Resolution on future development of data protection and privacy
adopted by
the European Privacy and Data Protection Commissioners´ Conference
29 – 30 April 2010, Prague
The Conference recalls the positive achievements in the area of data protection and appreciates namely that the Lisbon Treaty explicitly recognizes data protection as a fundamental right. Development in this area will deepen trust in the information society.
Notwithstanding the Conference bears in mind that:
- protection of personal data is facing great challenges resulting from the use of new information technologies and globalisation; and
- demand is growing, namely in relation to combating serious crime and terrorism, for secondary use of personal data originally gathered for other purposes.
Taking into account that these facts repeatedly stress the need for an adequate system of data protection arrangements guaranteeing a high and equivalent standard of data protection. Considering the risks of amendments to the legal system in the area of data protection that would reduce the level of data protection or even ignore or circumvent the established principles:
- principle of lawful and fair collecting and processing of data;
- principle of accuracy;
- principle of purpose specification and limitation;
- principle of proportionality;
- principle of transparency;
- principle of involvement, namely guaranteeing the data subject´s right of access and the right of information;
- principle of non-discrimination;
- principle of data security;
- principle of responsibility and accountability;
- principle of independent supervision and legal sanctions;
- principle of adequate level of protection for international data transfers.
The Conference:
- declares that the protection of personal data and privacy must remain an important achievement of our civilisation. It is necessary to maintain the protection of fundamental rights also in the future. It is therefore essential that data protection principles are effectively and consistently complied with to avoid consequences that would result in the permanent surveillance and unrestricted profiling of citizens, which can have undesirable outcomes including the undue categorisation of individuals;
- further declares that the essential principles of personal data protection should continue to apply despite the new challenges mentioned above;
- urges the legislators and other stakeholders to continuously invest in a balanced approach of the issues at stake and the fundamental right to data protection is ensured;
- reiterates its statement at the Krakow Spring conference in 2005 that such challenges should be encountered by tailor made data protection rules for law enforcement;
- welcomes and endorses the recommendations of the Article 29 Data Protection Working Party with regard to the current debate on the future of privacy, with a view to be more effective in the field of data protection in a global environment.
It is particularly necessary:
- to continue to insist at national and EU level on clearly specifying who has responsibility for the processing and protection of personal data. Moreover to insist on having the data subject´s consent as one of the essential requirements for legitimate data processing, and next to insist on strict legal safeguards with regard to the secondary use of personal data. Finally, to strive for keeping any bureaucratic measures concerning personal data processing limited;
- to insist that before new legal measures are adopted and new information technologies introduced, the concept of privacy by design, or if need be a proper and sustainable impact assessment is taken into account so that any potential interference with privacy doesn´t outweigh the genuine added value of the intended legal measure or information technology;
- to strive at both national and EU level for the creation of a comprehensive set of rules for the protection of personal data in all areas (including the fight against crime and terrorism);
- to strive for the adoption of worldwide binding standards for personal data protection building on the international standards elaborated at the 2009 Data Protection Conference in Madrid, and supporting the effort of the Council of Europe to promote the adhesion of third country to the Convention 108 and its additional protocol.