This Report was published by Georgian Young Lawyers’ Association in the framework of the project “Support to Establish Transparent and Accountable Governance in Georgia” financed by Open Society Foundations (OSF).
Georgian Young Lawyers’ Association is responsible for the Report and it does not necessarily reflect the position of the donor.
Author: Editor: Tech. Editor: Responsible for Publication:
SOPHIO CHARELI KHATUNA KVIRALASHVILI IRAKLI SVANIDZE TAMAR GVARAMADZE SULKHAN SALADZE
Was edited and published in the Young Lawyers’ Association 15, J.Kakhidze st. Tbilisi 0102, Georgia (+995 32) 295 23 53, 293 61 01 Web-page: www.gyla.ge E-mail: gyla@gyla.ge
Copying and dissemination of the publication for commercial purposes without GYLA’s written permission is prohibited.
© 2014, Georgian Young Lawyers’ Association
CONTENTS
1. INTRODUCTION ... 5
1.1. Substance of the Research ... 5
1.2. Methodology ... 5
1.3. Key Findings ... 6
2. THE LEGISLATION OF GEORGIA ... 6
2.1. Appointment of the Inspector ... 7
2.2. Dismissal of the Inspector ... 8
2.3. Financial and Organizational Support to the Inspecting Authority ... 9
2.4. Providing Consultations on the Issues Relating to the Personal Data Protection ... 10
2.5. Consideration of the Applications/Complaints Related to the Data Protection ... 10
2.6. Examination of the Legality of the Personal Data Processing in the Public and Private Sectors ... 10
2.7. Measures Applied by an Inspector for Implementing the Law ... 12
2.8. Raising Public Awareness ... 12
3. INTERNATIONAL EXPERIENCE ... 14
3.1. Protection of the Personal Data in the EU and its Member States ... 14
3.1.1. Experience of the EU and the Member States ... 14
3.1.2. Personal Data Protection Legislation in Relation to the Labor Relations ... 21
3.1.3. Problematic Issues in Terms of Personal Data Protection ... 22
3.1.4. Best Practices ... 23
3.1.5. Amendments Planned by the EU ... 24
3.2. Proportionality Test ... 25
4. CONCLUSION AND RECOMMENDATIONS ... 29
1. INTRODUCTION

1.1. Substance of the Research

There is a “Firm belief that there can be no trust of citizens towards Europe if we do not remain vigilant in ensuring that personal data are protected against unauthorized use, and that citizens have the right to decide themselves whether or not their data are processed.”1 Such an approach once again underlines the importance of creating proper guarantees for the personal data protection, whether in Europe or worldwide. European integration, being one of the main international aspirations of Georgia, makes it especially important to work towards improvements in this sphere. The planned procedure of signing the Association Agreement2 further emphasizes the importance of the issue; the issue is addressed in Article 14 of the initial text, according to which the parties to the Agreement have the obligation to take all possible actions to create the proper system for the personal data protection3. Recently, the national legislation of Georgia on personal data was amended, which entailed enactment of the new law and appointment of the Personal Data Protection Inspector4. Introduction of the monitoring body is a novelty to Georgia and there has been no prior experience of supervision in this field, which makes it especially important to examine all of the preconditions for effective operation of the supervising body. It is especially important considering the experience of various states, which shows that successful implementation of the legislative provisions is crucial for the proper operation of the Personal Data Protection Inspector.
Since the law of Georgia on the “Personal Data Protection” and the subsequent introduction of the inspecting authority are a novelty to Georgia, Georgian Young Lawyers’ Association (GYLA) aimed at analyzing the legislation and the existing practices and examining them in the context of international experience, in order to evaluate the effectiveness of the newly created institution and to elaborate recommendations for its further enhancement and improvement.

1.2. Methodology
While working on the present research GYLA applied the following methodology:
1) The legislation of Georgia on the personal data protection was analyzed; the legislation includes the law of Georgia on the “Personal Data Protection” and the Resolution #180 of July 19, 2013 of the Government of Georgia on the Establishing the Statute on the Operation and Implementation of Duties of the Personal Data Protection Inspector (Further – Statute on the Operation of the Inspector). All of the articles relating to the operation, scope of authority and the rules of functioning of the Personal Data Protection Inspector were examined.

2) The following public information, reflecting the time period between July 1, 2013 and January 16, 2014⁵, was requested from the Personal Data Protection Inspector’s office and further processed:
• The number of complaints and applications submitted to the Inspector’s office, the issues mentioned in those complaints and applications, and the information regarding the decisions made in response to those complaints and applications;
• The information about the institutions in which the legality of the personal data processing was examined (inspected) by the Inspector, along with the copies of the decisions made as a result of the inspections;
• The information regarding the activities undertaken by the Inspector to inform the society of the personal data protection environment and the relating important events;
• The list of those public and private entities which received consultations on the issues relating to the personal data protection;
• The staff list approved by the Personal Data Protection Inspector and information on the number of those persons who were employed at the Inspector’s office during the reporting time period;
• The copy of the expenditure estimates submitted by the Personal Data Protection Inspector;
• The information about the received grants and their amounts (if such exist);
• The information on the amounts of funding received by the Inspector and the Inspector’s office within 2013 and 2014 and the sources of the financing (separately for each year);

1 The Commissioner for justice, fundamental rights and citizenship; European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxembourg: Publications Office of the European Union, 2010), 5;
2 The currently available version of the Association Agreement is intended for information purposes only and this version does not confer any rights nor create any legally binding obligations on the parties. However, the document allows identifying the priorities which will be included in the final version of the Agreement;
3 http://www.eeas.europa.eu/georgia/assoagreement/pdf/ge-aa-title-iii-justice-freedom-security_en.pdf;
4 Further referred to as “Inspector”, which is the supervising/monitoring authority;
5 The reporting period of requesting public information was defined based on the date requested under the statement and the document confirming the registration of the public information request;
3) The environment, the shortcomings and the weaknesses existing in the EU member countries, as well as the combination of all those elements which may be regarded as the preconditions for establishing the best practices, were examined. Also, the problematic aspects of the personal data protection, the need of applying the proportionality test6 and the issues relating to its formulation were further analyzed.

1.3. Key Findings
The present research revealed a number of important facts:
• The legislation of Georgia on the personal data protection is not comprehensive or complete and requires more concreteness in a number of cases;
• The legislation of Georgia does not provide the rules, guidelines or instructions regulating various sectors (labor, public health, etc.), while the international experience indicates the necessity of such instructions;
• The rules of appointment, dismissal, provision of financial support and overall operation require further improvement towards ensuring the absolute independence of the Inspector;
• The legislation of Georgia does not specify the legal nature of the Personal Data Protection Inspector;
• The legislation on personal data protection excludes specific spheres from its coverage, such as: processing the personal data for the purposes of court proceedings, public and state security (including economic security), self-defense, operative investigation activities and investigation of violations;
• According to the existing practices of the personal data protection, a number of legislative provisions have not yet been implemented;
• The legislation of Georgia does not provide for the public interest test; therefore, the Personal Data Protection Inspector is deprived of the possibility of making an evaluation based on weighing the state interests against the public interests in each specific case;7
• According to the examined international practices, the independence of the Personal Data Protection Inspector is usually guaranteed at the constitutional level or is derived from its distinctly elaborated legal nature;
• The international practices indicate that the appointment of the Personal Data Protection Inspector should be the prerogative of the legislative branch of the government;
• The international practices further demonstrate that the personal data protection legislation should not aim at exclusion of any sphere from its coverage;
• According to the international practices, the personal data protection does not represent an absolute right; therefore the personal data protection should be regarded in the context of other fundamental rights, which is possible through applying the proportionality test.

2. THE LEGISLATION OF GEORGIA
The right to private life is an indispensable part of the concept of the democratic state and its protection is guaranteed under several provisions of the Constitution of Georgia8. The right to private life has a broad and comprehensive meaning; the right consists of many components and, among others, includes the protection of the personal data. Apart from the general provisions within the Constitution of Georgia, the issue is thoroughly regulated under a number of legal regulations. It is notable that the legislation regulating the personal data protection underwent significant progress during the last couple of years; the law on the “Personal Data Protection” was enacted on December 28, 2011, which further resulted in introducing the amendments to the General Administrative Code of Georgia.9 There were a number of preconditions for those processes, the main of which was the incomplete nature of the existing legislation. The scarce provisions of the General Administrative Code of Georgia, covering the public entities only, were not enough for the comprehensive regulation of the field; the provisions aiming at protection of the personal data in the private sector10, being scattered across different laws and regulations, were not able to set the environment.

6 The proportionality test (public interest test) does not refer to the “proportionality between public and private interests” as set forth in Article 7 of the General Administrative Code of Georgia. For further information, see Part 3.2. of the present research;
7 The mentioned provision does not refer to the proportionality principle prescribed under paragraph “c” of Article 4 of the law of Georgia on the “Personal Data Protection”, based on which an inspector has the authority to examine the adequacy and proportionality of data processing in relation to the goal. See Section 3.2. of the research for additional information on balancing the state interests against public interests;
8 Articles 20, 41 and 16 of the Constitution of Georgia;
9 The law of Georgia #6327 of May 25, 2012 on the “Amendments to the General Administrative Code of Georgia”;
10 Organic Law of Georgia on the “Commercial Banks”, Law of Georgia on the “Rights of the Patient”;
Therefore, the existing legislation did not meet the European standards, while the international obligations undertaken by Georgia11 have shown the necessity of improving the national legislation. It is noteworthy that according to the Explanatory Note, “the comprehensive regulation of processing, storing and protecting the personal data, creating the proper protection mechanisms and complying with the international obligations undertaken by Georgia” were named to be the reasons for the enactment of the new law. The content of the law on the “Personal Data Protection” is quite innovative and may be considered a step forward in regulating this sphere. The law includes such components as a thorough interpretation of the personal data related terminology, introduction of the concept of the Data of Special Category, elaboration of the principles and grounds for processing the data, elaboration of the rights and obligations of the data subjects12 and of the data processors,13 and other issues. Apart from the mentioned, the law introduces one of the most important novelties – creation of the Personal Data Protection Inspector, the main duty of which is ensuring implementation of the law and supervising compliance with the law.
According to Article 31 of the law of Georgia on the “Personal Data Protection” – “In exercising his/her powers an Inspector shall be independent and shall not be subordinated to any other public official or body.” The state is obliged to create a proper environment for the Inspector to exercise absolute independence in implementing the duties. Achieving this goal mainly depends on the quality of the appointment procedures, dismissal procedures, provision of financial and human resources and the scope of the Inspector’s authority. Therefore, we have examined all of the mechanisms provided under the law which create preconditions for the effective operation of the Personal Data Protection Inspector.

