S - Indhold
1 - Forside
2 - Nyheder
3 - Oversigt
4 - Søg

The European Commission´s consultation over a communication on a comprehensive approach on personal data protection

Letter to
The Ministry of Justice
Slotholmsgade 10
1216 København K 

Date of letter: 14. January 2011 2011-111-0063 

1. In a letter dated 20 December 2010 the Ministry of Justice has asked for the Data Protection Agency's remarks on the consultation initiated by the European Commission on the communication "A comprehensive approach on personal data protection in the European Union" of 4 November 2010.

As stated in the communication from the Commission, the Article 29 Working Party has submitted a contribution to the Commission’s consultation in 2009 concerning the legal framework for the fundamental right to protection of personal data. The Article 29 Working Party’s contribution (WP 168), to which the Data Protection Agency refers, is hereby enclosed.

At the present time, in the absence of a more concrete proposal from the Commission, the Data Protection Agency will restrict itself to remarks of a more general nature. It should be noted that it has not been possible to discuss the matter in the Data Protection Council within the given timeframe.

2. Re section "2.1.1. Ensuring appropriate protection for individuals in all circumstances"

The Commission will consider how to ensure a coherent application of data protection rules, taking into account the impact of new technologies on individuals' rights and freedoms and the objective of ensuring the free circulation of personal data within the internal market."

The Data Protection Agency agrees that it must be possible to apply the data protection rules in the many new contexts where personal data is processed in connection with new technologies.

The Data Protection Agency has stated on various occasions that the Agency is concerned about the development whereby the Agency has in recent years noted an increasing number of breaches of data security, among other things due to the increased use of the Internet by authorities and enterprises.
In addition, the Agency has seen cases where authorities have developed solutions or implemented systems without ensuring due observance of the requirements of data protection, etc. set out in the Act on Processing of Personal Data.

The Data Protection Agency has thus stated  that there appears to be a need to put the protection of personal data – including compliance with applicable legislation – on the agenda for all projects, and to make the projects responsible for actually developing the solutions in the desired direction.

3. Re section "2.1.2. Increasing transparency for data subjects"

"The Commission will:
– examine the modalities for the introduction in the general legal framework of a general personal data breach notification, including the addressees of such notifications and the criteria for triggering the obligation to notify."

In the same section the Commission describes a mandatory personal data breach notification introduced on the recent revision of the e-Privacy Directive covering, however, only the telecommunications sector.

Given that risks of data breaches also exist in other sectors (e.g. the financial sector), the Commission will examine the modalities for extending the obligation to notify personal data breaches to other sectors in line with the Commission declaration on data breach notification made before the European Parliament in 2009 in the context of the reform of the Regulatory Framework for Electronic Communications.

This examination will not affect the provisions of the e-Privacy Directive, which must be transposed into national laws by 25 May 2011. A consistent and coherent approach on this matter will have to be ensured.

In its practice, the Data Protection Agency has assumed that the principle of good practices for the processing of data set out in section 5. - (1) of the Act on Processing of Personal Data in certain cases entails an obligation to inform the citizens concerned of a security breach .

The Data Protection Agency finds that a general obligation to notify in all cases would be too far-reaching. In this context the Data Protection Agency furthermore refers to the Article 29 Working Party’s statement of 10 February 2009 on the proposals to amend Directive 2002/58/EC on data protection and electronic communication (the e-Privacy Directive) (WP 159). Here it is stated that notification will also lead to administrative burdens for both the implicated enterprises and the data protection authorities.

It is furthermore the viewpoint of the Data Protection Authority that an obli-gation to notify may not be used as compensation for the controller’s failure to ensure the required data protection in the development and use of new technology. Reference is hereby made to the Article 29 Working Party’s statement on the principle of accountability, WP 173 of 13 July 2010.

