Avis sur la promotion de la confiance dans la société d’information par des mesures d’encouragement de la protection des données et de la vie privée
Protection des données dès la conception
La protection des données dès la conception vise à intégrer la protection des données et le respect de la vie privée dans la conception des activités de traitement et des systèmes d’information, afin de respecter les principes de protection des données. Les organisations sont tenues de prendre en compte la protection des droits des personnes, tant avant que pendant leurs activités de traitement, en mettant en œuvre les mesures techniques et organisationnelles appropriées afin de veiller à ce qu’elles satisfassent aux obligations de protection des données. Afin de s’assurer que ce principe clé du règlement général sur la protection des données est mis en pratique, le CEPD publiera des documents d’orientation.
Avis concernant la communication de la Commission sur le plan d'action pour le déploiement de systèmes de transport intelligents en Europe et la proposition de directive du Parlement européen et du Conseil établissant le cadre pour le déploiement de systèmes de transport intelligents dans le domaine du transport routier et d'interfaces avec d'autres modes de transport, JO C 47, 25.02.2009, p. 6
The EDPS has adopted an opinion on the European Commission's proposed deployment plan for intelligent transport systems (ITS) in Europe that was adopted in December 2008 to accelerate and coordinate their deployment in road transport and their connection with other modes of transport. The deployment of ITS has considerable privacy implications, for instance because these systems make it possible to track a vehicle and to collect a wide variety of data relating to European road users' driving habits.
The EDPS notes that data protection has been taken into consideration in the proposed legal framework and that it is also put forward as a general condition for the proper deployment of ITS. He however underlines that the Commission's proposal is too broad and too general to adequately address the privacy and data protection concerns raised by ITS deployment in the Member States. In particular, it is not clear when the performance of ITS services will lead to the collection and processing of personal data, what are the purposes and modalities for which data processing may take place, or who will be responsible for compliance with data protection obligations.
The EDPS opinion includes the following main recommendations:
- clarification of responsibilities: it is crucial to clarify the roles of the different actors involved in ITS in order to identify who will bear the responsibility of ensuring that systems work properly from a data protection perspective (who is the data controller?);
- safeguards for the use of location technologies: appropriate safeguards should be implemented by data controllers providing ITS services so that the use of location technologies is not intrusive from a privacy viewpoint. This should notably require further clarification as to the specific circumstances in which a vehicle will be tracked, strictly limiting the use of location devices to what is necessary for that purpose, and ensuring that location data are not disclosed to unauthorized recipients;
- "privacy by design" approach: the EDPS recommends to consider privacy and data protection from an early stage of the design of ITS to define the architecture, operation and management of the systems. Privacy and security requirements should be incorporated within standards, best practices, technical specifications and systems.
ITS apply information and communication technologies (satellite, computer, telephone, etc.) to transport infrastructure and vehicles with the intention to make transport safer and cleaner and to reduce traffic congestion. ITS applications and services are based on the collection, processing and exchange of a wide variety of data, both from public and private sources, including information on traffic and accidents but also personal data, such as the driving habits and journey patterns of citizens. Their deployment will also rely to a large extent on the use of geolocalisation technologies, such as satellite-positioning and RFID tags. As such, ITS constitute a "data-intensive area" and raise a number of privacy and data protection issues that should be carefully addressed in order to ensure the workability of ITS across Europe.
Avis sur la communication de la Commission intitulée "Vers une stratégie européenne en matière d'e-Justice", JO C 128, 06.06.2009, p. 13
The Communication aims to propose an e-Justice Strategy that intends to increase citizens' confidence in the European area of Justice. E-Justice's primary objective should be to help justice to be administered more effectively throughout Europe, for the benefit of the citizens. The EU's action should enable citizens to access information without being hindered by the linguistic, cultural and legal barriers stemming from the multiplicity of systems. A draft action plan and timetable for the various projects are annexed to the Communication.
E-Justice has a very wide-ranging scope, including in general the use of ICT in the administration of justice within the European Union. This covers a number of issues like projects providing litigants with information in a more effective way. This includes online information on judicial systems, legislation and case law, electronic communication systems linking litigants and the courts and the establishment of fully electronic procedures. It covers also European projects like the use of electronic tools to record hearings and projects involving information exchange or interconnection.
The EDPS supports the present proposal to establish e-Justice and recommends taking into account the observations made in his opinion, which includes:
- Taking into account the recent Framework decision on the protection of personal data in the field of police and judicial cooperation in criminal matters - including its shortcomings - not only when implementing the measures envisaged in the Communication, but also with a view to starting as soon as possible the reflections on further improvements of the legal framework for data protection in law enforcement;
- Including administrative procedures in e-Justice. As part of this new element, e-Justice projects should be initiated to enhance the visibility of data protection rules as well as national data protection authorities, in particular in relation to the kinds of data processed in the framework of e-Justice projects;
- Maintaining a preference for decentralized architectures;
- Ensuring that the interconnection and interoperability of systems duly takes into account the purpose limitation principle;
- Allocating clear responsibilities to all actors processing personal data within the envisaged systems and providing mechanisms of effective coordination between data protection authorities;
- Ensuring that processing of personal data for purposes other than those for which they were collected should respect the specific conditions laid down by the applicable data protection legislation;
- Clearly defining and circumscribing the use of automatic translations, so as to favour mutual understanding of criminal offences without affecting the quality of the information transmitted;
- Clarifying Commission responsibility for common infrastructures, such as the s-TESTA;
- With regard to the use of new technologies, ensuring that data protection issues are taken into account at the earliest possible stage ("privacy-by-design") as well as fostering technology tools allowing citizens to be in better control of their personal data even when they move between different Member States.
Avis sur la communication de la Commission au Parlement européen, au Conseil, au Comité Economique et Social et au Comité des régions intitulée "L'identification par radiofréquence (RFID) en Europe: vers un cadre politique", document COM(2007) 96, JO C 101, 23.04.2008, p. 1