Opinion of the European Data Protection Supervisor: 
Europe's Role in Shaping the Future of Internet Governance (23 June 2014)

Summary:
  • This document calls for all Internet policy discussions to take into consideration the internationally-recognised, fundamental rights of privacy and data protection. Such rights:
    • 1) are at the basis of users' online interactions, 
    • 2) should be protected online as well as offline, and 
    • 3) “are not negotiable”.
  • The current WHOIS system is named as “an example of a data protection issue which has to be addressed” because of its “authentication and data retention requirements.” It must be replaced “with a solution taking account, inter alia, of privacy concerns.”
  • Data protection authorities must be represented in multi-stakeholder Internet governance processes and must ensure that respect for fundamental rights is assured for all users regardless of their means and capabilities. They should also work to ensure the harmonisation of data protection rules at a global level.
  • Data controllers: 
    • have a responsibility to provide transparent and easily accessible and understandable information, 
    • should provide procedures and mechanisms for exercising a data subject's rights,
    • must provide information on storage periods, 
    • must provide information on rights to lodge a complaint, and 
    • must provide information in relation to the international transfer of data and to the source from which the data is originating.
  • Users have the right to be forgotten and to erasure. In balancing the right to erasure against the freedom of information, the former overrides the general public's right to be informed, unless the data subject plays a role in public life that justifies interference with his/her right to privacy.
  • There is a close relationship between technological design and data protection. The principles of data protection-by-design and by-default could serve as significant enablers of trust on the Internet. Accordingly, the inclusion of optimal data protection standards in the development of technology at the early design phase is encouraged.
  • Conflicts of law arise in connection with the Internet, jeopardising users' rights to privacy and data protection, and these need to be solved. “Given the global and cross-border nature of the Internet, personal data is often transferred to and processed in jurisdictions other than those in which users have submitted their data, exposing them to the risk of lower or no data protection. In addition, controllers processing personal data on the Internet may be faced with conflicting laws and obligations and must choose between violating foreign obligations or EU data protection safeguards … which in consequence undermines the data protection safeguards afforded to users under EU law.”
    • Google v AEPD might provide some guidance on answering this question – in this judgement the Court of Justice of the European Union ruled that the presence of an establishment on the territory of an EU Member State and the relationship between the activities of that establishment and the data processing at issue can be used to decide the applicability of EU data protection law to a processing carried out online.
  • “From a European perspective, we would encourage controllers processing the personal data of EU individuals on the Internet to increase the transparency and the amount of information they provide to users in relation to the law(s) they are subject to and the data protection rules they are bound to apply, including laws on access to data by government bodies, jurisdictions where data may be processed, and what safeguards have been implemented to protect users' data.”

Ayden Férdeline