Abstract
This chapter focuses on the key elements, rules and principles that govern ethnic data collection. It explains that, despite strong encouragement by international and European actors to use this human rights tool for equality and anti-discrimination purposes, States often hide behind an all-too restricted or faulty interpretation of the applicable data protection rules to collect such data. Due consideration is given to the context-dependency of the notions race and ethnicity and the challenges this poses to the definition of racial and ethnic origin for data collection purposes. It is highlighted that the determination of ethnic origin involves both objective and subjective criteria. Furthermore, this chapter expands on the general and special data protection rules contained in the data protection frameworks established, at the levels of the Council of Europe and the European Union, in order to demonstrate that they allow for the collection and processing of sensitive data on racial or ethnic origin, provided that certain conditions are respected and that appropriate safeguards are put in place to prevent misuse of the data and to respect the rights and fundamental freedom of data subjects. It also considers the inclusion of the protection of personal data in the right to private life in the International Covenant on Civil and Political Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. The chapter concludes with the identification of five operational and organisational principles that help to reduce the risk that sensitive data, which has been collected or processed, are misused.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Ringelheim (2011), p. 1684.
- 2.
- 3.
- 4.
Inter-American Convention against Racism, Racial Discrimination and Related Forms of Intolerance (5 June 2013), art. 12.
- 5.
Disaggregated data collection on racial and ethnic groups is, however, implied in several UN instruments, including: Convention on the Rights of the Child (20 November 1989). Convention on the Elimination of All Forms of Discrimination against Women (18 December 1979). International Covenant on Civil and Political Rights (16 December 1966) (ICCPR). International Covenant on Economic, Social and Cultural Rights (16 December 1966). International Convention on the Elimination of All Forms of Racial Discrimination (21 December 1965) (ICERD). Declaration on the Rights of Indigenous Peoples (2 October 2007), arts. 3 and 4. Report of the Permanent Forum for Indigenous Peoples on the Workshop on Data Collection and Disaggregation for Indigenous Peoples (10 February 2014), para. 32.
- 6.
Convention on the Rights of Persons with Disabilities (31 December 2006) (CRPD), art. 31.
- 7.
Id.
- 8.
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 18. Report of the Special Rapporteur on racism, racial discrimination, xenophobia and related forms of intolerance: Follow-up to and implementation of the Durban Declaration and Programme of Action (19 May 2009), paras. 24(a) and (b). Muigai (2000), p. 2. Chapter 2 (Sect. 2.1) focused on the notion discrimination.
- 9.
Refusing to collect such data could in some cases result in the obstruction of the right to information, because of the underlying resistance to document the socio-economic situation of vulnerable groups. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 18 and 41.
- 10.
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 18. Chapter 2 (Sect. 2.1) discussed the notion equality. See also Chap. 4 (Sect. 4.1), which will zoom in on the five main benefits of ethnic data collection.
- 11.
Council Directive 2000/43/EC implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (29 June 2000) (RED), arts. 1 and 2.1.
- 12.
- 13.
- 14.
RED, recital 23 and art. 11.
- 15.
- 16.
- 17.
- 18.
- 19.
RED, recital 6. Resolution of the European Parliament on Non-Discrimination and Equal Opportunities for All—A Framework Strategy (14 June 2006), para. 14. Report of the Special Rapporteur on Contemporary forms of racism, racial discrimination, xenophobia and related intolerance (19 August 2013), para. 45. Report of the Permanent Forum on Indigenous Issues on the twelfth session (12 June 2013), para. 5. Report of the Permanent Forum for Indigenous Peoples on the Workshop on Data Collection and Disaggregation for Indigenous Peoples (10 February 2014), para. 31. Alidadi (2017), p. 16. European Union Agency for Fundamental Rights (FRA) (2011), p. 26. Wrench (2011), p. 1716. Ringelheim (2008/2009), pp. 45 and 46. Rallu et al. (2006), p. 535. Dahal et al. (2007), p. 5. The five main risks of ethnic data collection will be considered in Chap. 4 (Sect. 4.2).
- 20.
Durban Declaration (8 September 2001), paras. 92 and 93. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 1–3 and 8–92. Report of the Permanent Forum on Indigenous Issues on the thirteenth session (6 June 2014), para. 43. Guidance Note of the United Nations Secretary-General on Racial Discrimination and Protection of Minorities (March 2013), para. 23. Report of the Permanent Forum on Indigenous Issues on the second Session (5 June 2003), para. 122. Report of the Permanent Forum on Indigenous Issues on the first Session (2002), paras. 3(b)(c), 6(a)(b) and 31(b). United Nations Statistics Division (UNSD) (2008), para. 2.160. UNSD (2003), p. 2.
- 21.
In general policy recommendations, opinions and periodic country reports, various CoE bodies recommend ethnic data collection in different sectors such as education, employment and policing. Resolution 1740 of the Parliamentary Assembly on the situation of Roma in Europe and relevant activities of the Council of Europe (22 June 2010), arts. 12 and 15.7. Outline for State reports to be submitted under the fourth monitoring cycle of the Framework Convention for the Protection of National Minorities (30 April 2013), para. 5. Advisory Committee on the Framework Convention for the Protection of National Minorities (ACFC), Commentary on Effective Participation of Persons Belonging to National Minorities in Cultural, Social and Economic Life and in Public Affairs (27 February 2008), paras. 29–31 and 127. ACFC, Commentary on Education under the Framework Convention for the Protection of National Minorities (2 March 2006), paras; 10, 15, 18 and 19. European Commission against Racism and Intolerance (ECRI), General Policy Recommendation No. 14: Combating racism and racial discrimination in employment (22 June 2012), paras. 1(e) and 10(a). ECRI, General Policy Recommendation No. 13: Combating Anti-Gypsyism and Discrimination against Roma (24 June 2011), para. 14. ECRI, General Policy Recommendation No. 11: Combating racism and racial discrimination in policing (29 June 2007), paras. 2, 36 and 41–43. ECRI, General Policy Recommendation No. 10: Combating racism and racial discrimination in and through school education (15 December 2006), para. 1(b). ECRI, General Policy Recommendation No. 7: National legislation to combat racism and racial discrimination (13 December 2002), para. 1(a). ECRI, General Policy Recommendation No. 4: National surveys on the experience and perception of discrimination and racism from the point of view of potential victims (6 March 1998), paras. 1, 6 and 9. ECRI, General Policy Recommendation No. 1: Combating racism, xenophobia, anti-Semitism and intolerance (4 October 1996).
- 22.
Resolution of the European Parliament on Non-Discrimination and Equal Opportunities for All—A Framework Strategy (14 June 2006), paras. 13–21 and recitals O to Q. Commission Communication, Joint Report on the application of Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (‘Racial Equality Directive’) and of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation (‘Employment Equality Directive’) (17 January 2014), pp. 5 and 6. Commission Communication, Non-discrimination and equal opportunities: A renewed commitment (2 July 2008), p. 7. European Commission (2004), pp. 22 and 23. Chopin et al. (2014), p. 21. FRA (2012b), para. 63. FRA (2011), p. 17.
- 23.
In 2013, OSF launched the Equality Data Initiative in collaboration with ENAR and Migration Policy Group to increase awareness of and enhance data collection practices in Europe for equality and anti-discrimination purposes by means of research and awareness-raising activities. The project focuses on public education (Bulgaria, Germany, Hungary, Ireland, Romania and Sweden) and public employment (France). Farkas (2017, p. 32) explains that only few non-governmental organisations advocate for ethnic data collection due to the controversies surrounding this equality tool and repeated instances of data misuse. Atanasova (2014), p. 1. ENAR (2014a), pp. 5 and 6. Abdikeeva (2014), pp. 5–33. Lamberts et al. (2014), pp. 5, 10, 11, 14 and 32. ENAR (2014b), pp. 1–20. Chopin et al. (2014), pp. 7, 16 and 30–63. Hermanin and Atanasova (2013). Hermanin and de Kroon (2013), pp. 3, 5, 6, 9, 13, 18, 26 and 28. ENAR (2012), pp. 13–18.
- 24.
- 25.
CERD Committee, General Recommendation No. 25: Gender related dimensions of racial discrimination (20 March 2000), paras. 1–3 and 6. See also: Durban Plan of Action (8 September 2001), para. 94.
- 26.
CESCR Committee, General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12) (11 August 2000), para. 20.
- 27.
ACFC, Third Opinion on Bulgaria (11 February 2014), paras. 53 and 55. ACFC, Third Opinion on Ireland (10 October 2012), paras. 39 and 60. ACFC, Second Opinion on Bulgaria (18 March 2010), paras. 50, 54, 211 and 222. ACFC, Second Opinion on Hungary (9 December 2004), para. 34.
- 28.
ECRI, Third Report on Austria (25 June 2004), para. 77. ECRI, Third Report on France (25 June 2004), para. 114. ECRI, Third Report on Belgium (27 June 2003), para. 55. ECRI, Third Report on Germany (5 December 2003), para. 91. ECRI, Third Report on Norway (27 June 2003), para. 68.
- 29.
Report of the European Parliament on Gender Aspects of the European Framework of National Roma Inclusion Strategies (10 December 2013), para. 15.
- 30.
Commission Communication, Joint Report on the application of Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (‘Racial Equality Directive’) and of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation (‘Employment Equality Directive’) (17 January 2014), p. 5. Opinion of the Advisory Committee on Equal Opportunities for Women and Men on the Gender Dimension of the Inclusion of Ethnic Minorities (November 2007), p. 9. European Commission (2004), pp. 22 and 23.
- 31.
Report of the Open Working Group of the General Assembly on Sustainable Development Goals (12 August 2014), proposed targets 10.3 and 17.18. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 30 and 82. Report of the Special Rapporteur on the right of everyone to the enjoyment of the highest attainable standard of health, Paul Hunt, on his Mission to Sweden (28 February 2007), para. 119. Commission Communication, Non-discrimination and equal opportunities: A renewed commitment (2 July 2008), p. 7. Milcher and Ivanov (2004), p. 7.
- 32.
- 33.
Inter-American Convention against Racism, Racial Discrimination and Related Forms of Intolerance, art. 15(v).
- 34.
Report of the UN Secretary-General on Compilation of guidelines on the form and content of reports to be submitted by States parties to the international human rights treaties (3 June 2009), para. 34. Guidelines on treaty-specific documents to be submitted by states parties under articles 16 and 17 of the International Covenant on Economic, Social and Cultural Rights (24 March 2009), paras. 3(g) and 10. Guidelines for the CERD-specific document to be submitted by States parties under article 9, paragraph 1, of the Convention (13 June 2008), paras. 3, 11, 12 and 19. Report of the Independent Expert on Minority Issues on the Implementation of General Assembly Resolution 60/251 of 15 March 2006 entitled “Human Rights Council” (2 February 2007), para. 78. Guidelines for the treaty-specific document to be submitted by States parties under article 40 of the International Covenant on Civil and Political Rights (4 October 2010), paras. 25 and 34. Durban Plan of Action (8 September 2001), para. 94. CESCR Committee, General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12) (11 August 2000), para. 63. Country examples: CRC Committee, Concluding observations on the United States of America (26 June 2013), paras. 18, 19 and 25(d). CERD Committee, Concluding Observation on Albania (10 December 2001), paras. 12 and 26. Committee on the Elimination of Discrimination against Women (CEDAW Committee), Concluding observations on the Netherlands (5 February 2010), para. 45. Alidadi (2017, p. 17) identifies States’ obligation to report on their country’s human rights situation to international human rights monitoring bodies as one of the wide range of purposes equality data collection can serve. The benefits of ethnic data collection will be considered in Chap. 4 (Sects. 4.1 and 4.2). The significance of international and European monitoring and their role in ethnic data collection will be discussed further in Chap. 4 (Sect. 4.1.4) on the benefits of ethnic data collection and in Chap. 5 (Sect. 5.2.4) on the data sources on Roma in Europe.
- 35.
- 36.
Ramsay (2006), p. 5.
- 37.
Outcome document of the high-level plenary meeting of the General Assembly known as the World Conference of Indigenous Peoples (22 September 2014), para. 10. Report of the Permanent Forum on Indigenous Issues on the second Session (5 June 2003), para. 1.
- 38.
Report of the Permanent Forum on Indigenous Issues on the second Session (5 June 2003), paras. 27, 67, 68, 70 and 122.
- 39.
- 40.
- 41.
This is also true for its predecessor, the European Monitoring Center on Racism and Xenophobia. Regulation 168/2007 of the Council establishing a European Union Agency for Fundamental Rights (15 February 2007), recitals 5–7, 10, 15 and 27 and arts. 1, 4, 6–10 and 29. FRA (2009), p. 19.
- 42.
- 43.
The United Kingdom (UK) and most Central and Eastern European countries collect data on ethnicity in their censuses, while other Member States rely on proxy indicators for ethnicity—such as nationality, mother tongue and birthplace—to collect personal information. Dahal et al. (2007), p. 5. Makkonen (2006), pp. 6, 7, 25 and 78. Makkonen (2010), p. 227. Simon (2007), p. 45. Ringelheim (2006/2007), p. 74. Proxies for ethnicity are further discussed in Chap. 4 (Sect. 4.5) on ethnical identification.
- 44.
- 45.
- 46.
This is the case in Germany and France (allowed for statistical purposes but not for measuring anti-discrimination and diversity because considered in violation of the Constitutional equality principles). In Sweden, exceptions to the prohibition of ethnic data collection for equality and anti-discrimination purposes are allowed, but none have been introduced to date. Abdikeeva (2014), p. 16. Chopin et al. (2014), pp. 40–43 and 45. Wrench (2011), p. 1716. Oppenheimer (2008), pp. 737, 746 and 747. Ringelheim (2008/2009), pp. 48, 87 and 117–126. Cardinale (2007), p. 38. Simon (2007), pp. 9, 56, 57 and 59.
- 47.
The United Nations Principles and Recommendations for Population and Housing Censuses: Results of the Survey on Proposed Changes for the 2020 Census Round prepared by the United Nations Statistics Division (October 2013), paras. 75–77. Alidadi (2017), p. 25. Simon et al. (2015), p. 4. Morning (2005), pp. 1 and 14–22. These issues will be addressed further in Chap. 4 on the benefits, risks, data sources and methods of ethnic data collection.
- 48.
- 49.
- 50.
For instance, France, Germany and southern Member States collect information on nationality in order to distinguish between the national population and foreigners for statistical purposes. Germany and several Central and Eastern European Member States, including Romania and Slovenia, collect ethnic data for minority purposes. The UK and Ireland collect ethnic data for equality and anti-discrimination purposes. Abdikeeva (2014), pp. 15 and 16. Gray (2009), p. 62. European Commission (2008), pp. 70–74. Simon (2007), pp. 42, 46, 47, 62 and 69. Ringelheim (2006/2007), pp. 54–56.
- 51.
- 52.
RED, art. 2. See also art. 21 Charter of Fundamental Rights of the European Union (7 December 2000) (CFEU).
- 53.
Farkas (2017), pp. 4 and 37.
- 54.
- 55.
- 56.
- 57.
The choice of ethnic categories for ethnical classification purposes will be considered in Chap. 4 (Sect. 4.4) and the challenges to the construction of ethnic categories for Roma in Chap. 5 (Sect. 5.3). The different approaches to ethnical identification with one or multiple ethnic categories will be analysed in Chap. 4 (Sect. 4.5) and the appropriateness of these approaches for Roma in Chap. 5 (Sect. 5.4).
- 58.
- 59.
- 60.