2.1. Appointment of the Inspector14
According to the law of Georgia on the “Personal Data Protection”, the Inspector is appointed to the position through an open competition. The Prime Minister establishes the competition commission; the commission is composed based on the proportionality principle and consists of the representatives of the Executive Branch, the Parliament, the Judiciary Branch, the Ombudsman and the Non-Governmental Sector of Georgia. The competition commission nominates the potential Inspector with a simple majority of votes and proposes the candidate to the Prime Minister, who then either appoints the Inspector or re-announces the competition within ten (10) days (the law does not provide the preconditions for the refusal by the Prime Minister to appoint the proposed candidate, nor does it impose the obligation of justifying such a refusal). The law of Georgia on the “Personal Data Protection” establishes minimum qualification requirements for the Inspector – the candidate must have a higher education, the citizenship of Georgia, the relevant professional experience and the professional and moral qualities enabling him/her to implement the duties. The term of office of the appointed Inspector is three (3) years; the same person can be appointed as an inspector for 2 consecutive terms only. Although the law of Georgia on the “Personal Data Protection” entered into force on December 28, 2011, the competition commission was created only in 2013,15 and the Personal Data Protection Inspector was appointed to the position on July 1, 2013.16
According to the law of Georgia on the “Personal Data Protection”, the rules of operation and implementation of the duties by the Inspector are prescribed under the Statute,17 which is enacted by the Executive Government of Georgia.18
It is notable that there are a number of shortcomings relating to the procedure of appointing the Inspector and the enactment of the Statute on the Operation of the Inspector; elimination of those shortcomings creates the possibility of enhancing the Inspector’s independence. First of all, it is notable that according to the legislation, an authorized representative of the parliament is one of the members of the competition commission. Since the parliament of Georgia is composed of the minority and the majority members of the parliament, it is preferable to take this circumstance into consideration in the context of composing the commission and to grant the parliament two (2) quotas, which would support representing the interests of all the entities within the Legislative Branch. The number of votes required for making a final decision is also important; according to the incumbent legislation the candidate for the Inspector’s position is nominated through a simple majority of votes. We consider that instead of the incumbent rule it is preferable to introduce the requirement of reaching consensus for the final decision-making; such a requirement will eliminate the possibility of biased decision-making and will increase the probability of selecting the best candidate. In addition, the term of the Inspector and the possibility of successive re-appointment of the same person need to be properly regulated to ensure the absolute independence of the Inspector. For the purpose of avoiding any kind of influence on the inspecting authority, it is preferable to prolong the term of the Inspector even up to four-five (4-5) years and instead to abolish the provision allowing successive re-appointment of the same person.19 The issue of the enactment of the Statute on the Operation and Implementation of Duties of the Personal Data Protection Inspector by the Executive Government is also important. Granting such an authority to an executive government may reflect a decrease of the Inspector’s independence. Regulating the rules of the Inspector’s operation by one of the government branches clearly bears the risk of influencing the Inspector’s activities, which contradicts the principle of absolute independence. Instead, it would be preferable to regulate the issues of particular importance at the legislative level and to transfer the authority of elaborating the operation rules to the Inspector, which would foster an increase of the Inspector’s legitimacy. It is also important to consider that neither the law on the “Personal Data Protection” nor the Government-enacted Statute prescribes the legal-organizational nature of the inspecting authority, which is certainly a problematic aspect and requires further clarification.

11 The obligation to implement the 1981 “Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data”; the obligation to protect personal data according to the European Neighbourhood Policy Action Plan (ENP AP);
12 The person that the personal data are about;
13 The persons processing the personal data;
14 Article 28 of the law of Georgia on the “Personal Data Protection”;
15 Order #64 of March 28, 2013 of the Prime Minister of Georgia;
16 Order #132 of June 28, 2013 of the Prime Minister of Georgia;
17 Paragraph 2 of Article 27 of the Law of Georgia on the “Protection of the Personal Data”;
18 The Resolution #180 of July 19, 2013 of the Government of Georgia on the Establishing the Statute on the Operation and Implementation of Duties of the Personal Data Protection Inspector;
The mentioned issues reflect the most important elements, the clarification and improvement of which will make it possible to ensure proper and unbiased operation of the Inspector.

2.2. Dismissal of the Inspector20
The law of Georgia on the “Personal Data Protection” provides two basic grounds for the termination of the Inspector’s term. In one case it is the expiration of the term of the Inspector. In the second case there should be legally prescribed grounds for the premature termination of the term; the law prescribes the following grounds:
• Loss of the citizenship of Georgia;
• Non-fulfillment of the duties for four (4) consecutive months;
• A court judgment of conviction (against the Inspector) entering into force;
• The court finding the Inspector to lack legal capacity, recognizing the Inspector to be missing or declaring the Inspector deceased;
• If the Inspector got appointed to a position incompatible with the inspection authority or if the Inspector conducts incompatible activities;
• Voluntary resignation;
• Death;
According to the law of Georgia on the “Personal Data Protection” the Inspector’s term is considered to be terminated from the moment any of the above listed circumstances arise, of which the Prime Minister should be immediately notified; the Prime Minister then issues the relevant administrative-legal act. There are only two exceptions – if the termination relates to the four months’ successive non-fulfillment of duties or being appointed to a non-compatible position; in such cases the Inspector’s tenure is terminated through the decision of the Prime Minister. Therefore, the law provides that in a number of cases (listed above) the Prime Minister only recognizes a pre-existing fact – termination of the tenure, while in the event that the exceptions arise (also mentioned above) the Prime Minister makes a decision. Such a provision is ambiguous because the law does not clarify the procedures preceding the final decision of the Prime Minister in the event that the exceptions arise. Logically, the tenure is automatically terminated in the first case. In the second case there is the possibility of choosing one of the possible decisions, which possibly amounts to discretionary authority; however, exercising discretionary authority should only be allowed on the grounds of analysis, proper examination of the circumstances, balancing the private interests against public interests and providing relevant justification. If it is assumed that such a provision indeed amounts to discretionary authority, it is necessary to elaborate all of the procedures through which the Prime Minister will establish the facts of successive non-fulfillment of duties for four months and/or the non-compatibility of the Inspector’s activities/position.21 It is also preferable to add a provision to the law which establishes the exceptions for the cases in which the Inspector has a justifiable excuse for the non-fulfillment of duties.

19 There are similar practices on the international level; see part 3.1.1. of the present research (see the Dismissal of the Inspector under the International Experience);
20 Paragraph 7 of Article 28 and Article 29 of the law of Georgia on the “Personal Data Protection”;
21 For example, according to Article 9 of the Parliament Statute the issue of the pre-term termination of the parliament membership is examined, according to the prescribed rules, by the Committee of the Procedures and Rules, which then prepares the relevant conclusions and presents the findings to the parliament bureau for the parliament hearing;
Considering the above judgment it is necessary to eliminate the ambiguity existing in the law of Georgia on the “Personal Data Protection” which arises due to the differences in the tenure termination procedures (according to the different grounds for the termination). It is necessary to elaborate clear rules which would allow foreseeing any possible development. This is particularly important considering that the Prime Minister is the decision-maker; therefore, the improper regulation of the dismissal rules could imperil the Inspector’s independence.

2.3. Financial and Organizational Support to the Inspecting Authority22
The law of Georgia on the “Personal Data Protection” regulates the issues of providing the financial support and human resources necessary for the proper operation of the Inspector. Specifically, the law prescribes that the Inspector implements the duties through the Inspector’s office, which is supervised either directly by the Inspector or by the Deputy Inspector. The structure, rules of operation and division of duties among the staff are prescribed by the Inspector under the Internal Statute. The Inspector also defines the staff list,23 which consists of the following positions:24 Deputy Inspector/Chairperson of the Department, Chairperson of the International Relations and Communications Department, Finance and Procurement Manager, Chief Lawyer, Senior Analyst of the Data Security, Analyst of the Data Security, Education and Training Manager, Public Relations Manager, Administrative and Registrar Specialist, Administrative Assistant (Specialist), Information Technology Administrator and the Driver. As of January 16, 2014, the number of the Inspector’s office staff members was 11 while three (3) positions remained vacant.25 Examination of the staff list and the number of employees raises the question of whether or not such a composition of the inspecting authority is capable of supervising the processing of the personal data throughout Georgia, considering that there are 19 ministries and thousands of entities of public law, not to mention countless private entities, in relation to which the law will fully enter into force from 2016.26
As for the financial aspect, the law of Georgia on the “Personal Data Protection” stipulates that the operation of the Inspector is financed from the State budget, while the expenditure estimate is submitted by the Inspector him/herself according to the prescribed procedures. Allocation of the necessary funds for the operation of the Inspector and its office is covered under a separate code of the state budget. As of 2014, 600’000 GEL are allocated for the operation of the personal data protection inspecting authority. In 2013, the funding amounted to only 204’000 GEL and the sum was transferred from the Government’s Reserve Fund based on the Government’s Resolution #699.27 We consider that since the law of Georgia on the “Personal Data Protection” was enacted on December 28, 2011 and the establishment of the inspecting authority was provided in the law from the very beginning, the necessary expenditures for the creation of the institution in 2013 were known in advance; therefore, the funds should have been allocated from the state budget and not the Reserve Fund. Such an approach, on the one hand, would have ensured proper allocation of the state funds and, on the other hand, would have allowed comparing the funding of the inspecting authority in 2013 and in 2014. The law of Georgia on the “Personal Data Protection” has a number of shortcomings related to the funding issues; specifically, the possibility and the preconditions for a decrease of the funding in relation to the previous year are not covered by the law. To ensure complete financial independence of the monitoring body it is preferable to thoroughly articulate the rules relating to the funding in the law.
It is possible to take an example from a similar institution – the regulation of this issue in relation to the Ombudsman of Georgia; this provision stipulates that decreasing the amount of the salaries indicated in the state budget in relation to the previous year may only take place after the prior consent of the Ombudsman of Georgia.28 It is notable that apart from the state budget funding, the law of Georgia on the “Personal Data Protection” gives the Inspector the right to receive grants and donations that serve the implementation of the Inspector’s duties; the grants and donations may be received in compliance with the relevant legislation of Georgia. According to the official information provided by the Personal Data Protection Inspector, the Inspector’s office has not received any grants as of 2013.29

22 Article 32 of the law of Georgia on the “Personal Data Protection”;
23 Sub-Paragraph “b” of Paragraph 3 of Article 5 of the Statute on the Operation and Implementation of Duties of the Personal Data Protection Inspector;
24 The list of the positions is based on the January 20, 2014 #8/01 correspondence of the Personal Data Protection Inspector;
25 January 20, 2014 #8/01 correspondence of the Personal Data Protection Inspector;
26 Paragraph 3 of Article 56 of the law of Georgia on the “Personal Data Protection”;
27 January 20, 2014 #8/01 correspondence of the Personal Data Protection Inspector;
28 Paragraph 3 of Article 25 of the law of Georgia on the “Public Defender”;
29 Correspondence #8/01 of January 20, 2014 of the Personal Data Protection Inspector;
2.4. Providing Consultations on the Issues Relating to the Personal Data Protection30

