Strasbourg, 15 June / juin 2015 T-PD-BUR(2015)04
(T-PD-BUR)
Compilation of comments received on the Draft explanatory Report of the draft modernised Convention 108 / Compilation des commentaires reçus sur le Projet de Rapport Explicatif du projet de modernisation de la Convention 108.
Directorate General / Direction Générale
Human Rights and Rule of Law / Droits de l’Homme et Etat de droit
TABLE / INDEX
Preliminary remarks / Remarques préliminaires :
Concerning the Modernisation of the Convention 108 in the phrase:
“The modernisation of the Convention is highly topical, as with increasing globalisation of processing of personal data (flows of ubiquitous data) and associated legal uncertainty[SV1] as to the applicable law
Asia-Pacific Economic Cooperation (APEC) - 2004
The APEC Privacy Framework and APEC’s Cross Border Privacy Rules system (CBPRs) were considered when reflecting on the need to increase cooperation among regions and systems, in particular as regards international enforcement and transborder data tranfers [SV2].
Chapter I – General provisions
Article 2 – Definitions
Litt. a – ‘personal data’
16. "Identifiable individual" means a person who can be directly or indirectly identified. An individual is not considered ’identifiable’ if his or her identification would require unreasonable time, effort or means. The determination of what constitutes ‘unreasonable time, effort or means’ should be assessed on a case by case basis, in light of purpose of the processing [SV3]and taking into account objective criteria such as the cost, the benefits of such an identification, the technology used, etc . [SV4]
17. The notion of ‘identifiable’ does not only refer to the individual’s civil or legal identity as such, but also to what may allow to “individualise” or single out (and thus allow to treat differently) one person among others. This “individualisation” can be done for instance by referring to him or her specifically or to a device or a combination of devices (computer, mobile phone, camera, gaming devices, etc.) on the basis of an identification number , a pseudonym[SV5] , biometric or genetic data etc.)
20. The notion of "data subject" also entails the idea that a person has a subjective right with regard to the data about himself or herself, even where this is gathered by others.
20. In the comment under this notion of “personal data, I would here add the comments made at point 32 on living /deceased persons as well on legal persons.
22. Controller” refers to the person or body having the decision-making power concerning the processing whether this power derives from a legal designation or factual circumstances[SV6]. In some cases, there may be multiple controllers or co-controllers (jointly responsible for a processing and/or possibly responsible for different aspects of that processing). The following factors are relevant to assess whether the person or body is a controller: that person or body should have control over for instance the reasons justifying the processing; the processing methods; the choice of data to be processed; and who is allowed to access to it. The controller remains responsible for the data involved in a processing wherever that data are located and independently of who carries out the processing operations. In this respect, persons who are not under the controller’s authority and carry out the processing solely according to the controller’s instructions are to be considered processors.
Litt. d [/e] – ‘recipient’
25. ”Recipient” is an individual or an entity who receives personal data or to whom personal data are made available. Depending on the circumstances[SV7], the controller, the processor, the data subject or a third party may also be a recipient.
Article 3 – Scope
27. This is for instance the case when the controller is established on the territory of that Party, when activities involving data processing are performed in that territory or when services involving data processing are offered to a data subject located on that territory, since the main criteria of definition of the jurisdiction is still linked to the territory[SV8]. The Convention has to be applied when the data processing is carried out within the jurisdiction of the Party, which includes, in respect of the provisions of Article 12, when transborder data flows occur, whether in the public or private sector.
32. While the Convention concerns data processing relating to natural persons the Parties can provide in their domestic laws for an extension of the protection to the data relating to legal persons in order to protect their legitimate interests. The Convention applies to living individuals: it is not meant to apply to personal data relating to deceased persons. However, this does not prevent Parties from extending the protection to deceased persons[SV9] (e.g. to address the increasing needs for protection of the reputation or interests of the deceased person or heirs[SV10]).
Chapter II – Basic principles of data protection
Article 4 – Duties of the Parties
34. The term “law of the Parties” denotes, according to the legal and constitutional system of the particular country, all substantive rules, whether of statute law or case law, which meet the qualitative requirements of accessibility and previsibility (or ‘foreseeability[SV11]’).
Article 5 – Legitimacy of data processing and quality of data
43. The mere silence or inactivity should therefore not constitute consent[SV12]. Consent should cover all processing activities carried out for the same purpose or purposes. The data subject must be fully aware of the implications of his or her decision, and have been, to this end, adequately informed. No influence or pressure (which can be of an economic nature) whether direct or indirect, may be exercised on the data subject.
45. The data subject has the right to withdraw the consent given at any time (which is to be distinguished from the separate right to object to a processing). This will not affect the lawfulness of the data processing that occurred before his or her withdrawal of consent but will prevent from any further processing. [SV13]
Article 6 – Special categories of data
58. The processing of photographs will not systematically be a sensitive processing[SV14] as they will only be covered by the definition of biometric data when being processed through a specific technical mean allowing the unique identification or authentication of an individual. Furthermore, where their processing will aim at revealing racial or health information (see the following point), such a processing will be considered as a sensitive one. [SV15]
59. Some processing can be sensitive when data are processed for specific information they reveal that has, in the circumstances at stake, the potential of harming data subjects. [SV16]While the processing of family names can in some circumstances be void of any risk for the individuals (e.g. common payroll purposes), such a processing could be sensitive, for example when the purpose is to reveal the ethnic origin or religious beliefs of the individuals based on the linguistic origin of their names. Processing data for the information they reveal concerning health includes information concerning the past, present and future, physical or mental health of an individual, and which may refer to a person who is sick or healthy. [SV17]
Article 7 – Data security
61. The controller or where applicable[SV18] the processor should take specific security measures,
Article 8 – Rights of the data subject
75. Littera b. Data subjects should be entitled to know about their personal data processed. While the right of access should in principle be free of charge, the wording of littera b is intended to cover various formulas followed by the legislation of the Party for appropriate cases: communication free of charge at fixed intervals as well as communication against a maximum lump-sum payment, etc. [SV19]
82. Furthermore, it should be noted that the specification of the purpose, the conditions for the legitimacy of the processing, the right of rectification or erasure, together with the provision on the length of time for data storage (article 5.4. littera e[SV20]) coupled with an effective right to object and the right to withdraw consent offer an effective level of protection for the data subject. This set of rights pragmatically corresponds to the effect of what is referred to as a ‘right to be forgotten’.