4. Re section "2.1.3. Enhancing control over one's own data"

"The Commission will therefore examine ways of:
– strengthening the principle of data minimisation;
improving the modalities for the actual exercise of the rights of access, rectification, erasure or blocking of data (e.g., by introducing deadlines for responding to individuals' requests, by allowing the exercise of rights by electronic means or by providing that right of access should be ensured free of charge as a principle);
– clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when process-ing is based on the person's consent and when he or she withdraws consent or when the storage period has expired;
– complementing the rights of data subjects by ensuring ’data portability’, i.e., providing the explicit right for an individual to withdraw his/her own data (e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers."

The Data Protection Agency generally welcomes a strengthening of the legal position of the citizens.

However, the Agency is uncertain whether the Commission’s deliberations are directed at particular areas and/or controllers, or whether the intention is the introduction of universal rights. In all circumstances, the Data Protection Agency must draw attention to the need for any rights to be pursued with the required supervision, which would require an increase in the resources available to the Agency.

Today the Agency already devotes considerable resources to cases concerning issues of this nature with regard to, for example, social networks and Internet fora.

5. Re section "2.1.4. Raising awareness"

"The Commission will explore:
– the possibility for co-financing awareness-raising activities on data protection via the Union’s budget;
– the need for and the opportunity of including in the legal framework an obligation to carry out awareness-raising activities in this area."

The Data Protection Agency agrees that there is generally a need for more awareness of data protection. In its response to the consultation concerning the IT and the Telecommunications Policy Report mentioned above under item 2, the Agency emphasised that together with ICT skills there is also a need for competences and knowledge concerning the protection of personal data and privacy. This applies both to the population generally and to the persons who as employees of enterprises and authorities design solutions or handle personal data on an everyday basis.

6. Re section "2.1.5. Ensuring informed and free consent"

"The Commission will examine ways of clarifying and strengthening the rules on consent."

The Data Protection Agency remarks that pursuant to the Act on Processing of Personal Act as well as the Directive there are a number of cases where authorities and enterprises may process personal data without consent.

The question is whether the Commission intends to define the use of consent in the cases where this is required or applied today, or whether consent must be a precondition for the legality of the data processing to a greater extent than is the case today.

In the light of e.g. the technological development, including the complexity of the technological processes used, for example, for Internet services, the use and requirements of consent as the basis for data processing should, in the view of the Agency, be considered carefully in the various contexts. Reference is hereby also made to the Article 29 Working Party’s WP 168 (en-closed), items 65-69.

7. Re section "2.1.7. Making remedies and sanctions more effective"

"The Commission will:
– consider the possibility of extending the power to bring an action before the national courts to data protection authorities and to civil society associations, as well as to other associations representing data subjects' interests;
– assess the need for strengthening the existing provisions on sanctions, for example by explicitly including criminal sanctions in case of serious data protection violations, in order to make them more effective."

The Data Protection Agency finds that there can be grounds to consider legal remedies and sanctions in general, including in the light of the development in other countries, for example the UK and Norway.

8. Re section "2.2.1. Enhancing the internal market dimension"

"The Commission will examine the means to achieve further harmonisation of data protection rules at EU level."

The Data Protection Agency calls for the Danish government to work for the coming legal basis to allow a high level of data protection to be maintained. In the view of the Data Protection Agency there must be considerable emphasis on ensuring the establishment of a legal basis that does not force the protection of personal data in Denmark down to a lower level than is provided today under current legislation.

As examples of regulations in Denmark that provide a high level of protection the Data Protection Agency can state that, pursuant to the Act on Processing of Personal Data, a Data Protection Order has been issued that details the minimum requirements of the data protection measures to be taken in public authorities’ electronic processing of personal data. In the private sector there is likewise authority to issue an Order on the data protection requirements, but this authority has not been exercised in practice. On the other hand, in concrete cases the Data Protection Authority has utilised the provisions of the Act that allow the Agency to lay down terms in connection with its granting of authorisation to lay down more detailed terms concerning data protection measures, among other things.