Farkas (2017), p. 37.
- 61.
- 62.
Makkonen (2006), p. 74.
- 63.
See the definition of racial discrimination in art. 1.1 ICERD.
- 64.
For instance, how many generations does one go back to determine descent, national or ethnic origin? What is colour? Ethnicity is also a context-dependent notion. For more on the context-dependency and variability of ethnicity, see Sect. 3.2.2. Ethnicity was introduced as a social construct in Chap. 2 (Sect. 2.2).
- 65.
- 66.
Id. at pp. 10–13.
- 67.
- 68.
- 69.
- 70.
- 71.
Ringelheim and De Schutter (2010), p. 84.
- 72.
Makkonen (2006), p. 76.
- 73.
- 74.
- 75.
Not universally accepted, this principle was originally outlined by the Permanent Court of International Justice in Advisory Opinion regarding Minority Schools in Albania (6 April 1935). France is officially colour-blind and denies the existence of ethnic, religious or linguistic minorities within its territory. ECRI, Fourth report on France (29 April 2010) CRI(2010)16, paras. 11 and 12. Dimitras (2004), pp. 2 and 4. Makkonen (2006), p. 76.
- 76.
These criteria must be applied uniformly to ensure equal treatment among different groups. See: Human Rights Committee (HR Committee), General Comment No. 23: The rights of minorities (Art. 27) (8 April 1994), para. 5.2. CERD Committee, General Recommendation No. 24: Article 12 of the Convention Women and Health (27 August 1999), paras. 2 and 3. Makkonen (2010), p. 21. Makkonen (2006), p. 76.
- 77.
Ahmed (2011, p. 21) states that common culture and tradition appear to be defining features of ethnicity, whereas common physical or biological features and a proper language are not. UNSD (2014), p. 170. UNSD (2008), para. 2.162. Simon (2007), p. 9. UN Economic Commission for Europe (UNECE) (2006), paras. 419–423. UNSD (2003), p. 4.
- 78.
EctHR, Timishev v. Russia, Judgment (13 December 2005), para. 55. Gerards (2007), p. 47.
- 79.
Farkas (2017, p. 4) reports that ethnic origin has been interpreted broadly by various international and national courts. Hermanin et al. (2013), p. 5. Dahal et al. (2007), pp. 4 and 13. Simon (2007), pp. 18, 26 and 27. Morning (2005), pp. 1, 5, 21 and 22. UNSD (2003), pp. 4, 5 and 10. UNSD (2008), para. 2.162. Haug (2001), p. 307. See Sect. 2.2.1 on racial origin. See also Chap. 2 (Sect. 2.2) where the notions race and ethnicity were first introduced.
- 80.
- 81.
Hermanin et al. (2013), p. 5. UNSD (2008), para. 2.162. Dahal et al. (2007), pp. 4 and 13. Simon (2007), pp. 18, 26 and 27. Morning (2005), pp. 1, 5, 21 and 22. UNSD (2003), pp. 4, 5 and 10. Haug (2001), p. 307. Methodological difficulties the collection of ethnic data, including ethnical categorisation, will be considered in Chap. 4 (Sect. 4.4).
- 82.
UNSD (2003), p. 10.
- 83.
- 84.
- 85.
ICERD, art. 1.1.
- 86.
Makkonen (2010), p. 21.
- 87.
The EctHR ruled that Russia violated the prohibition of discrimination in art. 14 European Convention for the Protection of Human Rights and Fundamental Freedoms (4 November 1950) (ECHR) in conjunction with a violation of the liberty of movement in art. 2 Protocol 4 to the ECHR, securing certain rights and freedoms other than those already included in the Convention and in the first Protocol thereto (16 September 1963). EctHR, Timishev v. Russia, Judgment (13 December 2005), para. 55. See Chap. 2 (Sect. 2.2.2.3) on race and ethnicity as overlapping social constructs.
- 88.
- 89.
Rallu et al. (2006), p. 531. See, for instance, Bulmer (1996, p. 35), who defines an ethnic group as “a collectivity within a larger population having real or putative common ancestry, memories of a shared past, and a cultural focus upon one or more symbolic elements which define the group’s identity, such as kinship, religion, language, shared territory, nationality, or physical appearance”.
- 90.
Ringelheim (2008/2009), pp. 91 and 92.
- 91.
Ringelheim and De Schutter (2010), p. 90.
- 92.
This rule was introduced in Sect. 3.2.2.
- 93.
- 94.
- 95.
- 96.
- 97.
- 98.
- 99.
- 100.
Art. 4.2 GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Art. 2(b) Convention 108+ defines it as “any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data”.
- 101.
Alidadi (2017), p. 20. This will be discussed further in Sect. 3.5 on special data protection rules that apply to sensitive data categories. The violation of privacy and data protection rules will be identified as one of the five main risk of ethnic data collection in Chap. 4 (Sect. 4.2.5). See also Chap. 5 on restricted interpretation of data protection rules in the framework of data collection on Roma (Sect. 5.7) and on the need for genuine political will (Sect. 5.8.3).
- 102.
The wording might differ slightly though. For instance, some first States impose a general prohibition of sensitive data processing (France; Denmark), whereas other prefer introducing conditions without imposing a general prohibition (Austria; Czech Republic; Estonia; Norway; Slovenia). Most national laws require written consent for personal data collection and processing. Cardinale (2007), p. 38. Simon (2007), pp. 10, 23 and 46.
- 103.
- 104.
- 105.
- 106.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (28 January 1981) (Convention 108).
- 107.
The Protocol amending Convention 108 (10 October 2018) was opened for signatures by the Contracting States to Convention 108 on 10 October 2018. As of 9 May 2019, 27 States had signed but not yet ratified the Protocol amending Convention 108. The special conditions regarding the entry into force of the Protocol, as included in art. 37, have not yet been fulfilled. For an up-to-date overview of ratifications and signatures, see: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/223/signatures (Accessed 9 May 2019). See Chap. 2 (Sect. 2.6.2.2) for a brief overview of the review process of the European data protection framework.
- 108.
Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (27 April 2016) (GDPR) entered into force on 24 May 2016 and has applied directly in national legislation of the Member States since 25 May 2018. See Chap. 2 (Sect. 2.6.3.2) for a brief overview of the review process of the EU data protection framework.
- 109.
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (24 October 1995) (Former Directive 95).
- 110.
ECSR, European Roma Rights Centre v. Italy, Decision (7 December 2005), para. 23. ACFC, Commentary on Effective Participation of Persons Belonging to National Minorities in Cultural, Social and Economic Life and in Public Affairs (27 February 2008), paras. 31 and 127. ECRI, General Policy Recommendation No. 1: Combating racism, xenophobia, anti-Semitism and intolerance (4 October 1996). ACFC, Third Opinion on the Russian Federation (24 November 2011), paras. 35 and 48. ACFC, Third Opinion on Hungary (18 March 2010), paras. 19, 38 and 62. ACFC, Second Opinion on the Czech Republic (24 February 2005), para. 37. ECRI, Fourth report on Hungary (20 June 2008), para. 191. ECRI, Third report on Denmark (16 December 2005), para. 102. ECRI, Third report on Bulgaria (27 June 2003), para. 73.
- 111.
Resolution of the European Parliament on Non-Discrimination and Equal Opportunities for All—A Framework Strategy (14 June 2006), art. 13.
- 112.
This is reflected in the ENAR Shadow Reports of France, Hungary, Spain, Luxembourg, Slovakia, Croatia, Turkey, Italy, Belgium, Poland, Greece, Ireland, the Czech Republic, Latvia, Austria, Bulgaria, the Netherlands, Finland, Lithuania, Germany and Portugal. An overly protective reading of the applicable data protection requirements hinders equality data practices, especially so when such efforts involve sensitive data, including data on racial and ethnic origin. Alidadi (2017), p. 20. Lamberts et al. (2014), p. 11.
- 113.
This has consequences for the protection of minorities, because the implementation of special measures for specific minority groups, including Roma, becomes very difficult without disaggregated data on ethnicity in various areas of socio-economic life. End-of-mission statement on Romania, by Professor Philip Alston, United Nations Human Rights Council Special Rapporteur on extreme poverty and human rights (11 November 2015). The data protection rules that apply to sensitive categories of data will be analysed in Sect. 3.5.
- 114.
In 2010, the HR Committee expressed such concern regarding the Hungarian act LXIII on the Protection of Personal Data and Public Access to Data of Public Interest, because “prohibits the collection of disaggregated personal data of any kind”. HR Committee, Concluding Observations on Hungary (16 November 2010), para. 6.
- 115.
End-of-mission statement on Romania, by Professor Philip Alston, United Nations Human Rights Council Special Rapporteur on extreme poverty and human rights (11 November 2015).
- 116.
- 117.
General data protection rules applies to all sorts of personal data will be analysed in Sect. 3.4.
- 118.
Special data protection rules applying to sensitive categories will be analysed in Sect. 3.5. Chapter 2 (Sect. 2.2) took a closer look at to he notions race and ethnicity. Section 3.2 considered how to define racial and ethnic origin for data collection purposes, and this will be developed further in Chap. 4 (Sect. 4.4) on ethnical categorisation as the first method of ethnic data collection practices.
- 119.
- 120.
Exceptions to the general data protection principles are possible, provided that they are included in national law and that they constitute necessary and proportionate measures in a democratic society for a range of purposes included in art. 11.1 Convention 108+ and art. 23.1 GDPR, including an open-ended provision on the protection of other essential or important objectives of general public interest.
- 121.
Convention 108+, art. 5.3. Convention 108, art. 5(a). GDPR, art. 5.1(a).
- 122.
The burden of proof regarding the legitimacy of data processing falls on data controllers. Convention 108+, art. 10.1. GDPR, art. 5.2. See Sect. 3.4.9 on accountability. Within the CoE framework, the controller is “the natural or legal person, public authority, service, agency or any other body which alone or jointly with others has decision-making power with respect to data processing” (art. 2(d) Convention 108+). Within the EU framework, the notion refers to “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (art. 4.7 GDPR).
- 123.
GDPR, art. 6. Convention 108+, art. 5.2.
- 124.
Former Directive 95, arts. 6 and 7. Commission Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Commission Proposal GDPR) (25 January 2012), arts. 5 and 6. De Hert and Papakonstantinou (2012), p. 135.
- 125.
Art. 5.1(a) GDPR states that the requirement of lawful processing equals the lawfulness requirement, which is considered in article 6 entitled ‘Lawfulness of processing’. See also the Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 48), which clarifies that the conditions for legitimate processing are set out in arts. 5.3 (“Personal data undergoing processing shall be processed lawfully”) and 5.4.
- 126.
Convention 108+, art. 5.2. GDPR, article 4.11. Consent is also explicitly mentioned in art. 8.2 CFEU, though this has been criticised. See, for instance: Rouvroy and Poullet (2009), pp. 71–74.
- 127.
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), pp. 2, 7 and 34. Chapter 2 (Sect. 2.5.2) underlined the focus on self-determination in the right to privacy. Article 29 Working Party and its replacement by the European Data Protection Board (EDBP) were discussed in Chap. 2 (Sect. 2.6.5.1) on the notion personal data protection. As explained there, the EDPB endorsed the GDPR-related guidelines of Article 29 Working Party in May 2018.
- 128.
- 129.
- 130.
It is unclear why consent is not mentioned in Convention 108 (except in art. 15 on mutual assistance). Consent takes up an important place, however, in various Recommendations of the Committee of Ministers. Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), p. 4.
- 131.
Free, informed and unambiguous consent is cited as one possibility to render personal data processing lawful if there is also a legal basis for such processing. Consent can be withdrawn or suspended at any time and without retroactive effect. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 4.3 and 6.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), paras. 67, 71, 83, 84(a) and 84(c). The role of recommendations within the CoE data protection framework was considered in Chap. 2 (Sect. 2.6.2.1).
- 132.
The data subject’s consent was defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. Former Directive 95, arts. 2(h) and 7(a).
- 133.
- 134.
- 135.
FRA and CoE (2014), p. 57.
- 136.
The written consent required by some national laws could be problematic regarding the anonymity requirement. Simon (2007), p. 23.
- 137.
Whether sufficient information is provided, must be determined on a case-by-case basis. FRA and CoE (2014), p. 60.
- 138.
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), p. 12.
- 139.
Former Directive 95, art. 2(h). FRA and CoE (2014), p. 60.
- 140.
FRA and CoE (2014), p. 61.
- 141.
Reding (2012), pp. 124 and 125.
- 142.
Id.
- 143.
- 144.
- 145.
- 146.
Convention 108+, art. 5.2. GDPR, article 4.11. Whereas the GDPR includes a definition of consent in art. 4.11, Convention 108+ does not.
- 147.
Written consent can be given electronically. GDPR, recital 32 and article 4.11. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 42.
- 148.
Commission Proposal GDPR (25 January 2012). Traung (2012), p. 38.
- 149.
Mere silence, pre-ticked boxes, pre-validated forms or inactivity do not constitute consent. GDPR, recital 32. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 42.
- 150.
GDPR, recital 32 and art. 6.1(a). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 42. The purpose specification requirement is considered in Sect. 3.4.4.
- 151.
- 152.
This also includes respect for the proportionality of data processing, which will be discussed in Sect. 3.4.5 on data minimisation. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 44.
- 153.
GDPR, art. 7.1.
- 154.
- 155.
De Hert and Papakonstantinou (2012), p. 135.
- 156.
Convention 108+, art. 5.2. GDPR, art. 4.11. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 42) clarifies that there may be no (in)direct undue influence or pressure. Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011, p. 12) states that consent must be given without deception, intimidation or coercion.
- 157.
GDPR, art. 7.3.
- 158.
GDPR, art. 7.3. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 42) explains that consent can not be considered to have been given freely if the data subject cannot withdraw consent without prejudice.
- 159.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 45. The right to object will be reviewed in Sect. 3.4.3.2 on the transparency of personal data processing.
- 160.
Several Member States have lowered the minimum age of consent. For instance, it is 15 years in France and 13 years in the UK and Belgium (for information society services). GDPR, art. 8.
- 161.
De Hert and Papakonstantinou (2012), p. 136. In the European data protection framework, the notion processor refers to “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. See: Convention 108+, art. 2(f) (also includes to a service). GDPR, art. 4.8.
- 162.
GDPR, art. 83.5(a).
- 163.
Zanfir (2014), pp. 241 and 242.
- 164.
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), pp. 2, 7 and 34.
- 165.
Convention 108+, art. 5.2. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 41. Contrary to Convention 108+, the lawfulness of processing is not further developed in art. 5(a) Convention 108, which merely states that “(p)ersonal data undergoing automatic processing shall be obtained and processed fairly and lawfully”. Art. 8.2. CFEU also requires consent of the data subject “or some other legitimate basis laid down by law”.
- 166.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 46.
- 167.
Different articles apply to the processing of sensitive data, as will be discussed in Sect. 3.5.
- 168.
GDPR, art. 6.
- 169.
Arts. 6.1(b)–(f) GDPR did not substantially change these non-consent based options for lawful processing previously included in former arts. 7(b)–(f) Directive 95. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 46. Suggested further reading on these lawful ground for data processing, see: FRA and CoE (2018), pp. 151–159.
- 170.
See Sect. 3.5.
- 171.
GDPR, art. 85.2. Recital 153 GDPR refers to the right to freedom of expression and information in art. 11 CFEU, the content of which is similar to art. 10 ECHR following art. 52.3 CFEU. Former Directive 95 already included a similar provision in art. 9 for journalistic, artistic or literary expression purposes; recital 37 referred to the right to freedom of information and the right to receive and impart information in art. 10 ECHR.
