Minister of Justice Brax at the IFCLA Conference, Helsinki 10 June
It is a great pleasure to be invited to address this gala dinner.
In my capacity as the Minister of Justice, I would like to pay attention to those challenges that the technological development and the development of information technology in particular pose to privacy and personal data protection.
The protection of personal data is a fundamental right guaranteed for everyone by the Finnish Constitution. Along with the entering into force of the Lisbon Treaty on 1 December 2009, the protection of personal data was raised to the level of a fundamental right in the entire European Union. According to the Article 8 of the Charter of Fundamental Rights of the European Union, personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
The current EU legislation on data protection is based on the Council of Europe Convention on Data Protection concluded in 1981. At the time of the conclusion of the Convention, there were national laws in force in the EU member states of that time concerning privacy, tort, secrecy or confidentiality of sensitive information, but there was a lack of general rules on the processing of personal data.
The objective of the Convention was to strengthen data protection with regard to automatic processing of personal data. Legal rules were considered to be necessary in view of the increasing use of computers. Compared with manual files, automated files had a vastly superior storage capacity and they offered possibilities for a much wider variety of transactions, which they could perform at high speed.
In the beginning of the 1980s, further growth of automatic data processing was expected as a result of the lowering of data processing costs, the availability of "intelligent" data processing devices and the establishment of new telecommunication facilities for data transmission, among other things. It was anticipated that "information power" will bring with it a corresponding social responsibility of the data users.
The principles of the Council of Europe Convention on Data Protection have formed a basis for the current EU Directive on the Protection of Personal Data, which entered into force in 1995. In 2002, the Directive on the Protection of Personal Data was expanded on and supplemented in respect of the communications field by issuing the Directive on Privacy and Electronic Communications.
Around the time of conclusion of the Council of Europe Convention, anyone could have hardly imagined how rapidly different databases and new technologies would become common. The rapidly advancing revolution of the information technologies has been beyond compare.
The technical revolution and globalisation have created a vast array of new and intriguing possibilities, but they have also brought along challenges pertaining, for example, to rights concerning protection of personal data and privacy.
New business models, new ways of producing services and new technologies cause more and more problems in identifying the cases where personal data is actually being processed. It can also be challenging to determine which provisions on processing of personal data should be applied in each case.
Challenges for privacy and protection of personal data are caused for example by social networking websites, e-commerce, on-line storage services, cloud computing, automatic face recognition, nanotechnology, geolocation, and profiling, inclusive of behavioural advertising, just to mention a few.
An example on how easily personal data can end up in wrong hands in the current era of technology is the case concerning Google Street View cars that was revealed a while ago. The cars had unintentionally collected sensitive private data from unprotected wireless networks for several years. The mistake was caused by a wrong programming code, and the company noticed its mistake only when it checked its data due to a request by the Data Protection Ombudsman of Germany.
The European Union is about to tackle these new challenges relating to the protection of personal data.
Last year, the European Commission carried out a public consultation, the purpose of which was to find out whether the current data protection regulation corresponds to the challenges especially brought by the new technologies and globalisation and what kind of measures these challenges call for.
Majority of the 168 citizens, private organisations and authorities that participated in the consultation considered that the current technology-neutral data protection principles are still valid, but they were also of the opinion that the principles should be implemented more effectively.
The Commission is in the process of assessing the feedback it received, and it has announced that it will issue a proposal for a new comprehensive legal framework for data protection this year.
In the future, greater attention will most likely be paid in the sphere of the European Union to the protection of personal data with technical protective measures. The European Data Protection Ombudsmen have suggested that a new "Privacy by Design" principle be introduced. This means that information and communication technologies would be designed and developed so that privacy and data protection requirements are taken into account from the very inception of the technology and at all stages of its development.
The application of the Privacy by Design principle would emphasise the need to implement privacy enhancing technologies, privacy by default settings and tools to enable users to better protect their personal data, for example by encrypting it or by restricting access to it.
Because of the technological development, the cross-border movement of personal data keeps on increasing at an enormous pace. Due to this, making decisions on the principles concerning data protection only within the EU gets more and more difficult. The fact that the European approach does not always correspond to the concepts of other countries brings along new challenges in the global world. Globally recognised general principles of data protection would facilitate the ever increasing movement of personal data. The draft of International Standards on the Protection of Personal Data and Privacy, drawn up in the Madrid International Conference of Data Protection and Privacy in 2009, is an important step towards this direction.
I would like to finish my speech by stating that data processing systems have been created to serve people; the information society must work in accordance with the basic values prevailing in society. Only this way citizens' trust in information and communication technologies can be reached and the natural development of the information society can be secured.