Data protection
January 28, 2011Officials around Europe celebrated "European Privacy Day" on Friday, commemorating the 30th anniversary of the Council of Europe's signing of a 1981 convention that established privacy and data protection guidelines.
On January 28, 1981, the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data," also known as Convention 108, established the first widespread international document on how data is stored, used and shared by governments and businesses.
In a video posted to her website on Thursday, Viviane Reding, the EU Commissioner for Justice, called this convention the "backbone of privacy laws in Europe."
Three decades on, the effects of that convention are still being felt today around the continent.
More recently, many of the ideas from that convention translated into further European Union legislation, including Directive 95/46/EC. In 1995, the directive established that personal data - defined as broadly as possible to include medical, financial, political, sexual or cultural identity - should not be processed by any public or private entity unless certain conditions are met.
It also established that every EU member state must create a data protection authority to monitor the enforcement of the law and to begin legal procedures if necessary.
In 2006, the European Parliament also passed Directive 2006/24/EC, a controversial data retention measure that ordered member states to store telephone, e-mail and Internet usage data, as well as the location of mobile phones for at least six months.
Any EU directive must be passed in each member state by its own national legislation, and while most EU states have complied with the 2006 directive, courts in Germany and Romania have overturned those laws.
New data protection issues continue to arise in northern Europe
In November 2010, Sweden finally introduced legislation to fall in line with the 2006 directive.
However, this week, one Swedish ISP and web host, Bahnhof, said that it was in the process of designing a procedure that would encrypt all traffic automatically over a virtual private network (VPN) for all of its users, thus effectively rendering the pending Swedish law useless.
"This means in practice that we will have storage of data between client and the VPN point," wrote Jon Karlung, the CEO of Bahnhof, in an e-mail sent to Deutsche Welle. "But in practice this data and traffic will be utterly useless since they will not contain anything of importance. We will have no clue what people are doing on the Internet. We will be [like] the mailman of the postal service, and we will, like them, not know what people write in their letters."
He added that the new service would cost five euros extra to its customers, and that it would be implemented "at the latest when the data retention directive becomes operational in Sweden."
Just south of Sweden, in Latvia, a new law is about to go into effect that will establish tighter IT security rules in the wake of a major privacy breach that took place last year.
Nearly one year ago, Latvia was hit by a major security breach at the Latvian State Revenue Service.
A hacker, working under the name "Neo," illegally downloaded 7.4 million documents from the electronic declaration system of the State Revenue Service by finding a major flaw in the way the documents were stored online.
The documents were then leaked to the media and exposed that many Latvian bankers did not take the salary cuts that they had promised and that other state-owned companies awarded bonuses to executives while asking for financial help from the state.
By October, the Latvian parliament passed a new IT security law, which will take effect on February 1, 2011. This marks the first legislation in this Baltic nation that puts a new IT security head at the top of every state institution.
"We will establish the minimal standards for every state and every local government institution in IT security," said Māris Andžāns, the head of the Consultative Council on Security of Electronic Communications and IT, and one of the officials involved in drafting of the legislation.
He told Deutsche Welle that while the country has fire safety rules, there have been no such laws for the use of digital information.
In order to ensure that the officials follow and obey the rules, two present computer security prevention institutions will be merged into a new Cyber-Security Response Agency. The agency will also start operations in February. It will consist of eight IT experts who will keep their eye on the overall situation of IT security and advise the public sector workers about data protection.
Kosovo implements SIM card registration
In a related data security move across the continent, Kosovo’s telecom regulator has decreed that all existing SIM cards must be registered to an owner and connected to an official form of ID by February 28, or face disconnection.
The registrations are designed to help police identify callers who make false reports to emergency services as well as users who illegally reroute international calls to voice-over-IP systems to skirt carriers' tariffs. To comply with the rule, users must submit identification to their mobile phone provider.
In the case of most Kosovars, this is a national ID card, which is linked to things such as pensions.
Kosovo follows other countries across Europe - including Germany, France, and Bulgaria - that usually require such registrations. And like those nations, Kosovo has strong legal provisions to protect the data that is collected from mobile phone users and potentially made available to law enforcement. But they mean very little in practice in Kosovo's case.
"There is not any supportive mechanism to implement this very important part of the law," said Ahmet Hasolli, an attorney at Kalo and Associates in Pristina, Kosovo's capital, in an interview with Deutsche Welle. "In addition, my perception is that citizens are not very familiar with the concept of data protection law."
Kosovo's constitution explicitly protects personal data. A 42-page law adopted in 2010 bolsters this with a stringent set of regulations - guided by rules set from Brussels - on how personal information can be collected, maintained and disclosed, laying out penalties for violations.
However, the agency established by the new law to actually implement and enforce its provisions isn't operational yet.
The result is that Kosovo has "zero" personal data protection, an official in the European Commission Liaison Office to Kosovo said, speaking on the condition of anonymity because he wasn't authorized to talk to the media.
"We have a new country here," the official said of Kosovo, which declared independence from Serbia in February 2008. "You start from scratch."
European data protection policy has origins in Germany
Most of the European and other EU member state privacy and data protection policies have originated from German law. In fact, the first data protection law of any kind in the world was passed in 1970 in the state of Hesse, in central Germany.
That state law became the basis for the Federal Data Protection Law (Bundesdatenschutzgesetz), which passed in 1977, four years before the Council of Europe’s Convention 108. The driving principle of this law is the fact that the collection of any data by either a public or a private entity must be done so with explicit permission.
"Germany has the oldest tradition in data protection," said Thomas Hoeren, a professor of communications law at the University of Münster. "I think it has to do with the Second World War and Nazi experience which showed that there was a lot of control of the population. People are very nervous in Germany of state control and corporate control of data."
However, the German law professor was quick to point out that despite Germany’s influence in Brussels, many Europeans still remain in the dark about what their rights are.
"From the formal point of view, the German data protection standard is the European standard," he said. "But the implemention of the directive is another problem."
Author: Cyrus Farivar
Editor: John Blau