OPINION OF THE T-PD BUREAU

Strasbourg, 10 June / juin 2015

T-PD(2015)04Mos_Addendum

CONSULTATIVE COMMITTE OF THE CONVENTION

FOR THE PROTECTION OF INDIVIDUALS WITH REGARD
TO AUTOMATIC PROCESSING OF PERSONAL DATA

(T-PD)

LE COMITÉ CONSULTATIF DE LA CONVENTION POUR LA PROTECTION
DES PERSONNES A L’ÉGARD DU TRAITEMENT AUTOMATISÉ

DES DONNÉES A CARACTÈRE PERSONNEL

(T-PD)

Information on the recent developments at national level in the data protection field

Information sur les développements récents intervenus dans le domaine
de la protection des données au niveau national

Directorate General Human Rights and Rule of Law /

Direction Générale droits de l'Homme et Etat de droit

TABLE OF CONTENTS / TABLE DES MATIERES

ALBANIA / ALBANIE.. 3

IRELAND / IRLANDE.. 13

LATVIA / LETTONIE.. 15

LIECHTENSTEIN.. 17

THE FORMER YUGOSLAV REPUBLIC OF MACEDONIA / L’EX-RÉPUBLIQUE YOUGOSLAVE DE MACÉDOINE.. 18

AUSTRALIA / AUSTRALIE (AFP / APF) 27

ALBANIA / ALBANIE

REPORT TO THE T-PD COMMITTEE

COVERING THE PERIOD

MAY 2014 - MAY 2015

MAIN DEVELOPPMENTS IN THE FIELD OF PERSONAL DATA PROTECTION AT THE OFFICE OF THE INFORMATION AND DATA PROTECTION COMMISSIONER

During the period May 2014 - May 2015, the institutional activity of the Office of the Commissioner focused primarily on the protection of personal data and then also on the other important pillar, the right to information.

The Office of the Commissioner bears now the designation: “Information and Data Protection Commissioner” and counts in its powers the monitoring and guaranteeing of two constitutional human rights, the right for personal data protection and the right to information. Regarding the activities related to developments in the field of personal data protection, we would like to inform you on the following:

Ø Legal activity in the framework of enforcement of the Law on Personal Data Protection.

§ Adoption of bylaws

Important developments occurred in the context of enrichment of legal activity were achieved through the adoption of by-laws, Instructions or guidelines interpreting Law No. 9887, dated 10.03.2008 “On personal data protection” as amended. During this period 4 instructions were adopted by the Commissioner, currently published in the Official Gazette.

1. Instruction No.95, dated 07.04.2014 “On the definition of institutions and bodies receiving personal data from the civil status service, as well as on the manner, the type and amount of information that they shall obtain” jointly drafted by the Information and Data Protection Commissioner with the Ministry of Interiors. This Instruction determines institutions having access in the registrar of civil status, the legal framework applying to this case, the purpose of usage of personal data, their amount and type. This act’s finalization came after an intensive work that both institutions initiated in 2012.

2. Instruction No. 40, dated 13.06.2014 “On usage of internet service and official electronic mail in public institutions in the context of personal data protection”.

The purpose of this Instruction is the determination of binding rules applying to public institutions and the appropriate structures, managing information systems in terms of internet usage and electronic mail in workplace for employees.

3. Instruction No. 41, dated 13.06.2014 “On permission of certain categories of international transfers of personal data in a country not disposing of an adequate level of data protection”.

This instructions purpose is to determine the binding rules applying to public and private controllers regarding cases of international transfers in countries not disposing of an adequate level of personal data Protection.

4. Instruction No. 42, dated 22.07.2014 on “Data processing of employment applicants”.

This instruction’s purpose if to determine the binding rules regarding personal data processing during employees’ recruitment period either in public institutions or private ones.

- Within a join working group with the Ministry of Justice, a draft/instruction on anonymization of personal data in court rulings published on web portals was prepared. The adoption of this draft-act is still being expected.

§ Other important acts

Aiming the unification of legislation and determination of standards with best practices, instructions were drafted and approved; legal opinions were issued relating to draft/legal acts and bylaws, filed at the IDP Commissioner. Pursuant to Law No.9887, dated 10.03.2008 “On personal data protection”, as amended, the Authority of the Commissioner has drafted and submitted to the Assembly of Albania, the Annual Report on the activities of the Information and Data Protection Commissioner for 2014.

§ Some Instructions/guidelines adopted:

- Instruction on “Protection of personal data in the Code of Ethics”;

- “Guidelines for Public Authorities on draft/acts related to personal data, in the context of Article 31/1/a of Law no. 9887, dated 10.03.2008”.

- “Instruction on protection of personal data in cloud computing services ”

- “Instruction on International Transfer of Personal Data”.

In the context of alignment with international standards a material was drafted on the explication of the notion of “Consent” based upon the opinion of Article 29 Working Party.Its interpretations help law enforcement authorities have a clear picture of meaning and usage of this notion, by reflecting its different aspects in order to be implemented and practiced case by case.

Different leaflets and explanatory papers were considered as an awareness tool and put into use in meetings, trainings and occasional contacts. The leaflet on “Transparency in public administration and personal data protection”, recommends state institutions to develop internal policies related to requests for access in official documents. While, the leaflet on “Law 119/2014 “On the right to information”, whose publication was backed by the Open Society for Albania Foundation explains some of the right and obligations of the new law on the right to information.

§ Issuing of opinions on draft/legal acts and bylaws

Pursuant to the responsibilities that the law on personal data provides related to delivering opinions on draft/legal acts, during the reporting period opinions were issued regarding 10 draft/laws, the draft/law “On some additions and amendments to Law No. 8454, dated 04.02.1999 “On the ombudsman”, the draft/law “On asylum on the Republic of Albania”, the draft/law “On deposit insurance”, the draft/law “On Internal Control Service of the Ministry of Internal Affairs”; the draft/law “On weapons”, draft/law “”On physical private security”; proposals for amendments to the Law No. 9109, dated 17.07.2003 “On the profession of attorney in the Republic of Albania”, proposals for amendments to the Law No. 8901, dated 10.10.2002 “On personal number of citizens”; draft/law “Administrative Procedural Code of the Republic of Albania”; draft/law “On Military Police in Armed Forces of the Republic of Albania”.

Draft-Laws “On an addition to the Law No. 7850 dated 29. 07. 1994 “Civil Code of the Republic of Albania” as amended and “On some amendments to Law No. 8116, dated 29. 03. 1996 “Code of Civil Procedures of the Republic of Albania”, as amended, etc.

Opinions were issued on some draft/bylaws, draft/decision of Council of Ministers, “On determination of the format and manner of collection and reporting of data from public or private providers of healthcare”; “Convention of the Council of Europe on counterfeiting of medical products and similar crimes involving threats to public health”, draft/decision on “Approval in principle of the Agreement between the Government of the Republic of Albania and the Government of Slovak Republic on co-operation in combating terrorism, organized crime, illegal trafficking of narcotics, psychotropic substances and drugs precursors and other crimes” etc.

§ Co-operation agreements

The IDP Commissioner has scored achievements also in the inter-institutional relations plan. In this period, co-operation agreements were signed between the Information and Data Protection Commissioner with:

The Order of Pharmacists of Albania;

The Order of Physicians of Albania;

The Italian Authority for Personal Data Protection;

The purpose of this agreement is the promotion of co-operation for continuous exchange of experience in carrying joint inspections/supervisions to Italian controllers/companies operating in the territory of the Republic of Albania and who process personal data.

High Inspectorate for Declaration and Audit of Assets and Conflict of Interest (ILDKPKI)

In the framework of the Agreement signed with the Authority for Personal Data Protection of the Republic of Kosovo (National Agency for the Protection of Personal Data – Kosovo), information was exchanged and cooperation was implemented in addressing complaints. Currently, complaints referred by the counterpart Authority are under examination process regarding territoriality, which relate to Albanian citizens and controllers operating within the territory of the Republic of Albania.

A series of bilateral meeting took place, bringing real contribution in improving the collaborative practices among IDP and other Public Authorities.

Fulfilment of the important obligation of controllers to notify

In this framework as a first step with expectations is the intensive continuation of the full identification process of controllers and processing entities, their awareness, their introduction with the Law No. 9887, dated 10.03.2008, “On personal data protection”, as amended, as well as the fulfilment of the legal obligation to notify the Office of the Commissioner regarding the actual state of personal data processing.

This process was extended either through delivering information notices, asking subjects, thereby to fulfil their legal obligation to notify, or through seminars organized for this purpose. Controllers were assisted on how to complete the Notification Form and for any queries in this regard.

