There have been a number of Opinions and Working Documents issued recently at a European Commission level by the Article 29 Working Party. This consists of a representative from each Member State’s supervisory authority for data protection.
Opinion on the level of protection of personal data in Argentina
In October, the Article 29 Data Protection Working Party looked at the protection of personal data under Argentinean law. The Working Party concludes that Argentinean law does provide an adequate level of protection with regard to the processing of personal data. This Opinion is the first step in Argentina being “white-listed”, as a country outside the European Economic Area to which personal data may be transferred. The next step is for a formal decision from the Commission. Other countries that have been white-listed in this way are Hungary, Switzerland, the US safe harbor scheme and Canada (subject to some restrictions).
The Opinion also encourages Argentina to address certain weaknesses in its legal system and requests the European Commission to continue discussing these with the Argentinean Government. It is possible, therefore, that the Commission may take some time before white-listing Argentina.
Working Document on Blacklists
In October, the Article 29 Working Party issued a paper to analyse how “Blacklists” in the EU currently operate in practice and to raise awareness about the data protection issues involved. The use of certain kinds of blacklist (regarding debts, criminal offences and fraud prevention in particular) is widespread in the EU but there are discrepancies in how Member States operate them. This paper makes the case for having uniform, harmonised criteria for processing the personal data on blacklists.
A blacklist is essentially the compilation and dissemination of certain kinds of data on a specific group of people which may have adverse, prejudicial and discriminatory effects for the individuals concerned by barring them from access to a specific service or by harming their reputation.
Legal recognition of these blacklists is based on undertakings’ legitimate need for information about, for example, debtor, solvency and credit records in order to assess credit risks. However, the data subject has an equally legitimate right to data protection. The paper argues that this balance of interests requires that blacklists be subject to the series of safeguards laid down in the Data Protection Directive 95/46/EC and in Member States’ regulations:
(i) the information must be accurate and up to date;
(ii) the citizen must have right of access to his/her data and the right to have mistakes corrected and irrelevant information deleted, especially in respect of criminal offences or convictions;
(iii) blacklists must be operated within a legal framework; and
(iv) mechanisms should be put in place to avoid errors in identifying individuals.
The Working Document will be of interest to any organisation that operates or uses blacklists.
Statement on Mandatory Systematic Retention of Telecommunication Traffic Data
The European Data Protection Commissioners have expressed their concern about proposals which would result in the mandatory and systematic retention of all kinds of telecommunications traffic data to facilitate possible access by law enforcement and security bodies. The Commissioners have grave doubts about the legitimacy, legality and excessive cost of such measures, and noted the absence of equivalent measures in the US. Such disproportionate retention of data would be an infringement of the right to privacy under Article 8 of the European Convention on Human Rights, except in specific cases subject to special safeguards.