In the same way, section 11 of the Act, which in relation to the private sector in particular lays down restrictive regulations on the processing of personal identification numbers, is an example of a Danish regulation with a high level of protection that is not set out in the Directive.
From a Danish viewpoint, a continued high level of protection of the Danish personal identification number is desirable. In view of the increased globalisation there is furthermore a need for protection of this identification number if it is processed by controllers who are subject to the legislation of other member states. Any harmonisation in this area must therefore have the objective that data concerning national identification numbers, such as the Danish personal identification number, is afforded the necessary protection in all EU member states.

A third example is the rules in Chapter 6a of the Act on the Processing of Personal Data concerning the processing of personal data in connection with video surveillance. The regulations have been introduced as part of overall regulation as an expression of the wish to find the right balance between expanded possibilities for video surveillance and the protection of privacy.

The Act on Processing of Personal Data also includes special regulations in other areas that afford a higher level of protection than the directive. One example is section 8 of the Act concerning credit information agencies.

The Data Protection Agency moreover supports that there should be data protection regulations affording a high level of protection in all sectors, and that uniform regulations are desirable, unless concrete circumstances in special areas dictate otherwise.

One example of a well-founded special arrangement is that the regulations of the Danish Act on Processing of Personal Data allow the processing even of sensitive personal data when this is solely for the purpose of statistical or scientific studies of significant public importance, and where such processing is necessary in order to carry out these studies. The Act on Processing of Personal Data also includes special regulations for the protection of such data.

9. Re section "2.2.2. Reducing the administrative burden"

"The Commission will explore different possibilities for the simplification and harmonisation of the current notification system, including the possible drawing up of a uniform EU-wide registration form."

The Data Protection Agency has sought to rationalise the present Danish notification system, but still devotes considerable resources to this area, especially with regard to the private sector, where in by far the majority of cases this is an actual authorisation system.

The expectation that the notification system – at any rate after some time – would ease the work of the Agency compared to the previous register regulations scheme cannot be said to have been realised. On the contrary, the number of new notification cases in the private sector has increased strongly in recent years. At the same time, the system entails a considerable work of up-dating and amending the notifications previously processed.

The Data Protection Agency therefore finds there to be a considerable need for overall consideration of the notification system in relation to other supervisory tasks and activities.

If a type of central EU registration is introduced - which in the view of the Agency would have to be registration of a general nature - it is important that national parallel systems or registration requirements that in terms of content are more far-reaching than common EU registration are not established at the same time.

10. Re section "2.2.4. Enhancing data controllers' responsibility"

"The Commission will examine the following elements to enhance data controllers' responsibility:
– making the appointment of an independent Data Protection Officer mandatory and harmonising the rules related to their tasks and competences, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises;
– including in the legal framework an obligation for data controllers to carry out a data protection impact assessment in specific cases, for instance, when sensitive data are being processed, or when the type of processing otherwise involves specific risks, in particular when using specific technologies, mechanisms or procedures, including profiling or video surveillance;
– further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’."

The Data Protection Agency agrees that the aspects stated should be included in the further consideration of this area. As previously stated, the Agency has indicated that there is a need to put the protection of personal data – including compliance with applicable legislation – on the agenda of all projects, and to make the projects responsible for actually developing the solutions in the desired direction.

The Data Protection Agency is aware of positive experiences with data protection officer schemes in Germany, as well as in Sweden and Norway. In view of the experience gained in neighbouring countries the reservations described by the Register Committee (pages 336-37 of Report 1345/1997) do not appear to count decisively against (re)considering such a scheme in some form or other.

