Database Reference
In-Depth Information
7.4 Data Protection Law
In Europe there are two main bodies of law that address profiling for purposes
other than national security and law enforcement.
2
They are the Data protection
directive (1995/46/EC) and the ePrivacy directive (2002/58/EC), which was
amended in 2009 by Directive 2009/136/EC. The Data protection directive deals
with the use of 'personal data' in general, whereas the ePrivacy directive deals
with the use of unique identifiers and tracking technologies that can be used to fa-
cilitate profiling (e.g., cookies).
European data protection law has its roots in the OECD principles on privacy
protection and the transborder flow of personal data and the Council of Europe
treaty on personal data protection.
3
It aims to strike a balance between the (infor-
mational) privacy of the data subject and the free flow of information. The Data
protection directive does this by providing a harmonised framework for the secure
and legitimate exchange of personal data throughout Europe.
4
The Data protection directive states that personal data must be processed fairly
and lawfully and only for specified, explicit and legitimate purposes. To ensure
fair and lawful processing the data protection sets a number of rules for the proc-
essing of personal data. These include -amongst others- obligations to keep the
data secure, ensure its quality, inform the data subject, register the process in a
public register, and grant the data subject access to the data.
In order for the provisions of the Data protection directive to be applicable, data
must first be qualified as 'personal data'. Personal data is described in article
2(a) as:
“any information relating to an identified or identifiable natural person ('data
subject'); an identifiable person is one who can be identified, directly or indi-
rectly, in particular by reference to an identification number or to one or more
factors specific to his physical, physiological, mental, economic, cultural or social
identity”
An individual is considered 'identified' when that individual can be distinguished
from all other members of a group.
5
Identification is commonly achieved through
2
The use of profiling techniques for law enforcement purposes is governed -for the most
part- by the law of criminal procedure, which differs from member state to member state.
Though they differ from country to country, all laws that govern profiling must be in ac-
cordance with the rules set forth in article 8 of the European Charter of Human Rights
(ECHR).
3
Council of Europe Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data (Convention ets. no. 108, Strasbourg 28-1-1981).
4
Early December 2011, a draft version of a new general Regulation on data Protection pre-
pared by the European Commission leaked (version 56, 29 November 2011). Relevant
provisions include more strict rules on profiling (article 18) and the inclusion of online
identifiers such as cookies in the definition of personal data. Given the fact that this Regu-
lation is still in the drafting phase it is not discussed further in this chapter.
5
Opinion Nº 4/2007 on the concept of personal data, Article 29 Working Party, p. 12.
Search WWH ::
Custom Search