Post aus Lateinamerika: Datenschutz
Mehrere Bürgerrechtsorganisationen aus Lateinamerika haben sich zusammengeschlossen, um für einen starken Datenschutz in Europa aufzutreten und haben den Mitgliedern des Innenausschusses im Europaparlament einen Brief geschrieben, den wir hier gerne teilen. Hier der Brief auf Englisch zum Download: Brief auf Englisch.
Dear Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee,
„We are a group of digital and civil rights organisations throughout Latin America, writing to express our full support for your efforts to update, harmonise and strengthen data protection laws in the European Union, through the European Commission’s proposal for a General Data Protection Regulation (COM(2012)11) (“The Regulation”).“
The European Union is a global standard setter. Its privacy and data protection legal framework, in particular the 1995 Data Protection Directive (95/46/EC), has served as a source of great inspiration throughout Latin America. The Regulation therefore has the potential to become the global benchmark on the protection of personal data.
As privacy and data protection are one of the cornerstones of free speech, it is absolutely crucial that the European Union keep in mind the impact that the Regulation will have in countries outside this zone. In fact, data protection laws in Latin American countries are heavily inspired in the diverse legal instruments from countries that are members of the European Union, and therefore, the current discussions regarding the Regulation will certainly impact the data protection levels in Latin America.
We would like to point your attention to four very critical aspects of the Regulation that must be addressed in order to ensure adequate protection of the fundamental rights of individuals in the European Union and around the world.
1. The protection of all personal information, without diluting the concept through „pseudonymisation“
Given rapid advancements in the processing of data, it is not always necessary for a data controller to be able to identify a specific person in order to make decisions that impact on their exercise of the right to data protection, also known in some countries as the right to “informational selfdetermination”. This should be reflected in the definition of “data subject” in Article 4 (1) (i.e. the individual whose personal data is processed) by including the aspect of “singling out”.
Furthermore, a definition of “anonymous data” should be avoided, since such a definition would increase the risk of creating loopholes and grey legal areas, and that from a practical point of view the safety of stored data cannot be guaranteed through anonymization procedures. We strongly caution against the inclusion of pseudonymous data, as this concept could easily dilute the effective protection of personal data through establishing new intermediate categories between “personal data” and nonpersonal data.
2. Recognition that every individual affected by the Regulation has the right to effectively control his or her personal information
This right includes ensuring explicit, strong and informed consent for processing of our personal data (Article 4(8)) and effective data portability in order to promote competition, reduce „lockin“ and achieve informational selfdetermination (Article 18).
3. Avoid exceptions that could undermine the effectiveness of the Regulation
In particular in Article 6 of the Regulation, one of the six legal grounds for processing personal data, the data controller’s „legitimate interest“, is a dangerous loophole that must be amended in order to truly enable individuals control over their personal data. What was originally meant to be a narrow exception has now become the standard justification for many companies’ processing of personal data.
In order to reverse this trend, additional safeguards are needed. The “legitimate interest” clause should only be allowed as a measure of last resort (namely when no other legal ground for data processing exists). It should also be justified and communicated to the public before it is used.
4. Protection against secretive profiling of citizens, both on and offline
The general prohibition should apply to all kinds of profiling, both online and offline. It is also essential to recognise that online identifiers are personal data, as they can “single out” individuals, even if these individuals cannot be named. Suitable safeguards should be put into place in Article 20 and throughout the Regulation. For example, citizens should also have the right to be provided meaningful information about the logic behind the profiling.
The Regulation will further the trend to encourage countries and companies around the world to improve their privacy standards, thereby improving free speech and democracy globally. We need strong, harmonised
data protection standards in order to protect our right to informational selfdetermination and foster trust among consumers and Internet users.
The organizations signing this letter, together with expressing our support to the efforts to update,
harmonize and strengthening the data protection laws in the European Union, express their hope for the Civil Liberties, Justice and Home Affairs Committee of the European Parliament continues the European legacy as a global standard setter and protecting fundamental rights across Latin America and the world.
Ageia Densi (http://www.ageiadensi.org/) Argentina
Asociacio?n Paraguaya de Derecho Informa?tico (APADIT) (http://apadit.wordpress.com/)
Paraguay Asociacio?n por los Derechos Civiles (http://www.adc.org.ar) Argentina
Centro de Tecnologi?a y Sociedad, Fundacio?n Getulio Vargas (http://direitorio.fgv.br/cts)
Brazil Fundacio?n Vi?a Libre (http://www.vialibre.org.ar) Argentina
Identidad Robada (http://www.identidadrobada.com/) Argentina
ONG Ci?vico (http://ongcivico.org/) Chile
ONG Derechos Digitales (http://www.derechosdigitales.org) Chile
Son Tus Datos (http://sontusdatos.org) Mexico