- 172.
Art. 11.1(b) Convention 108+ stipulates that exceptions are allowed if they have a legal basis, respect the fundamental rights and freedoms’ essence and are a necessary and proportionate measure in a democratic society for “the protection of the data subject or the rights and fundamental freedoms of others, notably freedom expression”. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 96) expands further on the issues and provides some examples, including “freedom of expression of journalistic, academic, artistic or literary expression, and the right to receive and impart information, confidentiality of correspondence and communications, or business or commercial secrecy and other legally protected secrets”, which “should apply in particular to processing of personal data in the audio-visual field and in news archives and press libraries”. Notions related to the right to freedom of expression, including journalism, should be interpreted broadly.
- 173.
Convention 108+, art. 11.1(b). GDPR, recital 153.
- 174.
An example could be binding those collecting and working with the data to be bound by a professional secrecy obligation. Safeguards will be considered in Sect. 3.7.1. GDPR, art. 89.
- 175.
See, among other, derogations in EU or national law to data subjects’ right of access to their personal data and their right to rectification, their right to restriction of processing and their right to object. This will be considered in Sect. 3.4.3 on the transparency of personal data processing. FRA and CoE (2018), p. 340.
- 176.
Convention 108+, art. 5.4(a). Convention 108, art. 5(a). GDPR, art. 5.1(a). Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 9.1. See also CFEU, art. 8.2.
- 177.
- 178.
See Sect. 3.4.3 on transparency as the third general data protection rules.
- 179.
The close connection between both data protection rules is also emphasised in Convention 108+, with art. 5.4(a) demanding personal data to be “processed fairly and in a transparent manner” and art. 8.1 stipulation that controllers must provide data subjects with “any necessary additional information in order to ensure fair and transparent processing of the personal data”. Clifford and Ausloos (2018), pp. 138 and 139. Transparency of processing, including the types of information that controllers must give to data subjects, will be considered in Sect. 4.3.4.
- 180.
Clifford and Ausloos (2018), p. 140.
- 181.
Id.
- 182.
See Sect. 3.4.3 on transparency as the third general data protection rule.
- 183.
FRA and CoE (2018), p. 118.
- 184.
Clifford and Ausloos (2018), pp. 138–140.
- 185.
- 186.
Convention 108+, art. 10.1. GDPR, art. 5.2. See Sect. 3.4.9.1 on accountability.
- 187.
- 188.
Clifford and Ausloos (2018), p. 140.
- 189.
Id.
- 190.
Clifford and Ausloos (2018), pp. 140 and 141.
- 191.
FRA and CoE (2018), p. 119.
- 192.
Clifford and Ausloos (2018), p. 186.
- 193.
Id.
- 194.
- 195.
De Hert and Papakonstantinou (2012), p. 134.
- 196.
- 197.
Gellert et al. (2013), p. 70.
- 198.
Convention 108+, art. 8. GDPR, arts. 12 and 13.
- 199.
Opinion 2/2017 of Article 29 Data Protection Working Party on data processing at work (8 June 2017), p. 23.
- 200.
Convention 108+, art. 9.1(b). GDPR, art. 15. FRA and CoE (2018), p. 120.
- 201.
Convention 108+, art. 9.1(b). GDPR, art. 15.1.
- 202.
Convention 108+, art. 9.1(b). GDPR, art. 1.5.1. Art. 8.2 CFEU also includes the right of access to one’s personal data.
- 203.
It will be considered in Sect. 3.4.3.2 how data subjects can exercise control over the processing of their personal data.
- 204.
Convention 108+, art. 9.1(b). See, similarly, arts. 12.3–12.5 GDPR.
- 205.
This period can be extended by 2 months if this is considered necessary, taking into consideration the complexity and numbers of requests. GDPR, art. 12.3.
- 206.
This could range from the need to safeguard national security to protecting judicial investigations and prosecutions and the protection of public (economic and/or financial) or private interests. GDPR, arts. 15.3 and 15.4. See, similarly, Convention 108+, art. 11.
- 207.
GDPR, recital 63. The lawfulness of personal data processing was considered in Sect. 3.4.1.
- 208.
Convention 108+, art. 9.1(b). In certain specific conditions, including in case of excessive requests, controllers may exceptionally charge a reasonable fee, which may not prevent data subjects from exercising their rights. Manifestly unfounded or excessive requests, particularly so when there are repetitive, may be refused provided that the controller or processor justifies such a refusal. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 76.
- 209.
GDPR, art. 15.1. Several of these rights will be discussed in Sect. 3.4.3.2 on data subjects’ exercise of control over their personal data.
- 210.
Convention 108+, art. 9.1(c). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 77. GDPR, art. 15.1(h). Following arts. 13.2(f) and 14.2(g) GDPR, data subjects must also be informed meaningfully about the significance and the envisaged consequences for data subjects of such processing. For more on this, see Sect. 3.4.3.2 on data subjects” right not to be subject to decisions based on automated processing, which also includes a definition of profiling.
- 211.
FRA and CoE (2018), p. 207.
- 212.
Convention 108+, art. 8.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 68. GDPR, art. 12.
- 213.
GDPR, recital 39.
- 214.
Arts. 13.1(b) and 14.1(b) GDPR add that, where applicable, data subjects must also receive the data protection officer’s contact details.
- 215.
Controllers that intend to further processing for other purposes than the ones for which the data were obtained must inform data subjects about that other purpose and other relevant information prior to performing such further processing. See GDPR, arts. 14.3 and 14.4. As explained in Sect. 3.4.1.1, new consent will be required for processing for different purposes.
- 216.
Convention 108+, arts. 8.1, 9.1(f) and 12. GDPR, arts. 13.1(a)–(f) and 14.1(a)–(f). In addition to the right of access discussed previously in this section, the data subjects’ rights, including their right to data rectification, data erasure, data portability as well as their right to restrict processing and to object to the processing of their personal data, will be discussed further in Sect. 3.4.3.2.
- 217.
GDPR, arts. 13.2(f) and 14.2(e). See also: Convention 108+, arts. 9.1(f) and 12.
- 218.
According to art. 8.1 Convention 108+, this could include “the preservation period, the knowledge of the reasoning underlying the data processing, or information on data transfers to a recipient in another Party or non-Party (including whether that particular non-Party provides an appropriate level of data protection, or the measures taken by the controller to guarantee such an appropriate level of data protection)”.
- 219.
Arts. 13.2 and 14.2 cite information on data storage, the existence of their right to request access, rectification or erasure of personal data, restriction of processing, to object to processing and the right to data portability, as well as the right to withdraw consent at any time if consent formed the lawful basis for the data collection. The rights of the data subject will be analysed in Sect. 3.4.3.2.
- 220.
The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 70) states that the provision of information may be done at a later stage if it is impossible at the start of the processing operation. Within the EU framework, art. 14.3 GDPR determines in case the personal data were collected from third parties, data controllers must give the information to the data subjects within a reasonable period of obtaining their data and the latest within 1 month. In case of the use of personal data for communication with the data subject/for disclosure to another recipient/for further processing for another purpose than the inital one, the information must be given at the latest at the time of the first communication/first disclosure/prior to that further processing.
- 221.
Art. 9.1(b) Convention 108+ requires communication in an intelligible form, which “applies to the content as well as to the form of a standardised digital communication”. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 76. GDPR, recital 39.
- 222.
GDPR, recital 39. FRA and CoE (2018), p. 218.
- 223.
Convention 108+, art. 9.1(b). GDPR, arts. 12.1 and 13. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 68) clarifies that any appropriate format suffices to provide information to data subjects, “as long as the information is fairly and effectively presented to the data subject” in an “easily accessible, legible, understandable” way. Furthermore, the language used must be adapted based on the relevant data subjects. For instance, the language used to inform adults about data processing operations will differ from the language used to inform children.
- 224.
GDPR, arts. 13 and 14. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 68. The informing of data subjects via any available, reasonable and affordable manes may be done individually or collectively. Collective means could include a public notice or a website. See: Convention 108+, art. 8.2. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 70. GDPR, art. 13.4.
- 225.
Convention 108+, art. 8.2. GDPR, art. 13.4.
- 226.
Indirect data collection concerns data collection through third parties. Convention 108+, art. 8.3. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 69. GDPR, arts. 13.4 and 14.5.
- 227.
The reason for this could be legal (eg. criminal investigation) or practice (eg. processing of pictures without names or contact details). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 69. GDPR, art. 12.2.
- 228.
The GDPR includes a broad interpretation of the processing of personal data for scientific research purposes, “including for example technological development and demonstration, fundamental research, applied research and privately funded research” as well as “studies conducted in the public interest in the area of public health”. GDPR, recital 159. Within the framework of Convention 108+, the processing of data for scientific research purposes is interpreted as aiming “at providing researchers with information contributing to an understanding of phenomena in varied scientific fields (epidemiology, psychology, economics, sociology, linguistics, political science, criminology, etc.) with a view to establishing permanent principles, laws of behaviour or patterns of causality which transcend all the individuals to whom they apply”. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50.
- 229.
Historical research also includes genealogical research. GDPR, recital 160. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50.
- 230.
Another situation that justifies an exception to controllers’ obligation to provide information to data subjects concerns professional secrecy obligation regulated by law that require personal data to be kept confidential. See arts. 14.5(b) to 14.5(e) and 89.2 and 89.3 GDPR. See also art. 11 Convention 108+, which puts down the strict conditions that must be adhered to to restrict data subjects’ rights. Public interest will be discussed more in-depth in Sect. 3.5 when reviewing sensitive data processing.
- 231.
GDPR, recital 157.
- 232.
- 233.
The lawfulness of processing was analysed in Sect. 3.4.1.
- 234.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 71.
- 235.
The repetitive character of requests may play a role in this. It falls on the controller to demonstrate requests’ manifestly unfounded or excessive character. Another option is that controllers charge a reasonable fee in such situations. GDPR, art. 12.5. For excpetions and restrictions to the rights of the data subject within the CoE framework, see: Convention 108+, art. 11.
- 236.
- 237.
It mainly remains a national competence. Former Directive 95 also included a discretionary framework with regard to the adoption of research exemptions.
- 238.
The application of such rights might make it very hard or impossible to achieve the research’s legitimate purpose. FRA and CoE (2018), pp. 339–340.
- 239.
It concerns data subjects’ right of access, right to rectification, right to restriction and right to object. This was done based on art. 89 GDPR. Which of the 12 safeguards a controller adopts, will depend on the nature, scope, context, purposes and degree of risk of processing. Safeguards could include, among others, the implementation of anonymisation or pseudonymisation measures, the performance a data protection impact assessment, the adoption of a code of conduct, and/or the carrying out of regular audits. The controller must document and justify the choices made for each research project. Luxembourg, Act on the organisation of the National Data Protection Commission and the general data protection framework (1 August 2008), art. 65.
- 240.
The inaccuracy can concern the wrong spelling of a name or a change of address. For more significant legal inaccuracies, including the legal identity or the place of residence of a data subject, controllers may demand proof, provided that this does not place an unreasonable burden on data subjects as this would be prevent data subjects from exercising their right to rectification. Convention 108+, art. 9.1(e). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 72. GDPR, arts. 12.5 and 16. This right is also included in art. 8.2 CFEU. FRA and CoE (2018), p. 220. De Hert and Papakonstantinou (2012), p. 137.
- 241.
For instance, this could be relevant in the context of proceedings before a public authority, where data subjects could ask to include a supplementary statement indicating the contestation of data accuracy while awaiting an official decision. GDPR, art. 16. FRA and CoE (2018), p. 221.
- 242.
As will be explained in Sect. 3.4.6, data accuracy constitutes one of the genearl data protection rules that apply to all sorts of personal data.
- 243.
Realisation of this right should happen upon request, free of charge and without excessive delay. Convention 108+, art. 9.1(e). GDPR, arts 12.5 and 17.
- 244.
See Sect. 3.4.5 on data minimisation and the demand for adequate, relevant and limited data.
- 245.
Convention 108+, art. 9.1(e). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 72. The lawfulness of personal data processing was discussed in Sect. 3.4.1. See also Sect. 3.4.9 on the accountability rule, where it is explained that controllers must be able to demonstrate compliance with the lawfulness rule at all times.
- 246.
This obligation ceases to exist in case it is impossible to inform the recipients of the original information or if doing so would requires disproportionate efforts. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 81.
- 247.
GDPR, art. 17.1.
- 248.
The available technology and cost of implementation must be taken into account when implementing this obligation. Erasure includes any links to as well as any copies or replications of those personal data. GDPR, art. 17.2.
- 249.
Art. 17.3(c) GDPR limits this to the area of public health, whereas art. 11.1(a) Convention 108+ contains the open category “other essential objectives of general public interest” in addition to the ones explicitly included in the provision. Public interest will be considered more in-depth in Sect. 3.5 on sensitive data processing.
- 250.
Convention 108+, art. 11. GDPR, art. 17.3. The GDPR also cites personal data processing to comly with a legal obligation that requires processing and to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller, as exceptions to the right to be forgotten.
- 251.
See Guidelines of Article 29 Data Protection Working Party on the implementation of the CJEU judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (24 November 2014), pp. 5 and 12. Suggested further reading: FRA and CoE (2018), pp. 224–226.
- 252.
The right to object will be discussed further on in this section.
- 253.
In automated filing systems, processing restrictions should be ensured by technical means that prevent further processing of, or changes to, the personal data. Restrictions to the processing should be clearly indicated in the system. GDPR, recital 67.
- 254.
GDPR, art. 18.2.
- 255.
GDPR, art. 18.2. For more on public interest, see Sect. 3.5.
- 256.
GDPR, art. 19. See, similarly, regarding data rectification and erasure: Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 81.
- 257.
GDPR, art. 18.3.
- 258.
GDPR, art. 20.1. Former Article 29 Working Party developed guidelines on this right. See: Guidelines of Article 29 Data Protection Working Party on the right to data portability (13 December 2016; revised 5 April 2017). Convention 108+ does not include a corresponding right.
- 259.
GDPR, art. 20.1.
- 260.
GDPR, art. 20.2.
- 261.
GDPR, recital 68.
- 262.
Id.
- 263.
GDPR, art. 201.1.
- 264.
Data processing may be necessary for the controller to comply with a legal obligation or to perform a task carried out in the public interest or int he exercise of an official authority vested in him or her. GDPR, recital 68 and art. 20.3.
- 265.
GDPR, art. 20.4.
- 266.
Convention 108+, art. 9.1(d). GDPR, arts. 6.1(e)–(f) and 21.1. Profiling will be defined when discussing the next right of data subjects, namely their right not to be subject to decisions based solely on automated processing. Public interest will be considered in Sect. 3.5.
- 267.
GDPR, arts. 21.2 and 21.6.
- 268.
GDPR, art. 21.5.
- 269.
FRA and CoE (2018), p. 232.
- 270.
Prior processing operations remain legitimate. GDPR, arts. 21.1 and 21.3.
- 271.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 79.
- 272.
Data processing for the establishment, exercise or defence of legal claims or for reasons of public safety could constitute such an overriding legitimate ground. Convention 108+, art. 9.1(d). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 78. GDPR, art. 21.1.
- 273.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 78.
- 274.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 80. Lawfulness of personal data processing was analysed in Sect. 3.4.1.
- 275.
GDPR, arts. 21.2 and 21.6. Convention 108+, art. 11.1(a). Public interest will be discussed in Sect. 3.5.
