Data protection specialists discussed matters related to the European Union data protection reform
At the end of January 2015, the Estonian Data Protection Inspectorate invited Estonian data protection specialists to the Parliament’s conference hall to discuss matters related to the European Union data protection reform as well as the application of personal data protection in the development of information technology and the media. Presentations were given by Marju Lauristin, Member of the European Parliament, Merili Oja, counsellor at the Ministry of Justice, Taavi Kotka, deputy secretary general of the Ministry of Economic Affairs and Communications, and Priit Hõbemägi, journalist and lecturer at Tallinn University.
Speeches were also given by Julia Antonova, counsellor of the Ministry of Justice at the Permanent Representation of Estonia to the EU, Odyn Vosman, adviser for the Chancellor of Justice, Nele Parrest, Deputy Chancellor of Justice, Viljar Peep, Director General of the Estonian Data Protection Inspectorate, and Helen Kranich, adviser for the Chancellor of Justice.
Marju Lauristin spoke about addressing data protection problems in the European Parliament, pointing out three main documents, which are the Data Protection Regulation (DPR) which is a general regulation that determines the single data protection system in the EU, and sets the principles, rules, organization, supervision and sanctioning for data protection; the Data Protection Directive (DPD) – the single framework for the laws used in the legal and law enforcement systems of the Member States that regulate the handling, storing and transmitting personal data; and the directive regulating the storing and transmitting of air passenger name record data (the European PNR). According to Lauristin, the DPR and DPD form a complete package and need to be adopted at the same time, preferably within this year.
Lauristin’s presentation also touched upon the conflicts in values related to data protection, and listed the subjects interested in data protection law. She also introduced the principles agreed to at the EU level. The most important of those are: a single European data protection system is necessary; a person’s private life and privacy are core values that will not be compromised on; the data subject’s permission is needed for collecting and use of personal data; the data subject has a right to get information about the data collected about them and the use of such data; exceptions are set according to justified public interest, necessity regarding creative interest, freedom of speech, or scientific or historical needs or criminal proceedings or security. Definitions are seen as problematic (e.g. security interests, public interest), the scope of the directive, the application of the Pan-European data protection system when it comes to division of competences, local organization and resources, as well as the openness of cross-border cooperation, the US-EU relations and the compliance of the regulations with the development logic of the information society.
Merili Oja spoke about the current state of the EU data protection reform, paying special attention to who will be running the proceedings in national and cross-border data protection violation cases after the reform is implemented. The draft package was introduced in 2012, the current plan is to reach an agreement in the Council during Latvia’s presidency by June of 2015. The trialogue between the European Parliament, Council and Commission should start in the 2nd half of 2015. The General Data Protection Regulation is directly applicable, which means that the Personal Data Protection Act will become largely invalid. However, the regulation also includes directive-like provisions that need to be adopted. There is a 2 year transition period.
The data subject can file a complaint at a data protection supervisory authority in their home country, country of employment or country of violation; a compensation claim can only be filed in the subject’s home country. National proceedings mean that the Data Protection Inspectorate processes cases according to the draft regulation under three competences: territorial competence or solving cases on their own territory; functional competence or solving cases of the public sector; and substantive competence or solving a case regarding a specific data subject on their own territory.
In the case of cross-border proceedings we are talking about the so-called single contact point mechanism (so-called one stop shop) – the data processor is established in more than one Member State and processes data in at least one of its locations of operations, and the processing work in one Member State has substantial influence over more data subjects than just those of that Member State. The exception is if a specific case has to do with just that Member State’s data subject. In case of disputes, the European Data Protection Board is authorised to make binding decisions. According to Oja, the main objective of this complicated system is reducing the burden and simplifying the activities of entrepreneurs, efficiency and legal clarity of cross-border proceedings, but also legal clarity for the data subject and following the subsidiarity principle.
In his presentation, Taavi Kotka introduced aspects of privacy and trade secrets protection in the context of IT innovation. Kotka claims that developments in technology have reduced personal privacy. This process is irreversible save for the occurrence of large catastrophes, but it can be contained within certain limits. Kotka spoke about ID card data and the different possibilities for its use, bringing in his presentation examples of various understandings, doubts and fears outside Estonia. Kotka challenged social scientists to perform in-depth analyses of the efficiency of the ID card and its digital signature function, how it has influenced society and the fears that accompany it. At the moment, no scientific research of the above is available in this country.
Kotka also spoke about the dangers of data protection being influenced by, for example, terrorism; hysteria always produces extremism.
The presenter implied that there is a need to collect data in order to improve the economy, pointing out how value added tax receipt has improved when the Tax Board has comprehensive information about purchase and sales transactions. He warned that in order to protect business secrets, this kind of data must be stored and protected very carefully, because if any leaks occur, a complete ban on collecting such data will have to be implemented.
From the positive side, he brings out giving authority to the data subject regarding third persons’ interest in their data. Kotka stressed that securing the control mechanisms for the use of people’s data and raising their awareness are the best ways to reconcile innovative development with the level of privacy protection that people expect.
Priit Hõbemägi discussed data protection matters from the context of the functioning of the media and exemplified his presentation with specific cases. The presentation was motivated by the right to be forgotten that has sparked a lot of discussion lately and the opposing wish and need of the society to remember certain events. Hõbemägi proposed that the Data Protection Inspectorate and the Estonian Newspaper Association could cooperate to amend the information meant for the readers in the newspapers’ imprint with recommendations to contact the Data Protection Inspectorate for assistance and clarification in case of publication of personal data. Hõbemägi claims that readers are largely unaware of how to protect their data, a state of affairs that the media takes advantage of. He said that the topic of data protection did not become an issue before the Internet age. Hõbemägi admitted that the press does not want to deal with stories that have already appeared due to the pressure to publish new stories quickly. For this reason the press has not been very active in giving out information regarding assistance with personal data protection. A few decades ago, corrections and apologies were an issue for the printed press only as this was also the complainants’ wish. Today, this attitude has changed and publishing corrections on web pages has proven problematic, similarly there is also no appropriate regulation for this for the television and radio media. According to Hõbemägi, however, there is a need for such regulation. Hõbemägi says that dealing with data protection matters is in no way the main issue for the editorial staff. The main problems are the disintegration of the old business model, for which no substitute has been found, the reorganization of staff and looking for options to show newspaper content on different smart devices. Hõbemägi claimed that when we look at the wider picture of the cases of data protection in the press, we can clearly see two separate groups that want their data removed more often – politicians and criminals.
Hõbemägi believes that the right to be forgotten and the right to know are in constant conflict in the journalistic context, where overwhelming public interest becomes decisive and the question then is how overwhelming public interest is defined and who defines it. The question has not been settled yet.
Hõbemägi noted that opposition from the press is understandable when it comes to making data unfindable. Approaches to the press are different. The part of media that is solely focused on entertainment is also considered to be press. Hõbemägi stressed that the press is actually the part of media that is responsible, has a strong self-regulation mechanism, only employs trained journalists and where the facts are checked. The press documents events and makes them re-readable, and becomes sensitive when someone tries to remove data from articles after the fact. The press sees this as an attempt to re-write history. It is important to differentiate public figures from ordinary people.
Hõbemägi also spoke about the way giant corporations, such as Google and Facebook, can manipulate with people by using algorithms which are kept secret. Hõbemägi believes that the European draft Data Protection Regulation does not take the development of technology into account, but is only based on the current situation. In this context, the right to be forgotten seems to be a short-sighted approach which results in the impoverishment of history and creating so-called blank spots. The presenter believes that in today’s Estonia, there is balance in this respect.
Public Relations Adviser
Estonian Data Protection Inspectorate