During this period from the list of registered subjects of the National Registration Centre were filtered and identified 802 subjects, to whom sensitizing notices were sent along with around 600 sensitizing e-mails using the electronic addresses registered at the National Employment Service.

Also, a priority of the Office of the Information and Data Protection Commissioner has been the full identification and processing of controllers processing data electronically for marketing purposes, “Call Centres”, raising their awareness, their introduction with the Law as well as the implementation of the legal obligation of notification.

In this context, a detailed assessment of the current situation of companies whose object of activity is “Call Centre” was carried out, providing necessary information from the National Registration Centre of the Republic of Albania, on all controlling entities which stated their object of activity in this field.

Based upon their object of activity, we identified as follows:

278 entities stating among all activities, their activity in the field of “Call Centre”;

180 entities stating their activity mainly in the field of “ Call Centre”;

97 entities stating their activity solely in the field of “Call Centre”.

Currently, for 25 entities among controllers processing personal data stated above, administrative investigation were carried out.

Managing the notifications and the registration of controllers.

As a result of the awareness-raising strategy, being in the same time a legal obligation, during this period, at the Commissioner’s Office 527 controllers have notified, of which 15 non-profit organizations, 30 public entities and 482 private entities, resulting in a total of 4757 notifications. We’ve proceeded with the registration and online publication in the Public’s Open Registry of notifications that resulted in carrying out personal data processing in compliance with the requirements of Articles 5 and 6 of the Law No. 9887, dated 10.03.2008 “On personal data protection”, as amended.

The number of controllers registered in this period is 528, of which 15 non-profit organizations, 28 public entities and 485 private entities, resulting in a total of 4707 registered entities.

Based on Article 23 of the Law No. 9887, dated 10.03.2008 “On personal data protection”, as amended, we have processed via the request for additional information 102 declarations resulting incomplete, unclear, to further verify the legitimacy of data processing by notifying controllers, as well as in the context of submission of requests for authorization from the Commissioner, for sensitive data processing and international transfers of personal data.

Moreover, through examination of notification forms, 4 practices were initiated, aiming to verify the legitimacy of international transfers of personal data, which led to the completion of information provided by the controllers as well the initiation from their side of the procedures for requesting the Commissioner’s Authorization for international transfers of data in countries not ensuring an adequate level of personal data protection. Corrections, additions or authorizations granting was reflected in the Electronic Registrar of Controllers.

Administration of the communication channel

We’ve kept permanent contact with the personal data protection officers of controllers, mainly those in public sector, in order to update them immediately regarding acts issued by the Commissioner and also for any communication or required assistance. In this period we’ve aimed mainly the awareness-raising of this category regarding this obligation that every public controller should meet.

Policy and the Outcome of Supervision

The Office of the Commissioner estimates the higher importance of inspections and administrative controls process to public and private controllers, in the framework of compliance with the legislation on personal data protection and the guarantee of the right of personal data subjects. Deploying controls and inspections constitutes a permanent commitment of the Office of the Commissioner.

Its supervisory role on the reporting period was successfully implemented by the Office of the Commissioner through audits, inspections, carried out upon initiative (ex-officio) or based upon complaints of personal data subjects.

Managing of Complaints

In this period of time the IDP Commissioner has received 83 complaints (16 more than previous reporting period), requests for information and concerns related to possible breaches to personal data by different controllers (public of private). Some among these requests were not in compliance with the Law on personal data protection while for 48 complaints measures were taken in guiding subjects to exercise their right as stipulated in the law and in every case, according to concrete specification, inspection orders were issued and appropriate verifications were carried out on the field.

Objects of complaints examined by the Commissioner’s Office were as follows:

Disclosure of personal data in the media and in the official web pages of controllers in the internet;

Obtaining of consent for operating direct marketing;

Exercise of the right of access and rectification/deletion of personal data;

Disclosure of personal data in court rulings, etc.

The complaints reach the Office of the Commissioner not only officially but also via electronic mail, to: [email protected] or via the toll-free number. Such thing has enabled faster and more direct communication. In any case, after that further review was performed, highlighted e-mails were administered officially.

During the processing of complaints, particular care was assigned aiming to effectively examine them by providing the appropriate assistance to data subjects, guiding them toward ways and actions to be followed in order to exercise their rights provided in law. Furthermore, we aimed to conduct complete and effective investigations, consisting in proportionate decisions, based upon the reaction of controllers and public interest.

Controls and administrative inspections upon initiative (ex-officcio) of the Commissioner’s Office.

Pursuant its supervisory policies, the IDP Commissioner exercised in this period 235 controls and authentic administrative inspections or of verification. These administrative controls and inspections were diverse, including those of general object, specific object (mainly those based upon complaint) and focusing upon particular sectors (depending on public sensibility), of controllers and fields with impact in public opinion, such as the insurance companies, ministries and banks. The overall aim of the Commissioner’s Office was the verification of compliance with the personal data protection legislation in particular sectors, the evidence of the nature of the issues and offering of assistance in the framework of implementation and compliance with the legal obligations.

The inspections conducted to insurance companies and banks were infringements of legal provisions were found, in the framework of the obligation to inform data subjects and guarantee of personal data security in the relations of these controllers with third parties (processors).

Moreover, the IDP Commissioner carried online inspections with special focus on personal data processing on the controller’s web pages, privacy policies, informing of personal data subject, ways of obtaining consent from personal data subjects, disclosure of personal data, storage and archiving of data collected from the webpage of the controller, etc.

Due to technological progress, a large part of services from public and private controllers take place online. The performance of online inspections is considered as a solution to increase awareness of controllers upon the importance of respecting the rules related to privacy, their obligation to inform personal data subjects related to their right pursuant to the law on personal data protection. In this context, among all, it is imperative that the controller publishes on his internet web page the “privacy policies” (set of rules), in order to inform personal data subjects and those persons visiting the webpage upon the modalities of personal data processing, security measures and the protection of privacy, their right and the obligations of controllers. At the same time, another modality to raise awareness was considered the awareness of personal data subjects and persons who visit pages, upon the importance of privacy protection and the rights that they have in this field.

Administrative Sanctions (Fines)

Pursuant to the legal powers, in any case where serious and repeated infringements to the law were found, the Commissioner has imposed sanctions. In total 41 administrative sanctions (fines) were imposed. We note that there is an increasing number of fines imposed, not only due to the fact that controllers in some cases were found in recurrence of failure to apply obligations stipulated by the law, but also as a fact of the organization of inspections in order to verify the application of recommendations issued by the Office of the Commissioner, resulting in failure to observe these obligations.

These infringements sanctioned refer mainly to the failure to meet the obligation to inform personal data subjects by the controllers, to the obligation related to the security measure to take for personal data security and confidentiality, to the obligation to anticipate clauses, dispositions related to personal data protection in contractual agreements with third parties and to the obligation related to complete and update the “notification form” to the Office of the Commissioner. The fines imposed by the Office of the Commissioner were perceived pursuant to the law as well as in respect of the principles of legitimacy, transparency in the decision-taking process and the right of parties to be heard. In all the cases, before issuing the final verdict, hearing sessions were organized with the controllers.

International Transfer

Special focus was assigned to the requests for international transfers of personal data. 6 (six) files were reviewed and 5 decisions were taken, not including opinions issued to the banking system in the framework of personal data transfers of clients, as a result of application of requirements of the American FATCA Law (in total 10 cases). The Procedures of international transfers dispose of a faster mechanism for their examination, due to the approval of the new instruction and the guidelines which guides and facilitates the modality to be observed by the controllers in cases of requests for data transfers. The standard used is up to date and adopted following best international practices.

Fulfilment of obligations in the framework of Progress-Report of 2014

In the framework of fulfilment of obligations set in the Progress-Report of 2014, (Chap. 4.23, Judicial-pg.57) where was stipulated that, “media breaches frequently the right personal data protection” and also based upon numerous complaints in connection with the breaches of privacy by the media, the Office of the Information and Data Protection Commissioner has collaborated with the “Authority of Audio-visual media” (AMA) and the Albanian Institute of Medias requiring from them to take measures against medias violating the law. In this context, the IDP Commissioner has proposed the start of co-operation and organization of joint meetings with stakeholders operating in the field of audio-visual media and with AMA being the regulatory body. Among other things, some of the issues relating to the right balance between freedom of speech and personal data protection were addressed. It is being negotiated with other stakeholders such as the Association of Journalists, in order to organize in institutional and coordinated way the approach with regard to the Media and the guarantee for data protection in this field. A Draft-Cooperation Agreement was prepared between the Office of the Commissioner and AMA and the process of its adoption is on the way.

Furthermore, the continuous cooperation with the Ministry of Justice is in place through the working party set on “Anonymization of personal data in court rulings published in the official web pages of the judicial system”, Currently the draft-instruction is prepared for the the achievement of this goal, while its approval is still pending.