- 276.
Convention 108+, art. 11.2 (also mentions archiving purposes in the public interest. GDPR. GDPR, art. 89.
- 277.
GDPR, art. 89.
- 278.
Convention 108+, art. 11.2.
- 279.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 97.
- 280.
FRA and CoE (2018), p. 233.
- 281.
GDPR, art. 4.(4).
- 282.
GDPR, arts. 12, 13.2(f) and 14.2(g). See Sect. 3.4.3.1 on the information aspect of the transparency rule.
- 283.
GDPR, art. 22.1.
- 284.
Convention 108+, art. 9.1(a). GDPR, art. 22.1.
- 285.
GDPR, recital 71.
- 286.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 75.
- 287.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 75.
- 288.
Examples of laws include fraud and tax-evasion monitoring. This is the only exception explicitly mentioned in Convention 108+. Convention 108+, art. 9.2. GDPR, recital 71 and art. 22.2.
- 289.
GDPR, recital 71 and art. 22.2. Art. 22.4 GDPR includes additional rules for decisions based on special categories of data. Special data protection rules will be analysed in Sect. 3.5.
- 290.
GDPR, arts. 22.2 and 22.3.
- 291.
GDPR, art. 22.3.
- 292.
GDPR, recital 71.
- 293.
Id.
- 294.
GDPR, recital 71 and art. 22.4. The two core sets of data protection rules were introduced in Sect. 3.3. See Sect. 3.5 for an analysis of the special data protection rules included in the European data protection framework. See also Sect. 3.5.3 for a brief introduction to sensitive data processing for profiling purposes in the police sector.
- 295.
Convention 108, art. 5(b). Convention 108+, art. 5.4(b). GDPR, art. 5.1(b). Art. 8.2 CFEU also requires specified purposes for processing.
- 296.
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.1 and 12.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 68. Makkonen (2010), pp. 228 and 229.
- 297.
In such situations, the inital legal basis suffices. GDPR, recital 50 and art. 6. The lawfulness of processing was discussed in Sect. 3.4.1.
- 298.
- 299.
GDPR, art. 10.
- 300.
GDPR, art. 6.4. Very similar wording is included in the Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 49).
- 301.
FRA and CoE (2018), pp. 122 and 123.
- 302.
Article 29 Data Protection Working Party emphasises the close connection between purpose limitation and transparency, predictability and user control. Opinion 3/2013 of Article 29 Data Protection Working Party on purpose limitation (2 April 2013), pp. 13 and 14. The transparency rule was considered in Sect. 3.4.3.
- 303.
- 304.
De Hert and Papakonstantinou (2012), pp. 134 and 135.
- 305.
No explicit prior consent is needed for such further processing. Such further processing is a priori considered to be compatible, provided that other safeguards exist. Convention 108+, art. 5.4(b). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50. GDPR, art. 5.1(b). See: Simon (2007), p. 12. Korff (2002), pp. 66–69.
- 306.
For instance, recital 157 GDPR recognises the value of research within social science when stating that “research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions”. Such solid, high-quality knowledge could be used to feed into the implementation of knowledge-based policies and improve peoples’ lives and the efficiency of social services. Art. 13 CFEU explicitly protects freedom of the arts and sciences, whereas art. 10 ECHR on freedom of expression does so implicitly. FRA and CoE (2014), p. 32.
- 307.
Convention 108+, art. 5.4(b). GDPR, art. 6.4(e). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50.
- 308.
GDPR, arts. 6.4(e) and 30. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50. Simon (2007), p. 12. Korff (2002), pp. 66–69. Anonymisation will be discussed in Sect. 3.4.7 on storage limitation. Encryption, pseudonymisation and professional secrecy will be considered in Sect. 3.7.1 on operational and organisational principles of sensitive data processing.
- 309.
- 310.
GDPR, recital 50. The right to object was considered in Sect. 3.4.3.2.
- 311.
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.7. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 75c.
- 312.
Convention 108, art. 5(c). Former Directive 95, art. 6.1(c).
- 313.
Convention 108+, art. 5.4(c). Convention 108 referred data storage instead of processing.
- 314.
FRA and CoE (2018), p. 125.
- 315.
Convention 108+, art. 5.1.
- 316.
Id.
- 317.
Special privacy-enhancing technology might make it possible to avoid personal data processing in certain situations. For an example, see: FRA and CoE (2018), pp. 126 and 127.
- 318.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 52.
- 319.
GDPR, art. 5.1(c).
- 320.
Commission Proposal GDPR (25 January 2012), art. 5(c).
- 321.
Art. 89.1 GDPR stipulates that the safeguards put in place for such derogations “shall ensure that technical and organisational measures are in place in particular to ensure respect for the principle of data minimisation”. Explicit reference to data minimisation is also found in art. 25 (data protection by design and by default) and art. 47 (binding corporate rules). Secondary use was discussed in Sect. 3.4.4 on purpose limitation.
- 322.
Convention 108, art. 5(d). Convention 108, art. 5.4(d). GDPR, art. 5.1(d).
- 323.
GDPR, art. 5.1(d).
- 324.
FRA and CoE (2018), p. 127.
- 325.
For examples of both situations, see: FRA and CoE (2018), pp. 127 and 128.
- 326.
Convention 108, art. 5(e). Convention 108+, art. 5.4(e). GDPR, art. 5.1(e).
- 327.
GDPR, art. 5.1(e). Convention 108+, art. 5.4(e). The Explanatory Report to to the Protocol amending Convention 108 (10 October 2018, para. 53) clarifies that, in addition to deleting personal data once the purpose of the data processing operation has been achieved, keeping them solely in a form that prevents any (in)direct identification of the data subject is a valuable means to respect the storage limitation rule.
- 328.
The unreasonableness of time, effort or resources must be assessed in light of the available technology at the time of the processing and of technological developments. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 19. In 2014, former Article 29 Working Party issued an opinion on the effectiveness of different anonymisation techniques, in which it stressed that the appropriateness of the different techniques must be considered on a case-by-case basis. See: Opinion 5/2014 of Article 29 Data Protection Working Party on anonymisation techniques (10 April 2014). For more on data anonymisation, see: FRA and CoE (2018), pp. 93 and 94.
- 329.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 20.
- 330.
GDPR, recital 39.
- 331.
- 332.
Whereas Convention 108+ uses the notion ‘appropriate safeguards’, the GDPR cites ‘appropriate technical and organisation measures’ GDPR, art. 5.1(e). Convention 108+, art. 5.4(b).
- 333.
Art. 11.1 Convention 108+ reads that an exception is allowed “[…] when such an exception is provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for: (a) the protection of national security, defense, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest; (b) the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression.” These principles were previously considered when discussing interferences with the right to private life in Chap. 2 (Sect. 2.5.4). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 54.
- 334.
Convention 108, art. 7. Convention 108+, art. 7.1. GDPR, arts. 5.1(f) and 5.2.
- 335.
GDPR, art. 28.1. See also: Convention 108+, art. 7.1. The Committee of Ministers determines that everyone to whom personal data are communicated for statistical purposes, is responsible for keeping such data secure and that the controller must make sure that who collects or processes the personal data, is aware of such security responsibilities. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), paras. 110(A) and 110(D). Chapter 2 (Sect. 2.6.2.1) considered the role of recommendations within the CoE data protection framework.
- 336.
Art. 28.1 GDPR states that “(w)here processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
- 337.
GDPR, recital 81 and arts. 25 and 32.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 56. See also: Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 15.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), paras. 110(A) and 110(D). Chapter 2 (Sect. 2.6.2.1) considered the role of recommendations within the CoE data protection framework.
- 338.
- 339.
GDPR, art. 32.1.
- 340.
GDPR, art. 32.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 63.
- 341.
GDPR, arts. 32.1 and 32.2 Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 62 and 63 (“Their costs should be commensurate with the seriousness and probability of the potential risks”). Examples of security measures controllers and processor can adopt will be given in Sect. 3.7.1 when discussing the confidentiality of personal data processing.
- 342.
- 343.
Whereas security makes up the focus of this section, confidentiality of personal data processing will be considered in Sect. 3.7.1 on the operational and organisational principles for sensitive data processing.
- 344.
- 345.
GDPR, arts. 32–34. Some of these provision were already discussed previously in this section on data security. As explained, article 32 deals with the security of processing and gives suggestions regarding the appropriate technical and organisational measures controllers and processers could implement and how the appropriate level of security accounts can be assessed.
- 346.
- 347.
Waltzer (2011), p. 84.
- 348.
At EU level, these new articles build on the personal data breach notification in art. 4.2 Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (12 July 2002). Commission Proposal GDPR (25 January 2012), p. 10.
- 349.
Art. 7.2 Convention 108+ states that notification is required without delay when it concerns “data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects”. Art. 33.1 GDPR requires notification without undue delay when the personal data breach is likely “to result in a risk to the rights and freedoms of natural persons”. The controller must notify supervisory authority within 72 h of becoming aware of the data breach. If done at a later time, the controller must provide reasons for the delay.
- 350.
GDPR, art. 34.1. Whereas not explicitly included in Convention 108+, art. 7.2 stipulates that “at least the competent supervisory authority” must be notified of data breaches, leaving the door open for other complementary notifications and the Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 66) clarifies in which situations this may be advised or required. In addition to competent supervisory authorities and data subjects, it may also be desirable to notify other relevant authorities (e.g. those in charge of computer systems).
- 351.
GDPR, arts. 34.1 and 34.3.
- 352.
This will be discussed further in Sect. 3.7.1 on the confidentiality of data processing.
- 353.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 66.
- 354.
GDPR, recital 75.
- 355.
GDPR, art. 34.2.
- 356.
Id.
- 357.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 66.
- 358.
GDPR, art. 34.3(c). Convention 108+ does not include a similar provision.
- 359.
This obligation also applies to processors. Demonstrating compliance may be required to supervisory authorities, data subjects and/or the general public. Convention 108+, art. 10.1. GDPR, arts. 5.2, 30 and 37. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85. FRA and CoE (2018), pp. 134 and 135. The general data protection rules were analysed in Sects. 3.4.1–3.4.8.
- 360.
GDPR, arts. 24, 30, 37–39, 40 and 44.
- 361.
Commission Proposal GDPR (25 January 2012), p. 10.
- 362.
- 363.
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011). Joint contribution on The Future of Privacy by Article 29 Data Protection Working Party and Working Party on Police and Justice to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data (1 December 2009), paras. 8, 17, 39, 77 and 79–83. In an opinion from 2010, former Article 29 Working Party stated that the controller must be proactive by putting the appropriate measures in place to demonstrate compliance as by keeping documentation to demonstrate compliance. See: Opinion 3/2010 of Article 29 Data Protection Working Party on the principle of accountability (13 July 2010). Former Article 29 Data Protection Party was discussed in Chap. 2 (Sect. 2.6.5) on the role of supervisory bodies in the European data protection framework.
- 364.
Convention 108+, art. 10.1. GDPR, arts. 5.2 and 24.
- 365.
This list is not exhaustive. Other provisions, including those relating to contracts, data protection by design and default, data protection officers, codes of conduct, certification schemes and data protection fees, also contribute to accountability and governance.
- 366.
Former Directive 95, arts. 18 and 19. Member States could foresee in simplifications of and exceptions to the notification requirement in certain situations.
- 367.
De Hert and Papakonstantinou (2012), p. 139.
- 368.
The documentation must include information on the controller, the processing purposes, a description of the data (subject) categories, the categories of recipients, data transfers (if any) and time limits for erasure and a general description of the technical and organisational security measures. Enterprises and organisations employing less than 250 people are exempted from the documentation requirement, unless the processing is likely to pose a risk for the rights and freedoms of data subjects, when the processing is not occasional, when the processing includes special categories of data, or when it concerns personal data relating to criminal convictions or offences. GDPR, arts. 30.1, 30.4 and 30.5.
- 369.
GDPR, arts. 33 and 34. Data security was considered in Sect. 3.4.8.
- 370.
GDPR, art. 35. Data protection impact assessments (DPIAs) will be considered in Sect. 3.4.9.2.
- 371.
De Hert and Papakonstantinou (2012), p. 139.
- 372.
- 373.
In April 2017, Article 29 Working Party adopted Guidelines on DPIA and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (4 April 2017). The Guidelines were revised on 4 October 2017. In May 2018, the EDPB endorsed the GDPR-related guidelines of Article 29 Working Party. Examples of risks for data subjects were cited in Sect. 3.4.8 on data security.
- 374.
GDPR, art. 35.3(b). The distinction between personal and sensitive data was explained in Chap. 2 (Sect. 2.6.4). Arts. 35.4 and 35.5 GDPR determine that supervisory authorities must draw up and publicize a list of the different kinds of processing operations that require a DPIA, and it may do the same for operations that do not require a DPIA. The role of data protection authorities was briefly discussed in Chap. 2 (Sect. 2.6.5.2).
- 375.
- 376.
GDPR, art. 35.7.
- 377.
GDPR, art. 35.9.
- 378.
- 379.
- 380.
De Hert and Papakonstantinou (2012), p. 141.
- 381.
GDPR, art. 35.11.
- 382.
- 383.
- 384.
Recommendation of the European Commission on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (RFID) (12 May 2009), recommendation 4. In 2011, former Article 29 Working Party endorsed a DPIA for RFID applications (Opinion 9/2011 of Article 29 Data Protection Working Party on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (11 February 2011)). The European Parliament also requires prior PIAs and a proportionality test for new legislative instruments in its Resolution on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada (5 May 2010), art. 5.
- 385.
European Commission (2010), paras. 108, 131 and 132.
- 386.
- 387.
- 388.
- 389.
- 390.
Recommendation of the European Commission on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12 May 2009), recital 11 and recommendations 4 and 10. Wright (2011b), p. 72.
- 391.
- 392.
Convention 108+, art. 10.2.
- 393.
Convention 108+, art. 10.3.
- 394.
Convention 108+, art. 10.4.
- 395.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85.
- 396.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85. Section 3.7.4 will discuss the involvement of trained staff in data collection and processing as an important organisational and operational principle.
- 397.
Former Directive 95, art. 20.
- 398.
Former Directive 95, arts. 20.1 and 20.2. According to recital 53 of former Directive 95, specific risks could arise “by virtue of their nature, their scope or their purposes, such as that of excluding individuals from a right, benefit or a contract, or by virtue of the specific use of new technologies”. It was up to Member States to specify such specific risks in their national legislation. The notification requirement as applicable under former Directive 95 was briefly mentioned in Sect. 3.4.9.1.
- 399.
- 400.
Countries with standardised routines for such data do not need prior authorisation by the appropriate national body or authority. Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (8 November 2001), art. 1. Explanatory Report to Convention 108 (28 January 1981), para. 16. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 18. Simon (2007), p. 18. As mentioned in Sect. 3.1.2, the collection of ethnic data for equality and anti-discrimination purposes is encouraged by international and European actors. The five main risks of ethnic data collection will be addressed in Chap. 4 (Sect. 4.2).
- 401.
- 402.
Former Directive 95, art. 20.3.
- 403.
GDPR, art. 36.4.
- 404.
- 405.
- 406.
- 407.
The notions race and ethnicity were previously discussed in Chap. 2 (Sect. 2.2) and in this chapter (Sect. 3.2). The role of objective criteria in ethnic data collection purposes will be addressed further on in Chap. 4 (Sects. 4.4 and 4.5) when considering the different methods involved in ethnic data collection and in Chap. 5 (Sects. 5.3 and 5.4) when reviewing the challenges to these methods upon the collection of data on Roma in Europe.