Article 8bis - Additional obligations
83. In order to ensure that the right to the protection of personal data is effective, additional obligations have to be placed on the controller as well as, where applicable[SV21], the processor(s).
86. Paragraph 2 clarifies that before carrying out the data processing, the controller will have to examine its potential impact on the rights and fundamental freedoms of the data subjects. This examination will also have to take into account the principle of proportionality on the basis[SV22] of the comprehensive overview of the processing (considering what personal data will be processed and for which purpose, how it will be collected, how it will be used, internal flows, disclosures, security measures, etc.). In some circumstances, where a processor is involved in addition to the controller, the obligation to examine the risks may also be imposed on the processor[SV23] and the determination of the existence of such an obligation will be made taking into account the comprehensive overview of the processing.
87. Paragraph 3 specifies that in order to better guarantee an effective level of protection, controllers, and, where applicable[SV24], processors, should see to it that data protection requirements are integrated as early as possible – i.e. ideally at the stage of architecture and system design – in data processing operations through technical and organisational measures.
There should also be easy-to-use tools for data subjects to take their data to another provider of their choice or keep the data themselves (data portability tools). When setting up the technical requirements for default settings, controllers and processors should choose applications and software that have been designed paying due regard to the principle of data minimisation [SV25]and privacy by default.
Chapter III – Transborder flows of personal data
Article 12 – Transborder flows
100. Most of the time, such a situation – a change of jurisdiction and applicable law – occurs when there is a data transfer from a State Party to the Convention to a foreign country. A data transfer occurs when personal data are disclosed or made available with the knowledge of the sender, [SV26]to a recipient subject to the jurisdiction of another State or international organisation
104. In some cases, data flows will be made from a Party simultaneously to several foreign States or international organisations, some of which are Parties to the Convention and some of which are not. In those cases, the Party transferring the data, which has export procedures for non-Parties, may not be able to avoid applying those procedures also to the data destined for a Party, but it should proceed in such a way as to ensure that these procedures are not an obstacle to data transfers to the latter Party is agreed.[SV27]
106. Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The content [SV28]of the law must include the relevant elements of data protection as set forth by this Convention. [SV29]
109. Paragraph 4 enables Parties to derogate, in a particular case, from the principle of requiring an appropriate level of protection and to allow a specific transfer to a recipient which does not ensure such a protection. Such derogations are permitted in limited situations only (with the data subject’s consent or specific interest and/or where there are prevailing legitimate interests provided by law). Such derogations should not be disproportionate [SV30]and should not be used for massive or repetitive data transfers. Where massive or repetitive data transfers are involved, provisions of article 12.3 should apply.
112. In respect of transborder flows of personal data, a specific restriction is allowed in view of protecting freedom of expression, including freedom of the press. Parties may allow exceptions to the provisions of this Article 12 [SV31]on the condition that these exceptions are provided for by law and are necessary in a democratic society to protect the freedom of expression.
Chapter III bis – Supervisory authorities
Article 12bis – Supervisory authorities
114. The effective application of the principles of the Convention necessitates the adoption of appropriate sanctions and remedies (Article 10). Most countries which have data protection laws have set up supervisory authorities to deal with evolving and complex personal data processing in light of organisational, social and societal evolutions. This context requires an external impartial overview, with fast reactive powers and specialised expertise. Such authorities may for instance be a commissioner, a commission, an ombudsman or an inspector general. [SV32]
116. Parties have certain discretion as to how to set up the authorities for enabling them to carry out their task. According to paragraph 2, however, they must have at least the powers of investigation and intervention and the powers to issue decisions and impose administrative[SV33] sanctions.
126. Paragraph 4 clarifies that supervisory authorities cannot effectively safeguard individual rights and freedoms unless they exercise their functions in complete independence. A number of elements contribute to safeguarding the independence of the supervisory authority in the exercise of its functions. These should include: the composition of the authority; the method for appointing its members; the possibility for them to participate in meetings without any authorisation or instruction; the option to consult technical or other experts or to hold external consultations; the duration of exercise and conditions of cessation of their functions; the allocation of sufficient resources to the authority; or the adoption of decisions without being subject to external orders or injunctions.[SV34]
Chapter IV – Mutual assistance
Article 14 – Assistance to data subjects
133. Paragraph 1 ensures that data subjects, whether in a Contracting State[SV35] or in a third country will be enabled to exercise their rights recognised in article 8 of the Convention regardless of their place of residence or their nationality.
Preamble
10. Convention 108, through the principles it lays down and the values it holds enshrines, protects the[SV36] individuals and defines an appropriate environment for the flow of information.
Chapter I – General provisions
Article 1 – Object and purpose
12. The first article is devoted to a description of describes the Convention's object and purpose.
13. This article focuses on the subject of protection: the individuals are to be protected when their personal data are processed. The right to such a[SV37] protection has acquired an autonomous meaning…
14. The guarantees set out in the Convention are extended to every individual regardless of nationality or residence. No discrimination betweenaliens [SV38]and citizens
Article 2 – Definitions
18. Data that appears to be anonymous because it is not accompanied by any obvious identifying data may, nevertheless in particular cases, permit to identify the relatedindividual.