Awareness-raising

Awareness-raising seminar with representatives of local administration in the cities of Korça and Pogradec.

In May, the Office of the Commissioner organized two seminars with representatives of public administration in the cities of Korça and Pogradec aiming to raise awareness among public stakeholders on the right for personal data protection and enforcement of relevant legal framework in Albania.

Representatives of the Office of the Commissioner during a meeting with pupils of the secondary school “Muharrem Çollaku” in Pogradec provided advices regarding protection from cyber attacks affecting individual privacy, through secure passwords, use of antivirus, spywares etc.

Training of data protection officers in cooperation with the Albanian School of Public Administration (ASPA). In this framework, the in-depth training of data protection officers of public controllers continues through modules administered by them. Currently, 65 persons are certified in this field.

The Office of IDP Commissioner continued with the sensitization of different groups including controllers of data and citizens.

In this regard, frequent awareness-raising meetings were organized, seminars and trainings for local administration officials, press releases were delivered, interviews for written and visual media as well as meetings with pupils and students from various faculties. An important event was the participation of the Commissioner’s Office in the 17^th Book Fair “Tirana 2014”. In this activity, awareness materials were introduced to the public, as for instance leaflets and brochures. During the days of the Fair, 30.000 citizens visited the Commissioner’s where they received information related to personal data protection from the staff of the Commissioner as well as sensitizing materials.

With the aim to raise awareness of personal data controllers, related to practices of international personal data transfers, the Office of the Commissioner organized a seminar with representatives of the banking system, telecommunications and public authorities, transferring personal data in French speaking countries. A special invitee in this event was the French expert, responsible of international transfers sector of the counterpart French Authority, Mme. Gufflet, who introduced the participants with the standards facilitating the implementation of binding corporate rules related to international transfer and presented as well few practical cases of their implementation.

On the occasion of 28 January 2014, International Day of Personal Data Protection, the Information and Data Protection Commissioner along with representatives of the EU delegation in Albania, welcomed at the Information Centre of European Union a group of students in order to discuss related to personal data and privacy protection.

In March, the Office of Information and Data Protection Commissioner in collaboration with the Albanian Association of Banks organized a seminar entitled “Processing of Personal data of employees in banking sector”. Participants in this seminar were from departments of Human Resources of second level banks. During this event, representatives of the Office of the Commissioner updated the attendees with the lately legal and bylaws amendments and discussed related to different issues encountered in the enforcement of the Law on personal data protection in banking system.

The Information and Data Protection Commissioner participated in the presentation of the Report “Monitoring of Transparency and Behaviour of Judicial Administration toward the Public” organized by the Albanian Institute of Political Studies and the Open Society for Albania Foundation. Among other things, the Commissioner introduced the participants with statistics and concrete problems that the Office of the Commissioner has encountered during the process of enforcement of the above mentioned Law.

The Office of Information and Data Protection Commissioner organized on 25^th and 26^th of May a training seminar at the premises of the Academy of Security of the State Police. 20 personnel from various management levels of this institution attended the seminar. The representatives of Commissioner’s Office addressed in the workshop specific issues relating to collection, processing, storing and security standards of personal data of citizens in everyday’s work and exercise of legal functions by State Police employees.

Reports and international/European activities

In October the Commissioner reported to the Assembly of Albania related to the observations of the 2014 Progress-Report of EU on Albania as well as related to the actions to initiate according to these recommendations.

In November a report was delivered in the framework of drafting of the National Strategy for Development and Integration 2014-2020, on section “Human Rights”. According to our institutional mission, we identified the goals to achieve and the related financial costs.

In the context of the Experts Mission visit (European Commission’s Evaluation Mission) “Peer Mission Review”, a full report was delivered upon every information and topic required. The purpose of these meetings was the field verification and evaluation of principal reforms to independent institutions in the framework of Albania’s integration in the European. 36 recommendations addressed to the Office of the Commissioner were identified, which remain to be considered and implemented by relevant institutions.

A questionnaire on medical data sent by the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD) was completed and delivered via electronic mail along with the questionnaires completed by other medical institutions.

The Office of Information and Data Protection Commissioner participated in various international events

31^st Plenary Meeting of the Consultative Committee of the Convention for the Protection of Individuals from Automatic Processing of Personal (T-PD)”, along with the European Conference of Data Protection Authorities held from 2 to 5 June in Strasburg.

Along with a study visit of the Information Commissioner Office of United Kingdom (ICO) on 22 – 24 September in England, the Office of the Commissioner profited from the opportunity to carry out an inspection of the Albanian Embassy in United Kingdom (UK).

Regional Conference “Freedom of Public Information – Development of practices in Western Balkans Region” – Prishtina/ Kosovo, 18 September, wherein the Office of the Commissioner delivered a presentation.

36^th International Conference of Data Protection and Privacy Commissioners held in Mauritius, on 13-16 October 2014.

International “Privacy, innovation and surveillance: what ethical framework for Europe?” Conference, held in the HQ of UNESCO, in Paris, 8 December 2014, wherein an important resolution was approved.

“Privacy enforcement: lessons learned from current implementations and future perspectives” held in Krakow of Poland, on 12 December along with a bilateral meeting of the IDP representative and GIODO’s on 11 December, in order to take forward to organization of 2015 Meetings of CEEDPA in Albania.

“Round Table” and International Conference on “Privacy in the Digital Age” – 25-26 January 2015, Prishtina – Republic of Kosovo. The Office of the Commissioner delivered presentations in both activities.

Global Conference on Cyberspace 2015, held in The Hague, on 16-17 April 2015.

VII Meeting of the Sub-committee on Justice, Freedom and Security, EU-Albania – 21-22 April 2015 – Brussels, Belgium,

European Conference of Data Protection Authorities hosted by the Information Commissioner’s Office of United Kingdom (ICO) which took place from 18 to 20 May 2015. The Office of the Commissioner delivered a presentation and invited all counterpart European authorities to participate in the XXVII case Handling Workshop which will take place in Albania. This event will serve as a platform for direct exchange of experiences and concrete cases in the field of personal data and privacy protection. This event will be held for the first time in our country.

Other developments in the field of international cooperation and promotion of the Authority.

In order to approximate with the counterpart authorities and international bodies, the English and French versions of the official web page were prepared and lunched, aiming to reflect the principal activities of the Commissioner’s Office. Press releases and informative documents were translated and published on the web page.

The Office of the Commissioner, with the status of member of the French Speaking Association of Data Protection (AFAPDP) organized on 15 December, a 1 day seminar for the introduction of Binding Corporate Rules of French speaking countries area (RCEF) to the French economic actors operating in the territory of the Republic of Albania and transferring personal data to and from French speaking countries, from different sectors, such as banking, insurance, etc. The event was attended as well by fellow colleagues from the Kosovo counterpart authority. The Seminar was addressed by representatives of the Commissioner’s and the Head of BCR Sector of the National Commissioner of Informatics and Liberties of France (CNIL).

On 29^th and 30^th of April 2015, the Office of Information and Data Protection Commissioner, organized the international event 17^th Meeting of CEEDPA 2015 (Central and Eastern Europe Data Protection Authorities), in the city of Durrës. The meeting brought together 16 representatives from Authorities, European Union and Council’s bodies. Invited guests were also authorities’ non members of the network, such as Italy and Morocco, as well as Kosovo, for the latter a membership declaration was introduced and approved. Another Declaration relating to the regional cooperation with practical features was drafted by the Office of the Commissioner and it is still being discussed for a later approval. The 17^th Meeting of CEEDPA were addressed by the Speaker of the Parliament, the Minister for Innovation and Public Administration, the Ambassador of Netherlands in Albania as well as by the Assistant European Data Protection Supervisor.

The Office of Information and Data Protection Commissioner joined in an application consortium for a project in the Erasmus + Program in the field of personal data protection in tourism industry. Various application documents were completed along with an ECAS account created for this purpose. The application was presented as completed within the deadline set on 31 March 2015.

Regarding the Opinion “On the implications for data protection of mechanisms for automatic inter-state exchanges of data for administrative and tax purposes”

The Information and Data Protection Commissioner being a member of the Consultative Committee (T-PD) and pursuant to Convention No. 108 of the Council of Europe, dated 28.01.1981 “For the Protection of Individuals with Regard to Automatic Processing of Personal Data and the national legislation in its powers, has sent through an official note the Opinion of the T-PD “On the implications for data protection of mechanisms for automatic inter-state exchanges of data for administrative and tax purposes” translated in Albanian language, to various state institutions and published it as well on the official webpage www.idp.al.