- 408.
As will be explained, appropriate safeguards play an important role in both instruments.
- 409.
Within the framework of Convention 108+, special categories of data are: genetic data, personal data relating to offenses, criminal proceedings and convictions, an related security measures; biometric data uniquely identifying a person; personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life. Notwithstanding the appropriate safeguards requirement, exceptions and restrictions to data subjects’ rights in art. 9 Convention 108+ are still possible under art. 11 Convention 108+. Convention 108+, art. 6.1. Convention 108, art. 6.
- 410.
Convention 108+, art. 6.2. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 55) cites some other examples, including “injury to an individual’s dignity or physical integrity, where the data subject’s most intimate sphere, such as his or her sex life or sexual orientation, is being affected, or here processing of data could affect the presumption of innocence”.
- 411.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60.
- 412.
- 413.
The Explanatory Report underlines that a particular risk may rise for data subjects when specific types of data (e.g. genetic data, data related to criminal offences and convictions) are processed, independently of the context of such processing operations. For the processing of other types of data (e.g. images), the context is relevant to determine whether the data are sensitive. the Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 56, 57 and 59.
- 414.
- 415.
Simon (2007), p. 68.
- 416.
The Committee of Ministers specifies additionally that the communication of sensitive data is only possible if provided for by law or with the explicit consent of the data subject, provided domestic law does not prohibit the giving of consent. Where required, such consent must be explicit, free and informed. An important public interest may justify an exception to the obligation of requiring consent. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 6.2 and 12.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 85(b).
- 417.
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 85(b).
- 418.
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 39.
- 419.
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 85(b).
- 420.
This constitutes a safeguard within the meaning of art. 6 Convention 108+. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60.
- 421.
For instance, the collection of sensitive data in identifiable form for statistical purposes could be needed to carry out a repeat or longitudinal survey. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.8. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 76.
- 422.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.8. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 76.
- 423.
See Sect. 3.5.1 for the rules on sensitive data processing included in Convention 108+.
- 424.
GDPR, art. 9.1. Within the framework of the GDPR, special categories of data are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- 425.
Arts. 9.2–9.4 GDPR include the lawful grounds for sensitive data processing.
- 426.
National law could exclude consent as a ground of lawful processing of sensitive data when such operations pose unusual risks for data subjects. GDPR, art. 8.2(a). The conditions of consent as included in art. 7 GDPR and as discussed in Sect. 3.4.1.1 must be fulfilled. FRA and CoE (2018), p. 11. Alidadi (2017), p. 21. As explained in Sect. 3.4.1.1, consent also forms a possible ground for lawful processing for non-sensitive data.
- 427.
- 428.
GDPR, art. 9.2(e). FRA and CoE (2014, p. 91) state that the public availability of the data “must be interpreted as implying consent of the data subject to the use of such data”. FRA and CoE (2018, pp. 162 and 163) further specify that this exception “must be construed strictly and as requiring the data subject to deliberately make his or her personal data public” and that “(t)he fact that the data subject has made public the processed personal data does not exempt controllers from their obligations under data protection law” (e.g. purpose limitation).
- 429.
The processing may only relate to these bodies’ (former) members or to persons who have regular contact with them in connection with their purposes. Furthermore, the data may not disclosed outside that body, unless when data subjects’ have given their consent. GDPR, art. 9.2(d).
- 430.
GDPR, art. 9.2(c). Recital 46 clarifies that processing of personal data that is essential for the life of another natural person “should in principle take place only where the processing cannot be manifestly based on another legal basis”.
- 431.
This exception applies more broadly to any situation where courts act in their judicial capacity. Legal claims can play a role in court proceedings, administrative procedures or out-of-court procedures. GDPR, recital 52 and art. 9.2(f).
- 432.
In the framework of processing for preventative or occupational medicine purposes, a contract with a health care professional can also constitute a lawful ground.
- 433.
This exception must be authorised by national law providing appropriate safeguards to protect the data subjects’ fundamental rights and interests. GDPR, art. 9.2(b).
- 434.
This includes preventive or occupational medicine, working capacity assessments of employees, medical diagnosis, the provision of health or social care or treatment, and the management of health-care services. The processor must be bound by professional secrecy. It is the only processing of sensitive data for which a contractual relationship can constitute a legal basis for legitimate processing. GDPR, arts. 9.2(h) and 9.3. On a separate note, when it comes to the processing of genetic data, biometric data and data concerning health, art. 9.4 GDPR allows Member States to maintain or introduce additional conditions, including limitations, to such operations.
- 435.
Examples include protection against serious cross-border heath threats or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. Professional secrecy is underlined as a particularly important safeguard. GDPR, art. 9.2(i).
- 436.
The law must be proportionate to the aim pursued and respect the essence of the right to data protection. GDPR, art. 9.2(j). Art. 89(1) GDPR specifies that “(t)hose safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation” and that “(t)hose measures may include pseudonymisation provided that those purposes can be fulfilled in that manner”. The article continues that “(w)here those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner”.
- 437.
The law must be proportionate to the aim pursued and respect the essence of the right to data protection. GDPR, art. 9.2(g).
- 438.
UK, Data Protection Act (England and Wales) (23 May 2018), Section 10.
- 439.
Germany, Federal Data Protection Law (27 April 2017), art. 27.1. The Law entered into force on 25 May 2018. Suggested further reading on changes in German data protection law within the framework of the GDPR, see: Molnár-Gábor (2018), pp. 620–621.
- 440.
Luxembourg, Act on the organisation of the National Data Protection Commission and the general data protection framework (1 August 2008), art. 64.
- 441.
Member States can specify the situations in which, and the conditions according to which, sensitive data can be processed, thereby leaving the door open for different approaches across the EU towards this practice. Alidadi (2017), p. 21.
- 442.
Simon (2007), p. 22.
- 443.
Art. 21.1 CFEU refers to discrimination grounds “such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation”. FRA (2012b), paras. 70, 72, 74, 76 and 77.
- 444.
Such data collection must “(c)omply with legally established safeguards, including legislation on data protection, to ensure confidentiality and respect for the privacy of persons with disabilities” and “with internationally accepted norms to protect human rights and fundamental freedoms and ethical principles in the collection and use of statistics”. The CRPD has been ratified by all EU Member States as well as by the EU. CRPD, art. 31. This article was previously mentioned in Sect. 3.1.2 on the lack of an explicit legal obligation at UN, Council of Europe and EU level to collect ethnic data.
- 445.
Recital 34 former Directive 95 cited public health, social protection, scientific research and government statistics as possible substantial public interests. As explained previously in this section, contrary to former Directive 95, art. 9.2(j) GDPR explicitly includes the exception of sensitive data processing when this is necessary for archiving purposes in the public interest, scientific research purposes or statistical purposes.
- 446.
GDPR, art. 9.2(g). Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 39. Makkonen (2006), p. 61. Ringelheim (2006/2007), pp. 64–65 and 77.
- 447.
UK, Data Protection Act (England and Wales) (23 May 2018), Schedule 3 para. 9.
- 448.
The Information Commissioner also monitors the application of the Data Protection Act. University of Essex Human Rights Centre Clinic (2013), pp. 33 and 34. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 53.
- 449.
Such prior monitoring does not take place in countries such as the UK where the processing of sensitive data is undertaken as a standardised routine. Art. 36.5 GDPR stipulates that “Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health”. Former Directive 95, recital 22 and arts. 8(2)–(5) and 20. Simon (2007), pp. 10, 11 and 17–19. Ringelheim (2006/2007), pp. 56, 57 and 63. As will be explained in Sect. 3.4.9.1 on accountability, the prior notification that was included in former Directive 95 has been replaced by a documentation requirement in the GDPR.
- 450.
CJEU, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, Judgment (16 December 2008, GC), paras. 1–3. Makkonen (2010), p. 229.
- 451.
- 452.
- 453.
Farkas (2017), pp. 5 and 6.
- 454.
- 455.
- 456.
GDPR, art. 9.2.
- 457.
The possibility for differences in Member States is atypical for the GDPR.
- 458.
Pormeister (2017), p. 138.
- 459.
Belgium, Law on the protection of natural persons with regard to the processing of their personal data (30 July 2018), art. 9.
- 460.
Luxembourg, Act on the organisation of the National Data Protection Commission and the general data protection framework (1 August 2008), art. 66.
- 461.
Additional (technical and organisational) measures can be adopted by the French Data Protection Authority regarding the processing of genetic, biometric of health-related data. France, Law n° 2018-493 on the protection of personal data (21 June 2018).
- 462.
Pormeister (2017), p. 146.
- 463.
This would be the case if the conditions apply to the cross-border processing of such sensitive data. GDPR, recital 53. Pormeister (2017), p. 146.
- 464.
GDPR, art. 10.
- 465.
Id.
- 466.
This will be discussed further in Chap. 4 on the support of indirect discrimination claims in legal proceedings as the fifth benefit of ethnic data collection for equality and anti-discrimination purposes (Sect. 4.1.5), and discriminatory ethnic profiling by public bodies as the fourth risk or fear of ethnic data collection (Sect. 4.2.4).
- 467.
The role of recommendations within the Council of Europe data protection framework and their non-legally binding nature was addressed in Chap. 2 (Sect. 2.6.2.1). Recommendation CM/Rec(87)15 of the Committee of Ministers to Member States Regulating the Use of Personal Data in the Police Sector (17 September 1987), Principle 2.4.
- 468.
Recommendation CM/Rec(2010)13 of the Committee of Ministers to Member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling (23 November 2010). The general data protection rules were analysed in Sect. 3.4.
- 469.
GDPR, art. 22.1. Former Directive 95 did not contain a provision specifically dealing with profiling. Exceptions to this right are possible under specific conditions, including when the decision is necessary for substantial public interests, provided that suitable safeguards are in place to safeguard the data subjects’ rights and freedoms and legitimate interests. Other exceptions include necessity for entry into force or performance of a contract, authorisation by law, or when the decision is based on the data subject’s explicit consent. In all these situations, safeguards must be put in place. See: GDPR, recital 71 and arts. 22.2 and 22.4. This was discussed in Sect. 3.4.3.2 on the transparency of data processing.
- 470.
The Police and Criminal Justice Authorities Directive entered into force on 6 May 2016 and the Member States had until 6 May 2018 to transpose it into national legislation. Directive 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences of the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Police and Criminal Justice Authorities Directive) (27 April 2016). This instrument replaced Council Framework Decision 2008/877/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (27 November 2008).
- 471.
Safeguards must include, at a minimum, the right to obtain human intervention on the part of the controller. Police and Criminal Justice Authorities Directive, art. 11.1.
- 472.
Police and Criminal Justice Authorities Directive, arts. 11.2.
- 473.
Police and Criminal Justice Authorities Directive, arts. 11.3.
- 474.
FRA (2012b), para. 80.
- 475.
- 476.
EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), para. 43.
- 477.
See, for example, S. and Marper v. the United Kingdom, in which the EctHR refers repeatedly to the data protection principles contained in Convention 108. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 103. See Sects. 3.3–3.5 on the general and special rules covering data collection and processing. Convention 108 was introduced in Chap. 2 (Sects. 2.5.1 and 2.6).
- 478.
EU Network of Independent Experts in Fundamental Rights (2006), p. 91.
- 479.
González Fuster (2014, pp. 94 and 95) argues that the degree of incorporation of the substance of Convention 108 in art. 8 ECHR remains debatable. For instance, it is unclear whether or not art. 8 ECHR is limited to automated personal data processing operations like Convention 108. According to Gutwirth (2002, p. 86), art. 8 ECHR covers both manual and automatic processing of personal information. For further reading on the partial recognition of data protection under art. 8 of the ECHR, see also: De Hert and Gutwirth (2009), pp. 24–26.
- 480.
- 481.
Gutwirth (2002), pp. 85 and 86.
- 482.
These ECHR, art. 8.2. See, similarly: CFEU, arts. 7 and 57. See also: Note from the Praesidium on the Draft Charter of Fundamental Rights of the European Union—Text of the explanations relating to the complete text of the Charter as set out in CHARTE 4487/00 CONVENT 50 (11 October 2000). principle were considered in Chap. 2 (Sect. 2.5.4) on the conditions that interferences with the right to private life must fulfil.
- 483.
EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), para. 47.
- 484.
The mere storage of personal information constitutes an interference within the scope of art. 8 ECHR, irrespective of the subsequent use of such information. EctHR, Leander v. Sweden, Judgment (26 March 1987), paras. 48, 54, 55 and 66–68. In the case Joanna Szulc v. Poland, the EctHR states that it is now “well-established in its case-law that the storing of information relating to an individual’s private life in a secret register and the release of such information comes within the scope of Article 8.2”. EctHR, Joanna Szulc v. Poland, Judgment (13 November 2012), para. 81.
- 485.
- 486.
Sweden did not overstep its wide margin of appreciation in choosing the means to achieve the protection of national security. EctHR, Leander v. Sweden, Judgment (26 March 1987), paras. 59 and 67.
- 487.
Therefore, the EctHR did not consider it necessary to review the legitimacy of the aim pursued or its necessity in a democratic society. EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), para. 62.
- 488.
EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), paras. 52, 62, 63, 72 and 73. The accessibility and foreseeability of legal provisions including interferences with the right to private life was highlighted in Chap. 2 (Sect. 2.5.4.1) on the legality principle that privacy interferences must adhere to.
- 489.
- 490.
S. was acquitted of all charges and the case against Marper was formally discontinued. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC). The need to limit the storage of personal data was stressed in Sect. 3.4.7.
- 491.
- 492.
The EctHR focused on the necessity requirement and not on the quality of law requirement. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 99.
- 493.
The UK system also did not include independent review of data retention. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), paras. 102, 118–112 and 122–125. States’ margin of appreciation was considered in Chap. 2 (Sect. 2.5.4.2) on necessity as one of the conditions for privacy interferences.
- 494.
Data retention must be proportionate in relation to the purposes of the processing operation and it must be limited in time. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 119. The storage limitation rule was considered as the seventh general data protection rule in Sect. 3.4.7.
- 495.
Therefore, the EctHR did not consider is necessary to look into the claims of the applicant regarding the inadequacy of safeguards and insufficient protection against misuse and abuse of the personal data. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), paras. 125 and 126.
- 496.
See, similarly, concerning the right of convicted prisoners to vote irrespective of the length of sentence, the gravity of their offence and their personal circumstances: EctHR, Hirst v. United Kingdom (No. 2), Judgment (6 October 2005, GC), paras. 76, 79, 81 and 82. Nardell (2010), p. 46. The importance of a case-by-case approach to interferences with the right to private life was highlighted in Chap. 2 (Sect. 2.5.4).
- 497.
- 498.
EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 103. Automated processing of personal data was discussed in Sect. 3.4.3.2 on data subjects’ right not to be subject right not to be subject to decisions based solely on automated processing and in Sect. 3.5.3 on sensitive data processing for profiling purposes in the police sector.
- 499.
HR Committee, General Comment No. 16: Article 17 (The Right to Privacy) (8 April 1988), para. 10.
- 500.
- 501.
- 502.
EctHR, K.H. and others v. Slovakia, Judgment (28 April 2009), para. 44.
- 503.
The determination of how to copy the files is up to States. Refusal to provide data subjects with copies of their data files is possible, provided compelling reasons can be demonstrated, which Romania failed to do in this case. EctHR, K.H. and others v. Slovakia, Judgment (28 April 2009), paras. 45 and 47.