19. When data are made anonymous, all means should be put in place to avoid re-identification of individuals, in particular, all technical means should be secured in order to guarantee that data will remain anonymised. The anonymity of data should be re-evaluated in time as in light of the fast pace of technological development. What could at a point in time be considered ‘unreasonable’ could after some time be considerably facilitated by technology and enable identification with reasonable ease
Litt. e [/f] – ‘processor’
26. ”Processor” is a separate entity acting on behalf of the controller carrying out the processing in the manner that was requested by the controller and for the needs of the controller. An employee of a controller is not a processor. The instructions given by the controller draw establish the limit of what the processor is allowed to do
Article 3 – Scope
27… The Convention has to be applied when the data processing is carried out within the jurisdiction of the Party, which includes, in respect of the provisions of Article 12, when transborder data flows occur, whether in the public or private sector.[SV39]
Chapter II – Basic principles of data protection
Article 5 – Legitimacy of data processing and quality of data
50. The further processing of personal data, referred to in paragraph 4(b), for statistical, historical or scientific purposes is a priori considered as compatible provided that other safeguards exist (such as, for instance, data anonymisation/pseudonymisation, keeping of identifiable form of data only as long as absolutely necessary, rules of professional secrecy, provisions governing restricted access and communication of data for the above mentioned purposes, notably in relation with public statistics and public archives, other technical and organisational data-security measures). and that the operations, by definition, exclude any use of the information obtained for decisions or measures concerning a particular individual. “Statistical purposes” refers to the elaboration of statistical surveys or the production of statistical results. Statistics aim at analysing and characterising mass or collective phenomena in a considered population. Statistical purposes can be pursued either by the public or the private sector. Processing of data for “scientific purposes” aims at providing researchers with information contributing to an understanding of phenomena in varied various scientific fields…..
52. The requirement of paragraph 4(d) that data be not excessive in relation to the purposes for which it is processed reflects the principle of proportionality in two ways: it firstly entails that processing of data should be limited to the minimum necessary in relation to the purpose for which they are processed. ”Not excessive” refers both to the quantity and the quality of personal data. Secondly, data which would be relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should not be processed. Such is the case, for instance, in a standard recruitment procedure where it is clearly excessive in relation to the purposes of the processing to collect HIV data of the candidates to the post, while this can be considered as relevant data (in terms of management of futures absences for instance).
Article 6 – Special categories of data
60. Collection of sensitive data without identification data is a safeguard within the meaning of Article 6 of the Convention---). Where there is a legitimate need to collect sensitive data for statistical purposes in identifiable form (so that a repeat survey can be carried out, for example), appropriate safeguards should be to put in place should be: measures to dissociate sensitive data and identification data as from the stage of collection except if not feasible, the necessity to obtain the data subject's explicit consent preceding the survey (the mere fact of providing data could not be regarded as amounting to consent) except if justified by an important public interest, and the abstention of publication and dissemination of personal data.[SV40]
Article 7bis – Transparency of processing
66. Any additional information that is necessary to ensure a fair data processing
68. The controller is not requested required to provide this information
69. When such impossibility is of a practical nature, the data controller shall nonetheless use any available, reasonable and affordable means making it possible to inform data subjects in general or individually as the case may be (for instance when the controller is put in contact with the data subject for any reason, or through the website of the controller, etc.).[SV41]
Article 8bis - Additional obligations
Attention: erratum of the numbering from the point 82.
Article 9 – Exceptions and restrictions
88.89. No exceptions to the principles for protection of personal data are to be allowed[SV43].
Nevertheless, it is permitted in a strictly restrictive manner, for a limited number of provisions, to allow the benefit of derogations when such derogations are provided for by law and are necessary in a democratic society for the specific grounds exhaustively listed in litterae a and b of the first paragraph of Article 9. A measure which is "necessary in a democratic society" must pursue a legitimate aim and thus meet a pressing social need which cannot be achieved by less intrusive means. Such a measure should be proportionate to the legitimate aim being pursued and the reasons adduced by the national authorities to justify it should be relevant and sufficient. Such a measure must be prescribed by an accessible and foreseeable law, which must be sufficiently detailed.
89.90. The necessity of such measures needs to be examined in light of limited legitimate aims only, as is detailed in littera a and b of the first paragraph. Littera a lists the major interests of the State which may require exceptions. These exceptions are very specific to avoid giving Parties unduly wide leeway with regard to the general application of the Convention[SV44]
92.93. Littera b concerns major interests of private parties, such as those of the data subject himself or herself (for example when a data subject’s vital interests are threatened as because the data subject the/she is missing)
Chapter III – Transborder flows of personal data
Article 12 – Transborder flows
98.99. The purpose of the transborder flow regime is to ensure that information originally processed within the jurisdiction of a Party to the Convention (data collected or stored there for instance), when the processing then subsequently appears to be submitted to the jurisdiction of a State which is not Party to the Convention, continues to be processed in line with data protection principles that are appropriate with regard to the present Convention. What is important is that data subjects originally concerned by the data processed within the jurisdiction of a Party to the Convention always remain protected by appropriate data protection principles no matter the particular law applicable to the processing at stake. While there may be a wide variety of systems that different protection nevertheless has to be of a quality sufficient to ensure that human rights are not affected by globalisation and the transborder nature of data flows.[SV45]
100.101 Article 12 only applies only to the export outflow of data, not to its the import
inflow, as for the latter, data are covered by the data protection regime of the recipient Party.