The law stipulates that the Personal Data Protection Inspector has an obligation to provide consultations to the Government of Georgia, local self-government bodies, other public institutions, entities of private law and natural persons; this obligation covers the provision of consultations on any issues relating to the personal data protection and processing. According to the official information requested from the Personal Data Protection Inspector, 44 consultations were provided from July 1, 2013 to January 16, 2014, while the report publicized by the Inspector, covering the period from August 2013 to March 2014, shows that the number of the provided consultations reached 376.31 According to the official information provided by the supervising authority, the consultation seekers were both private and public entities; among others, there were various ministries, entities of public law, banks and insurance companies, mobile operators and others. Due to the fact that the Inspector’s office did not keep a detailed record of the consulted persons, we were not able to receive the detailed list of the beneficiaries at the moment of requesting the public information.32

2.5. Consideration of the Applications/Complaints Related to the Data Protection33

The Personal Data Protection Inspector is obliged to consider the applications of the personal data subjects relating to the processing of the personal data, to make a decision within ten (10) days and to inform the applicant of the decision and of the activities to be conducted. The Inspector is obliged to conduct the research and examination of the application-related circumstances; in their turn, the data processors are obliged to provide the inspecting authority with all of the information and documentation necessary for the inspection or application examination purposes.
Following the consideration of the application, the Inspector selects one of the actions stipulated in the law, based on the circumstances and the findings of the examination. It is important that the Personal Data Protection Inspector has the authority to make decisions of a preventive nature; specifically, the Inspector may request blocking of the applicant’s personal data until the completion of the application consideration. This measure may not be applied when resuming the processing of the personal data is necessary for preserving the vital interests of the data subject or of third persons, or when such processing is necessary for state security and self-defense purposes. The maximum time of application consideration by the Inspector should not exceed two (2) months. Prolongation of the term is possible for only one (1) month, based on a justified decision of the Inspector. Because issues relating to personal data processing may be of special importance in a number of cases, it is important that the monitoring authority (the Inspector) responds immediately. The term for application consideration and the term for implementation of the necessary activities prescribed under the law may not ensure a timely response in each potential case of violation.

It is also notable that the law of Georgia on the “Personal Data Protection” allows the personal data subject not only to submit a written application in case of violation of the law, but also to address the Inspector with a complaint. Therefore, the supervising authority has an obligation to consider the submitted complaints. Unlike the consideration of applications by the Inspector, the law does not prescribe the rules regulating the activities to be conducted in case of submission of a complaint.
Therefore, it is unclear whether the complaint consideration process is regulated under the application-related rules or whether some other type of regulation applies. According to the official information provided by the Personal Data Protection Inspector, a total of nine (9) applications and zero (0) complaints were considered within the period from July 1, 2013 to January 16, 2014. The submitted applications related to the following issues: the legality of the so-called “Black Lists” existing in the banking sector, the exchange of customers’ phone numbers among companies for direct marketing purposes, the publicity of the salaries of persons employed in the private sector, the application of the “Personal Data Protection” law to video recording for the purpose of ensuring drivers’ compliance with the road traffic rules, the publication of information about credit loans through the internet (by banks), the rectification of incorrect personal data, etc.

2.6. Examination of the Legality of the Personal Data Processing in the Public and Private Sectors [34]
The law of Georgia on the “Personal Data Protection” provides that the Inspector has the authority to examine the legality of personal data processing both on the Inspector’s own initiative and on the grounds of an application by a stakeholder. The monitoring authority may enter any institution or organization and may access any type of documentation (regardless of its content) for the purpose of an inspection. The obligation of prior notification applies in exceptional cases only; specifically, the notification obligation applies when inspecting institutions whose operation is related to state security and self-defense or which conduct operative investigation activities. In such cases the Inspector has an obligation to inform the inspected entity of the planned activities three (3) days in advance. This provision may be problematic in terms of practical implementation, because a prior notification term of this length is entirely sufficient for correcting the shortcomings in the system, which undermines the purpose of conducting the inspection. The concept of inspection is based on suddenness, and any exception from this rule contradicts the goals of conducting such inspections. The Inspector has the authority to request any type of information and documentation for the purposes of the inspection, while the data processors have an obligation to fulfill the request of the monitoring body immediately. If there are legal or physical constraints to providing the requested information and documentation, the law provides a maximum of 15 days for fulfillment of the request. Because the Inspector and the employees of the inspecting body have the authority to access any kind of documentation or information, the law provides protective mechanisms against disclosure of such information. Specifically, the law obliges the relevant persons to ensure non-disclosure and restricts illegal processing of the information that was made available to them in the performance of their duties.

[30] Sub-Paragraph “a” of Paragraph 1 of Article 27 and Article 33 of the law of Georgia on the “Personal Data Protection”;
[31] 2014 Report of the Personal Data Protection Inspector, http://personaldata.ge/res/docs/anual%20report%28eng%29%20%284%29.pdf;
[32] Correspondence #8/01 of January 20, 2014 of the Personal Data Protection Inspector;
[33] Article 26 and Article 34 of the law of Georgia on the “Personal Data Protection”;
[34] Articles 20 and 35 of the law of Georgia on the “Personal Data Protection”;
Conducting the inspection implies examining the law compliance of the data processing, activities and application of the organizational-technical means for the data protection, maintenance of the personal data Filing System and record catalogues, disclosing the data to other states and international organizations.
According to the law of Georgia on the “Personal Data Protection”, disclosing the data to other states or to international organizations is only permissible if [35] this law provides the grounds and the relevant guarantees for processing the data. The Inspector examines the legality of such disclosure and, based on the examination of the circumstances, makes the decision on granting permission to disclose the data to other states. [36]
According to both the official information provided by the Personal Data Protection Inspector and the annual report, a total of two inspections were conducted from July 2013 until March 2014, [37] specifically:
• In the first case, the inspection was based on the application of the National Security Council Secretary, Giorgi Bokeria. The Secretary requested an examination of the law compliance of the research conducted by the Tbilisi Open University titled “Analysis of the Predetermining Factors to the Employment at the Public Sector” because, according to the applicant, the research related to the processing of personal data such as the political preferences of individuals. The procedures conducted in 12 ministries and all the related documents were examined within the inspection. Following the inspection, the inspecting authority prepared its conclusion and sent it to the stakeholders; following the Inspector’s request, the data was deleted in three (3) institutions in compliance with the relevant procedures.
• In the second case the inspection was initiated by the Inspector and was based on the prison video and audio recordings of the accused Bachana Akhalaia that were made public by the media in October 2013. The goal of the inspection was to examine the law compliance of the audio, visual, electronic and other technical control mechanisms applied in penitentiary #7. For the purposes of the inspection, the inspecting authority requested the information and examined the data processing on the spot, after which the inspecting authority issued the relevant recommendations.
The examination of the legality of data processing may include both “ex post facto” and “ex ante” [38] control. The law of Georgia on the “Personal Data Protection” does not directly provide the obligation of examining the environment prior to the data processing; however, because the data processors have the obligation to inform the inspecting authority [39] in writing (or electronically) of the law-prescribed information [40] prior to the creation of a personal data Filing System [41] and prior to adding a new category of information to the system, it may be implied that, if doubts arise prior to the processing of the data, the Inspector has the authority to conduct an inspection to establish whether or not the existing environment complies with the requirements prescribed under the law.

[35] This does not relate to the cases in which the personal data transfer is provided under international contracts and agreements;
[36] Paragraph 3 of Article 41 and Article 42 of the law of Georgia on the “Personal Data Protection”;
[37] Correspondence #8/01 of January 20, 2014 of the Personal Data Inspector; 2014 annual report of the Personal Data Inspector, http://personaldata.ge/res/docs/anual%20report%28eng%29%20%284%29.pdf;
[38] “ex post facto” – after the action; “ex ante” – before the action;
[39] According to Article 10 of the law of Georgia on the “Personal Data Protection”, the obligation to inform the Inspector also applies to all private organizations prior to starting the processing of biometric information;
[40] Paragraph 1 of Article 19 of the law of Georgia on the “Personal Data Protection” – title of a Filing System, titles and address of a data processor and of an authorized person, place of storage and/or of processing of data, legal grounds for processing the data, category of a data subject and other information;
[41] Sub-Paragraph “m” of Article 2 of the law of Georgia on the “Personal Data Protection” – Filing System – a structured set of data, which are arranged and accessible according to specific criteria;
2.7. Measures Applied by an Inspector for Implementing the Law

The law of Georgia on the “Personal Data Protection” provides a number of activities to be carried out in the event of discovering a violation of the law or of other personal data related regulations; such activities cover both violations discovered as a result of the consideration of a data subject’s application and violations discovered within the regular inspection procedures. Specifically, based on the examination of the circumstances and after making the relevant conclusion, the monitoring body may make the following decisions:
• To request correction of the data processing-related shortcomings and elimination of the violations within the time limits and in the manner prescribed by the Inspector;
• To request temporary suspension or permanent termination of the data processing if the data security measures taken and procedures followed by the data processor (or by an authorized person) do not comply with the requirements of the law;
• To request termination of the data processing, blocking the data, or deleting or de-personalizing the data, if the Inspector considers that the processing of the data is conducted against the law;
• To request termination of the data disclosure to other states and to foreign organizations, if the disclosure is conducted in violation of the law;
• To provide written advice and recommendations to the data processor and to the authorized person on insignificant violations relating to the personal data processing rules.
It is notable that the law does not provide the possibility to cumulatively apply the above listed activities.
The only clarification in this regard is provided under Paragraph 3 of Article 13 of the Statute on the Operation and Implementation of Duties of the Personal Data Protection Inspector, which grants the Inspector the authority to apply two (2) or more activities cumulatively based on the specific circumstances of each case. To ensure uniform and consistent interpretation of the provision, it would be reasonable to clarify in the legislation the cumulative application of the different options. Apart from this, it is important to consider that according to Paragraph “b” of Article 8 of the law of Georgia on the “Normative Acts”, the issues of enforcement and imposing legal responsibility may only be regulated under a law of Georgia. Therefore, any aspect of the application of activities by the Inspector that implies imposition of responsibility or enforcement must be regulated under the Law and not under the Statute, which is a bylaw in its nature.

Apart from the options listed above, the incumbent legislation grants the monitoring body the authority to draw up a protocol of administrative violation in the cases prescribed under the legislation. Chapter 7 of the law of Georgia on the “Personal Data Protection” lists the administrative violations relating to personal data and the amounts of the relevant fines. On average, the amount of the fine varies from 500 GEL to 3,000 GEL depending on the gravity and the frequency of the violation. The law imperatively provides the amount of the fine for each specific violation; therefore, the Personal Data Protection Inspector is deprived of the possibility to exercise discretionary authority and to establish a reasonable amount of the fine according to the circumstances of each specific case. According to the law of Georgia on the “Personal Data Protection”, any decision of the Inspector is mandatory and may only be appealed in court.
If the authorized person or the data processor does not fulfill the request of the monitoring body, the Inspector may address the court him/herself. In the event of discovering the signs of a violation, the Personal Data Protection Inspector is obliged to address the authorized bodies for further investigation.