- 504.
Id. at para. 48.
- 505.
Id. at para. 58.
- 506.
The EctHR did agree with the authorities that the quantity of files and shortcomings in the archive system justified a 6-year of delay in granting the applicant access to his file. EctHR, Haralambie v. Romania, Judgment (27 October 2009), paras. 77–79, 86 and 96. See also: EctHR, Joanna Szulc v. Poland, Judgment (13 November 2012), paras. 81, 84 and 86–87. EctHR, Jarnea v. Romania, Judgment (19 July 2011), paras. 50 and 51.
- 507.
It concerned personal information collected by the secret services during Communism that alleged her collaboration with them. EctHR, Joanna Szulc v. Poland, Judgment (13 November 2012), para. 87. Data subjects’ right to data rectification was considered in Sect. 3.4.3.2 on the transparency of personal data processing.
- 508.
Laferty (2014), pp. 563 and 564.
- 509.
HR Committee, General Comment No. 16: Article 17 (The Right to Privacy) (8 April 1988), para. 10. This corresponds to the transparency rule as discussed in Sect. 3.4.3.
- 510.
Id.
- 511.
Data security was analysed as the eighth general data protection rule in Sect. 3.4.8.
- 512.
Id.
- 513.
EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), paras. 99 and 103.
- 514.
- 515.
Seltzer and Anderson (2001), pp. 497 and 498.
- 516.
- 517.
- 518.
- 519.
Data security was identified as the eighth general data protection rule in Sect. 3.4.8.
- 520.
- 521.
- 522.
Resolution 68/261 of the General Assembly on Fundamental Principles of Official Statistics (3 March 2014), principle 6. See also Sect. 3.4.4, where it was explained that the purpose specification rule limits of personal data use.
- 523.
The same goes for statistical research professionals, including those who collect the data. FRA and CoE (2018), p. 340.
- 524.
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 48.
- 525.
GDPR, art. 5.1(f). Data security was considered in Sect. 3.4.8.
- 526.
As explained in Sect. 3.4.8 on data security, the appropriateness of a measure will depend on “the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. GDPR, art. 32.1.
- 527.
GDPR, art. 32.2.
- 528.
GDPR, 32.4.
- 529.
Convention 108+, art. 7.1. See Sect. 3.4.8 on data security as the eight general data protection rule.
- 530.
It was explained in Sect. 3.4.8 on data security that such a breach gives rise to a notification obligation of the controller. Convention 108+, art. 7. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 64 and 66.
- 531.
FRA and CoE (2018), p. 171.
- 532.
Such processing operations must be governed by a contract of another legal act. GDPR, art. 28.3(b).
- 533.
Within the EU framework, such an obligation applies in accordance with EU or national law. GDPR, 38.5. Convention 108+, art. 15.8. Within the CoE framework, Supervisory authorities are “bound by the same obligation to observe discretion and confidentiality towards data protection authorities of other Parties and data subjects residing abroad”. See Convention 108+, art. 19. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 148. In relation to obligations of secrecy, see also art. 90 GDPR.
- 534.
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 3.2.
- 535.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 50 and 56.
- 536.
GDPR, art. 9.2(i). The non-consent based grounds for sensitive data processing within the framework of the GDPR were cited in Sect. 3.5.2.
- 537.
GDPR, arts. 9.2(h) and 9.3. See Sect. 3.5.2.
- 538.
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 11, 15.1 and 15.4. Anonymisation was discussed in Sect. 3.4.7 on storage limitation. The key distinction between anonymous and personal data was explained in Chap. 2 (Sect. 2.6.4). As explained there, the rules of the GDPR and Convention 108(+) do not apply to anonymous data.
- 539.
Pavee Point Traveller and Roma Centre (2013).
- 540.
- 541.
GDPR, art. 25.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 18–20.
- 542.
The pseudonymised data and the list containing the identifying information must be stored separately. Contrary to anonymisation, pseudonymisation does not break all links to identifying the individual. GDPR, art. 4.5. FRA and CoE (2018), pp. 94, 95, 131 and 342.
- 543.
- 544.
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 11 and 15.1–15.3.
- 545.
This is the case in the Netherlands. Seltzer and Anderson (2001), pp. 497 and 498.
- 546.
- 547.
Art. 32.1 GDPR cites “the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” as relevant factors. This was previously highlighted in Sect. 3.4.8 on data security.
- 548.
Haug (2001), p. 309.
- 549.
This is the case in the USA. Seltzer and Anderson (2001), pp. 497 and 498.
- 550.
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 43.
- 551.
Id.
- 552.
- 553.
This was explained in Sect. 3.4.9 on accountability.
- 554.
These norms exist at international and national level. Resolution 68/261 of the General Assembly on Fundamental Principles of Official Statistics (3 March 2014). UNSD (2015). National examples: Academy of Social Sciences (2013). National Committees for Research Ethics in Norway (2006). Hesse-Biber and Leavy (2011), pp. 59–89.
- 555.
Seltzer and Anderson (2001), pp. 498 and 499.
- 556.
Statements such as “this is typical for the majority population, compared to that for ethnic minorities” are inappropriate. Makkonen (2010), p. 236.
- 557.
- 558.
GDPR, art. 32.3. For more on this, see Sect. 3.4.8 on data security.
- 559.
- 560.
FRA and CoE (2018), pp. 181–183.
- 561.
GDPR, art. 40. Art. 40.2 GDPR stipulates that codes of conduct should give special attention to ensuring proper application of, among others, the rules concerning fair and transparent processing, the legitimate interests pursued, the collection of personal data, pseudonymisation of such data, information requirements, the rights of data subjects, data security, notification of personal data breaches and dispute resolution procedures. The general data protection rules were analysed in Sect. 3.4. See also: Commission Proposal GDPR (25 January 2012), p. 11.
- 562.
GDPR, art. 40.1.
- 563.
GDPR, arts. 40.9 and 40.10.
- 564.
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 33. This relates to Convention 108(+), art. 4.1.
- 565.
These codes must include information on who has access to the data, which measures must be taken to protect the data and keep them secure and confidential, and information on the controllers. The Explanatory Memorandum adds that each organisation collecting and processing personal data needs to have a code of professional ethics that is in line with the basic data protection principles, based on the realities of the day-to-day work of the organisation and “known and subscribed to by all involved in collecting and processing data for statistical purposes”. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 16.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 114(a). As explained in Chap. 2 (Sect. 2.6.2.1), the Recommendations issued by the Committee of Ministers are not legally binding, but contain important standards of reference for states.
- 566.
Gelling (1999), pp. 564–569.
- 567.
See, for instance, the research ethics policy and procedure of the University of the West of England, Bristol, which is available at https://www2.uwe.ac.uk/services/Marketing/research/pdf/Research-Ethics-Policy-and-Procedures.pdf (Accessed 13 March 2019).
- 568.
Gelling (1999), pp. 564–569.
- 569.
- 570.
See, in relation to the anonymisation of personal health data in scientific research: Quinn (2017), pp. 347–367. Suggested further reading on how research participants can be affected by ethical committee’s protective efforts: Juritzen et al. (2011), pp. 640–650. The impact of a too restrictive interpretation of privacy and data protection rules will be considered in relation to data collection on Roma in Chap. 5 (Sect. 5.7).
- 571.
Pavee Point Traveller and Roma Centre (2013).
- 572.
For instance, Harvard University requires researchers working on projects involving data collection on vulnerable groups to have completed the CITI Program training for Social and Behavioral Research Investigators. The latter includes modules on a variety of topics, including informed consent, privacy and confidentiality, and conflicts of interest.
- 573.
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 9.5. See Sect. 3.4.4 on purpose specification, Sect. 3.4.8 on integrity and confidentiality, Sect. 3.6 on personal data protection through the right to private life, and Sect. 3.7.1 on professional secrecy and confidentiality of data processing.
- 574.
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 95.
- 575.
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 95.
- 576.
GDPR, art. 39, para. 1(b).
- 577.
Other examples of appropriate measures include “setting up of appropriate notification procedures, establishing specific contractual provisions where the processing is delegated in order to give effect to the Convention; as well as setting up internal procedures to enable the verification and demonstration of compliance”. Convention 108+, art. 10.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85.
- 578.
The United Nations Development Programme (UNDP) adds that co-operation with national statistical offices is also important to identify the data already available, to encourage dialogue on concerns and to enhance capacity building. UNDP (2010), pp. 3, 4, 95, 109 and 110.
- 579.
CRC Committee, General Comment No. 11: Indigenous children and their rights under the Convention (12 February 2009), paras. 71 and 80. CERD Committee, General Recommendation No. 32: The meaning and scope of special measures in the International Convention on the Elimination of All Forms of Racial Discrimination (24 September 2009), para. 18. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 59 and 60. Report of the Special Rapporteur on Contemporary forms of racism, racial discrimination, xenophobia and related intolerance (19 August 2013), paras. 24 and 82. Report of the Independent Expert on Minority Issues on the Implementation of General Assembly Resolution 60/251 of 15 March 2006 entitled “Human Rights Council” (2 February 2007), paras. 76, 91 and 104(b). Report of the High Commissioner for Human Rights containing a draft basic document on the development of a racial equality index (31 January 2006), paras. 60, 74 and 75. Report of the Permanent Forum for Indigenous Peoples on the Workshop on Data Collection and Disaggregation for Indigenous Peoples (10 February 2014), para. 33. UNSD (2014), p. 170. UNDP (2010), pp. 59 and 95. UNSD (2008), para. 246. Gray (2009), pp. 59 and 63. Haug (2001), p. 309. The importance of active participation of Roma and non-Roma communities and local authorities in ethnic data collection will be highlighted in Chap. 5 (Sect. 5.8.2).
- 580.
- 581.
GDPR, art. 35.9. Security accountability through DPIAs was mentioned in Sect. 3.4.9.2.
- 582.
See, for example: ACFC, Third Opinion on Bulgaria (11 February 2014), para. 31. ACFC, Third Opinion on Hungary (18 March 2010), para. 45. ACFC, Second Opinion on Slovakia (26 May 2005), para. 27. For more on the importance of awareness-raising among Roma and non-Roma communities when collecting data on Roma, see Chap. 5 (Sect. 5.8.1).
- 583.
Gray (2009), p. 63. Haug (2001), p. 309. As will be discussed in Chap. 4 (Sect. 4.5.2), self-identification is—in theory—the preferred approach to ethnical identification, but the effectiveness of this approach depends on the level of co-operation from the target group. See also Chap. 5 on combining self-identification with other identification methods as an interesting alternative in the case of the Roma minority (Sect. 5.4.5) and on awareness-raising and active participation as key principles of ethnic data collection on Roma (Sect. 5.8).
- 584.
This includes questions, definition and explanatory notes in the languages of various racial or ethnic groups. Gray (2009), p. 63.
- 585.
This happened in Ireland. Gray (2009, p. 59) underlines, however, that the main responsibility for collecting information on minorities and indigenous peoples lies with States.
- 586.
See, among other: Chap. 5 (Sects. 5.8.1 and 5.8.2) on the key principles of ethnic data collection practices on Roma, Chap. 6 (Sects. 6.2 and 6.3.2) on positive action, Chap. 9 (Sects. 9.2.1 and 9.2.4) on challenges limiting positive action for Roma, Chap. 11 (Sects. 11.3.1, 11.3.4 and 11.5) on inter-cultural mediation to enhance Roma inclusion, and Chap. 12 (Sects. 12.2.1 and 12.2.2) on the key elements identified throughout the book.
- 587.
- 588.
Data subject have the right to have their personal data rectified or erased, to restrict processing or to object to it and to transfer their data to another controller.
- 589.
See Chap. 4.
References
Legal Instruments
United Nations
Convention on the Elimination of All Forms of Discrimination against Women (18 December 1979) UNTS vol. 1249, 13
Convention on the Rights of the Child (20 November 1989) A/RES/44/25
Convention on the Rights of Persons with Disabilities (31 December 2006) A/RES/61/106
International Convention on the Elimination of All Forms of Racial Discrimination (21 December 1965) UNTS vol. 660, 195
International Covenant on Civil and Political Rights (16 December 1966) UNTS vol. 999, 171
International Covenant on Economic, Social and Cultural Rights (16 December 1966) UNTS vol. 993, 3
Organization of American States
Inter-American Convention against Racism, Racial Discrimination and Related Forms of Intolerance (5 June 2013)
Council of Europe
Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (8 November 2001) ETS 181
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (28 January 1981) ETS 108
European Convention for the Protection of Human Rights and Fundamental Freedoms (4 November 1950) ETS 5
Protocol 4 to the Convention for the Protection of Human Rights and Fundamental Freedoms, securing certain rights and freedoms other than those already included in the Convention and in the first Protocol thereto (16 September 1963) ETS 4
Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (10 October 2018) ETS 223
European Union
Charter of Fundamental Rights of the European Union (7 December 2000) OJ 2000/C 364/01
Council Directive 2000/43/EC implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (29 June 2000) OJ 2000/L 180/22
Council Framework Decision 2008/877/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (27 November 2008) OJ 2008/L 350/60
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (24 October 1995) OJ 1995/L 281/31
Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (12 July 2002) OJ 2002/L 201/37
Directive 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences of the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (27 April 2016) OJ 2016/L 119/89
Regulation 168/2007 of the Council establishing a European Union Agency for Fundamental Rights (15 February 2007) OJ 2007/L 53/1
Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (27 April 2016) OJ 2016/L 119/1
National Level
Belgium, Law on the protection of natural persons with regard to the processing of their personal data (30 July 2018)
France, Law n° 2018-493 on the protection of personal data (21 June 2018)
Germany, Federal Data Protection Law (27 April 2017)
Luxembourg, Act on the organisation of the National Data Protection Commission and the general data protection framework (1 August 2008)
United Kingdom, Data Protection Act (England and Wales) (23 May 2018)
Non-legally Binding Instruments
United Nations
Declaration on the Rights of Indigenous Peoples (2 October 2007) A/RES/61/295
Durban Declaration and Plan of Action (8 September 2001) A/CONF.189/12
End-of-mission statement on Romania, by Professor Philip Alston, United Nations Human Rights Council Special Rapporteur on extreme poverty and human rights (11 November 2015). Available via OHCHR. https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=16737&LangID. Accessed 7 May 2019
Guidance Note of the United Nations Secretary-General on Racial Discrimination and Protection of Minorities (March 2013). Available via OHCHR. www.ohchr.org/Documents/Issues/Minorities/GuidanceNoteRacialDiscriminationMinorities.pdf. Accessed 2 December 2018
Guidelines for the CERD-specific document to be submitted by States parties under article 9, paragraph 1, of the Convention (13 June 2008) CERD/C/2007/1
Guidelines for the treaty-specific document to be submitted by States parties under article 40 of the International Covenant on Civil and Political Rights (4 October 2010) CCPR/C/2009/1
Guidelines on treaty-specific documents to be submitted by states parties under articles 16 and 17 of the International Covenant on Economic, Social and Cultural Rights (24 March 2009) E/C.12/2008/2
Outcome document of the high-level plenary meeting of the General Assembly known as the World Conference of Indigenous Peoples (22 September 2014) A/RES/69/2
Outline for State reports to be submitted under the fourth monitoring cycle of the Framework Convention for the Protection of National Minorities (30 April 2013) ACFC/III(2013)001
Report of the High Commissioner for Human Rights containing a draft basic document on the development of a racial equality index (31 January 2006) E/CN.4/2006/14
Report of the Independent Expert on Minority Issues on the Implementation of General Assembly Resolution 60/251 of 15 March 2006 entitled “Human Rights Council” (2 February 2007) A/HRC/4/9
Report of the Open Working Group of the General Assembly on Sustainable Development Goals (12 August 2014) A/68/970
Report of the Permanent Forum on Indigenous Issues on the first Session (2002) E/CN.19/2003/Rev.1
Report of the Permanent Forum on Indigenous Issues on the second Session (5 June 2003) E/C.19/2003/22
Report of the Permanent Forum on Indigenous Issues on the twelfth session (12 June 2013) E/2013/43-E/C.19/2013/25
Report of the Permanent Forum on Indigenous Issues on the thirteenth session (6 June 2014) E/2014/43-E/C.19/2014/11
Report of the Permanent Forum for Indigenous Peoples on the Workshop on Data Collection and Disaggregation for Indigenous Peoples (10 February 2014) E/C/19/2004/2
Report of the Special Rapporteur on Contemporary forms of racism, racial discrimination, xenophobia and related intolerance (19 August 2013) A/68/333
Report of the Special Rapporteur on racism, racial discrimination, xenophobia and related forms of intolerance: Follow-up to and implementation of the Durban Declaration and Programme of Action (19 May 2009) A/HRC/11/36
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015) A/70/335
Report of the Special Rapporteur on the right of everyone to the enjoyment of the highest attainable standard of health, Paul Hunt, on his Mission to Sweden (28 February 2007) A/HRC/4/28/Add.2
Report of the United Nations Secretary-General on Compilation of guidelines on the form and content of reports to be submitted by States parties to the international human rights treaties (3 June 2009) HRI/GEN/2/Rev.6
Resolution 68/261 of the General Assembly on Fundamental Principles of Official Statistics (3 March 2014) A/RES/68/261
The United Nations Principles and Recommendations for Population and Housing Censuses: Results of the Survey on Proposed Changes for the 2020 Census Round prepared by the United Nations Statistics Division (October 2013) ESA/STAT/AC.277/2
Council of Europe
Explanatory Memorandum of Recommendation No. R(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997)
Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (28 January 1981) ETS 108
Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (10 October 2018) ETS 223
Recommendation CM/Rec(87)15 of the Committee of Ministers to Member States Regulating the Use of Personal Data in the Police Sector (17 September 1987)
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997)
Recommendation CM/Rec(2010)13 of the Committee of Ministers to Member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling (23 November 2010)
Resolution 1740 of the Parliamentary Assembly on the situation of Roma in Europe and relevant activities of the Council of Europe (22 June 2010)
European Union
Commission Communication, A comprehensive approach on personal data protection in the European Union (4 November 2010) COM(2010) 609 final
Commission Communication, Joint Report on the application of Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (‘Racial Equality Directive’) and of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation (‘Employment Equality Directive’) (17 January 2014) COM(2014) 2 final.