11. Re section "2.3. Revising the data protection rules in the area of police and judicial cooperation in criminal matters"

"The Commission will, in particular:
– consider the extension of the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters, including for processing at domestic level while providing, where necessary, for harmonised limitations to certain data protection rights of individuals, e.g., concerning the right of access or to the principle of transparency;
– examine the need to introduce specific and harmonised provisions in the new general data protection framework, for example on data protection regarding the processing of genetic data for criminal law purposes or distinguishing the various categories of data subjects (witnesses; suspects etc) in the area of police cooperation and judicial cooperation in criminal matters;
– launch, in 2011, a consultation of all concerned stakeholders about the best way to revise the current supervision systems in the area of police cooperation and judicial cooperation in criminal matters, in order to ensure effective and consistent data protection supervision on all Union institutions, bodies, offices and agencies;
– assess the need to align, in the long term, the existing various sector specific rules adopted at EU level for police and judicial co-operation in criminal matters in specific instruments, with the new general legal data protection framework."

The Data Protection Agency is in agreement with the statements made and can refer to its previous statements on the need for general EU instruments within the areas of police and judicial cooperation in criminal matters.

12. Re section "2.4. The global dimension of data protection" including the transfer of personal data outside the EU and the EEA area.

"The Commission intends to examine how:
– to improve and streamline the current procedures for international data transfers, including legally binding instruments and ‘Binding Corporate Rules’ in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organisations;
– to clarify the Commission’s adequacy procedure and better specify the criteria and requirements for assessing the level of data protection in a third country or an international organisation;
– to define core EU data protection elements, which could be used for all types of international agreements."

The Data Protection Agency generally agrees that there is a need to improve, and hopefully simplify, the current mechanisms for the international transfer of personal data.

The Data Protection Agency does not, however, recognise the problem referred to by the Commission on page 4 of the communication regarding uncertainty about the allocation of responsibility when outsourcing data processing.

According to the Act on Processing of Personal Data – and the Directive – the vital aspect is the place of establishment of the controller. A Danish enterprise is thus responsible for the data processing that takes place on its behalf, even when it outsources to a processor in another country. Via data processor contracts and instructions the enterprise must ensure compliance with the Act on Processing of Personal Data. Among other things, the enterprise is responsible for fulfilment of the requirements concerning the required security measures to which the enterprise is subject. In cases where the Danish enterprise is subject to conditions set by the Data Protection Agency when granting authorisation the enterprise is also responsible for compliance with these conditions, regardless of whether a processor within or outside Denmark is used. The same applies to a public authority, which is moreover subject to compliance with the Executive order on Security.

Furthermore, the chosen processor must fulfil any requirements to which it might be subject in the country concerned.

With regard to streamlining the current procedures, the Data Protection Agency must again emphasise the importance of further harmonisation not leading to a reduction of the level of protection to which the processing of personal data (with traditions over many years) is subject in this country.

14. Re section "2.5. A stronger institutional arrangement for better enforcement of data protection rules"

"The Commission will examine:
– how to strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework, including the full implementation of the concept of ‘complete independence’;
– ways to improve the cooperation and coordination between Data Protection Authorities;
– how to ensure a more consistent application of EU data protection rules across the internal market. This may include strengthening the role of national data protection supervisors, better coordinating their work via the Article 29 Working Party (which should become a more transparent body), and/or creating a mechanism for ensuring consistency in the in-ternal market under the authority of the European Commission."

As stated above under item 7, the Data Protection Agency finds that there can be reason to consider the issue of legal remedies and sanctions in general.
This should also be seen in the context that the preparatory work to the Act on Processing of Personal Data states that the supervisory authority should in the first instance aim at conducting its activities via general guidelines and as service-oriented advisory services and guidance, rather than regulation pri-marily concentrated on decisions in individual cases in a traditional legal re-course system.

The Agency’s opportunities to enforce the data protection regulations thus rest on the legal remedies granted to the Agency by law, but in particular the resources made available to the Agency for its overall handling of its tasks.

It should be noted that the Data Protection Agency has competence with regard to both public authorities and private controllers, and that the Agency has advisory, supervisory and enforcement tasks – often of considerable complexity – in an area that is subject to rapid growth as a consequence of the increasing digitization of society.