Through this official initiative, IDP urged state institutions to consider and evaluate this opinion when preparing draft-acts through which inter-state automatic exchanges of personal data for administrative and tax purposes are incurred. Moreover, for cases when state institutions signed or implemented acts affecting the activity in this field, the IDP Commissioner has required them to consider their revision in light of this opinion, if that is feasible.

The reaction of institutions such as the Assembly of Albania, Ministry of Justice, Ministry of Health, Ministry of Social Welfare and Youth, Ministry of Defence, Ministry of Transports and Infrastructure, Ministry of Foreign Affairs, Ministry of Urban Development, Ministry of Culture, General Prosecution, Authority of Financial Supervision, Authority of Audio-Visual Medias, Albanian Energy Regulator, Institute of Social Insurance, etc. was immediate, demonstrating the appropriate importance of inclusion of main important principles of personal data protection governing processing.

In addition, in order to provide practical cases, according to the principles stipulated in the national law on personal data protection but also in the Opinion of the T-PD, the Social Insurance Institute has fulfilled the task assigned by the Office of the Commissioner, according to which, the Social Insurance Institute (ISSH) in collaboration with the Ministry of Social Welfare and Youth, in the Agreement signed with the Government of the Republic of Turkey “On social protection” has drafted an Appendix related to general principles of personal data processing, their exchange and made them part of the highlighted agreement.

Moreover, the Ministry of Social Welfare and Youth has signed or has several agreements with different countries in process, where a specific provision is envisaged, which protects and guarantees the rights for protection and legal processing of citizens’ data, being subject of these agreements. In this context, monitoring and enforcement of this opinion will continue being part of the activities of the Albanian Information and Data Protection Commissioner.

IRELAND / IRLANDE

Appointment of Minister for Data Protection

On 15 July 2014, Deputy Dara Murphy was appointed as Minister of State with responsibility for European Affairs and Data Protection. Reflecting the importance attached to data protection and the wider digital economy by the Irish Government, Ireland became the first country in the EU to allocate specific responsibility for data protection to a Minister.

Government Roadmap

A Government decision on 7 October 2014 approved a roadmap, aimed at ensuring optimal data protection standards in the digital economy. It was agreed that Minister of State Murphy would oversee the implementation of the roadmap, thereby ensuring a “whole of government” perspective on data issues.

To support this initiative, a Data Protection Unit was established in the Department of the Taoiseach (Prime Minister) in November 2014.

Inter-Departmental Committee on data-related issues

Arising from the roadmap, it was agreed that an Inter-departmental Committee on data-related issues would be established. The Committee brings together the key officials with responsibility for data protection in each Government Department. The Committee has created the ideal platform for the sharing of good practice and assisting in the delivery of more effective public services through the improved use of data.

Government Data Forum

The roadmap further agreed that Government needs to participate in, and lead as appropriate, dialogue with business and civil society. Minister of State Murphy and officials have met with a large number of key players in the data protection area, including representatives of industry, civil society, academia and the civil and public sectors.

This engagement is being formalised with the establishment of a Data Forum, which will include representatives from industry, civil society and academia. Amongst other tasks, it is intended that the Forum will focus on the opportunities and challenges that arise from the growth in the digital economy; the societal implications of the generation and use of personal data; and the balance to be struck between safeguarding personal information, privacy and fundamental rights with economic development, as well as the benefits for individuals from the use of data.

Office of the Data Protection Commissioner

Ms Helen Dixon was appointed Data Protection Commissioner in September 2014 following the retirement of the former Data Protection Commissioner Mr Billy Hawkes.

The budget of the Office of the Data Protection Commissioner (ODPC) was doubled for 2015, being increased from €1.6m to €3.65m. This has allowed the Commissioner to begin the process of recruiting an additional 18 new staff.

Additionally, a new office in Dublin is being sourced for the ODPC, to complement the existing Portarlington office.

Activities of Office of the Data Protection Commissioner

Complaints

During 2014, the Office of the Data Protection Commissioner opened 960 complaints for investigation.

Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for almost 55% of the overall complaints investigated during 2014. With 521 complaints in this category, this represented a record high number of complaints concerning access requests.

Complaints in 2014 about unsolicited marketing communications under the Privacy in Electronic Communications Regulations (S.I. 336 of 2011) saw a decrease compared to recent years with a total of 176 opened for investigation. The Office is confident that its active prosecution strategy in this area has contributed to the overall decline in this category of complaint.

The Office prosecuted nine entities in 2014 for a total of 162 offences, spanning both the Data Protection Acts, 1988 & 2003 and the Privacy in Electronic Communications Regulations (S.I. 336 of 2011).

In 2014 the Commissioner made a total of 27 formal decisions. 28 of these fully upheld the complaint, 2 partially upheld the complaint and 7 rejected the subject of the complaint.

Data Security Breaches

In 2014, the Office of the Data Protection Commissioner dealt with 2,188 Data Security Breach notifications. This is an increase of 681 notifications compared to the previous year. The figure of 2,188 breach notifications includes 65 notifications made via the new online reporting mechanism laid down in European Commission Regulation 611/2013 which sets out specific rules for the notification of data security breaches by Telecommunications and Internet Service Providers.

In line with the desire of the Office to work effectively with other Data Protection Authorities, a joint investigation into a breach notification made to the Office by Adobe Software Systems Ireland was instigated in 2013 in conjunction with the Office of the Privacy Commissioner in Canada and the Office of the Australian Information Commissioner. The Office of the Data Protection Commissioner in Ireland concluded its investigation in 2014 and issued a report to Adobe containing its findings and recommendations.

Audits

The Office of the Data Protection Commissioner audited 38 organisations during 2014. In August 2014, a revised ‘Guide to the Audit Process’ was published. This guidance was originally published in 2009.

A key area of investigation in 2014 was inappropriate access to state databases by agents appointed by organisations engaged in the pursuit of debts. A series of audits of credit unions, private investigators, accountants and liability adjusters were undertaken and a number of prosecutions taken as a result of the audit findings. The Audit Team also embarked upon a programme of audits of shopping centres with specific regard to CCTV cameras and the requirement for a CCTV policy to be in place. In addition, one of the largest data brokers in the state was audited in order to ensure its compliance with the principles of fair obtaining and processing as well as direct marketing regulations. In terms of the public sector, an emphasis was placed on citizen-facing services. Finally, a desk-based audit of 20 mobile apps was conducted as part of a GPEN Global Internet Privacy Sweep themed ‘Mobile Privacy.’

LATVIA / LETTONIE

Major developments in the data protection field in Latvia

Riga, 5 June 2015

Regarding the main developments, there is a new function assigned to Data State Inspectorate – certification and supervision of credit information bureaus, according to the Law on Credit Information Bureaus. More information on the practical aspects of the implementation of this function will be provided in the next main developments report.

In order to facilitate personal data protection in practice, there are new regulations in force – Cabinet of Ministers Regulation No.216 of 12 May 2015 “Elaboration and Submission of Personal Data Processing Compliance Report” (text available in Latvian - http://likumi.lv/doc.php?id=274002). These regulations determine which documents should be elaborated by the controller once evaluating the actual personal data processing and its compliance with the provisions of legal acts. The evaluation should be done by the controller:

1) before personal data processing for a new purpose;

2) before implementing amendments to personal data processing that influence the rights or interests of data subjects in the field of personal data protection;

3) based on the own initiative of the controller;

4) upon the request of Data State Inspectorate.

In 2014 there were 907 prior-checkings carried out and 430 investigations regarding the conformity of personal data processing to the requirements of Personal Data Protection Law. In total 1337 control activities were carried out (in 2013 – 677 control activities).

In 2014 there were 523 complaints received from the inhabitants (in 2013 – 362) regarding the possible infringements of Personal Data Protection Law. There were 60 administrative offence cases considered and in 40 cases there have been sanctions applied – in 24 cases fines were applied (the total amount of fines – 30 350 EUR; the biggest fine – 2845.00 EUR) and 16 warnings have been issued.

In 2014 mainly the complaints have been received regarding the following issues:

1) Personal data processing without legal ground (including the cases when the employers have submitted the data of employees to the State Revenue Service without legal ground, thus the employees submitted complaints as they have never been employed with employer concerned, or the employer did not supply the State Revenue Service with the updated information regarding employee; video surveillance without the legal ground and without the notification to Data State Inspectorate);

2) Disproportionate amount of personal data processed for the specific purpose;

3) Information not provided to the data subjected regarding the carried out/ foreseen personal data processing.