2.8. Raising Public Awareness
One of the obligations of the monitoring body is to keep the society informed. The operation of the personal data protection system is mainly based on the informed individual, who thoroughly knows all of the rules providing his/her protection guarantees in the transactions occurring throughout daily life. Therefore, the Inspector should conduct a whole range of activities aimed at performing this duty, including educational activities and activities aimed at introducing and popularizing the legislation. According to the official information provided by the Personal Data Protection Inspector, within the period from July 1, 2013 to January 16, 2014 the monitoring body conducted a whole range of activities aimed at raising public awareness. Specifically, statements were publicized regarding the following issues: direct marketing, conducting video surveillance, the legality of processing the data, processing the Data of Special Category and publicizing information containing taxpayer secrecy. The Inspector participated in a number of TV and radio programs for the purpose of popularizing the law of Georgia on the “Personal Data Protection”. Basic training on personal data protection was conducted for 58 staff members of the Ministry of Internal Affairs; 163 public servants and private company representatives were given the opportunity to get acquainted with the basics of personal data processing in labor relations. [42] Informative meetings were conducted with the participation of students and representatives of the medical and insurance sectors in Tbilisi, Batumi and Kutaisi. On December 20, 2013 a work meeting was conducted with the data processors; the event was attended by up to 80 representatives of the public and private sectors. [43] The web-page of the personal data inspecting authority was created; [44] the web-page contains various types of information, such as the structure of the institution, main areas of work, national legislation and international norms, the list of employees, the amount of the budget, the expenditure estimate, etc. According to the official information provided by the Personal Data Protection Inspector, it is also planned to publish manuals and informative brochures. Presently, the following documents may be found on the web-page: the Manual on Maintenance of the Personal Data Filing System and the notification form, the Manual on Processing the Biometric Data and the notification form, the Manual on Cross-Border Transfer of the Data and the notification form, and the application form and the list of necessary documents for a personal data subject to submit an application to the Inspector. [45]
Apart from the above listed activities, the Personal Data Protection Inspector is obliged to actively cooperate with various entities, international organizations and other state institutions on any issues relating to personal data protection. [46] This is especially relevant in cases of data transfer to other states, because in a number of cases it is the Inspector who is obliged to evaluate the existence of data protection guarantees, and only after proper examination may the Inspector make a decision on granting permission for the transfer of the data. [47]
The monitoring body has a role in law-making as well. The Inspector has the authority to present (on its own initiative) proposals for the improvement of the existing legislation to the Parliament and to other public entities. The Inspector may also prepare conclusions on those laws and bylaws which relate to the processing of personal data. [48] Providing this right at the legislative level is surely a positive fact; however, the legislative provision does not indicate whether the conclusions of the Inspector are mandatory for the relevant administrative bodies and institutions or not. This, in its turn, diminishes the role and importance of the Inspector as a competent body in this field.

In terms of the publicity and accountability of the Inspector’s operation, the law prescribes the obligation of providing annual reports. The report should contain a general evaluation of the personal data protection environment in the country, conclusions and recommendations; the report should also contain information about the significant violations discovered throughout the year and the activities implemented. The Inspector presents the report once a year to the Government of Georgia. The report is public and the monitoring body itself publicizes it. It is notable that the law of Georgia on the “Personal Data Protection” does not prescribe time limits for presenting the report. The issue is regulated under the Statute on the Operation and Implementation of Duties of the Personal Data Protection Inspector. Article 22 of the mentioned Statute stipulates that the monitoring body is obliged to prepare and publicize the report on the personal data protection environment in the country before March 1 of each year. For ensuring more clarity and enhancing the legitimacy of the rules regulating the publication of the report, it would be preferable to introduce the exact timeframes for publicizing this rather important document into the law.
The first report, presented to the Government on March 1, 2014, contains information on seven (7) months of operation; the report mainly includes information about the practical problems and the facts of violation of the law discovered by the inspecting authority. The issues of particular importance are the following: processing data in such quantities and over such a period of time as is disproportionate and inadequate for achieving the goal, processing data without legal grounds, processing the Data of Special Category without explicit consent, processing and using biometric data in contradiction with the legislative requirements, conducting video surveillance without placing proper warning signs, transferring data to other states without legal grounds, etc. Combining such problematic issues in one document gives the possibility to generalize the existing practices, to outline the main shortcomings/problems and to search for the means of solving those problems, whether through initiating amendments at the legislative level or through elaborating guidelines clarifying the particular issues.

Following the above, the content of the incumbent legislation on personal data protection is on the one hand innovative, but on the other hand it includes shortcomings relating, among others, to the following issues: appointment of the Inspector, composition of the competition commission, decision-making through the necessary number of votes, the tenure of the Inspector, defining the rules of operation and the legal form, application of discretionary authority during termination of the tenure, ensuring proper funding, rules and timeframes for submitting an application/complaint, the notification obligation during the inspection, cumulative application of a number of options for the implementation of the law, defining the appropriate amount of the fine for a violation, and other issues. It is also notable that the law of Georgia on the “Personal Data Protection” does not cover specific spheres, such as processing data for the purpose of legal proceedings, public and state security (including economic security), self-defense, operative investigation activities and criminal investigation purposes. In addition, there are no personal data protection rules adjusted to the peculiarities of the labor, healthcare and similar specific sectors. Therefore, there is a need to examine and analyze the existing shortcomings of the law of Georgia on the “Personal Data Protection” and to analyze the law in the context of international experience, which will allow creating a comprehensive and well-functioning system that complies with worldwide standards.

[42] 2014 annual report of the Personal Data Protection Inspector, http://personaldata.ge/res/docs/anual%20report%28eng%29%20%284%29.pdf;
[43] Correspondence #8/01 of January 20, 2014 of the Personal Data Protection Inspector;
[44] http://personaldata.ge/en/home;
[45] http://personaldata.ge/en/for-public-bodies/failuri-sistemebis-katalogi; http://personaldata.ge/en/for-public-bodies/transsasazghvro-gatsvla; http://personaldata.ge/en/for-individuals/take-an-action; http://personaldata.ge/en/for-organizations/biometric-data;
[46] Article 37 of the law of Georgia on the “Personal Data Protection”;
[47] Paragraph 3 of Article 41 and Article 42 of the law of Georgia on the “Personal Data Protection”;
[48] Article 36 of the law of Georgia on the “Personal Data Protection”;

3. INTERNATIONAL EXPERIENCE
3.1. Protection of the Personal Data in the EU and its Member States

3.1.1. Experience of the EU and the Member States

The EU has always been a leading union in terms of personal data protection. An example of this is the Directive of October 24, 1995 on personal data protection, which became the basis for the creation of national framework legislation in a number of member countries. The content of Article 6 of the Charter of Fundamental Rights of the European Union is also innovative. Unlike other international documents on human rights, the Charter focuses specifically on the mandatory nature of personal data protection, instead of on a right to private life.
Inclusion of the right to personal data protection as one of the fundamental rights in the EU Charter reflects the technological progress of the 21st century, which once again demonstrates the necessity of persistent protection of fundamental rights. Daily life is a continuous process of information exchange and flow, which once again underlines the importance of ensuring proper guarantees for personal data protection. The especial importance of the issue naturally implies the necessity of overcoming various challenges. One such challenge is ensuring the absolute independence of the monitoring body. Since the role of this institution is rather significant for the implementation of the existing legislation, it is important to thoroughly consider all the mechanisms necessary for its effective operation.
According to the EU Directive on personal data protection, absolute independence is a natural and mandatory attribute of the supervising body. Lack of such independence would undermine the meaning of the existence of such an institution. Achievement of this goal requires thorough regulation of such important issues as the procedures for the appointment and dismissal of the Inspector and the scope of the Inspector’s authorities. The experience of the EU member states shows the existence of different approaches, some of which are innovative and some of which represent incomplete implementation of the Directive’s requirements. Examination of the best practices and the identified shortcomings gives the possibility to clearly understand the role of the monitoring body and its place in personal data protection, as well as the legislative and practical features inherent only to an independent institution.

Appointment of the Inspector [49] - the approach towards selection or appointment of the Personal Data Protection Inspector varies across the EU member states. The major difference relates to the role and significance of the different branches of government in this process. In some cases the prerogative of composing the supervising body is entirely granted to the legislative branch (Germany, Slovenia); in other cases the complete consensus of the parliamentarians from both the majority and the minority is the precondition for the final decision (Greece); in some countries the composition of the personal data protection institution is the prerogative of the executive government (Ireland, Luxemburg); in some cases the institution is entirely tied to the Ministry of Justice (Denmark, Latvia). According to the widespread opinion, the active role of the executive government in the process of appointing the Inspector imperils the independence of the inspecting authority.
International practice has also approved the so-called mixed model, which implies active involvement and coordinated work of all three branches of government in the process of composing the inspecting authority (France, Spain, Portugal, Belgium); however, in such a case it is important to consider the goals of the procedure of plural engagement in the appointment process and to avoid the possibility of direct or indirect influence on the final decision-maker.

[49] European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 21-23;
Dismissal of the Inspector [50] - in terms of dismissal, the following issues are of especial importance: the term of office, the authorized body and the existence of the concrete circumstances which are the basis for making a final decision. The experience of the EU member states shows that the term of office of the Personal Data Protection Inspector ranges from five (5) to seven (7) years, and the law provides the possibility neither to re-appoint the same person nor to terminate the tenure of the existing Inspector (Italy). In a number of cases the legislation provides an exhaustive list of circumstances which serve as preconditions for initiating the procedure of termination of the Inspector’s tenure; as an additional guarantee during the termination of the tenure, the legislation very often establishes the mandatory application of the same rules as applied during the appointment of the Inspector (Slovenia, Poland). While the above mentioned procedures aim at ensuring maximum independence from political influence, the case in which the government is granted the authority to dismiss the Inspector without any preconditions (Ireland) surely creates doubts about the independence of the monitoring body. In terms of creating additional guarantees for both the appointment and the dismissal procedures, of especial interest are the cases in which the independence of the Personal Data Protection Inspector is guaranteed under the supreme law of the state, the constitution (Greece, Portugal), and the cases in which the legal form/nature of the monitoring body is clearly and thoroughly elaborated in the legislation (Spain, Malta).

Financial and Organizational Support to the Inspecting Authority – according to the experience of the EU member states, there may be various sources for financing the personal data inspection authority, be it a single funding source or multiple ones.
The general rule is to finance the supervising body from the state budget (Italy, France, Netherlands, Estonia); however, there are cases in which the financing of the Inspector is tied to the budget of a concrete state institution, for example (in a number of cases) the Ministry of Justice. An additional source of income for the Personal Data Protection Inspector may be the financial means accumulated through the operation of the monitoring body, be it the fees for the notification of data processing or the sanctions levied as a result of inspections (Luxemburg, Malta). In some cases, the sole source of the Inspector’s funding is the amount earned through the Inspector’s operation. A clear example of this is the experience of the United Kingdom.
The experience of the EU member states reflects a lack of proper financing for the Personal Data Protection Inspector (Austria, Italy, Romania, France, Portugal); in the countries where financing does not represent a problem, there is a tendency of budget decrease in the future. It is notable that such an approach clearly contradicts the EU Directive on personal data protection, according to which the absolute independence of the Personal Data Protection Inspector is vital, [51] which is impossible to achieve without proper financial resources.
Providing Consultations on the Issues Relating to the Personal Data Protection [52] - according to the EU Directive on personal data protection, all administrative and legislative bodies are obliged to consult with the relevant monitoring body during the development of any legal initiative relating, or that may relate in the future, to the sphere regulated by the personal data protection legislation. [53] The goals of this Directive impose on the Inspector the general obligation to provide advice and relevant information and to elaborate specific sector-oriented guidelines. The aspect of providing consultations also implies the possible role of the monitoring body in the transfer of data to other countries. The table provided below aims at reflecting the ways of exercising the authority to consult according to the national legislation of the EU member states.