101. 102 …This is the case of member States member of the European Union …
103.104. In some cases, data flows will be made from a Party simultaneously to several foreign States or international organisations, some of which are Parties to the Convention and some of which are not. In those cases, the Party transferring the data, which has export procedures for non-Parties, may not be able to avoid applying those procedures also to the data destined for a Party, but it should proceed in such a way as to ensure that these procedures are not an obstacle to data transfers to the latter Party is agreed.[SV46]
105.106. Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The content [SV47]of the law must include the relevant elements of data protection
111.112. In respect of transborder flows of personal data, a specific restriction exemption is allowed in view of protecting freedom of expression …
Chapter VII – Final clauses
Article 26 – Denunciation
160.161. In accordance with the United Nations Vienna Convention on the Law of Treaties, Article 80 [SV50]allows any Party to denounce the Convention.
Article 5 – Legitimacy of data processing and quality of data
42. Paragraph 2 prescribes two alternate essential pre-requisites to a lawful processing: the individual’s consent or a legitimate basis prescribed by law. Paragraphs 1 and2 [SV53]of Article 5 are cumulative and must be respected in order to ensure the legitimacy of the data processing
43. The data subject’s consent must be freely given, specific, informed and unambiguous. The consent represents a declaration of the individual’s intention: it is the free expression of an intentional choice, given either by a statement or by a clear affirmative action and which clearly indicates in this specific context the acceptance of the proposed processing of personal data. The mere silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. The data subject must be fully aware of the implications of his or her decision, and must have have must have been, to this end, adequately informed by the controller. No influence or pressure (which can be of an economic nature) whether direct or indirect, may be exercised on the data subject.
44. An expression of consent does not waive the need to respect the basic principles for the protection of personal data set in Chapter II of the Convention and the proportionality of the processing for instance still has to be tested .[SV54]
45. The data subject has at any time the right to withdraw the consent given at any time (which is to be distinguished from the separate right to object to a processing).
52. The requirement of paragraph 4(dc) that data be not excessive …
Les propositions de la Commission pour le Contrôle de la Protection des Données à caractère personnel ( CNDP) concernant le Projet de rapport explicatif de la version modernisée de la Convention 108.
4. La CNDP estime que la procédure d’adhésion à la Convention 108 modernisée revêt un caractère quelque peu contraignant en comparaison avec les procédures d’adhésion des Etats aux autres Conventions des droits de l’Homme. Selon elle, l’évaluation du niveau de protection intervient une fois l’adhésion effectuée et non au moment ou avant cette même adhésion.
5. Compte tenu du fait que le texte de la Convention modernisée n’admet pas de réserves, la CNPD suggère que le terme de réserves soit remplacé en bas de page du texte de la Convention, par celui de déclaration ou de déclaration interprétative.
6. Il y a lieu de préciser que concernant l’article 12 relatif aux flux transfrontières des données à caractère personnel, la CNDP considère que la dernière phrase du paragraphe 1 risque de vider de sa substance le principe énoncé au niveau de la première partie de ce paragraphe relatif à la liberté des flux entre les Etats parties à la Convention. En effet, le fait d’exclure de ce principe les « parties obéissant à des règles harmonisées contraignantes et communes à des Etats appartenant à une organisation internationale régionale « risque d’entraver la liberté des flux. Une telle disposition pose, par ailleurs, le problème du respect du principe de la réciprocité.
7. S’agissant de l’article 12.5, il est suggéré de ne pas limiter la notification aux cas énoncés dans ce paragraphe. Cette formulation pourrait limiter la possibilité pour une autorité de contrôle d’exiger la notification de tout transfert pour s’assurer que les conditions exigées sont bien respectées. Une telle mesure est nécessaire pour instituer une culture de la protection des données personnelles au niveau des pays qui disposent d’une législation récente en la matière.
This document was prepared on the basis of the consolidated text of the modernised Convention 108 and the numbering of the articles does not correspond to the draft Amending Protocol of the Convention.
Chapter I – General provisions
Article 2 – Definitions
17. The notion of ‘identifiable’ does not only refer to the individual’s civil or legal identity as such, but also to what may allow to “individualise” or single out (and thus allow to treat differently) one person among others. This “individualisation” can be done for instance by referring to him or her specifically or to a device or a combination of devices (computer, mobile phone, camera, gaming devices, etc.) on the basis of an identification number, a pseudonym[SV62], biometric or genetic data, location data, an IP address, etc.
19. When data are made anonymous, all means should be put in place to avoid re-identification of individuals, in particular, all technical means should be secured in order to guarantee that the individual is not or no longer identifiable data will remain anonymised. The anonymity of data should be re-evaluated in time as in light of the fast pace of technological development. What could at a point in time be considered ‘unreasonable’ could after some time be considerably facilitated by technology and enable identification of the individual with reasonable ease. [SV63]
20. The notion of "data subject" also entails the idea that a person has a subjective right [SV64]with regard to the data about himself or herself, even where this is gathered by others.
Litt. c [/d] – ‘controller’
22. "Controller” refers to the person or body having the decision-making power concerning the processing whether this power derives from a legal designation or factual circumstances. In some cases, there may be multiple controllers or co-controllers (jointly responsible for a processing and possibly responsible for different aspects of that processing). The following factors are relevant to assess whether the person or body is a controller: that person or body should have control over for instance the reasons justifying the processing; the processing methods; the choice of data to be processed; and who is allowed to access to it. The controller remains responsible for the data involved in a processing wherever that data are located and independently of who carries out the processing operations. In this respect, persons who are not under the controller’s authority and carry out the processing on the controller's behalf and solely according to his the controller’s instructions are to be considered processors.
Litt. d [/e] – ‘recipient’
25. ”Recipient” is an individual or an entity who receives personal data or to whom personal data are made available. Depending on thecircumstances[SV65], the controller, the processor, the data subject or a third party may also be a recipient.