Commission Communication, Non-discrimination and equal opportunities: A renewed commitment (2 July 2008) COM(2008) 420 final
Commission Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (25 January 2012) COM(2012) 11 final
Guidelines of Article 29 Working Party on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (4 April 2017; revised 4 October 2017) WP 248 rev.01
Guidelines of Article 29 Working Party on the implementation of the CJEU judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (24 November 2014) WP 225
Guidelines of Article 29 Data Protection Working Party on the right to data portability (13 December 2016; revised 5 April 2017) WP 242
Joint contribution on The Future of Privacy by Article 29 Data Protection Working Party and Working Party on Police and Justice to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data (1 December 2009), WP 168
Note from the Praesidium on the Draft Charter of Fundamental Rights of the European Union – Text of the explanations relating to the complete text of the Charter as set out in CHARTE 4487/00 CONVENT 50 (11 October 2000)
Opinion 3/2010 of Article 29 Data Protection Working Party on the principle of accountability (13 July 2010) WP 173
Opinion 3/2013 of Article 29 Data Protection Working Party on purpose limitation (2 April 2013) WP 203
Opinion 5/2014 of Article 29 Data Protection Working Party on anonymisation techniques (10 April 2014) WP216
Opinion 9/2011 of Article 29 Data Protection Working Party on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (11 February 2011) WP 180
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011) WP 187
Opinion 2/2017 of Article 29 Data Protection Working Party on data processing at work (8 June 2017) WP 249
Opinion of the Advisory Committee on Equal Opportunities for Women and Men on the Gender Dimension of the Inclusion of Ethnic Minorities (November 2007)
Recommendation of the European Commission on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12 May 2009) OJ 2009/L 122/47
Resolution of the European Parliament on Non-Discrimination and Equal Opportunities for All – A Framework Strategy (14 June 2006) 2005/2191(INI)
Resolution of the European Parliament on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada (5 May 2010) P7_TA(2010)0144
Report of the European Parliament on Gender Aspects of the European Framework of National Roma Inclusion Strategies (10 December 2013) 2013/2066(INI)
Case Law
European Court of Human Rights
Haralambie v. Romania, Judgment (27 October 2009), Application No. 21737/03
Hirst v. United Kingdom (No. 2), Judgment (6 October 2005, GC), Application No. 74025/01
Jarnea v. Romania, Judgment (19 July 2011), Application No. 41838/05
Joanna Szulc v. Poland, Judgment (13 November 2012), Application No. 43932/08
K.H. and others v. Slovakia, Judgment (28 April 2009), Application No. 32881/04
Leander v. Sweden, Judgment (26 March 1987), Application No. 9248/81
Rotaru v. Romania, Judgment (4 May 2000, GC), Application No. 28341/95
S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), Application Nos. 30562/04 and 30566/04
Timishev v. Russia, Judgment (13 December 2005), Application Nos. 55762/00 and 55974/00
European Committee on Social Rights
European Roma Rights Centre v. Italy, Decision (7 December 2005), Collective Complaint No. 27/2004
Court of Justice of the European Union
Galina Meister v. Speech Design Carrier Systems, Judgment (19 April 2012), Case C-415/10
Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, Judgment (16 December 2008, GC), Case C-73/07
Country Monitoring
Permanent Court of International Justice
Advisory Opinion regarding Minority Schools in Albania, Opinion (6 April 1935) PCIJ Reports Series A/B, No 64
Human Rights Committee
Concluding Observations on Hungary (16 November 2010) CCPR/C/HUN/CO/5
Committee on the Elimination of Racial Discrimination
Concluding Observation on Albania (10 December 2001) CERD/C/63/CO/1
Concluding observations on the Netherlands (5 February 2010) CEDAW/C/NLD/CO/5
Committee on the Elimination of Discrimination Against Women
Concluding observations on the Netherlands (5 February 2010) CEDAW/C/NLD/CO/5
Committee on the Rights of the Child
Concluding observations on the United States of America (26 June 2013) CRC/C/OPAC/USA/CO/2
Advisory Committee on the Framework Convention for the Protection of National Minorities
Second Opinion on Bulgaria (18 March 2010) FCNM/II(2012)001
Second Opinion on the Czech Republic (24 February 2005) ACFC/INF/OP/II(2005)002
Second Opinion on Hungary (9 December 2004) ACFC/INF/OP/II(2004)003
Second Opinion on Slovakia (26 May 2005) ACFC/OP/II(2005)004
Third Opinion on Bulgaria (11 February 2014) ACFC/OP/III(2014)001
Third Opinion on Hungary (18 March 2010) ACFC/OP/III(2010)001
Third Opinion on Ireland (10 October 2012) ACFC/OP/III(2012)006
Third Opinion on the Russian Federation (24 November 2011) ACFC/OP/III(2011)010
European Commission Against Racism and Intolerance
Third Report on Austria (25 June 2004) CRI(2005)1
Third Report on Belgium (27 June 2003) CRI(2004)1
Third report on Bulgaria (27 June 2003) CRI(2004)2
Third report on Denmark (16 December 2005) CRI(2006)18
Third Report on France (25 June 2004) CRI(2005)3
Third Report on Germany (5 December 2003) CRI(2004)23
Third Report on Norway (27 June 2003) CRI(2004)3
Fourth report on France (29 April 2010) CRI(2010)16
Fourth report on Hungary (20 June 2008) CRI(2009)3
General Comments and Recommendations
Human Rights Committee
General Comment No. 16: Article 17 (The Right to Privacy) (8 April 1988) HRI/GEN/1/Rev.1 (1994)
General Comment No. 23: The rights of minorities (Art. 27) (8 April 1994) HRI/GEN/1/Rev.1
Committee on Economic, Social and Cultural Rights
Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12) (11 August 2000) E/C.12/2000/4
Committee on the Elimination of Racial Discrimination
General Recommendation No. 24: Article 12 of the Convention Women and Health (27 August 1999) A/54/18, annex V
General Recommendation No. 25: Gender related dimensions of racial discrimination (20 March 2000) A/55/18, annex V
General Recommendation No. 32: The meaning and scope of special measures in the International Convention on the Elimination of All Forms of Racial Discrimination (24 September 2009) CERD/C/GC/32.
Committee on the Rights of the Child
General Comment No. 11: Indigenous children and their rights under the Convention (12 February 2009) CRC/C/GC/11
European Commission Against Racism and Intolerance
General Policy Recommendation No. 1: Combating racism, xenophobia, anti-Semitism and intolerance (4 October 1996) CRI(96) 43
General Policy Recommendation No. 4: National surveys on the experience and perception of discrimination and racism from the point of view of potential victims (6 March 1998) CRI(98)30
General Policy Recommendation No. 7: National legislation to combat racism and racial discrimination (13 December 2002) CRI(2003)8
General Policy Recommendation No. 10: Combating racism and racial discrimination in and through school education (15 December 2006) CRI(2007)6
General Policy Recommendation No. 11: Combating racism and racial discrimination in policing (29 June 2007) CRI(2007)39
General Policy Recommendation No. 13: Combating Anti-Gypsyism and Discrimination against Roma (24 June 2011) CRI(2011) 37
General Policy Recommendation No. 14: Combating racism and racial discrimination in employment (22 June 2012) CRI(2012)48
Advisory Committee on the Framework Convention for the Protection of National Minorities
Commentary on Education under the Framework Convention for the Protection of National Minorities (2 March 2006) ACFC/25DOC(2006)002
Commentary on Effective Participation of Persons Belonging to National Minorities in Cultural, Social and Economic Life and in Public Affairs (27 February 2008) ACFC/31DOC(2008)001
Literature
Abdikeeva A (2014) Measure, plan, act – how data collection can support racial equality. Eur Netw Against Racism, Brussels.
Academy of Social Sciences (2013) Generic ethics principles in social science research. Available via ACSS. https://acss.org.uk/wp-content/uploads/2014/01/Professional-Briefings-3-Ethics-r.pdf. Accessed 27 Oct 2018
Ahmed T (2011) The impact of EU law on minority rights. Hart, Oxford
Alidadi K (2017) Gauging process towards equality? Challenges and best practices of equality data collection in the EU. Eur Equality Law Rev 2017(2):15–27
Atanasova A (2014) Background paper: equality data initiative. www.opensocietyfoundations.org/sites/default/files/equality-data-initiative-background-20141126.pdf. Accessed 27 Oct 2018
Bigo D, Carrera S, González Fuster G, Guild E, De Hert P, Jeandesboz J, Papakonstantinous V (2011) Towards a new EU Legal Framework for data protection and privacy: challenges, principles and the role of the European Parliament. European Parliament, Brussels
Brownsword R (2009) Consent in data protection law: privacy, fair processing and confidentiality. In: Gutwirth S, Poullet Y, de Hert P, de Terwangne C, Nouwt S (eds) Reinventing data protection? pp 83–110
Bulmer M (1996) The ethnic group question in the 1991 census of population. In: Coleman D, Salt J (eds) Ethnicity in the 1991 census, vol 1. HMSO, London, pp 33–62
Bulmer M, Solomos J (1998) Introduction: re-thinking ethnic and racial studies. Ethn Racial Stud 21(5):819–837
Cardinale G (2007) The challenges ahead for European anti-discrimination legislation: an ECRI perspective. Eur Anti-Discrimination Law Rev 5:31–40
Chopin I, Farkas L, Germaine C (2014) Ethnic origin and disability data collection in Europe: measuring inequality – combating discrimination. Open Society Foundations, Brussels
Clifford D, Ausloos J (2018) Data protection and the role of fairness. Yearb Eur Law 37(1):130–187
Curren L, Kaye J (2010) Revoking consent: a blind spot in data protection law? Comput Law Secur Rev 26:273–283
Dahal G, Me A, Bisogno E (2007) Challenges in measuring gender and minorities. Presentation at the Global Forum on Gender Statistics, Istat and United Nations, Rome, 10–12 December 2007. Available via UN STATS. unstats.un.org/unsd/gender/Rome_Dec2007/docs/2.3_Me.pdf. Accessed 27 Oct 2018
De Hert P (2011) From the principle of accountability to system responsibility. Key concepts in data protection law and human rights law discussions. In: Zombor F (ed) International data protection conference 2011. Hungarian Official Journal Publisher, Hungary, pp 88–120
De Hert P (2012) A human rights perspective on privacy and data protection impact assessments. In: Wright D, De Hert P (eds) Privacy impact assessment. Springer, Dordrecht, pp 33–76
De Hert P, Gutwirth S (2009) Data protection in the case law of Strasbourg and Luxembourg: constitutionalisation in action. In: Gutwirth S, Poullet Y, De Hert P, De Terwagne C, Nouwt S (eds) Reinventing data protection? Springer, Amsterdam, pp 3–44
De Hert P, Papakonstantinou V (2012) The proposed data protection regulation replacing Directive 95/46/EC: a sound system for the protection of individuals. Comput Law Secur Rev 28:130–142
De Schutter O (2007) Positive action. In: Schiek D, Waddington L, Bell M (eds) Cases, materials and text on national, supranational and international non-discrimination law. Hart, Oxford, pp 757–869
Dimitras PE (2004) Recognition of minorities in Europe: protection of rights and dignity. Available via Minority Rights Group International. minorityrights.org/wp-content/uploads/old-site-downloads/download-47-Recognition-of-Minorities-in-Europe-Protecting-Rights-and-Dignity.pdf. Accessed 27 Oct 2018
European Commission (2004) Equality and non-discrimination in an enlarged European Union – green paper. Office for Official Publications of the European Communities, Luxembourg
European Commission (2008) The fight against discrimination and the promotion of equality – how to measure progress done. Office for Official Publications of the European Communities, Luxembourg
European Commission (2010) Comparative study on different approaches to new privacy challenges, in particular in the light of technological developments. Office for Official Publications of the European Communities, Luxembourg
European Commission (2018) Moving forward on equality data collection. Available via the European Commission. http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=612778. Accessed 16 Dec 2018
European Network Against Racism (2012) Social inclusion and data collection. Available via the European Network Against Racism. cms.horus.be/files/99935/MediaArchive/Factsheet_Final.pdf. Accessed 28 July 2018
European Network Against Racism (2014a) Annual report 2013. European Network Against Racism. https://www.enar-eu.org/IMG/pdf/annualreport2013_final.pdf. Accessed 27 Oct 2018
European Network Against Racism (2014b) ENAR OSF symposium on equality data collection 24 and 25 October 2013, Brussels – Meeting report. Available via European Network Against Racism. www.enar-eu.org/IMG/pdf/enar_osf_2013_symposium_on_equality_data_collection.pdf. Accessed 27 Oct 2018
European Union Agency for Fundamental Rights (2009) EU-MIDIS European Union Minorities and Discrimination Survey – main results report. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights (2011) Fundamental rights: key legal and policy developments in 2010. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights (2012a) Fundamental rights: challenges and achievements in 2011. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights (2012b) Opinion 2/2012 on the proposed data protection reform package, 1 October 2012. Available via European Union Agency for Fundamental Rights. http://fra.europa.eu/en/opinion/2012/fra-opinion-proposed-eu-data-protection-reform-package. Accessed 27 Oct 2018
European Union Agency for Fundamental Rights (2019) EU High Level Group to publish equality data guidelines and compendium. Available via European Union Agency for Fundamental Rights. https://fra.europa.eu/en/event/2019/eu-high-level-group-publish-equality-data-guidelines-and-compendium?pk_campaign=FRA-Alerts-Newsletter&pk_source=newsletter. Accessed 25 Mar 2019
European Union Agency for Fundamental Rights and Council of Europe (2014) Handbook on European data protection law. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights and Council of Europe (2018) Handbook on European data protection law. Publications Office of the European Union, Luxembourg
European Union Network of Independent Experts in Fundamental Rights (2006) Commentary of the Charter of Fundamental Rights of the European Union. Available via UC Louvain. https://sites.uclouvain.be/cridho/documents/Download.Rep/NetworkCommentaryFinal.pdf. Accessed 26 Oct 2018