[Table: Exercise of the consulting authority by the Personal Data Protection Inspectors of the EU member states. Columns: Mandatory Consultation (legislative proposal); Voluntary Consultation (legislative proposal); Providing Consultations; Elaborating Recommendations; Providing Permission for Transfer of the Information to Other Countries. Rows: Bulgaria, Czech Republic, Denmark, Belgium, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxemburg, Netherlands, Austria, Poland, Malta, Hungary, Portugal, Romania, Slovenia, Slovakia, Finland, Sweden, United Kingdom. The individual cell marks are not reproduced here.]

[50] European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 21-23;
[51] Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 28;
[52] European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 26-28;
[53] Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 28(2);
The table clearly shows that in all of the EU member states the Personal Data Protection Inspector has the authority to provide consultations to data processors and stakeholders. In addition, the monitoring bodies issue instructions or guidelines regulating specific issues; however, in the majority of the countries such documents are unfortunately not binding. As for administrative bodies and the legislature consulting the Inspector on initiated draft laws, the majority of the states provide for this in their legislation; however, such consultations are only of a recommendatory nature. This in turn diminishes the role and significance of the inspecting authority in the protection of personal data. In the opinion of the European Union Agency for Fundamental Rights, consulting the competent body in the field when preparing a legislative initiative creates a preventive mechanism against future shortcomings and helps to avoid conflicts between norms. This makes it particularly important to ensure the mandatory involvement of the Personal Data Protection Inspector in this process.

Consideration of Applications/Complaints54 - according to the EU Directive on personal data protection, the Inspector must have the authority to consider complaints and applications55 submitted by the data subject or his/her representative; this includes not only the obligation to consider the complaint/application but also the obligation to inform the applicant of the final decision.
In addition, where a violation is identified, the monitoring authority must be able to bring the matter before the court or to intervene in ongoing proceedings,56 and to cooperate with the parliament or other political institutions on particular issues.57 The table below reflects how these provisions of the EU Directive have been concretised in the national legislation of the member states.
54 European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 26-28;
55 Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art.28(4)(1);
56 Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art.28(3)(3);
57 Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art.28(3)(2);
Table: Powers of the monitoring body in relation to applications and complaints, by EU member state. Columns: Consideration of Applications/Complaints; Right to Address the Court/Police; Right to Directly Address the Court; Right to Make Decisions Independently; Right to Address the Parliament. Rows: Bulgaria, Belgium, Czech Republic, Denmark, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxemburg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, Sweden, United Kingdom. (Check-mark entries not reproduced.)
The table shows that in all of the EU member states the monitoring body is authorised to consider applications and complaints and to inform the data subject of the final decision within the time limits prescribed by law. If the Personal Data Protection Inspector considers the circumstances presented to be well-grounded, the Inspector may take the final decision him/herself or, depending on the circumstances, may decide to address the court, the police and, in a number of cases, the parliament. In this regard the example of Slovenia is of particular interest: there the Personal Data Protection Inspector is authorised to apply to the constitutional court where the grounds prescribed by law exist.
Examination of the Legality of Processing Personal Data58 - generally, there are two different approaches to inspection by the Personal Data Protection Inspector. The first is preventive,59 aimed at avoiding violations of the law before they occur (Finland, Sweden, Ireland, United Kingdom); the second is for the monitoring body to focus on ongoing processing and examine its compliance with the legislative requirements (Latvia, Czech Republic, Greece).60 There is also an intermediate approach, in which the Personal Data Protection Inspector fully supervises both the preceding and the subsequent processes and has the authority to act on identified violations (Denmark, Netherlands, Slovakia and Italy). The relevant articles of the Directive provide for preventive examination,61 which implies prior notification by the data processor and on-site examination by the Inspector. Such an inspection aims at revealing, evaluating and preventing potential risks before the data processing starts. The experience of the EU member states shows three basic approaches in this regard.

58 European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 20-21, 28-30;
59 Ex-ante control;
60 Ex-post facto enforcement;
61 Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art.5-8;
The first is the case of Bulgaria, whose legislation obliges all private and public persons and state institutions to notify the relevant monitoring body before starting to process data. Although such regulation theoretically complies with the requirements of the EU Directive, it is problematic in practice: since every type of personal data processing requires prior notification, the resources of the national monitoring body are insufficient to register all of the applications submitted, and the duty of preventive examination is therefore not comprehensively performed.
The second approach is illustrated by Poland, where the legislation only obliges data processors to register the personal data filing system with the monitoring authority before starting to process data. Here the main problem is usually a lack of knowledge: there are numerous shortcomings in the creation of filing systems and the sending of notifications, and in a number of cases data processors are not even aware of the obligation to register the filing system, which results in improper processing of personal data by hospitals, banks, financial institutions and the like.
Unlike the above cases, the legislation of Germany obliges private sector entities to register (in the case of automated data processing) and obliges only state institutions to send notification. In Germany, any institution or entity is released from the obligation of prior registration or notification if it has designated a specialised person who supervises personal data protection matters. Designating a dedicated employee seems, at first glance, the optimal solution for regulating such issues within a single entity. However, it is then essential to define the scope of authority and the response mechanisms available to the designated employee, who must be able to respond effectively to identified violations. German experience shows that inadequate regulation of these issues is the reason why the concept of a designated personal data protection employee cannot be considered an effective mechanism. As already mentioned, apart from ex-ante control there is a type of control that implies direct supervision of ongoing data processing and its compliance with the legislation. The EU Directive on personal data protection prescribes that for this type of inspection the inspecting authority must have proper mechanisms for effective and targeted examination.62 The table below shows how this provision is reflected in the national legislation of the EU member states.
Table: Inspection powers of the monitoring body, by EU member state. Columns: Requesting Information/Documentation; Access to Data Storage/Filing Systems; On-Site Examination and Seizure (without a court order); On-Site Examination and Seizure (with a court order); Authority to Conduct an Audit. Rows: Bulgaria, Belgium, Czech Republic, Denmark, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxemburg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, Sweden, United Kingdom. (Check-mark entries not reproduced.)

62 Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art.28(3)(1);
Examination of the practices in the EU member states has shown that, as a rule, the monitoring body has the authority to supervise the compliance of private and public entities and institutions with the personal data protection legislation. For this purpose the inspecting authority may conduct an audit or on-site observation, request relevant information, request access to business information and documentation, and carry out a number of similar activities. The Personal Data Protection Inspector exercises this authority both on his/her own initiative and on the basis of submitted applications. Examination of the practices has also shown a tendency in a number of states to grant the inspecting body additional powers for conducting inspections; these include entering the premises of the data processor (with police assistance if needed), seizing all technical devices and equipment that might be used for processing the data, conducting on-site observation and confiscating various objects as evidence (even without the consent of the data processor). It is notable that carrying out these activities does not require a special court order.

Activities Aimed at Implementing the Law63 - according to the EU Directive on personal data protection, the Inspector must have the authority to respond appropriately to an identified violation, which may take the form of permanent or temporary termination, blocking, or deletion/destruction of the data or of the data processing, or of imposing liability on the violator. While these powers are regulated under Article 28 of the Directive, sanctions and compensation are regulated under Chapter III.
These norms are reflected differently in the national legislation of the EU member states, so the regulation of this issue varies. The table below depicts all of the mechanisms available to the monitoring bodies across the EU.
Table: Enforcement mechanisms available to the monitoring body, by EU member state. Columns: Giving a Warning to the Data Processor / Requesting Certain Actions; Suspension of the Data Processing; Deletion or Destruction of the Data; Imposing Administrative Sanctions (by the Inspector); Criminal Fine (by the court); Imprisonment (by the court). Rows: Bulgaria, Belgium, Czech Republic, Denmark, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxemburg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, Sweden, United Kingdom. (Check-mark entries not reproduced.)

63 European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 22-24, 31-37;
As the experience of the EU member states shows, with rare exceptions the Personal Data Protection Inspector is authorised, where violations are identified during an inspection, to demand suspension or termination of the data processing or deletion/destruction or blocking of the data. As regards the sanctioning of the violator, there are three general approaches: 1. administrative sanctions applied by the monitoring body; 2. a criminal fine applied by the court; and 3. imprisonment. The sanction to be applied is selected according to the type of violation. It is also notable that in almost every case the Inspector's decision to impose a fine may be appealed in court. According to the observations of the European Union Agency for Fundamental Rights, although the legislation provides the supervising body with response mechanisms, their effectiveness is very low because of the insignificant amount of the fines and their rare application in practice. It is also notable that the EU Directive on personal data protection provides for compensation of the data subject where damage has been inflicted on him/her as a result of unlawful processing of personal data.64 The practice of the member states differs mainly in whether the issue is subject to separate regulation or is automatically covered by pre-existing norms. Examination of existing practice shows three main approaches: 1. the general norms of the civil code cover compensation for personal data-related damage (in this case the burden of proof lies on the plaintiff, who also bears the court costs);65 2. the same norms apply, except that the burden of proof lies on the defendant (the legislation allows the processor to avoid liability by proving that the damage was not caused by his/her actions);66 3. specific norms have been elaborated.67 It is notable that the states which have introduced specific regulations for personal data protection mainly favour the so-called "strict liability" principle, under which intent and negligence are irrelevant to the imposition of liability and the existence of damage is the decisive factor. It is especially important that in the legislation and practice of a number of states compensation covers not only material but also non-pecuniary damage, either separately or cumulatively.68

Raising Public Awareness69 - one of the main responsibilities of the Personal Data Protection Inspector is raising public awareness. This is particularly important because effective implementation of the law in practice is only possible when its target audience is informed of its rights and duties. Planning this process requires identification of the problematic issues that might become topics for discussion. Various studies are conducted by the EU and its member states for the purpose of identifying weaknesses. The Eurobarometer survey70 identified a number of interesting issues, specifically:
• While the majority of the respondents know of their rights, only 28% of them (across the entire EU) are aware of the Personal Data Protection Inspector;
• Only 13% of the respondents reported having active contact with the Personal Data Protection Inspector; the results varied across the countries from 41% (Italy) to 1% (Austria);
• The majority of the respondents named as their reasons for addressing the Personal Data Protection Inspector the need for consultations (60%) or the sending of notification of personal data processing (56%).71