26. ”Processor” is any person (other than an employee of the data controller) who processes dataa separate entity acting on behalf and for the needs of the controller and according to his instructions. carrying out the processing in the manner that was requested by the controller and for the needs of the controller. An employee of a controller is not a processor. The instructions given by the controller draw the limit of what the processor is allowed to do. The processor who does not respect thoese instructions is illegally processing the data. Processors who legitimately process data for their own purposes are to be considered as controllers for the processing operations linked to those purposes.
Article 3 – Scope
27. According to paragraph 1, the Convention is to be applied by the Parties to all processing - within the public or private sector alike - subject to the jurisdiction of the concerned Party. The concept of ‘jurisdiction’ is meant to refer to the traditional competences of the State, i.e. prescriptive, adjudicative and enforcement jurisdiction on, in principle, its territory.[1]9 Any data processing carried out by a public sector entity falls directly within the jurisdiction of the Party, as it is the result of the Party’s exercise of jurisdiction. Processing carried out by controllers of the private sector fall within the jurisdiction of a Party when they have a sufficient connexion with the territory of that Party. This is for instance the case when the controller is established on the territory of that Party, when activities involving data processing are performed in that territory or are related to the monitoring of a data subject’s behaviour that takes place within that territory or when the processing activities are related to the offer of services involving data processing are offered or goods to a data subject located on that territory, since the main criteria of definition of the jurisdiction is still linked to the territory of the Party. The Convention has to be applied when the data processing is carried out within the jurisdiction of the Party, which includes, in respect of the provisions of Article 12, when transborder data flows occur, whether in the public or private sector.
28. Making the The scope of the protection dependents on the notion of ‘jurisdiction’ of the Parties, is justified by the objective in order to better standing the test of time and continual technological developments, as well as the evolution of the legal concept of State jurisdiction according to international law and to reinforce the commitment to individuals’ protection. The concept of ‘jurisdiction’ is meant to refer to the traditional competences of the State, i.e. prescriptive, adjudicative and enforcement jurisdiction. 21
29. Paragraph 1bis excludes from the scope of the Convention processing carried out for [purely[SV66]] personal or household activities.[2]2 This exclusion aims at avoiding the imposition of unreasonable obligations on data processing carried out by individuals in their private sphere for activities relating to the exercise of their private life. Personal or household activities are activities which are closely and objectively linked to the private life of an individual and which do not significantly impinge upon the personal sphere of others. These activities have no professional or commercial grounds and exclusively correspond to personal or
household activities such as storing family or private pictures on a computer, creating a list of the contact details of friends and family members, corresponding, etc. The private sphere notably relates to a family, a restricted circle of friends or a circle which is limited in its size and based on a personal relationship or a particular relation of trust.
94.93. The third paragraph leaves open the possibility of restricting the rights with regard to certain data processing carried out for historical, statistical or scientific purposes which pose no identifiable risk to the protection of personal data and where restrictions to the data subject’s rights are justified. For instance, the use of data for statistical work, in the public and private fields alike, in so far as these data are presented in aggregate form and stripped of their identifiers[SV83] enters into that hypothesis provided that appropriate data protection safeguards are in place (see paragraph 51).
109.108. Paragraph 4 enables Parties to derogate, in a particular case, from the principle of requiring an appropriate level of protection and to allow a specific transfer to a recipient which does not ensure such a protection. Such derogations are permitted in limited situations only (with the data subject’s consent or specific interest and/or where there are prevailing legitimate interests provided by law[SV87]). Such derogations should not be disproportionate and should not be used for massive or repetitive data transfers. Where massive or repetitive data transfers are involved, provisions of article 12.3 should apply.
112.111. In respect of transborder flows of personal data, a specific restriction is allowed in view of protecting freedom of expression, including freedom of the press. Parties may allow exceptions to the provisions of this Article 12 on the condition that these exceptions are provided for by law and are necessary in a democratic society to protect the freedom of expression.[SV88] A measure which is "necessary in a democratic society" must pursue a legitimate aim and thus meet a pressing social need which cannot be achieved by less intrusive means. Such a measure should be proportionate to the legitimate aim being pursued and the reasons adduced by the national authorities to justify it should be relevant and sufficient. Such a measure must be prescribed by an accessible and foreseeable law, which must be sufficiently detailed.
Chapter III bis – Supervisory authorities
Article 12bis – Supervisory authorities
114.113.The effective application of the principles of the Convention necessitates the adoption of appropriate sanctions and remedies (Article 10). Most countries which have data protection laws have set up supervisory authorities to deal with evolving and complex personal data processing in light of organisational, social and societal evolutions. This context requires an external, independent and impartial entity overview, with fast reactive powers and specialised expertise
116.115.Parties have certain discretion as to how to set up the authorities for enabling them to carry out their task. According to paragraph 2, however, they must have at least the powers of investigation and intervention and the powers to issue decisions and impose administrative sanctions. [SV89]
122.121.Paragraph 2(e) deals with the awareness raising role of the the supervisory authorities.
Chapter IV – Mutual assistance
Article 14 – Assistance to data subjects
133.132. Paragraph 1 ensures that data subjects, whether in a Contracting State[SV90] or in a third country will be enabled to exercise their rights recognised in article 8 of the Convention regardless of their place of residence or their nationality.
EUROPEAN DATA PROTECTION SUPERVISOR/ LE CONTROLLEUR EUROPEEN DE LA PROTECTION DES DONNEES
Chapter I – General provisions
35. Such binding measures may usefully be reinforced by measures of voluntary regulation in the field of data protection, such as codes of good practice or codes for professional conduct. However, such voluntary measures are not by themselves sufficient to ensure[SV92] full compliance with the Convention.
