Working Party on the Protection of Individuals
with regard to the Processing of Personal Data
Adopted by the Working Party on 23 February 1999
Working Document:
Processing of Personal Data on the Internet
1. Introduction
Each new phase of technological development presents a challenge for the protection of personal data and the right to privacy. Past experience such as with the distribution of personal computers, the beginning of telematics applications etc. demonstrates this. The internet forms part of such challenges for the following reasons at least:
- The use of the infrastructure is often directly based on the processing of personal data, such as certain Internet Protocol addresses.
- The services provided over this infrastructure offer new possibilities in particular concerning distribution of information including personal data (e.g. mailing lists, discussion groups, access to databases etc.).
- The technical tools are new, for example browsing software, and they evolve at a rapid rhythm.
- Many actors are also new to new on-line commercial activities involving the processing of personal data and traditional boundaries between different professions are in an equally rapid process of redefinition.
- One of the most challenging uses of the internet is to do business on-line: electronic commerce consists in particular direct selling from business to consumers without any form of intermediary, using new methods of targeting and new means of payment.
- The global dimension is immediately present.
In this complex and, from the data protection view point, controversial context, the national data protection authorities have been working in a pragmatic way for about three years and their experience is gradually being consolidated (see for example their annual reports).
The Working Party has similarly started to address subjects on the application of data protection principles to personal data processing on the internet in a pragmatic way and according to the urgency of the subject emerging at European or international level.
Examples are:
- Anonymity on the internet
- Support of the "Berlin – Budapest memorandum" of the International Working Group on Data Protection in telecommunications
- A first opinion on the P3P project of the World Wide Web Consortium
- Recommendation 1/99 on "Invisible and automatic processing of personal data on the Internet performed by software and hardware", adopted on 23 February 1999.
The issue of data protection and privacy on the internet is also discussed in international fora such as the Council of Europe and the OECD. On the proposal of the European Union to go for global solutions within the framework of the WTO, the WTO has accepted to include data protection in its work programme on trade related aspects of electronic commerce. This subject will be discussed by the Council for Trade in Services which meets regularly with a view to presenting a report by June 1999. The objective is the agreement on basic binding principles allowing for free flow of personal data in world-wide electronic commerce whilst respecting the individual’s right to privacy and thus ensure trust and confidence in electronic commerce.
The European Conference of Data Protection Commissioners held in Dublin on 23 and 24 April 1998, expressed the wish that the Working Party may develop the subject in a more systematic approach to clarify the issues at stake and provide for solutions with a view to contributing to a development of the internet and related services that respects the user's right to privacy and thus provides for confidence and trust both for commercial and private applications. The Commissioners recalled that the rules following from the EU Data Protection legislation fully apply, according to appropriate modalities, to personal data processing on the internet, irrespective of the technical tools used.
2. The relevance of the data protection directives
The Working Party shares the view of the EU Data Protection Commissioners Conference. The Internet is not a legal vacuum. Processing of personal data on the Internet has to respect data protection principles just as in the off-line world. This does not constitute a limitation of the uses of the Internet, but is on the contrary part of the essentials aiming at ensuring trust and confidence of users in the functioning of the Internet and the services provided over it. Data protection on the Internet is thus and indispensable condition for the take-up of electronic commerce.
The general data protection directive 95/46/EC applies to any processing of personal data falling under its scope, irrespective of the technical means used. Personal data processing on the Internet therefore has to be considered in the light of the directive.
The specific directive 97/66/EC on the protection of privacy and personal data in the telecommunications sector complements the general directive 95/46/ECby establishing specific legal and technical provisions.
The Internet is a network of computers open to all. It thus forms part of the public telecommunications sector. The provisions of Directive 97/66/EC therefore apply to the processing of personal data in connection with the provision of publicly available telecommunication services in public telecommunications networks in the Community.
3. The Internet Task Force
The Working Party is conscious that the homogenous application of the data protection directives to processing of personal data on the Internet requires an analysis taking into account in particular both h the technical and legal aspects. The Working Party intends to further contribute to the responses to the many detailed questions which may be raised in this context.
In order to ensure a coherent and homogenous approach to data processing on the Internet , the Working Party has set up the interdisciplinary Internet Task Force whose mandate is to identify the Internet issues which need to be addressed and to prepare the views of the Working Party on them.
The Internet Task Force has already prepared tRecommendation 1/99 of the Working Party on Invisible and Automatic processing of Personal Data on the Internet Performed by Software and Hardware.
The Internet Task Force will continue to work in a more general way on the application of the two directives to personal data processing on the Internet and will come up with proposals on how to implement their provisions in a homogenous way, for example concerning electronic mail services (e-mail) and traffic data on internet.
|
|
Done at Brussels, 23 February 1999
For the Working Party
The Chairman
Peter HUSTINX |
|