64 Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art.23(1);
65 Bulgaria, Czech Republic, Spain, France, Austria, Lithuania, Latvia, United Kingdom and others;
66 Denmark, Germany, Italy, Sweden;
67 Greece, Germany, Hungary, Sweden;
68 Italy, Slovakia, Germany, Greece, United Kingdom, Lithuania, Sweden and Hungary;
69 European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 27-28, 37-41;
70 Eurobarometer Surveys: No 225 - Data Protection in the European Union: Citizens' Perceptions; No 226 - Data Protection in the European Union: Data Controllers' Perceptions;
These results clearly indicate a lack of awareness of the Personal Data Protection Inspector, which underlines the need to plan an active awareness campaign.
It is notable that, apart from the general research conducted by the EU, the member states tend to conduct regular surveys at the national level (Sweden, Denmark, Finland, France, Austria, Spain, Ireland, Latvia, Netherlands, Slovakia, Hungary, United Kingdom). Approaches differ across countries according to the national context, the potentially problematic issues and the goals set. While in Slovakia the surveys are conducted on a permanent basis and their results are reflected in the Inspector's reports, in Sweden they are conducted periodically and cover not only the public but also the private sector.
To identify and resolve the problems revealed by the surveys, the monitoring body must be in close communication with the public. According to the experience of the majority of the countries (except Lithuania, Bulgaria and Slovakia), the means of achieving this are electronic resources, which are one of the proven mechanisms through which stakeholders can make their voices heard. Personal Data Protection Inspectors publish the relevant legislation, guidelines, instructions, initiated amendments, opinions and conclusions on their web-pages. In addition, one of the mechanisms for raising public awareness in the EU member countries is the financing of special programmes of conferences and focus groups, whose beneficiaries may be representatives of various social groups, be it students or the working population. Informing society by the relevant monitoring bodies aims not only at informing the public of the existing legislation but also at presenting a detailed report on the activities conducted by the Inspector. In a number of cases the reports are presented annually and in other cases bimonthly (Italy); in some cases the document is simply published (Spain, United Kingdom, France, Italy), while in other cases the reports are presented to the legislature.

3.1.2. Personal Data Protection Legislation in Relation to Labour Relations72
Ensuring personal data protection is especially important in labour relations, in which one party to the agreement is subordinate to the other. Although the rights of employees in the EU member states are protected by the trade unions, technological development makes it easier to control and monitor the actions of the individual, be it through video surveillance or monitoring of electronic correspondence. Therefore, in the context of the inequality that is a natural feature of labour relations, it is especially important to introduce additional regulations in the personal data protection sphere; such regulations should explicitly set out the employer's obligation to process the personal data of the employee only in compliance with the legislation. The experience of the EU member countries reveals two approaches. In some cases the issues of personal data protection are regulated under the general law, while in other cases specific rules are introduced into the labour legislation (Italy, Hungary, Spain, Slovakia, Czech Republic, Portugal, Netherlands, Luxemburg, Latvia, Ireland, Greece, Finland, Belgium). In this regard the inspecting body's instructions and regulations aimed at detailed interpretation of the issue are of particular significance.
Various shortcomings relating to personal data protection have been identified in labour relations. Firstly, some of the EU member states have no specific regulation of this sphere at all (Sweden, Romania, United Kingdom, Bulgaria, Malta, Lithuania, Cyprus, France, Estonia, Denmark, Austria and Germany). In those states in which specific rules exist, the trade unions in a number of cases lack the legal authority to conduct monitoring (Czech Republic, Latvia, Ireland). In some cases the employer is granted particularly broad authority to define the purposes of data processing according to the specifics of the entity (Poland). In other cases, small companies do not fall within the scope of the existing regulations at all (Netherlands). As for the states in which both the legislation and its practical implementation are relatively comprehensive, there is a negative trend towards lowering the established standards in the future. For example, legislative amendments have been initiated in Finland under which the employer would, under certain circumstances, be granted the right to monitor the e-mail addresses of sent and received correspondence as well as the types of attachments; in addition, it may become possible to process the personal data of employees for the purpose of preventing or investigating violations, in a way that allows specific individuals to be identified. In the opinion of the European Union Agency for Fundamental Rights, the approach existing in a number of states and the planned amendments negatively affect the proper guarantees of personal data protection in specific spheres, and such an approach cannot comply with the requirements of the EU Directive.73

71 The present data reflect two surveys conducted by the Eurobarometer in February 2008;
72 European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 37;

3.1.3. Problematic Issues in Terms of Personal Data Protection74
The legislative environment and practical experience of the EU member states reveal problematic issues which, not being covered by the personal data protection legislation, require special attention. There are three main categories: state security (which includes defence and operative investigation activities), healthcare and video surveillance.

• State Security
Article 13 of the EU Directive on personal data protection prescribes the spheres not covered by the Directive, among them national security, defence and public security. A literal reading of the provision treats these as clear exceptions, meaning that the data processing standards of the Directive do not apply to them. According to the prevailing opinion, such an approach is incorrect. Since all of the articles of the Directive must be interpreted in light of its Preamble and declared goals, it should be taken into account that one of the foundations of the Directive is Article 8 of the Charter of Fundamental Rights, from which derogation is allowed only in cases prescribed by law and only with respect for the essence of the right protected by that Article. A proportionality test must therefore be applied in each specific case to balance the competing goals and rights; an approach under which the rights guaranteed by the EU Charter may simply be set aside in pursuit of various state objectives is unacceptable. Since the right to private life and to the protection of personal data is a widely recognised right that should cover all aspects of human life, the Directive cannot be intended to define spheres in which such protection is not guaranteed at all, particularly since the matter concerns the processing of large amounts of personal data, which could otherwise be processed at will, for any purpose, without any restrictions or prohibitions. Accordingly, the European Union Agency for Fundamental Rights considers it reasonable not to interpret Article 13 radically and not to deprive personal data of protection guarantees where such data may be transferred under the exceptions.