Article 5 – Legitimacy of data processing and quality of data
52. The requirement of paragraph 4(d) that data be not excessive in relation to the purposes for which it is processed reflects the principle of proportionality in two ways: it firstly entails that processing of data should be limited to the minimum necessary [SV93]in relation to the purpose for which they are processed. ”Not excessive” refers both to the quantity and the quality of personal data. Secondly, data which would be relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should not be processed. Such is the case, for instance, in a standard recruitment procedure where it is clearly excessive in relation to the purposes of the processing to collect HIV data of the candidates to the post, while this can be considered as relevant data (in terms of management of futures absences for instance).
Article 6 – Special categories of data
58. The processing of photographs will not systematically be a sensitive processing as they will only be covered by the definition of biometric data when being processed through a specific technical mean allowing the unique identification or authentication of an individual. Furthermore, where their processing will aim at revealing racial or health information (see the following point), such a processing will be considered as a sensitive one. [SV94]
75. Littera b. Data subjects should be entitled to know about their personal data processed. While the right of access should in principle be free of charge, the wording of littera b is intended to cover various formulas followed by the legislation of the Party for appropriate cases: communication free of charge at fixed intervals as well as communication against a maximum lump-sum payment, etc. To ensure a fair exercise of the right of access, the communication “in an intelligible form” applies to the content as well as to the form of a standardised digital communication. The term "expense" means the fee charged to the data subject.[SV98] It should be reasonable in order not to prevent or dissuade data subjects to exercise their rights and should in any case either be equal or inferior to the actual cost of the operation.
19 See Council of Europe Commissioner on Human Rights, “The rule of law on the Internet and in the wider digital world”, Issue Paper, CommDH/IssuePaper(2014)1, 8 December 2014, p. 50-54, pt 3.4. “Within [a contracting state’s] [territory and] jurisdiction”, specially : « A state that uses its legislative and enforcement powers to capture or otherwise exercise control over personal data that are not held on its physical territory but on the territory of another state, for example, by using the physical infrastructure of the Internet and global e-communications systems to extract those data from servers, personal computers or mobile devices in the other state, or by requiring private entities that have access to such data abroad to extract those data from the servers or devices in another country and hand them over to the state, is bringing those data – and in respect of those data, the data subjects – within its “jurisdiction” in the sense in which that term is used in the ECHR […]. » .
21. See Council of Europe Commissioner on Human Rights, “The rule of law on the Internet and in the wider digital world”, Issue Paper, CommDH/IssuePaper(2014)1, 8 December 2014, p. 50-54, pt 3.4. “Within [a contracting state’s] [territory and] jurisdiction”, specially : « A state that uses its legislative and enforcement powers to capture or otherwise exercise control over personal data that are not held on its physical territory but on the territory of another state, for example, by using the physical infrastructure of the Internet and global e-communications systems to extract those data from servers, personal computers or mobile devices in the other state, or by requiring private entities that have access to such data abroad to extract those data from the servers or devices in another country and hand them over to the state, is bringing those data – and in respect of those data, the data subjects – within its “jurisdiction” in the sense in which that term is used in the ECHR […]. » .
22 Court of Justice of the EU, 11 December 2014, (Frantisek) C 212/13: “30. […] the directive does not cover the processing of data where the activity in the course of which that processing is carried out is a ‘purely’ personal or household activity, that is to say, not simply a personal or household activity. 31. In the light of the foregoing considerations, it must be held that […] the processing of personal data comes within the exception provided for in the second indent of Article 3(2) of Directive 95/46 only where it is carried out in the purely personal or household setting of the person processing the data. »
[SV1]Is it uncertain or difficult to determine the applicable law ?
[SV2]This to refer to the increased cooperation between the institutions concerned, e.a. European DPA’s for example and APEC on BCR’s and CBPR for example. As BCR are also “appropriate safeguards” recognized by article 12, we would suggest adding these words at the end of the sentence.
[SV3]We suggest to add in addition to the purpose of the processing, the type of processing (which could be of importance) and the type of data controller as well.
[SV5]In our view, it is important to make clear that the use of a pseudonym ( or any digital identifier – digital identity) does not lead to anonymisation as the data subject can still be identifiable/ “individualized”.
[SV6]WE suggest to add that the assessment is to be made on a case by case basis.
[SV7]We are not sure to understand. Can they also be recipient in the context of the same processing? To add an example might be useful.
[SV8]There seems to be a need to clarify the link with the idea that “The main criteria of definition of jurisdiction is linked to the territory and the paragraph below on the concept of jurisdiction.
[SV9]In our view, data protection legislation does not need to be extended to deceased persons. In the case of deceased persons, their protection has to be/is guaranteed by other legal concepts or legislations ( reputation, dignity, honor etc. for example). In the case of genetic data, if the data relating to a deceased person also relate to their heirs, ten those data are personal data relating to these heirs as living person.
[SV10]We would rather place this comment under the comment of “personal data” (see above).
[SV11]In our view, 2 different ideas are mixed here. First, there is a reference to what is covered by the term “law”. And then the law is qualified as what it needs to be (qualitative requirements): accessible and foreseeable. But, a country could pass a law that would not meet these requirements, still it would be qualified as a law internally. The rest of the text is then clearer and says that the law should be ….
[SV12]Given this comment of the Explanatory report, we do not share the reservation made by the Commission on this aspect ( unambiguous / explicit). In addition to the argument bases on article 11 of the Convention, this explanation clearly refers to a clear and active indication of willingness. What would be the difference with the explicit consent?
[SV13]The idea is to be a bit more explicit on the consequences of a withdrawal of consent.