Farkas L (2012) Getting it right the wrong way? The consequences of a summary judgment: the Meister case. Eur Anti-Discrimination Law Rev 15:23–33
Farkas L (2017) Data collection in the field of ethnicity. Publications Office of the European Union, Luxembourg
Feretti F (2012) A European perspective on data processing consent through the re-conceptualization of European data protection’s looking glass after the Lisbon treaty: taking rights seriously. Eur Rev Private Law 2:473–506
Gellert R, de Vries K, De Hert P, Gutwirth S (2013) A comparative analysis of anti-discrimination and data protection legislations. In: Custers B, Calders T, Schermer B, Zarsky T (eds) Discrimination and privacy in the information society. Springer, Heidelberg, pp 61–89
Gelling L (1999) Role of the research ethics committee. Nurse Educ Today 19(7):564–569
Gerards J (2007) Discrimination grounds. In: Schiek D, Waddington L, Bell B (eds) Cases, materials and text on national, supranational and international non-discrimination law. Hart, Oxford, pp 33–184
González Fuster G (2014) The emergence of personal data protection as a fundamental right in the EU. Springer, Vienna
Gray Z (2009) The importance of ethnic data for promoting the right to education. In: Minority Rights Group International (ed) State of the world’s minorities and indigenous peoples. Minority Rights Group International, London, pp 54–63
Gutwirth S (2002) Privacy and the information age. Rowman & Littlefield, Lanham
Haug W (2001) Ethnic, religious and language groups: towards a set of rules for data collection and statistical analysis. Int Stat Rev 69(2):303–311
Hermanin C, Atanasova A (2013) Making ‘Big Data’ work for equality. Available via Open Society Foundations. www.opensocietyfoundations.org/voices/making-big-data-work-equality-0. Accessed 27 Oct 2018
Hermanin C, de Kroon E (2013) The Race Equality Directive: a shadow report. Lessons learnt from the implementation in nine EU member states. Available via Open Society Foundations. www.opensocietyfoundations.org/sites/default/files/Race-Equality%20Directive-Shadow-Report-20130711.pdf. Accessed 27 Oct 2018
Hermanin C, Möschel M, Grigolo M (2013) Introduction: how does race ‘count’ in fighting racial and ethnic discrimination in Europe? In: Möschel M, Hermanin C, Grigolo M (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 1–12
Hesse-Biber SN, Leavy P (2011) The practice of qualitative research. Sage, Los Angeles
Irish Health Information and Quality Authority (2010) Guidance on privacy impact assessment in health and social care. Health Information and Quality Authority, Dublin
Juritzen T, Grimen H, Heggen K (2011) Protecting vulnerable research participants: a Foucault-inspired analysis of ethic committees. Nurs Ethics 18(5):640–650
Kierkegaard S, Waters N, Greenleaf G, Bygrave LA, Lloyd I, Saxby S (2011) 30 years on – the review of the Council of Europe Data Protection Convention 108. Comput Law Secur Rev 27:223–231
Korff D (2002) EC study on implementation of data protection directive – comparative summary of national laws. Available via SSRN. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1287667. Accessed 27 Oct 2018
Laferty M (2014) Article 8: the right to respect for private and family life, home, and correspondence. In: Harris D, O’Boyle, Edward Bates M, Buckley C (eds) Harris, O’Boyle, and Warbrick Law of the European Convention on Human Rights, 3rd edn. Oxford University Press, Oxford, pp 522–591
Lamberts M, Ode A, Witkamp B (2014) Racism and discrimination in employment in Europe – shadow report 2012–2013. European Network Against Racism, Brussels
Le Métayer D, Monteleone S (2009) Automated consent through privacy agents: legal requirements and technical architecture. Comput Law Secur Rev 25(2):136–144
Makkonen T (2006) Measuring discrimination – data collection and EU equality law. Office for Official Publications of the European Communities, Luxembourg
Makkonen T (2007) European handbook on equality data. Office for Official Publications of the European Communities, Luxembourg
Makkonen T (2010) Equal in law, unequal in fact – racial and ethnic discrimination and the legal response thereto in Europe. Dissertation, University of Helsinki
McDonald C, Negrin K (2010) No data – no progress: summary and analysis. Open Society Institute, New York
Milcher S, Ivanov A (2004) The United Nations Development Programme’s vulnerability projects, Roma and ethnic data. Roma Rights 2:7–13
Molnár-Gábor F (2018) Germany: a fair balance between scientific freedom and data subjects’ rights? Hum Genet 137:619–626
Morning A (2005) Ethnic classification in global perspective: a cross-national survey of the 2000 census round. Available via UN STATS. https://unstats.un.org/unsd/demographic/sconcerns/popchar/morning.pdf. Accessed 27 Oct 2018
Möschel M (2013) Race in mainland European legal analysis: towards a European critical race theory. In: Möschel M, Hermanin C, Grigolo M (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 13–29
Muigai G (2000) Statistical data as a method to promote and monitor racial equality and non-discrimination: benefits and risks. Contribution to the regional seminar for the Americas on data collection and the use of indicators to promote and monitor racial equality and non-discrimination, OHCHR, Rio de Janeiro, 3–5 May 2000. Available via OHCHR. www2.ohchr.org/english/issues/racism/rapporteur/docs/Contribution_ethnically_disaggregated_data_BrazilMay2010.pdf. Accessed 27 Oct 2018
Nardell GC (2010) Levelling up: data privacy and the European Court of Human Rights. In: Gutwirth S, Poullet Y, De Hert P (eds) Data protection in a profiled world. Springer, Dordrecht, pp 43–52
National Committees for Research Ethics in Norway (2006) Guidelines for research ethics in the social sciences, law and the humanities. National Committee for Research Ethics in the Social Sciences and the Humanities, Oslo
Office of the High Commissioner for Human Rights (2012) Human rights indicators: a guide to measurement and implementation. Available via OHCHR. https://www.ohchr.org/Documents/Publications/Human_rights_indicators_en.pdf. Accessed 2 Dec 2018
Olli E, Kofod Olsen B (2005) Towards common measures for discrimination: exploring possibilities for combining existing data for measuring ethnic discrimination. Centre for Combating Ethnic Discrimination and Danish Institute for Human Rights, Oslo and Copenhagen
Olli E, Kofod Olsen B (2006) Towards common measures for discrimination II – recommendations for improving measurement of discrimination. Norwegian Equality and Anti-Discrimination Ombud and Danish Institute of Human Rights. Oslo and Copenhagen
Oppenheimer DB (2008) Why France needs to collect data on racial identity… in a French way. Hastings Int Comp Law Rev 31:735–751
Pavee Point Traveller and Roma Centre (2013) Equality and ethnic data. Available via Pavee Point. www.paveepoint.ie/ethnic-data-collection-seminar/. Accessed 27 Oct 2018
Pormeister K (2017) Genetic data and the research exemption: is the GDPR going too far? Int Data Privacy Law 7(2):137–146
Quinn P (2017) The anonymisation of research data – a pyric victory for privacy that should not be pushed too hard by the EU Data Protection Framework? Eur J Health Law 24:347–367
Rallu J-L, Piché V, Simon P (2006) Demography and ethnicity – an ambiguous relationship. In: Caselli G, Vallin J, Wunsch G (eds) Demography: analysis and synthesis. Academic, Burlington, pp 531–549
Ramsay K (2006) Disaggregated data collection: a precondition for effective protection of minority rights in South East Europe. Available via Minority Rights Group International. minorityrights.org/publications/disaggregated-data-collection-a-precondition-for-effective-protection-of-minority-rights-in-south-east-europe-august-2006/. Accessed 27 Oct 2018
Reding V (2012) The European data protection framework for the twenty-first century. Int Data Privacy Law 2(3):119–129
Reuter N, Makkonen T, Oosi O (2004) Study on data collection to measure the extent and impact of discrimination in Europe. Available via Universität Mannheim. edz.bib.uni-mannheim.de/daten/edz-ath/gdem/04/collection%20data.pdf. Accessed 27 Oct 2018
Ringelheim J (2006/2007) Minority protection, data collection and the right to privacy. Eur Yearb Minor Issues 6:51–77
Ringelheim J (2008/2009) Collecting racial or ethnic data for anti-discrimination policies: a U.S.-Europe comparison. Rutgers Race Law Rev 10:39–141
Ringelheim J (2011) Ethnic categories and European human rights law. Ethn Racial Stud 34(10):1682–1696
Ringelheim J (2013) Ethnic categories and European human rights law. In: Möschel M, Hermanin C, Grigolo G (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 47–60
Ringelheim J, De Schutter O (2010) Ethnic monitoring – the processing of racial and ethnic data in anti-discrimination policies: reconciling the promotion of equality with privacy rights. Bruylant, Brussels
Rouvroy A, Poullet Y (2009) The right to informational self-determination and the value of self-development: reassessing the importance of privacy for democracy. In: Gutwirth S, Poullet Y, De Hert P, De Terwangne C, Nouwt S (eds) Reinventing data protection? Springer, Amsterdam, pp 45–76
Sabbagh D (2013) The paradox of decategorization: deinstitutionalizing race through race-based affirmative action in the United States. In: Möschel M, Hermanin C, Grigolo M (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 30–46
Seltzer W, Anderson M (2001) The dark side of numbers: the role of population data systems in human rights abuses. Soc Res 68(2):481–513
Simon P (2004) Comparative study on the collection of data to measure the extent and impact of discrimination within the United States, Canada, Austria, Great-Britain and the Netherlands – Medis Project. Office for Official Publications of the European Communities, Luxembourg
Simon P (2005) The measurement of racial discrimination: the policy use of statistics. Int Soc Sci J 57:9–25
Simon P (2007) “Ethnic” statistics and data protection in the Council of Europe Countries. Available via the Council of Europe. https://www.coe.int/t/dghl/monitoring/ecri/activities/Themes/Ethnic_statistics_and_data_protection.pdf. Accessed 28 July 2018
Simon P, Piché V, Gagnon AA (2015) The making of racial and ethnic categories: official statistics reconsidered. In: Simon P, Piché V, Gagnon AA (eds) Social statistics and ethnic diversity: cross-national perspectives in classifications and identity politics. Springer, Cham, pp 1–14
Traung P (2012) The proposed new EU general data protection regulation. Comput Law Rev Int 13(2):33–49
United Kingdom Information Commissioner’s Office (2014) Conducting privacy impact assessments – code of practice. Available via PHD Journals. https://www.pdpjournals.com/docs/88317.pdf. Accessed 27 Oct 2018
United Nations Development Programme (2010) Marginalised minorities in development programming. UNDP, New York
United Nations Economic Commission for Europe (2006) Conference of European Statisticians Recommendations for the 2010 Censuses of population and housing. Available via UNECE. www.unece.org/fileadmin/DAM/stats/publications/CES_2010_Census_Recommendations_English.pdf. Accessed 27 Oct 2018
United Nations Economic Commission for Europe (2007) Managing statistical confidentiality and microdata access. Available via UNECE. https://www.unece.org/fileadmin/DAM/stats/publications/Managing.statistical.confidentiality.and.microdata.access.pdf. Accessed 27 Oct 2018
United Nations Statistics Division (2003) Ethnicity: a review of data collection and dissemination. Available via UNSTATS. https://unstats.un.org/unsd/demographic/sconcerns/popchar/Ethnicitypaper.pdf. Accessed 2 Dec 2018
United Nations Statistics Division (2008) Principles and recommendations for a population and housing censuses, Rev. 2. United Nations, New York
United Nations Statistics Division (2014) Principles and recommendations for a vital statistics system, Rev. 3. Available via UNSTATS. unstats.un.org/unsd/demographic/standmeth/principles/M19Rev3en.pdf. Accessed 2 Dec 2018
United Nations Statistics Division (2015) United Nations Fundamental Principles of Official Statistics – implementation guidelines. Available via UNSTATS. https://unstats.un.org/unsd/dnss/gp/Implementation_Guidelines_FINAL_without_edit.pdf. Accessed 2 Dec 2018
University of Essex Human Rights Centre Clinic (2013) Disaggregated data and human rights: law, policy and practice. Available via University of Essex Human Rights Clinic. https://www1.essex.ac.uk/hrc/careers/clinic/documents/disaggregated-data-and-human-rights-law-policy-and-practice.pdf. Accessed 27 Oct 2018
Van Alsenoy B (2012) Allocating responsibility among controllers, processors and “everything in between”: the definition of actors and roles in Directive 95/46/EC. Comput Law Secur Rev 28:25–43
Waltzer J-P (2011) The modernization of the Convention of the Council of Europe for the protection of individuals with regard to automatic processing of personal data (ETS No. 108): moving from a European standard towards a universal standard for data protection? In: Zombor F (ed) International data protection conference 2011. Hungarian Official Journal Publisher, Hungary, pp 81–86
World Health Organization (2010) How health systems can address health inequities linked to migration and ethnicity. WHO Regional Office for Europe, Copenhagen
Wrench J (2011) Data on discrimination in EU countries: statistics, research and the drive for comparability. Ethn Racial Stud 34(10):1715–1730
Wright D (2011a) Should privacy impact assessments be mandatory? Commun ACM 54(8):121–131
Wright D (2011b) The state of the art in privacy impact assessment. In: Zombor F (ed) International data protection conference 2011. Hungarian Official Journal Publisher, Hungary, pp 69–76
Wright D, De Hert P (2012a) Introduction to privacy impact assessment. In: Wright D, De Hert P (eds) Privacy impact assessment. Springer, Dordrecht, pp 3–32
Wright D, De Hert P (2012b) Privacy impact assessment. Springer, Dordrecht
Zanfir G (2014) Forgetting about consent. Why the focus should be on “Suitable Safeguards” in data protection law. In: Gutwirth S, Leenes R, De Hert P (eds) Reloading data protection – multidisciplinary insights and contemporary challenges. Springer, Dordrecht, pp 237–257
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Van Caeneghem, J. (2019). Ethnic Data Collection: Key Elements, Rules and Principles. In: Legal Aspects of Ethnic Data Collection and Positive Action. Springer, Cham. https://doi.org/10.1007/978-3-030-23668-7_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-23668-7_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-23667-0
Online ISBN: 978-3-030-23668-7
eBook Packages: Law and CriminologyLaw and Criminology (R0)