• Healthcare
According to the EU Directive on personal data protection, information relating to an individual's health is a special category of data, the processing of which is in principle prohibited. The exceptions cover cases in which the data are processed for the purposes of diagnosis, the provision of care or preventive medicine, or by a health professional subject under law to an obligation of professional secrecy.75
In healthcare there is no doubt that, in a number of cases where emergency services must be provided in a timely manner, it is important to be able to process data without legal impediments. However, the more people who have access to an individual's personal data, the greater the probability of a violation of the law. The experience of the EU member states has therefore shown that, although the healthcare system should be free of improper barriers, it is obligatory to introduce specific rules defining the duties and the circle of persons, specialists and public servants who have, or may have, access to the personal data of individuals. According to the European Union Agency for Fundamental Rights, the national supervising bodies need to examine and analyse the legislation regulating healthcare to establish whether it complies with the requirements of the EU Directive. This is particularly important now that, following the experience of many countries (one of the most recent examples being Belgium), portals are being introduced to ease access to healthcare services, which naturally creates higher risks of unlawful processing of health-related personal data.
73 European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 37;
74 European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxemburg: Publications Office of the European Union, 2010), 44-46;
75 Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art.8(3);
• Video Surveillance
According to the experience of the EU member states, video surveillance poses a particular problem for personal data protection. There are numerous examples of unlawful surveillance, whether of employees or of public streets. A particular problem is surveillance by unregistered video cameras, which makes proper monitoring by the Inspector impossible (Austria). According to the European Union Agency for Fundamental Rights, given the acuteness of the problem, the general provisions of the Directive are not able to regulate the issue properly and more detailed regulation needs to be elaborated.
3.1.4. Best Practices76
Personal Data Protection Inspector Effective operation of the Personal Data Protection Inspector is mostly dependent on the structure/system of the supervising authority or on the activities, conducted by that supervising authority. In a number of cases, the EU member states have granted such a supervising body the broad scope of independence and the proper authority; in other cases, the EU member states have elaborated the system, according to which the Personal Data Protection Inspector actively collaborates with a number of actors in this sphere, be it the state agencies, non-govenrnmental sector or the supevising authorities of other countries. The level of independence of the Personal Data Protection Inspector is crucially important in terms of law implementation. Therefore, it is rather important for such independence to have distinctly elaborated legal nature (such as in cases of Spain and Malta) or for the independent nature of the institution to be declared at the constitutional level (Portugal, Greece). As for the appointment of the supervising body, in this case, the best practices may be considered to be the decision-making procedure in which the final decision is reached through the consensus of the parliamentary majority and minority. It is also notable that the absolute independence of the Personal Data Protection Inspector is clearly reflected in the example of Slovenia, in which the monitoring body is granted the authority to address the constitutional court.
The authority of the Personal Data Protection Inspector to elaborate the Code of Conduct is a positive tendency, which clearly creates additional guarantees for the personal data protection. In the case of Ireland, the national legislation grants the Personal Data Protection Inspector an authority to elaborate the Code of Conduct and to submit it to the parliament; the Code, in case of approval by the parliament, gains the enforceable power, applicable to all the entities, institutions and companies, regulated within the data protection legislation. Active cooperation among the public institutions and the relevant supervising bodies is a guarantee for the proper operation of the personal data protection system. In case of Germany, there is a special Data Protection Academy, which conducts the regular trainings for the public servants, that supports their re-preparation, awareness raising and productivity.
The permanent cooperation of the Personal Data Protection Inspector with the active non-governmental sector may be considered as the best practices. Since the skepticism towards the ongoing processes is natural to the civil society representatives, it is easy for them to identify the shortcomings and the violations, which may arise in the practice. Implementation of the Legislation
Granting the Inspector a broad scope of authority to react to violations and to conduct inspections is the precondition for best practice in terms of implementation of personal data legislation. One of the ways to achieve this goal is reflected in the approach elaborated by Italy, according to which a memorandum is signed between the Personal Data Protection Inspector and various divisions of the police; the memorandum stimulates active cooperation. The same rules apply in the case of Romania, with the only difference that, apart from the enforcement authorities, various other state institutions are involved as well. The existing experience has demonstrated that such an approach is one of the tested methods for achieving effective operation of the supervising body.
In addition, in terms of implementation of the personal data protection legislation, it is interesting to consider the case of the Netherlands, where the government has a responsibility to present a report to the parliament five (5) years after the enactment of a specific piece of legislation; the report describes the practical implementation of the law. The legislation on personal data protection underwent this process as well. The evaluation is conducted in two (2) stages. The first stage involved the analysis of the bylaws; the second stage involved examination and interviewing relating to practical cases. This experience has shown that such an approach is an effective mechanism for identifying and eliminating the shortcomings arising from the practical implementation of a specific law.
76 European Union Agency For Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, Strengthening the Fundamental Rights Architecture in the EU II (Luxembourg: Publications Office of the European Union, 2010), 47-49;
Raising Awareness
As already mentioned, raising public awareness is one of the main aspects of effective implementation of personal data protection legislation. A number of activities may be implemented in this regard. In the EU member states, consumer-oriented electronic resources represent one of the most tested means for establishing close connections with society. A web-page allows any interested person to search for any kind of information, be it the legislation, the most recent court decisions, guidelines regulating specific fields elaborated by the supervising body itself, etc. In addition, electronic resources make it possible to send the relevant documents to the Personal Data Protection Inspector, to register/send a notification on data processing, to submit a complaint and to conduct other similar activities. Since the EU unites 27 states, such web-resources are generally provided in different languages; however, it would be preferable to also provide an English version of the web-resources, which would engage a much wider population.
Planning an information campaign serves raising public awareness; the campaign includes not only one-time trainings and seminars, but also permanent education disciplines, be it at the level of secondary or higher education. In addition, elaborating various TV programs and journals/newspapers focused on various target audiences is also effective. An example of such an approach is the Czech Republic, where the Personal Data Protection Inspector proposed a number of TV programs relating to personal data protection; the program “Personal Data Protection During Education” is mainly oriented at the youth. The program “Negligence is Not an Option – Each of Us Has a Secret” was oriented at all age groups and, according to the Personal Data Protection Inspector’s annual report, each episode was seen by 310’000 persons. As for journals and newspapers, such practices are followed in Finland, where the print materials are published four times a year. An interesting tendency was identified in Portugal and Belgium, where the monitoring authority gives interested law students the possibility to undergo an internship and gain knowledge about the Personal Data Protection Inspector’s operation. Elaborating guidelines and instructions is an effective mechanism for concretization and simplification of the legislation. It may be said that the Personal Data Protection Inspector of Spain is especially active in this regard. The regulations elaborated by the Inspector relate to topics such as “Child Rights and Parental Responsibilities”, “Personal Data Security Criteria”, “Protecting Personal Data as the Fundamental Human Right”, and personal data in the cases of city councils, schools, state universities, labor unions, state healthcare and social services. A similar approach was identified in Estonia and Italy.
Apart from the above activities, encouraging activities such as those in the case of Slovenia may be considered best practice; in Slovenia, those practices include giving various prizes to those public/private entities or state institutions whose activities were distinguished in terms of personal data protection throughout the last year.
3.1.5. Amendments Planned by the EU77
Fast technological development and globalization have significantly changed the methods of collecting, using, accessing and protecting personal data. Exchange of information through social networks and storing various data on the internet have become part of everyday life. In this context it is especially important to ensure the protection of the universally recognized right to protection of personal data. Since the incumbent EU-level Directive on personal data protection was enacted 17 years ago, the Directive is unable to respond to the challenges of the 21st century; therefore, a number of amendments have been planned starting from 2009. As of today, two types of legislative drafts have been prepared; the EU Parliament will consider those drafts at the plenary session in April 2014 at the first hearing.78 According to the proposed amendments, the Directive on personal data protection will be transformed into an EU Regulation. Under the incumbent rules, a Regulation, unlike a Directive, does not need to be transposed into national legislation, and its provisions are directly enforceable in the member states. This change is a positive step towards harmonization and towards establishing a uniform approach. As for the second type of legislative act, it too serves modernization of the existing framework decision79 and relates to issues such as personal data processing80 for the purposes of prevention, identification and investigation of violations, criminal prosecution of violators and related court procedures. The goal of the Directive is ensuring proper guarantees in terms of personal data protection in the sphere of criminal law; this implies, despite the specific nature of the issue, applicability of the general rules, considering the elementary rights of the data subject, such as informing the data subject that his/her personal data are being processed and integrating various rules in regard to persons having various legal statuses, be it a witness, a suspect, or another person.
77 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52012DC0009:en:NOT;
78 http://europa.eu/rapid/press-release_MEMO-14-60_en.htm;
79 Framework Decision 2008/977/JHA[16];
80 Directive setting rules on the protection of personal data processed for the purposes of the prevention, detection, investigation, prosecution of criminal offences and related judicial activities;
Apart from the above, the proposed amendments envision a number of novelties; specifically, the data subject will have absolute authority to decide upon issues relating to his/her personal data: the concept of the so-called “Right to be Forgotten” is introduced, which implies that any individual has a right to request complete deletion of the processed information about him/her. The basis for offering the amendment is the practical experience showing that social networks process much more information about an individual (data subject) than he/she expects. It is also to be noted that a request for deletion of the information by an authorized person does not imply complete deletion of the stored information. Therefore, to avoid such risky situations in the future, it is necessary for the legislation to regulate, in a detailed and uniform manner, the obligation of the data processor to process only the amount of data necessary for achieving the purpose, the obligation to undertake all measures to protect the stored data against publication and unauthorized use, and the obligation to completely delete the existing information upon the request of the data subject. The proposed amendments offer another novelty: the obligation to inform the data subject in the case of a violation; the analysis of existing experience has shown the necessity of such an amendment. Specifically, according to the identified tendency, when the person processing the personal data becomes informed of unauthorised access to the processed data by third parties, he/she does not immediately inform the affected individuals (even if the data includes information such as names, surnames, addresses or credit card information).
According to the proposed amendments, it is planned to introduce provisions obliging the data processor to inform the Personal Data Protection Inspector no later than 24 hours from the moment of discovering the violation and, if possible, to inform the data subject; this will allow them to undertake the necessary measures to remedy the situation. In addition, a consent form will be elaborated for internet users (data subjects) to ensure clear and distinct consent in each particular case and to give the data subject the possibility to understand the potential results of his/her actions.
In addition, it is to be considered that in one of the decisions of the EU Court81 it has once again been underlined that personal data protection is not an absolute right and should be considered in the context of other fundamental rights. Therefore, it is planned for the new Regulation to include provisions which will make it possible to consider freedom of expression, unhindered availability of public information, professional secrecy and other similar rights in each particular case. Following all of the above, the planned amendments of the EU in the sphere of personal data protection include a number of innovative approaches aimed at improving the incumbent system and granting more authority to the data subject, as well as at considering all fundamental rights (at any stage of data processing) which might have a decisive impact in each particular case. Therefore, since one of the international aspirations of Georgia is EU membership, it is important to analyze all of the ongoing amendments and, as far as possible, to reflect them in the national legislation in order to establish the best practices which all of the EU member states aspire to achieve. Apart from this, it is also reasonable to consider the above-described experience along with the existing shortcomings, examples of best practices and problematic spheres, which will give us the opportunity to elaborate a clear vision of the system’s future development and improvement.
3.2. Proportionality Test
Since the right to personal data protection is not an absolute right, there are cases in which it is necessary to weigh this right against other fundamental rights. Therefore, it is rather important to have a mechanism which makes such a procedure possible. According to international experience, the so-called public interest test serves this purpose. Usually, the public interest test is a legal norm, part of the Public Information Act, on the basis of which it is possible to obtain public information that is otherwise not subject to disclosure under the legislation, where specific circumstances exist. The examination of the experience of various states has shown that in the majority of cases the legislation neglects the universally recognized right to freely receive information and favors a classification of information according to which the majority of information is not subject to publication, be it a state secret or information protected for reasons of state security, economic stability or maintenance of public order. Introduction of the concept of the public interest test serves as the solution in these circumstances; this test confronts the internationally established rigid and uniform approach and establishes the possibility of making decisions that are relevant to the differences between various situations. There is a diversity of formulations of the public interest test in various legal systems and practical experiences:
• The public interest test of negative nature;
• Public interest test, which prohibits any type of classification of information;
• Public interest test, which is not clearly and distinctly formulated;
• Public interest test, which is clearly and distinctly formulated:
  • The test is either mandatory or represents the discretional authority of the administrative body;
  • The test applies only to specific legal norms (exceptions);
  • The law lists potential public interests;
  • The public interest test balances the public interest against the state interest;
  • The public interest test is defined at the legislative level;
81 Court of Justice of the EU, judgment of 9.11.2010, Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010];
Public Interest Test of Negative Nature – international practice shows that the public interest test is not always used as a tool for accessing public information stored with an administrative body; sometimes it is applied against this purpose. For example, the Public Information Act of Iceland prohibits the publication of official information if such publication contradicts “public interests”. Under the legislation of Iceland, the proportionality test is used only in this negative sense and does not have any other interpretation.
There are cases in which the negative public interest test creates ambiguity. For example, under the Regulation regarding public access to EU documents82, “the public interest” is, on the one hand, used as a means for overcoming the provisions providing exceptions, while on the other hand it is used as a means for impeding access to information in such sensitive spheres as public security, defense or the confidentiality of international relations. Therefore, the public interest test, in the case of such regulations, represents a mechanism of double standards, the practical implementation of which may create certain problems.
The Public Interest Test, Which Prohibits Any Classification of the Information
There is a public interest test which in a number of cases prohibits the classification of any type of information and in other cases prohibits the classification of certain types of information only. The Public Information Act of Estonia approaches the issue from a global perspective and excludes the possibility of providing any exceptions, thereby granting absolute power to the universally recognized human right to freely access information. There is a slightly different regulation in the case of the United States, where there are categories of information, and introducing barriers to accessing specific categories of information is considered to contradict the goals and requirements of the Public Information Act.83 One of the examples relates to the facts of violation of fundamental rights. According to the legislation of Romania, information which may relate to a violation committed by administrative bodies or state institutions should not be classified.