[SV14]In this comment we have 2 formulation: sensitive data for data that are always to be considered as sensitive and “sensitive processing” when the data are processed for the sensitive information they reveal. In the latter, sensitive data are at stake. We would recommend to be cautious with the terminology of “sensitive processing “. May be processing of sensitive data would be clearer as “sensitive processing” may be interpreted, understood as something else in a more general context.
[SV15]Why, for the sake of clarity, not add an example of when it will not be sensitive. For example, processing of images by a videosurveillance system for security reasons in a shopping area.
[SV16]Why is this idea of harm added? In our view, some data can be processed for the sensitive information they reveal in the benefit of data subjects. Of course, being sensitive, these data may always lead to harm (cf their definition) but it’s a consequence and not part of the definition. Or is a condition of the “sensitive processing”. In our view it would unduly reduce the scope of the protection.
[SV17]Why not adding an example when data will not be considered to be sensitive. For billing purposes for example?
[SV18]Is it “where applicable” or “if any”. In our view security is one of the key obligation of the processor.
[SV19]We would avoid “etc.” as having to pay a fee is the exception in our view. This idea which is mentioned in the first sentence could usefully be repeated.
[SV20]In general, the principle of proportionality plays a role here.
[SV21]If any? Or both if any and where applicable ?
[SV22]We do not perfectly understand this sentence. Could it may be reformulated?
[SV23]By the law or by the data controller himself ?
[SV24]Here again, is it “if any” or “where applicale” or possibly both ?
[SV25]May be the idea of opt-in versus opt-out could be explicitly added here ?
[SV26]What if it occurs without the knowledge of the sender (for example by the processor without being allowed ? Automatically a data breach ?
[SV27]An example could be helpful here.
[SV28]Scope, reach of the law?
[SV29]Or any other better wording that would reflect that the reference is Convention 108.
[SV30]In our view, it is not the derogation that needs to be not disproportionate but the use of it.
[SV31]§§ 1 to 5 ?
[SV32]We would formulate this idea in a different way, referring to the functioning ( a single commissioner, or a collegiate body) and not to whom ( ombudsman for example can be misunderstood as generally speaking an ombudsman does not have competences comparable to the ones of a DPA.
[SV33]The text of the Convention says that DPA’s may impose such sanctions. Accordingly, the report should reflect that and not use the terms “must have” as far as sanctions are concerned.
[SV34]To hire its own staff according to internal rules is also of importance.
[SV35]In other parts of the Convention, the terms “a Party to the Convention” is used.
[SV36]Should state ‘the individual’ (singular) or ‘individuals’ (plural)..This comment applies every place the phrase ‘the individuals’ is used.
[SV37]Should state ‘protection’ rather than ‘a protection’. This applies to every instance where ‘a protection ‘ is used.
[SV38]The word ‘aliens’ is no longer used; ‘third country nationals’ or ‘non-citizens’ would be more appropriate
[SV39]We do not understand this sentence.
[SV40]We do not understand this text.
[SV41]This sentence needs to be clarified; specifically the first phrase is not consistent with the rest of the sentence.
[SV42]We do not understand this text.
[SV43]This sentence is not consistent with the rest of this paragraph. We suggest that you use text along the lines of the text in the explanatory report on the existing Convention 108.
[SV44]We note that there is no reference to judicial independence.
[SV45]We do not understand this sentence.
[SV46]We are not sure what this means – is it intended to say ‘as agreed’?
[SV47]Scope, reach of the law?
[SV48]The word ‘persons’ or ‘individuals’ would be more appropriate.
[SV49]This sentence needs to be clarified.
[SV50]Is this a reference to Article 80 of the Vienna Convention? If it is it should be placed before ‘the United ..’ to ensure greater clarity.
[SV51]The reference to the “controller’s authority” does not seem to be appropriate. Should we refer to persons acting outside the controller’s organization?
[SV52]This sentence seems to contradict the previous one. In the previous one we speak about “illegal processing” in case the processor does not respect the instructions given by the controller. Whereas the second sentence seems to “legitimize” the processing by the data processor for his own purposes (“legitimately”) Can we delete the second sentence?
[SV53]Shouldn’t we include also para 3 among the paragraphs to be read cumulatively? The idea should be that once the processing is founded on a legitimate basis (either law or consent) it should also respect not only the principle of proportionality as set forth by paragraph 1 but also the other data protection principles provided for by paragraph 3
[SV54]44. An expression of consent does not waive the need to respect the basic principles for the protection of personal data set in Chapter II of the Convention and the proportionality of the processing for instance still has to be tested .
[SV55]Is this consistent with paragraph 45 which states that withdrawal of consent is to be distinguished from the separate right to object to a processing?
[SV56]We should include a reference to the safeguards for individuals also in respect of this paragraph as correctly done, in the previous one, for national security, not to give the impression that the exception for economic and financial interests of the State is subject to arbitrariness.
[SV57]Scope, reach of the law?
[SV58]Does it really act as an intermediary?!
[SV59]This sentence should be redrafted:
1) The use of the word “regular reports” may be confusing in respect of the periodical reports that supervisory authorities are obliged to publish according to para 5bis.
2) The reference to paragraph 131 is not clear.
3) We are not sure that the wording “supervisory authorities should have the power to inform the public” is appropriate, since it is more an obligation as provided for by Article 12, para 2 e.
[SV60]“vulnerable categories of people”
[SV61]Paragraph 9 of Article 12 bis states that “The supervisory authorities shall not be competent with respect to processing carried out by bodies when acting in their judicial capacity”.
It would be advisable to include in the EM that although this principle aims at safeguarding the independence of
judges in the performance of their judicial tasks, such exemption should be strictly limited to genuine judicial activities in court cases and not apply to other activities where judges might be involved in, in accordance with national law.
[SV62]It is important to make clear that the use of a pseudonym ( or any digital identifier – digital identity) does not lead to anonymisation as the data subject can still be identifiable/ “individualized”.