One of the issues where Data State Inspectorate indicated a need for conceptual solution in order to minimize the risk regarding illegal personal data processing is related to the complaints regarding incorrect data of the employees in the tax payers register held by State Revenue Service. There has been a tendency for such complaints to increase. Individuals found out that their data have been wrongfully submitted to State Revenue Service when they wanted to receive some social benefits (like unemployment benefit) but were refused of such as according to the information of State Revenue Service these persons still had been employed with the specific employee that they were not aware of. When Data State Inspectorate carried out the investigations regarding this issue in most cases the controller (the employer) could not be reached at the legal address of the controller and the controller did not provide the necessary information for the investigation. Data State Inspectorate will continue its work on this issue in order to foster personal data protection in Latvia.

In comparison to 2013 the number of complaints regarding the video surveillance have increased as well as the video surveillance is used more broadly in daily lives, including those cases when individuals use video surveillance to protect their own property.

The number of complaints regarding the processing of personal data on the internet has not decreased as well. In 2014 Data State Inspectorate has investigated the cases when personal data was published on the internet illegally, in some cases it was done by the third parties to whom the controller has transferred the persona data.

Ensuring supervision of Law on Information Society Services (in context of unsolicited commercial messages) according to the Article 12 chapter 1, in 2014 Data State Inspectorate received 293 inquiries regarding the unsolicited commercial messages. According to the Information Society Services Law, Article 13 chapter 6, Data State Inspectorate has a duty to carry out an investigation if an individual has received at least 10 unsolicited commercial messages within one year from one service provider and if the service receiver has submitted a written complaint to Data State Inspectorate regarding that. In 2014 Data State Inspectorate carried out 5 such investigations. Comparing with 2013, the number of complaints/ inquiries on this subject has not changed significantly. Once submitting the complaint the individuals mainly indicated that the service provider does not provide the un-subscription possibility in order not to receive the unsolicited commercial messages in the future.

In 2014 Data State Inspectorate took 802 decisions regarding the personal data processing notified by the controller and in 218 cases the controllers notified regarding the changes to personal data processing. The number of personal data processing that was notified to Data State Inspectorate was so high due to the legal sectorial requirements for the merchants that sell alcoholic beverages – the video surveillance had to be installed by the controller and the data had to be stored for no less than 7 days. Thus Data State Inspectorate has received 60 % personal data notifications more than expected. In order to facilitate the understanding of the requirements that derive from the Personal Data Protection Law regarding the video surveillance, Data State Inspectorate ensured regular consultations regarding the personal data processing and protection and regarding the controller’s duty to ensure the data subject’s rights and elaborated a standard form for personal data processing.

In order to foster mutual cooperation in the field of personal data protection, Data State Inspectorate of Latvia participated at the annual meeting of the personal data protection supervision authorities of the three Baltic States in Parnu, Estonia ( 26-27 February 2015). The decision was made to perform an annual joint inspection of personal data protection in 2015 in the retail sector regarding the processing and protection of employees’ personal data. In 2014 such a joint investigation was carried out in SPAs and recreational facilities in 2014.

Data State Inspectorate has determined following priorities for the year 2015:

1) To carry out prior-checkings in the risk areas:

- Processing of sensitive personal data;

- video surveillance;

- personal data transfer to “third countries”;

- processing on genetic personal data.

2) To elaborate recommendation on the personal data processing regarding the credit information;

3) Facilitate the cooperation between data protection institutions of other EU member states with a purpose to improve personal data protection in Latvia (especially regarding the personal data processing within the digital single market and by smart information technologies) as well as to get ready for mutual cooperation that is foreseen within the EU Data Protection Reform;

4) To ensure the licensing and supervision of credit information bureaus.

Data State Inspectorate of Latvia

Address: Blaumana street 11/13-15

Riga, LV-1011

LIECHTENSTEIN

Country report

Principality of Liechtenstein

Legal developments

Several articles of the data protection ordinance were amended and entered into force in July 2014. Amongst others, the implementation of special measures regarding technical and organisational measures are now more clearly formulated. The data processing shall be structured in such a manner that, data subjects are able to exercise their rights (intervenability), the processing of the data of data subjects for purposes other than the original purpose is impossible or only possible with great effort (unlinkability) and the processing can be reviewed, examined, and assessed with reasonable effort (transparency).

Other developments

The automatic exchange of tax related data has been on top of the agenda of the Data Protection Office. Following the text adopted by the T-PD last year, the Article 29 Working Party took up this topic in the summer of last year. The ongoing-work is complex and is mainly done in the Financial Matters Subgroup, where the Data Protection Office, as an observer, has taken over an active role. Work is on going. On substance, parallels can be drawn to the “Data Retention” Judgment of the CJEU. Therefore, several questions arise, notably concerning proportionality and data transfers to third countries.

The Data Protection Office followed the ongoing work concerning the data protection reform in Brussels within the given resources. It furthermore participated in the meeting of Cahdata within the Council of Europe.

Awareness-raising activities

At the occasion of the European Data Protection Day, a public event was organized together with the University of Liechtenstein on the subject “Internet of Things – When objects take decisions for us”.

In addition to the Data Protection Day, a recommendation regarding the Internet of Things was published.[1]

For more information, please consult the Internet site of the Data Protection Office on www.dss.llv.li (in German only).

THE FORMER YUGOSLAV REPUBLIC OF MACEDONIA /
L’EX-RÉPUBLIQUE YOUGOSLAVE DE MACÉDOINE

dolgo angliski

REPUBLIC OF MACEDONIA

DIRECTORATE FOR PERSONAL DATA PROTECTION

bul. “Goce Delcev” 18, 1000 Skopje, Republic of Macedonia; tel: +389 2 3230 635; fax: +389 2 3230 635; www.dzlp.mk

Country Report – Directorate for Personal Data Protection, Republic of Macedonia

(June 2014 – June 2015)

Institutional developments:

PROJECTS

1.1 Technical assistance for strengthening the organizational and institutional capacities for protection of personal data

The main goal of this project was further strengthening of the organizational and institutional capacity of the Directorate for Personal Data Protection for better and more effective protection of privacy on social networks, improving the services of social networks in terms of protection of the right to privacy, raising public awareness about the right to privacy when using the Internet, as well as strengthening their knowledge regarding contemporary technological developments and emerging issues related to privacy as cloud computing. With this project, the Directorate for Personal Data Protection provided the support from the Norwegian authorities for personal data protection by creating better mechanisms for the protection of personal data on social networks, raising awareness about privacy and technological development, and capacity building of the Directorate for Personal Data Protection by providing a more efficient way to protect personal information on the Internet and social networks.

During the implementation of the first component of the project related to protection of personal data in social networks, as part of the Directorate rapid intervention team was established in order to respond to the requests of citizens whose personal data or privacy is misued on social networks. The second component of the project was aimed for employees of the Directorate, controllers and processors of personal data, to gain knowledge in Cloud computing and data protection. Within this component analysis of the organizational and institutional capacities for protection of personal data, as well as Survey to measure the level of awareness for cloud computing companies in Macedonia were made, which are now available on the website of the Directorate. Within the project, a delegation from Directorate for Personal Data Protection Director led a study visit to Norway authority for protection of personal data.

In November 2014, two-day final conference of the project dedicated to the challenges of social networks related to privacy and cloud computing was organized. The occasion was used to promote Manual for the manner of handling complaints and requests for determining a violation of the right to privacy and data protection, in context of social networks and work in "cloud".

1.2 Project “Privacy Lessons”

In the period from September 15 to December 1, 2014, the Directorate for Personal Data Protection in partnership with the City of Skopje, the OSCE Mission in Macedonia and Foundation Metamorphosis-for Internet and Society implemented the project "Class privacy".

As the main instigator of the idea of starting such a project was undoubtedly the increased number of complaints received about personal data abuse on social networks, for invasion of privacy, as well as statistics that proves the lack of privacy policies by children, parents, teachers, the indicative use of hate speech, expression of lies in cyberspace among different ages and nationalities.

Towards the successful planning and implementation of the planned activities of the project, DPDP approached to partnership with the OSCE Mission in Skopje Department of rule of law, the Metamorphosis Foundation for Internet and Society and the City of Skopje as a responsible for 21 secondary schools in its area where it was planned to implement activities.

During the implementation of the project lectures were conducted in all 21 secondary schools in the territory of Skopje, where students had the opportunity to familiarize themselves with the terms personal data, privacy, protection on social networks, spreading hate speech, which should register if they suspect the abuse of personal data, for video surveillance in schools, for their rights, but also obligations to store their, and others' personal data. Particular interest was shown by the students about examples of the practice of the Directorate for Personal Data Protection, as well as issues of setting up video surveillance in school and / or classroom, examples of practice for teachers of Personal Data Protection, prevention of hate speech on the Internet.

Apart from the lectures at all secondary schools special information corners with brochures, flyers, content, information on how to act if their personal data is misused, hate speech, etc. were placed.