Public Interest Test, Which is not Clearly and Distinctly Formulated
Examination of international practice has shown that many Public Information Acts across different countries do not contain a clearly indicated public interest test. It is especially curious that Sweden and the United States are among such countries. In the case of such developed democracies, the absence of proper regulation of this, at first sight, rather important aspect creates doubt about the necessity of its existence. The answer is clear for countries such as the United States and Sweden, in which open governance and access to information are part of a culture that is indivisible from everyday life; therefore, there is no need for additional declaration of this principle at the legislative level. As for countries which are in the process of building democracy, it is considered that the existence of the public interest test is a guarantee for the proper functioning of the Public Information Act.84
Public Interest Test, which is Clearly and Distinctly Formulated
The legislation of those countries which clearly include the public interest test differs in terms of its formulation. Therefore, one might encounter various approaches, which will be discussed in further detail below.
Obligation or Authority?
There are two types of public interest test in terms of its application: first, one in which weighing the public and the state interests is mandatory in each case, and second, one in which the decision to apply the test is at the discretion of the decision-making authority. The majority of states have implemented the mandatory type of the test in their legislation; however, there are examples85 in which the decision represents the discretional right of the public authority. A public interest test whose application depends upon the discretion of the administrative authority is less effective in terms of practical implementation. There is a high probability that the official responsible for providing public information, who can make the decision independently, will in a number of cases neglect the possibility of applying the public interest test, which clearly creates another barrier to accessing information by interested individuals.
82 Regulation 1049/2001 concerning access to information of the EU institutions;
83 A similar approach is demonstrated by Mexico and Peru in relation to the public interest test formulation;
84 The Model Freedom of Information Act published by the NGO Article 19 (s.22) at http://www.article19.org/data/files/pdfs/standards/modelfoilaw.pdf;
Norms, Providing Specific Exceptions, Which Fall Under the Public Interest Test
The experience of various countries has shown that the clearly defined public interest test covers either all or only specific exceptions. According to the general tendency, the spheres which are of particular sensitivity to the state, such as defense, international relations and economic issues, are usually left beyond the regulation. However, the publication of personal data and commercial secrecy-related information may be considered a sphere of regulation. The number of those norms (exceptions) that are covered under the regulation varies across different countries. For example, while the legislation of Switzerland applies the public interest test to personal data only, in the case of Canada the legislation applies the public interest test additionally to commercial secrets. Belgium is the leading country in this regard: its legislation applies the public interest test to all of the exceptions.
The List of Potential Public Interests, Prescribed Under the Legislation, Which Represent the Precondition for Application of the Test
While under the legislation of a number of countries the preconditions (the public interests) for the application of the proportionality test may vary, the Public Information Acts of a number of countries prescribe an exact list. For example, in the case of Uruguay, the application of the proportionality test is only allowed if the requested public information relates to a violation of basic human rights or serves to avoid such a violation. According to the legislation of South Africa, the test is applied if the information may reveal some kind of violation, or in the case of information which may relate to circumstances posing a risk to the environment and public order. Such a public interest list may include information relating to public order and security, the economic environment in the country, protection of the environment and natural resources, education, trade, agriculture and cultural heritage. In addition, such a list may include information which allows revealing improper conduct or a violation committed by an administrative body or a public entity. Elaborating a specific list of public interests in the legislation draws the attention of the persons responsible for providing public information and ensures that they demonstrate more diligence in providing information relating to the listed topics. However, there is another circumstance: a probability that the exhaustive list will not cover all possible spheres, which, as a result, will impede the practical implementation of the test. Therefore, out of the two proposed solutions, the general definition of the public interest should be favored.
Public Interest Test, Which Balances Public Interest Against the State Interest
The public interest test is characterized by the balance between the state and the public interests; therefore, in some specific cases the test might result in publication of the information, while in others it may result in non-publication. Considering this, the formulation of the provision differs. The proportionality test characteristic of the Public Information Act in the United Kingdom favors publication of the information stored with the administrative body. According to the formulation of the provision, unimpeded access to information does not apply to those exceptions in which the exception is so important that it outweighs the public interest. In such situations, during decision-making, the burden of proof is on the relevant public servant, who must provide firm grounds for his/her argumentation. According to the experience of rather many countries, this approach was chosen in formulating the proportionality test in the Public Information Acts (Australia is one of the examples). The model Public Information Act elaborated by the NGOs includes a similar formulation of the public interest test. According to this formulation of the provision, the administrative authority does not have the right to refuse to provide the requested public information unless it properly justifies that disclosing the information might create serious risks for the state interests and that this outweighs the public interest. In cases when the public interest test is more likely to favor non-publication of official information, the public interest becomes the object of justification. According to the legislation of Australia, Canada, New Zealand and South Africa, during the application of the proportionality test it is to be proven that publication of the information is of such interest to the public that it outweighs the exceptions.
When speaking of the proportionality test which balances public and state interests, it is very important to consider what kind of interest there is and what importance it bears in both cases. Such a provision is not included in the legislation of a number of countries; however, there are cases in which the level of interest that is sufficient for making the final decision is specified. According to the Public Information Acts of Canada and South Africa, the proportionality test is aimed at protection of the information stored with the administrative authority if the grounds “obviously” indicate the need to protect the state interest. Such an indicator may also be “firm public interest”, “unconditionally outweighing”, “clearly indicates”, and others. According to the widespread opinion, it is preferable to have a specific qualitative indicator for justifying both sides of the argument.
85 Canada, China, Japan;
Formulation of Public Interest, Defined at the Legislative Level
The experience of a number of countries has shown that usually the Public Information Act does not include a definition of the public interest. When considering whether or not there is a necessity of defining this term, there is proper justification to support both views.
The fact that the public interest is of an ambiguous nature, changing over time and with circumstances, makes it especially difficult to introduce a definition. There is an expectation that any definition will easily become irrelevant after a certain period of time and with changes in public consciousness. On the other hand, the examination of international experience has shown that the absence of a public interest definition creates certain practical problems86. Specifically, there were cases in which all of the necessary aspects of the proportionality test were met and the only remaining precondition for the final decision-making was a proper definition of the public interest; usually, in such cases, the representative of the administrative authority refrains from disclosing the official information. This naturally impedes the free exercise of the universally recognized human right of access to information. The diversity of public interest definitions across various public institutions is a problematic issue; the definition of the term is mostly dependent on the trainings, law books or Inspector’s guidelines used by public servants in various cases. This approach creates a high probability of different decisions being made on identical cases, even within the same state institution. The issue of making and justifying the decision is also problematic and non-uniform. While in a number of cases the administrative authorities apply general argumentation, in other cases the authorities apply specific fact- and circumstance-based judgment, which includes consideration of future risks and potential outcomes.
In the absence of a public interest definition, the inequality of power between the authority responsible for disclosing the information and the information-seeker should be noted. The representative of the administrative authority has thorough knowledge of the factors and circumstances that are preconditions for both publication and non-publication of the information; therefore, the authority has the potential to properly justify either decision. In the case of the information-seeker, incomplete knowledge may represent an impediment to gaining access to the information. The issue of the public interest definition arose during the Public Information Act reform in Australia. However, since it was considered impossible to define the public interest for each specific case and circumstance, it was decided to refrain from elaborating a definition. The practical experience gained as a result of administering the Public Information Act provides a rather broad definition, and it becomes possible to define the spheres and issues which might represent the public interest. For example, in the case of Australia, the indicators favoring publication of information are the following: information necessary for conducting public debate, information relating to the accountability of public servants, transparency of public finances/expenditure, information relating to the performance of duties by the administrative authorities, information relating to the consideration and decision-making on complaints, information revealing a violation, facts which allow persons to annul their conviction, health-related information and others. It is also possible to list the circumstances which aim at protecting certain information from publication: peril to state security and international relations, information impeding decision-making, interference in the effective performance of duties by the administrative authority and others.
Apart from the mentioned indicators, there are also circumstances which are irrelevant to the publication of official information; for example, that the publicized information may be perceived improperly by society or may result in embarrassment of public servants or state officials.
Listing at the legislative level part of those spheres of public interest which were identified based on the practical experience resulting from administering the Public Information Act may represent a certain solution in this situation. This, on the one hand, will give the administrative authority and the information-seeker an approximate understanding of the essence and goals of the provision, while on the other hand, in the context of a non-exhaustive list, will imply all of the public interests characteristic of the specific spheres. Therefore, the issue of whether or not the Public Information Act should include a public interest definition represents a topic of permanent discussion, and it is preferable to make decisions according to the legislative system and the existing practices of each specific country.
86 The experience of Australia;
Private Interest vs. Public Interest
In terms of the proportionality test it is very important to consider whether it is applicable to the interests of specific individuals. There might be cases in practice in which the information requested by individuals might not clearly represent a public interest, but might still fall under the public interest definition; for example, information requested by an individual for the purpose of protecting his/her rights or proving his/her innocence in court. Since the protection of equality before the law, access to justice and similar universally recognized principles represents a public interest, it may be considered that information supporting the court defense of an individual represents a public interest.
There are different approaches to this issue according to the different experiences of various countries. While in the case of the United Kingdom the public and the private interests are clearly distinguished and it is impossible for the interests of one individual to match the interests of the public, in Australia the recently elaborated Public Information Act offers the reverse approach. Since the provision is newly formulated, it is unfortunately impossible to judge whether its practical implementation is effective or not.
Best Practices
Following all of the above, the experience of various countries makes it possible to elaborate the basic aspects which an effective public interest test must include. First of all, it is notable that the application of such a test should preferably be of a mandatory nature; the test should include all types and categories of information and all types of public interest; it must be formulated in a way that favors publication of official information and must include a non-exhaustive list of preconditions for its application. The proportionality test must exist in a legislative environment in which all state information falls within the regulation of the Public Information Act and a large portion of it does not relate to the cases of exceptions. The existence of the proportionality test, of course, does not exclude the necessity of protecting sensitive information; however, this must be justified in each specific case, considering the interests of the public and the state.
4. CONCLUSION AND RECOMMENDATIONS
The research conducted by the Georgian Young Lawyers' Association revealed that the current legislation of Georgia on personal data protection is not comprehensive and requires additional regulation in a number of areas. There are no sector-specific guidelines or instructions for fields such as labor, healthcare or video surveillance that would provide proper guarantees for the protection of personal data.
It is notable that a number of data processing cases are left outside the scope of the law, such as processing in the course of court proceedings, for purposes of public or state security, state defense, operative-investigative activities and the investigation of offenses; those cases therefore do not fall within the authority of the monitoring body. The law also has shortcomings regarding the appointment and dismissal of the Inspector and the regulation of inspection-related activities: the executive branch plays an especially significant role in these processes; the interests of the parliamentary majority and minority are not taken into account; some aspects of the Inspector's appointment require further specification; the possibility of conducting a preliminary inspection is ambiguous; Georgian legislation does not draw a clear line between a complaint and a request, so there are no distinct rules for the consideration of complaints; the Inspector's conclusions on initiated legislative proposals are not binding; and so on. The legal nature of the Personal Data Protection Inspector is especially problematic, as no legislative act defines it clearly. Since the monitoring body began operating less than a year ago, there is no established practice and a number of legislative provisions have not yet been applied, which makes it impossible to evaluate their effectiveness. Because the legislation of Georgia does not provide for a public interest test, the right to personal data protection is absolute in nature and no exceptions are permitted. Consequently, even where there is a strong public interest, for example in the transparency of budgetary finances, it is impossible to request publication of the personal data of specific persons.
At the same time, such a test would give the Inspector the authority to take a relevant (individual) decision by balancing the public and state interests against each other in each specific case. Unlike Georgian practice, international practice holds that personal data protection legislation must not aim to leave any type of data processing outside the scope of the law. Consideration of the specifics of particular fields therefore requires, first, that those fields be regulated under the general principles of the law and, second, that the Inspector be given authority to carry out inspections and to elaborate specific rules for each case, whether the processing relates to state defense, operative-investigative activities, international relations or public security. International practice also shows the need for specific guidelines in fields such as labor relations, healthcare and video surveillance. As for achieving absolute independence of the monitoring body, apart from a number of guarantees, best practice shows that it is preferable either to regulate the matter at the constitutional level or to define the body's legal nature clearly and distinctly; taken together, this guarantees against any outside influence. It is also notable that active involvement of the legislature in the appointment of the Inspector is necessary. Specifically, the final decision should be taken by consensus of the parliamentary majority and minority, which implies maximum separation of the inspection authority from the executive and underlines its independent nature. According to international experience, the existence of a proportionality test and its application by the monitoring authority is another important matter; it allows the Inspector to weigh the state and public interests in each specific case and to take a final decision on the basis of that analysis. Because the legislation of Georgia does not fully meet the established standards, there is a clear need to initiate certain amendments. Based on its research and analysis, the Georgian Young Lawyers' Association has elaborated the following recommendations:
• The current legislation on the protection of personal data must be revised to eliminate its shortcomings and to provide additional guarantees for ensuring the independence of the inspecting authority.
• Sector-specific regulations establishing specific rules must be elaborated to govern personal data protection in line with the particularities of the various fields.
• The proportionality test must be introduced into the legislation of Georgia in order to balance the right to personal data protection against other fundamental rights and to take account of the public interest.