magnify
Home Articles posted by Christopher Kuner

Creating International Frameworks for Data Protection: The ICRC/Brussels Privacy Hub Handbook on Data Protection in Humanitarian Action

Published on July 13, 2017        Author:  and

Introduction

The collection and processing of personally-identifiable data is central to the work of both international organisations working in the humanitarian sector (IHOs) and non-governmental organisations (NGOs) in protecting and delivering essential aid to hundreds of millions of vulnerable individuals. With the increased adoption of new technologies in recent years, and the increased complexity of data flows and the growth in the number of stakeholders involved in the processing, there has been an increasing need for data protection guidelines that IHOs and NGOs can apply in their work. This was highlighted first in the 2013 report by Privacy International entitled: “Aiding Surveillance”, and was also recognised by the International Conference of Privacy and Data Protection Commissioners in its Resolution on Privacy and International Humanitarian Action adopted in Amsterdam in 2015 (Amsterdam Resolution).

This need has led to publication of the new Handbook on Data Protection in Humanitarian Action prepared jointly by the Data Protection Office of the International Committee of the Red Cross (ICRC) and the Brussels Privacy Hub, a research institute of the Vrije Universiteit Brussel (VUB) in Brussels. It has been drafted in consultation with stakeholders from the global data protection and international humanitarian communities, including IHOs and humanitarian practitioners, data protection authorities, academics, NGOs, and experts on relevant topics. The drafting committee for the Handbook also included the Swiss Data Protection Authority; the Office of the European Data Protection Supervisor (EDPS); the French-speaking Association of Data Protection Authorities (AFAPDP); the UN High Commissioner for Refugees (UNHCR); the International Organisation for Migration (IOM); and the International Federation of Red Cross and Red Crescent Societies (IFRC).

Content of the Handbook

The Handbook addresses questions of common concern in the application of data protection in international humanitarian action, and is addressed to staff of IHOs and NGOs who are involved in the processing of personal data, particularly those in charge of advising on and applying data protection standards. It is hoped that it may also prove useful to other parties, such as data protection authorities, private companies, and others involved in international humanitarian action. Read the rest of this entry…

 

The Court of Justice of EU’s Judgment on the “Right to be Forgotten”: An International Perspective

Published on May 20, 2014        Author: 

In its judgment published on 13 May in the case C-131/12 Google Spain AEPD and Mario Costeja Gonzalez, the Court of Justice of the European Union (CJEU), Grand Chamber, recognized a “right to be forgotten” with regard to Internet search engine results. Unfortunately, the judgment has important international implications that the Court did not sufficiently consider. In this post, I will put aside the issues of EU data protection law that the judgment raises, and focus instead on its implications for the rights of individuals to use the Internet as a global communications medium. It is important to note that application of the judgment extends beyond particular search engine providers to include any “provider of content which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference” (paragraph 21), which could include Internet archives, social media, news crawler services, and many other types of online services.

The plaintiff in the case complained to the Spanish Data Protection Agency (DPA) against a Spanish newspaper and Google, stating that a Google search brought up a link to the newspaper containing irrelevant information about him, and requesting that the newspaper be required to remove or alter the pages and that Google be required to remove the data from the search results. The DPA found against Google, which then appealed to the Spanish Audiencia Nacional (National High Court). The Spanish court referred the case to the CJEU. On June 25, 2013, Advocate-General Jääskinen recommended that the Court find that it had jurisdiction over Google; that in its role as a search engine provider, Google was a data processor rather than a controller; and that the EU Data Protection Directive 95/46 does not contain a right to be forgotten that could entitle the plaintiff to have his data deleted from search engine results.

In its judgment, the Court differed in several important points from the Advocate-General’s opinion, and reached the following conclusions:

–Google’s branches in the EU are subject to the national data protection law of the EU member states where they are located, since they are “inextricably linked” to the activities of the Google headquarters in the US by virtue of Google Spain selling advertising space on the search engine provided by Google Inc, even if the actual processing is carried out in the US (paragraphs 42-60).

–Search engines are “data controllers” and as such are independently responsible for the personal data they retrieve, store, and display from websites (paragraphs 21-41).

–Under the Directive, there exists a limited right to have search engines delete material from search results (i.e., a “right to be forgotten”), regardless of whether the material indexed was posted legally or whether it is accurate (paragraphs 62-99). Read the rest of this entry…

 
 Share on Facebook Share on Twitter
Comments Off on The Court of Justice of EU’s Judgment on the “Right to be Forgotten”: An International Perspective

Extraterritoriality and the Fundamental Right to Data Protection

Published on December 16, 2013        Author: 

Kuner ChristopehrChristopher Kuner is affiliated with the Brussels office of Wilson, Sonsini, Goodrich & Rosati, and is an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge, and an Honorary Professor at the University of Copenhagen.

Following a series of thoughtful entries by Marko Milanovic, Anne Peters, and Carly Nyst dealing with the extraterritorial application of privacy rights to foreign intelligence surveillance, this post discusses extraterritoriality and the fundamental right to data protection, particularly in the context of the Internet. I will cast my net more broadly than intelligence surveillance, and avoid revisiting points made in those earlier posts.

Since space is limited, I will limit myself to three topics: 1) the distinction between data protection and privacy; 2) the status of data protection in international law; and 3) challenges for the extraterritorial application of data protection rights.

Data Protection and Privacy

Data protection law restricts the processing of personal data, and grants legal rights to individuals in how they are processed. It was developed in Europe in the 1970s and 1980s, and has now spread to all regions of the world.

Data protection and privacy often overlap, but are not identical. Privacy generally protects against intrusion into an individual’s “private space”, whereas data protection regulates the processing of an individual’s personal data, whether or not such data are considered “private”. A good starting point for understanding the distinction between the two concepts in EU law and European human rights law is the article by Juliane Kokott and Christoph Sobotta published recently in International Data Privacy Law. Read the rest of this entry…