The project will contribute to a sustainable cooperation with the Ministry of Education and Science and the Bureau for Development of Education, developing a comprehensive approach to the introduction of the right to privacy in the curriculum, encouraging not only youth, but also teachers and parents to participate in the creation new curricula by sharing experiences and views with good building practices, raise awareness about the protection of personal data of all target groups (institutions, students, teachers and parents). For this purpose, it is crucial to continue these activities, not only on the territory of Skopje, but also on national level.

1.3 Campaign “The key to good service is In Your Hands"

On 10th November, 2014 the Directorate for Personal Data Protection and EVN Macedonia started the project "The key to good service is In Your Hands".

The aim is to raise awareness among citizens about the need to update their personal data as users of the EVN Macedonia, as well as their obligations to provide personal data in the context of the exemptions from the application of the Law on protection of personal data.

It is believed that with this project, the DPDP with EVN will achieve harmonized protection of citizens' personal data, and emphasize the need to update the collection of personal data among providers of public services, with a goal of better protection and improvement of the service.

The Directorate for Personal Data Protection with this project also promoted its official mascot "PRIVATKO" that will be used in various campaigns, publications, conferences, congresses, seminars, promotional events in order to raise public awareness on the personal data protection.

1.4 Campaign “You’re safe”

In the period from 16 to 28 May 2014, the Directorate for Personal Data Protection in partnership with 13 insurance companies and two brokerage companies, supported by the National Bureau of Insurance Supervision Agency realized the campaign "The must have! The campaign was aimed at raising awareness among insured about the degree of protection to the processing of their personal data by all entities in the insurance sector, in order to increase the scope of the insured as life and non-life insurance in the Republic of Macedonia, on the rights and obligations for protection of personal data when the contract for insurance (life and non-life) is made.

As a result of the conducted campaign "You’re safe! - By the Directorate for Personal Data Protection in collaboration with partners of the campaign a manual for the protection of personal data in the sector – insurance was prepared.

1.5 Celebration of the European Day for the Protection of Personal Data- January 28^th

The Directorate for Personal Data Protection celebrated the European Day of Data Protection, January 28, by organizing national conference to present the results of the completed project "Sustainable system for continuous primary and secondary education in the principles of protection of personal data", funded by the European Union through the IPA 2009^th. Representatives from the Ministry of Education, Bureau of Educational Development, the EU Delegation in Macedonia and the project team of Directorate addressed the objectives of the project in order to raise public awareness and education of the teachers for the protection of personal data and presentation the results of the workshops under the project.

The occasion was used to promote "Manual for teachers to study the protection of personal data in primary and secondary education" and recommendations were made for further action to enter the curricula and content for the detailed study of the right to privacy and protection of personal data in a separate study subject in the educational process. The results from the project “Privacy is mine, although I am a child” were also presented at the conference. Namely, this project, aimed at primary school students happened as collaboration between the Directorate and “Prosvetno delo”.

1.6 26th Workshop for acting upon cases (Case Handling Workshop) under the auspices European Conference, which was held in Skopje between 6 to 7 October 2014.

Workshop (CHWS) is a series of events organized by the authorities for data protection, once a year in different Member hosts, in order to exchange ideas, experiences, knowledge, and information practical issues at the operational level. The workshop is a subset of the spring conference e bodies for data protection. This year the Directorate for Protection data hosted the representatives of the authorities to protect data internationally, the EU, the European Commission and the European Protection Supervisor Data attend.

The workshop has no authority to make its own policies, prepare reports and it is not meant to be a forum where you make decisions. Focus the workshop is to review the practical aspects of everyday bodies’ data protection, operational procedures and exchange of national experiences and best practices. Different types of problems can be discussed concerning the type of complaints, investigations and enforcement of legal responsibilities, the application of certain legal provisions or procedural issues, communication questions etc.

EVENTS

- TAIEX Workshop – Privacy by measure, impact assessment privacy and technology issues involving the privacy, July 2014

- TAIEX Expert mission "Protection of personal data against media “July 2014

- TAIEX Expert mission "Establishing a legal basis for the implementation of on-line inspection “, September 2014

- DPDP hosted 26^th Case Handling Workshop, 06 – 07 October 2014

- Study visit for the implementation of the e-privacy with special emphasis on "cookies”, November 2014

- Spring Conference of European authorities for the protection of personal data in Strasbourg, France

- Study visit of the project "Continuing activities within Sustainable start learning about the EU and training system " - Module" Justice and Internal police works"

- Regional training on "Personal data protection“ in Tirana, Albania

- Participation at 28th International conference Info-tech 2014 in Varna, Bulgaria

- Participation at the final conference of the PHAEDRA project in Krakow ,Poland

- Participation at CIS Forum in October 2014 in Albania

- TAIEX Study visit in Bulgaria on "Joint activities bodies to protect personal data - common supervisory inspection

- TAIEX Workshop on "European Privacy Seal “ - February 2014

- TAIEX Study visit to Finland on "The protection of personal data communication to employees “

- TAIEX Study visit to Germany on "The protection of personal data of asylum seekers”

- TAIEX Workshop on "Computer for rapid intervention teams (CERTs) and protection of personal data”

- TAIEX Expert mission to create and implement training for protection of personal data

- TAIEX Workshop on "Protection of personal data and cloud computing"

- TAIEX Workshop – Privacy by measure, impact assessment privacy and technology issues involving the privacy

- TAIEX Expert mission "Protection of personal data against media “

- TAIEX Expert mission "Establishing a legal basis for the implementation of on-line inspection

- TAIEX Study visit for the implementation of the e-privacy with special emphasis on "cookies

INSPECTIONS

One of the core competencies of the Directorate for Personal Data Protection, as an independent state authority, is supervision of the legality of the actions taken in the processing of personal data and protection. As an essential tool for the implementation of this competence of the Directorate established by Article 37 of the Law on Personal Data Protection are the supervisions performed by inspectors from the Sector for implementing inspections with the two sections. Inspections are planned on an annual basis, according to areas, with a program that is made at the end of the current year for the following year, and implemented through monthly plans for inspection in which controllers are specified, the collections that are subject to the audit and the date of the start of the inspections.

Also, the Directorate conducts extraordinary inspections on applications submitted for violation of the right to personal data protection and on an initiative from a state authority, legal entity or a physical person, or on a suspicion for violations of the provisions of the Law on personal data protection. The Directorate also conducts supervisions when after an executed inspection the injures set by the inspectors won't be removed by the deadline.

In 2014 were carried out a total of 404 inspections, including 314 regular, 81 extraordinary and 9 control inspections. Thus throughout the reporting period (September 2014 - April 2015) a total of 275 inspections, of which 229 regular, 42 extraordinary and 4 control inspections are carried out. There has been an increase in the number of extraordinary inspections which indicates the increased awareness of the citizens of their right to privacy and personal data protection in this context, which means the right to personal data protection, is already a reality in the country. Statistical review of performed supervision according the years, shows continued growth in the number of conducted inspections due to increased capacity and efficient operation of the inspectors in the Directorate, and the growing awareness of citizens to recognize the violation of personal data protection and report to the Directorate as a relevant authority in order to be sanctioned.

SIN- INSPECTION SOFTWARE

In 2011 began operating the inspection software for implementation of electronic management of the inspections. The software, which is designed according to the specific needs of the Directorate’s inspectors, is in function of providing more efficient and economical management of the inspection procedures, planning inspection and generating documents and reports on specific parameters for different purposes and needs. During 2014 with a certain configurations were made a series of improvements of the software, all in order to provide more effectively generated statistical data for the development of quantitative analyzes and reports on the inspections.

COMPLAINTS

The Directorate for Personal Data Protection, as an independent authority, within its powers acts upon complaints and proposals of citizens of Republic of Macedonia. In the reporting period 2014 to Directorate for Personal Data Protection were filed a total of 371 complaints, of which 331 from physical entities, 36 from legal entities and 4 anonymous submitters. Of the total number of complaints received, 2 were forwarded to the competence of another authority while others are in the area of personal data and from these five complaints were transferred to Sector for implementing inspections for further acting upon them. As of 31.12.2014, from the total number of complaints 15 of them had an ongoing settlement procedure and are transferred to be finalized in 2015. In the other cases was acted within the legal deadlines and were determined.

The large number of complaints to the Directorate indicates having a high level of public awareness of the existence and significance of the right to personal data protection, and also recognition of the Directorate for Personal Data Protection as a competent authority to act upon complaints. The fact that only 89% (331 out of a total of 371) of the complaints received are from individuals indicates successful implementation of a number of campaigns, initiatives for promotion of the right to personal data protection of, dissemination of info materials in2014, with the aim of increasing public awareness of the right to personal data protection, that the citizens have. Compared with 2013, according to analysis and observations done by the Directorate, the number of received complaints has noted a slight decline, but the result shows an increasing awareness among citizens, as well as the intensive education and training completed for controllers of personal data in order to properly collection and process personal data and respects the right to privacy.

