afecta directamente a la cantidad de emisiones de CO2. En 2011, la Comisión Europea propuso una nueva versión de la directiva sobre los impuestos energéticos. El objetivo principal de la propuesta es aumentar la eficacia del instrumento a través de una mayor presión fiscal sobre los productos energéticos y de coordinar este instrumento de fiscalidad medioambiental con el sistema de comercio de los derechos de emisiones, para establecer una señal de precio de CO2 coherente para todos los sectores. Sin embargo, en mayo de 2012 el Parlamento Europeo bloqueó la propuesta de la nueva versión del impuesto, y el proceso de actualización se detuvo. La preocupación principal parecía ser el efecto de dicha propuesta en la competitividad, en particular para los sectores que serían los más afectados dado el uso intensivo de los productos energéticos, como el sector del transporte. El objetivo de este estudio es analizar el efecto que la reforma de la directiva sobre los impuestos energéticos podría tener sobre el nivel de precios, en particular en los países de la Unión Europea donde esta reforma implicaría un aumento de los impuestos energéticos. Utilizando datos del proyecto “World Input-Output Database”, la principal conclusión es que el nuevo sistema de impuestos energéticos tendría un impacto muy bajo sobre los precios. Por lo tanto, dado que los precios no serían fuertemente afectados por la reforma, no habrá inconvenientes para la competitividad y implicaciones en términos de distribución, pero, por otro lado, este resultado también implica una baja capacidad de esta reforma para provocar cambios en el consumo y la producción hacia menos presiones ambientales.

The reform of the European Energy Tax Directive reform : effect on prices

[spa] Para hacer frente a los riesgos relacionados con la contaminación atmosférica, es ampliamente aceptada la necesidad de instrumentos de política encaminados a reducir las emisiones. La intervención tiene por objeto reducir las conductas contaminantes y incentivar una conducta más respetuosa y el uso de tecnologías más eficientes. La Unión Europea cuenta con dos importantes mecanismos económicos para el control de emisiones a escala europea: la directiva sobre los impuestos energéticos, un instrumento de fiscalidad ambiental aprobado en 2003 que afecta el precio de los productos energéticos, y el sistema de comercio de los derechos de emisiones, introducido en 2005, que afecta directamente a la cantidad de emisiones de CO2. En 2011, la Comisión Europea propuso una nueva versión de la directiva sobre los impuestos energéticos. El objetivo principal de la propuesta es aumentar la eficacia del instrumento a través de una mayor presión fiscal sobre los productos energéticos y de coordinar este instrumento de fiscalidad medioambiental con el sistema de comercio de los derechos de emisiones, para establecer una señal de precio de CO2 coherente para todos los sectores. Sin embargo, en mayo de 2012 el Parlamento Europeo bloqueó la propuesta de la nueva versión del impuesto, y el proceso de actualización se detuvo. La preocupación principal parecía ser el efecto de dicha propuesta en la competitividad, en particular para los sectores que serían los más afectados dado el uso intensivo de los productos energéticos, como el sector del transporte. El objetivo de este estudio es analizar el efecto que la reforma de la directiva sobre los impuestos energéticos podría tener sobre el nivel de precios, en particular en los países de la Unión Europea donde esta reforma implicaría un aumento de los impuestos energéticos. Utilizando datos del proyecto “World Input-Output Database”, la principal conclusión es que el nuevo sistema de impuestos energéticos tendría un impacto muy bajo sobre los precios. Por lo tanto, dado que los precios no serían fuertemente afectados por la reforma, no habrá inconvenientes para la competitividad y implicaciones en términos de distribución, pero, por otro lado, este resultado también implica una baja capacidad de esta reforma para provocar cambios en el consumo y la producción hacia menos presiones ambientales.

Data protection at the cost of economic growth? ECRI Commentary No. 11, 16 November 2012

The Data Protection Regulation proposed by the European Commission contains important elements to facilitate and secure personal data flows within the Single Market. A harmonised level of protection of individual data is an important objective and all stakeholders have generally welcomed this basic principle. However, when putting the regulation proposal in the complex context in which it is to be implemented, some important issues are revealed. The proposal dictates how data is to be used, regardless of the operational context. It is generally thought to have been influenced by concerns over social networking. This approach implies protection of data rather than protection of privacy and can hardly lead to more flexible instruments for global data flows.