[SV63]It would be useful to distinguish between anonymous data which is not covered by the Convention and pseudonymous data which should be.
[SV64]To be checked against the case law of the ECHR
[SV65]This is not clear: can those entities be also a recipient in the context of the same processing. It would be useful to add an example.
[SV66]Use of this term depends on outcome of EU reservation with regard to Article 3.1bis (which remains between square brackets in the text of the revised Convention).
[SV67]Same comment as before
[SV68]Extension of data protection legislation to deceased persons does not seem to be justified. In the case of deceased persons, their protection has to be/is guaranteed by other legal concepts or legislations ( reputation, dignity, honor etc. for example). In the case of genetic data, if the data relating to a deceased person also relate to their heirs, ten those data are personal data relating to these heirs as living person.
[SV69]Two different ideas seem to be mixed here. First, there is a reference to what is covered by the term “law”. And then the law is qualified as what it needs to be (qualitative requirements): accessible and foreseeable. But, a State could pass a law that would not (or not fully) meet these requirements and still it would qualify as a law according to its legal and constitutional system..
[SV70]Article 5.4.b does not limit further processing only to public statistics or public archives.
[SV71]Acceptance of this paragraph in the Explanatory Memorandum was a condition for the EU to lift its reservation on Article 5.4.c
[SV72]A risk analysis does not represent a security measure, but such analysis only leads to the realization that other security measures are necessary.
[SV73]Needs to be specified
[SV74]This is applicable to almost all pictures, as generally one can see from a picture to which race a person belongs.
[SV75]Article 6 applies to processing of sensitive data and not to "sensitive processing".
[SV76]Notion of "harm" is not a condition of an interference with data subjects' right to personal data protection
[SV77]It might be useful to add an example of non-sensitive data.
[SV78]This is not clear: do we want to refer to pseudonymous data or to anonymous data? In the latter case it is not even covered by the Convention.
[SV79]The example seems to refer only to automated processing. This should be made clear.
[SV80]This explanation is a condition for the lifting of EU reservation on Article 8bis.2
[SV81]By law or by the data controller himself?
[SV82]It would be useful to provide an example of data protection by default based on the idea of opt-in versus opt-out.
[SV83]It does not seem to qualify as personal data anymore.
[SV84]What if it occurs without the knowledge of the sender (for example by the processor without being allowed ? Automatically a data breach ?
[SV85]An example could be helpful here.
[SV86]Scope, reach of the law?
[SV87]It should be clarified that the specific interests and the prevailing legitimate interest are not those of the recipient State.
[SV88]Scope of paragraph 7 is unclear and generates serious legal uncertainty. Which exceptions are allowed? To which provisions? To the principle that a Party bound by harmonized rules of protection shared by States belonging to an international organization may prohibit or subject to special authorization the transfer of data to another Party in para 1? To the principle established in para 2 that the transfer of data may only take place where an appropriate level of protection is secured or rather to the derogation set out in para 4 that a transfer may take place if the data subject has given explicit consent? Are exceptions allowed to the principle that supervisory authorities have the right to request for information on transfers under para 5? This paragraph of the Explanatory Memorandum does not address any of the above questions.
[SV89]Is the intention to apply administrative sanctions also to public authorities?
[SV90]In other parts of the Convention, the terms “a Party to the Convention” is used.
[SV91]In order to avoid confusion between anonymous data and pseudonimysed data, it should be clearly stated that it is impossible to reidentify the data subject on the basis of anonymous data. In cases where it is not clear whether the data have been fully/irreversibly anonymised or not, the data should be covered by the provisions of the Convention.
See EDPS' additional comments of 15 March 2013 on the data protection reform package for the definition of anonymous data and pseudonimysed data: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2013/13-03-15_Comments_dp_package_EN.pdf
[SV92]We welcome the use of the word "ensure" in place of "secure".
ENSURE: Make certain that something will occur or be the case; make certain of obtaining or providing something; legislation to ensure equal opportunities for all.
SECURE: Certain to remain safe and unthreatened; protect against threats; make safe.
[SV93]We welcome the reference to the clear limitation of the data processed to the minimum necessary (minimization principle).
[SV94]Note that the consideration of biometric data as sensitive data may imply practical implementation difficulties. While in some cases, it should be subject to additional safeguards, in other cases it could be comparable to other ‘non sensitive’ personal data, such as a name and/or a physical description of a person.
In the EU proposed Regulation, for example, biometric data is not ‘sensitive’ but certain types of processing of biometric data are subject to a privacy impact assessment. (Note also that the European Parliament has added biometric data to the list of sensitive data, while the Council has not).
[SV95]The logic underpinning the processing should also be added.
[SV96]adapted to the relevant data subjects (in a child friendly language where necessary for instance)
[SV97]We welcome the references to the retention periods and to transfers to third countries (consistent with EU proposed Regulation).
[SV98]The rectification or erasure, if justified, must be free of charge
[SV99]It should be made clearer that paras 91 to 94 are an illustration of what constitute legitimate grounds.
The explanatory report should specify that even though a derogating measure genuinely satisfies a legitimate aim listed in litterae a and b, it does not automatically mean that the measure in question is actually necessary and proportionate. The proportionality and necessity of an interference should systematically be assessed on a case-by case basis.
See Digital Rights Ireland Judgment and Working Party 29's Working Document on surveillance of electronic communications for intelligence and national security purposes, esp. point 4.3.3 on the scope of restrictions to the fundamental rights to respect for private life and data protection (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp228_en.pdf
[SV100]Scope, reach of the law?
[SV101]The final explanatory report should specify that derogations only apply on a case by cases basis. In case of structural, repetitive or massive transfers, adequate safeguards should be put in place.