Regarding the manner of filing, 125 of the complaints were written 245 electronically and 1 orally, by telephone. Out of these 371 complaints, 54% i.e. 202 complaints were concerning the misuse of personal data on social networks. For deleting a fake Facebook account were submitted 130 applications, 12requests to delete fake profiles of minors on this network, also for hacked profile's username or password were submitted 47 requests. Ten complaints concerning removing content from Facebook and three for removing content on other social networks. For hacked profile's username or password were submitted 47 requests.

OPINIONS

In accordance with the Rules of Procedure of the Government (Article 68, paragraph 1 point9), the Directorate for Personal Data Protection in reporting 2014 issued professional opinions on materials, draft laws, bylaws and other proposals regulations relating to the personal data protection. Since 2011is also used ENER, the only Electronic Register of Regulations, a tool designed for electronic access to information of the citizens, NGOs, chambers of commerce, business chambers, business associations and legal entities, representatives of government and separate ministries for the new proposal legislation. Ministries are required to publish on ENER all the proposal laws, drafts and draft laws, except of the laws that are passed under the emergency procedure, and make them available for comment, they have 10 days for publication. The Directorate for personal data protection in the report 2014 has issued 27 opinions on drafts and draft laws from different line ministries, or authorized bodies, of which 13 posts under the laws of ENER.

On applications received from the other state authorities, in 2014 the Directorate published28 posts on materials, by-laws and other regulations, 4 of which are concerning the bilateral agreements in which the Republic of Macedonia is a party. Therefore, the total number of issued opinions on materials, draft laws and regulations during the reporting 2014 is 55 issued posts. In the previous year, were issued a total of 38 posts, in 2014 was noticed an increase of 45% to the total number of issued opinions, indicating that the Directorate for Personal Protection data has built are cognition of an institution consulted on materials, proposal laws, regulations and other draft regulations concerning personal data protection.

TRAINING FOR CONTROLLERS AND PROCESSORS

Given the need for education in the field of protection of personal data in order to improve the quality of data protection in the Republic of Macedonia by the controllers and processors of personal data collections, as well as raising public awareness in general, Directorate for personal data protection in 2014, organized and conducted trainings for controllers and processors of personal data collections. The trainings were conducted in accordance with previously established annual training program and the Guidelines on how to organize and conduct training for controllers and processors. In 2014 the total number of trainings organized and conducted amounted 53 trainings for secrecy and protection of personal data processing attended by 903 participants in total.

Following the development of modern technology which further rise the question of security of Internet communications and data protection in general, the Directorate for Personal Data Protection of the Republic of Macedonia in cooperation with the EC Council Semos education conducted 13 certified training for digital security of computer users - CSCU, where 152 participants gained knowledge and skills on how to protect their computers and electronic data, and thus to reduce vulnerability and increase the level of security of their privacy.

In 2014, with the support from USAID two workshops were organized on the protection of personal data in the courts, one for the presidents of the courts, the second for administrators.

INTERNATIONAL COOPERATION

8.1 Activities related to the process of EU integration - Report of Progress for 2014 by the European Commission

Directorate for protection of personal data contributes to Report Progress for 2014 by the European Commission through the submission of the report on the current situation in the field of protection of personal data. According to the report for 2014 adopted by the European Commission, the Directorate received a positive assessment of their work and the results achieved in 2014. The section dedicated to the progress of the Directorate, as it follows: “The Directorate for Personal Data Protection further increased the number of inspections carried out, of which 60 % were conducted in the private sector and 40% in the health sector and judiciary. Almost half of these inspections confirmed violations. The number of complaints to the Directorate remained stable at 404 in 2013, of which 62 % related to the abuse of data on social networks. Overall, the number of detected and confirmed violations increased almost five-fold, from 56 in 2012 to 254 in 2013 as a result of the Directorate’s proactive approach. Public awareness-raising activities also continued, resulting in a 30 % increase in visitors to the Directorate’s website. The number of data protection controllers and officers has increased and their training has been improved, but four staff also left.

The Directorate submitted its first report to Eurojust on personal data protection in the public prosecution system. Sector-specific legislation is still not harmonized with data protection legislation and far greater efforts need to be made to ensure that the Directorate is systematically consulted on any new policies and draft legislation. Some further fine-tuning of the data protection legislation is also needed to bring it fully into line with the acquis.

8.2 Consultative Committee of the Council of Europe to protect the individual from automatic processing of personal data T-PD

During 2014, the Directorate took active participation in the Committee on the second and third working meeting held in the reporting year, and were focused on the revision and modernization of the Convention 108. The final meeting of the subcommittee for the protection of personal data final reading of the proposals to modernize the Convention was performed, as well as new directions were made in context of the adoption of the Convention at the meeting of the Ministerial committee , within the council of Europe. According the work program 2012-2013 of the Consultative Committee of Convention 108 in the section entitled "other work"- proposal for reviewing the implementation of Recommendation no. (97) 5 on the protection of medical data and new forms of processing of medical data, a questionnaire was prepared, with the sole purpose of identification of the new trends in the field, as basis for further update of the database. The Directorate for Personal Data Protection approached to distribution of a questionnaire to healthcare organizations on the territory of the Republic of Macedonia and answered questionnaires were collected and forwarded to the Council of Europe. There were 10 questionnaires collected from the public and private health institutions in the Republic of Macedonia.

8.3 Article 29 Working Party

The Directorate has observer status in the Working Group 29. During 2014, the Directorate has made commitments to participate in the work of this very important body for the protection of privacy. Representatives of the Directorate attended all meetings of Article 29. Participation has enabled recognition of the professionalism of the Directorate and opened the doors for direct bilateral and multilateral cooperation with other participants. The exchange of views within the meetings of the Working Group is essential to find suitable mechanisms to implement legislation to protect personal data. Also, regular attendance and active participation of the Directorate of all meetings of the Working Group 29 in 2014 achieved timely monitoring of developments that will be covered by the new legislation on protection of personal data in the European Union, the adoption of which is expected in the next period.

8.4 Cooperation with OSCE

The Directorate for Personal Data Protection and the OSCE Mission in Skopje, Department of rule of law, through the exchange of letters, expressed commitment to implement a series of activities within the project "Privacy classes- implemented in secondary schools in the City of Skopje. Namely, the OSCE Mission in Skopje is committed to supporting this initiative of the Directorate for protection of personal data which arise according to the analyzes that are conducted in the past, and the number of complaints received by the citizens. The initiative was met with a nod from the Ministry of Education and Science, Bureau for Development of Education and the City of Skopje. This collaboration resulted in the implementation of joint activities to raise awareness of the implementation application of regulations on protection of personal data they are expected to continue in 2015.

8.5 Cooperation with the UNICEF Office in Macedonia

The Directorate for Personal Data Protection and the Office of UNICEF in the Republic of Macedonia expressed willingness to cooperate and implement a series of joint activities, especially in the assessment and analysis of the institutional response to the protection of children's rights. Namely, the Directorate considered it more than needed to engage in activities aimed at getting analyzes as well as to the way to improve and strengthen the institutional response to the protection of children's rights, taking into account the attention and efforts towards that Directorate was focused in the last period, which relate to raising awareness of young people about the protection of personal data and continuously develops initiatives to popularize the right to privacy and the safe use of social networks. The message was recognized and acknowledged by the UNICEF office in the Republic of Macedonia expressed declarative commitment of both sides to cooperation that has the potential to bring about positive changes in the field of protection of children's rights. This collaboration is expected to result in the implementation of joint activities in the field of protection of children's rights, but summarize the results of the analysis of the subject makes the UNICEF Office in Macedonia and those results are expected in 2015. The results of this analysis will be appropriately incorporated into the strategy of the Directorate from 2015 to 2020.

8.6 Inter-ministerial body for human rights

The Directorate is one of the 12 representatives in the Inter-Ministerial Body for Human Rights, and during 2014 one meeting was held. Beside other topics, At the sessions of the Inter-ministerial body for human rights was discussed for the review of the reporting obligations of the Republic of Macedonia in terms of international human rights instruments, the Republic of Macedonia's candidate status to join the UN Human Rights Council for 2014 - 2016, the review of current liabilities of the country in the field of human rights in the context of EU integration, the government's program of cooperation with UNICEF, the proposed measures to ensure the accreditation with status "A" of the Ombudsman by the International Coordinating Committee of National institutions for the Protection and Promotion of human rights (Paris Principles compliance), recording hate motivated cases by relevant institutions, initiating procedures for signing and ratification of international agreements in the field of human rights by the Republic of Macedonia and reports from visit of the mechanisms for monitoring of UN and the Council of Europe. It was also discussed the possibility of ratification of some important international instruments in the field of protection and promotion of human rights, such as the Convention of the Council of Europe on preventing and combating violence against women and domestic violence, better known as the Istanbul Convention, as well as the obligations Macedonia has in context of international human rights instruments, including current obligations in the field of human rights in the context of EU integration.

AUSTRALIA / AUSTRALIE (AFP / APF)

http://www.privacy.org.au

[email protected]

http://www.privacy.org.au/About/Contacts.html

Significant privacy/data protection developments in Australia 2014-15

Graham Greenleaf, Professor of Law & Information Systems, UNSW Australia
on behalf of the Australian Privacy Foundation (International Committee) – 22 June 2015

Prepared for Council of Europe Convention 108 Consultative Committee, 32nd Plenary Meeting. This report follows the Foundation’s report to the Consultative Committee dated 22 May 2014.

Data retention legislation enacted

On 26 March 2015 Australia enacted the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. It requires ISPs and telcos to retain ‘metadata’ (now defined in the Act) for two years (but without a requirement to then delete it). Stated to be excluded are ‘information about telecommunications content’ or ‘information about subscribers’ web browsing history’, or communications that pass “over the top” of the underlying service the service provider provides, or location information which goes beyond what the service provider uses to provide the service.

A Communications Access Co-ordinator who will supervise a complex scheme of approving data retention plans submitted by service providers, after they are considered by enforcement and security agencies. Twenty organisations or classes of organisations (intelligence agencies plus fourteen ‘criminal law enforcement agencies’) will not require a warrant to access such metadata. The Minister can add other agencies temporarily. Warrants may be required to access metadata of journalists’ sources.

For details see G Greenleaf ‘Going against the flow: Australia enacts data retention law’ (2015) 134 Privacy Laws & Business International Report, 26-28.

Mandatory data breach legislation promised

As yet Australia only has a voluntary DBN scheme administered by the Privacy Commissioner, who received 104 voluntary notifications in 2014, and accepted one resulting enforceable undertaking.

As part of the political compromise to get the data retention Bill through the Senate, the government accepted a recommendation by a Parliamentary Joint Committee (the PJCIS) to introduce a mandatory data breach reporting (MDB) scheme by the end of 2015. However, the PJCIS did not specify details, so it is unknown whether the new MDB Bill will resemble the previous Labor government’s unsuccessful 2013 Bill (Privacy Amendment (Privacy Alerts) Bill 2013).[2] It is assumed that such an obligation will be imposed not only on ISPs but on all parties (public or private sector), and would apply to all metadata (whether or not it is ‘personal data’).

The 2013 Bill contained various privacy-protective features. It required notification of serious data breaches (SDB) to the Commissioner and either (i) to individuals or (ii) by publication. Failure to comply with the DBN requirements would make all Privacy Act enforcement measures applicable, including actions for damages (potential class actions). This would make DBN in effect the 14th Australian Privacy Principle (APP). A weakness of the 2013 Bill included that the exemption from the Privacy Act for ‘small businesses’ (under $3M turnover) would continue, irrespective of the amount of personal data lost. Also, unless the Commissioner republished all SDB Notices, they would be lost and independent monitoring would not be possible: a transparency deficiency.

Privacy Commissioner makes enforceable decisions

Prior to 2014 Australian Privacy Commissioners made almost no use of their power (existing since 1988) to make formal decisions (‘determinations’ under s.52 Privacy Act 1988) enforceable by a court. From 2001(when the private sector came within the Privacy Act) to 2013, successive Commissioners made only 8 determinations (about 0.6 p/a). In 2014-15 the Commissioner has made 8 determinations, most of which have included awards of compensatory damages. These have included:

DK and Telstra [2014] P wanted phone line for alarm system; not told his name and address would appear in White Pages; A$18K damages for non-economic loss, and Telstra was required to ensure all future applicants informed, and given option of a silent line.

CP and Dept. Defence [2014] A$5K non-economic loss where specialist disclosed psychiatric report to GP after agreeing not to.

BO and Aerocare P/L [2014] A$8,500 non-economic loss where sensitive data about a disabled person was disclosed at an airport.

EZ and EY [2015] A$6,500 damages where P’s Dr was asked by Police whether P was ‘psychotic’, replied that it was possible; defences concerning immediate risk of harm not available.

EQ and GBR Marine Park Authority [2015] A$5,000 damages for confirming to a newspaper that P was under investigation for an offence, outside statutory conditions allowing deterrent disclosure of offences.

CM and Diocese of Bathurst [2014] A$7,500 damages for inadequate security over documents in sex abuse investigation.

In other countries, a small number of binding decisions resulting in modest payments of damages (average A$5K) would not count as an important development, but in Australia they are a significant change. (All of the decisions may be found in the International Privacy Law Library.)

Grubb v Telstra: metadata is personal information

The most important s.52 determination by the Commissioner is Grubb and Telstra [2015] AICmr 35, which is now being appealed. Journalist G required telecommunications carrier Telstra to provide access to the ‘metadata’ of his phone calls. To be ‘personal information’ under the Privacy Act, G’s identity had to be ‘reasonably ascertainable’ from the data. The Commissioner decided that: (i) If Telstra could identify individuals from such data on request by police and intelligence agencies (as it did very frequently), then it was also ‘personal information’ for access purposes; (ii) it was not burdensome to Telstra to do provide such data, given its size, specialist staff and equipment for this purpose; but (iii) incoming calls were exempt from access, because disclosure of accidental callers would interfere with privacy of others.

This decision has major implications for data analytics, because it makes such ‘metadata’ count as ‘personal information’ for all privacy principles, not only access, including those concerning collection, use, disclosure, deletion and security. Telstra’s appeal is also likely to result in the first significant court interpretations of the Privacy Act in its 25 year history.

Use of new enforcement powers in Privacy Act 1988 (March 2014-May 2015)

The above enforcement decisions did not involve the Commissioner using any of his new post-2014 enforcement powers, and did not involve the amended privacy principles (APPs) (see previous report). They give some indication to business and government, however, that the Privacy Act may be enforced more strongly under the post-2014 regime than before. The Commissioner’s only use of his new powers in their first year of operation has been to accept one enforceable undertaking (from a telecommunications carrier).

Law reform report into ‘serious privacy invasions’ (tort/civil action)

Australia does not have any of (i) constitutional protection of privacy, or (ii) a tort (civil action) ‘right of privacy’ or even (iii) the extension of breach of confidence to protect privacy (as in the UK). However, in a recent ‘revenge porn’ case (Wilson v Ferguson [2015] WASC 15) the Western Australian Supreme Court decided that sexual images provided by the plaintiff to the defendant are confidential, and awarded A$50K (£25K) damages for their disclosure via the Internet.

The previous Labor government gave a reference (request for a report) on ‘serious invasions of privacy’ to the Australian Law Reform Commission (ALRC) in 2013. The ALRC delivered its report in 2014 to the new Coalition government, which was not interested in taking action on the report, so any legislative development must await a future government. Key recommendations of the ALRC report included that a statutory tort of ‘serious invasion of privacy’ should be enacted, covering (a) intrusions on seclusion (physical, or by surveillance) of P’s private activities/affairs; and (b) misuse of private information about P. It recommended that the statutory tort should be actionable only when three factors applied: (i) when the plaintiff had a ‘reasonable expectation of privacy’; (ii) for intentional or reckless conduct (not negligence); and (iii) where the invasion is ‘serious’ (with an inclusive list of relevant factors to be included in the legislation). No further developments are expected under the current government.

For further details see Serious Invasions of Privacy in the Digital Era (ALRC 123 Summary) at <https://www.alrc.gov.au/publications/serious-invasions-privacy-digital-era-alrc-123-summary>.

Incomplete abolition of the Australian Information Commissioner

The government attempted to abolish to position of Information Commissioner, but cannot get its legislation through the Senate. The Information Commissioner, Professor John McMillan AO, has been appointed as the Acting NSW Ombudsman from 1 August 2015 for 2 years, and the government is considering acting Information Commissioner arrangements. The Privacy Commissioner now acts separately, as was the case before the Information Commissioner existed.

[1] http://www.llv.li/files/dss/pdf-llv-dss-empfehlung-zum-internet-der-dinge.pdf.

[2]See Mary-Anne Nielsen (Australian) Parliamentary Library Bills Digest: Privacy Amendment (Privacy Alerts) Bill 2013, BILLS DIGEST No. 146, 2012–13, 19 June 2013; Graham Greenleaf ‘Privacy enforcement in Australia is strengthened: gaps remain’ (2014) 128 Privacy Laws & Business International Report 1-5