Data Protection Reform in Europe

Achim Klabunde, SIGINT2013, Cologne, 6 July 2013 (@achimkla)

Presentation Transcript


  1. Data Protection Reform in Europe

    Achim Klabunde SIGINT2013 Cologne, 6 July 2013 @achimkla
  2. (1) The EDPS: established in 2004, appointed by a joint decision of the EP and the Council for a 5-year mandate (Peter Hustinx, Giovanni Buttarelli). 3 main tasks: Supervision & Enforcement; Policy & Consultation; Cooperation.
  3. (2) The Context (#privacy). Technology is transforming access to and use of data: Pre-digital: data in manual files, held locally. 1970s: mainframes in administrations, police use filtering searches. 1980s: wide IT use, PCs, Internet, data transfers. 1990s: www, digital communications, convergence, communications privacy. 2000s: digital audio and video, e-commerce, e-everything, social media. 2010s: mobile, location-based services, cloud computing, massive profiling, Big Data.
  4. Timeline of developments (figure)
  5. Timeline of developments (figure, continued)
  6. Challenges to Privacy: profiling of digital traces / Big Data (cookies, clickstream data, hyperlinks); social networks (Facebook); search engines / integrated databases (Google); deep packet inspection (BT); location-based services (Apple); customer profiling (Target); cloud computing; foreign transfers; data breach (Sony PlayStation: £250k).
  7. Profiling of digital traces. Chris Hoofnagle (Berkeley) released the Web Privacy Census on June 26, 2012 (reported by James Temple, "Web Privacy Census Shows Tracking Pervasive"): it surveyed the 100 most popular websites; of these, 21 placed 100 or more cookies on users' computers, and 84% of cookies were placed by 3rd parties.
  8. Websites setting cookies (figure)
  9. Websites using scripts (figure)
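The statistic on slide 7 (share of cookies placed by third parties, number of sites placing 100 or more cookies) comes from a measurement that is easy to reproduce on one's own crawl data. The following Python is an added example, not code from the presentation or from the Web Privacy Census: it classifies each observed cookie as first- or third-party by comparing the registrable domain (eTLD+1) of the page with that of the cookie's domain attribute. The observations and the small public-suffix table are constructed for the example; a real census would load the full Public Suffix List.

```python
"""Added example: first-party vs third-party cookie census over crawl observations.

Not part of the original presentation. Sample data below is constructed.
"""
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List (publicsuffix.org).
# Only suffixes needed by the constructed sample are listed.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "eu", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host, e.g. 'ads.tracker.co.uk' -> 'tracker.co.uk'.

    Cookie Domain attributes may carry a leading dot ('.example.com'); it is
    stripped so that '.example.com' and 'www.example.com' compare equal.
    """
    labels = host.lower().strip(".").split(".")
    # Walk from the full host towards the TLD; the first suffix that is a
    # public suffix (and has at least one label in front of it) wins.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def is_third_party(page_url: str, cookie_domain: str) -> bool:
    """True if the cookie's domain is not under the visited page's eTLD+1."""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(cookie_domain)


def census(observations):
    """observations: iterable of (page_url, cookie_name, cookie_domain).

    Returns (cookies_per_page, third_party_share).
    """
    per_page = {}
    total = third = 0
    for page_url, _name, domain in observations:
        per_page[page_url] = per_page.get(page_url, 0) + 1
        total += 1
        if is_third_party(page_url, domain):
            third += 1
    return per_page, (third / total if total else 0.0)


def pages_with_at_least(per_page, threshold):
    """Pages on which at least `threshold` cookies were observed."""
    return sorted(p for p, n in per_page.items() if n >= threshold)


# Constructed sample crawl: (page visited, cookie name, cookie Domain attribute)
SAMPLE = [
    ("https://news.example.com/", "session", "news.example.com"),
    ("https://news.example.com/", "_ga", ".example.com"),          # first party
    ("https://news.example.com/", "ad_id", "ads.tracker.co.uk"),   # third party
    ("https://news.example.com/", "uid", ".cdn-stats.net"),         # third party
    ("https://shop.example.org/cart", "cart", "shop.example.org"),
    ("https://shop.example.org/cart", "px", ".pixel.de"),            # third party
]

if __name__ == "__main__":
    per_page, share = census(SAMPLE)
    for page, n in per_page.items():
        print(f"{page}: {n} cookies")
    print(f"third-party share: {share:.0%}")
    print("pages with >= 3 cookies:", pages_with_at_least(per_page, 3))
```

The eTLD+1 comparison matters: a naive host-string comparison would count `.example.com` as a third party on `news.example.com` and inflate the share, while treating `co.uk` as a registrable domain would let unrelated `.co.uk` sites read as first party.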
  10. Facebook. Europe v Facebook: 22 complaints. Irish Data Protection Commissioner audit: 12 recommendations to comply with the law: user choice on use and sharing of information, including in relation to third-party apps; increased transparency and controls on use of personal data for advertising; information to users day to day and on all personal data held on them; faster deletion of data & of data in social plugins; greater control over tagging of photos.
  11. Google. March 1, 2012: Google consolidation of services' policies into one single policy across all sites: Google, Google+, Gmail, Maps, YouTube etc. CNIL / Art. 29 WP: failure to update information to users, to explain what data is being processed, and to obtain consent for use of cookies. U.S. NAAG: consequences for users of Gmail, Google Apps, Android phones.
  12. Challenges to Privacy (figure)
  13. (3) EU Law on Privacy: two fundamental rights. (a) The Right of Privacy. ECHR (1950), Article 8: Everyone has the right to respect for his or her private and family life, home and correspondence. EU Charter (2000), Article 7: ... and communications.
  14. (b) The Right to Protection of Personal Data: an autonomous fundamental right to self-determination in the Information Society. EU Charter, Article 8; Article 16 TFEU. 1. Everyone has the right to the protection of personal data concerning him or her.
  15. EU Charter, Article 8 (continued). 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
  16. EU legislation on Privacy and Data Protection: OECD Guidelines 1980 (soft law); ECHR Art. 8 and Council of Europe Convention No. 108: privacy; EU Charter Arts. 7 and 8: ... and data protection; Data Protection Directive 95/46; Data Protection Regulation 45/2001; ePrivacy Directive 2002/58; Data Retention Directive 2006/24; Framework Decision 2008/977; Article 16 TFEU.
  17. EU objective: enable lawful processing across borders. Data Protection and Internal Market objectives of Directive 95/46, Article 1: Member States shall protect ... in particular [the] right to privacy with respect to the processing of personal data. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for the [above] reasons.
  18. What is "personal data"? Any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
  19. Examples of personal data: CVs, diplomas, recommendation letters, criminal records, medical certificates, photos; student databases with all your administrative and evaluation-related data held by your university; medical and health-related data, genetic data; customer data held by your telephone company, telephone calls and voice mails; your information held by your email account provider; transport data, body scanners in airports; video-surveillance cameras ...
  20. Some basic rules ... Personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.
  21. EU legislation: OECD Guidelines 1980 (soft law); ECHR Art. 8 and Council of Europe Convention No. 108: privacy; EU Charter Arts. 7 and 8: ... and data protection; Data Protection Directive 95/46; Data Protection Regulation 45/2001; ePrivacy Directive 2002/58; Data Retention Directive 2006/24; Framework Decision 2008/977; Article 16 TFEU.
  22. EU Data Protection Reform (#eudatap). Public consultation (May-Dec 2009): 150-200 written inputs received. Commission reflection (Jan-Sept 2010): stakeholder meetings, impact analysis. Communication (4 November 2010): consultation & additional feedback. Commission proposals for a Regulation and a Directive: 25 January 2012. Co-decision EP + Council: 2013-2014. Visit www.edps.europa.eu for more information!
  23. A New Data Protection Legal Framework. Reasons for a substantive reform: globalisation (increased transnational flows of data to be facilitated while ensuring adequate protection); technological changes; institutional changes (the Lisbon Treaty and the Charter); a fragmented legal framework at EU level (need for more harmonisation and for new, coherent and uniformly applied EU rules); legal certainty; need for change with regard to police and judicial activities.
  24. A. The Chapeau communication. B. The draft Regulation: I. General assessment; II. Scope, new definitions or principles; III. Data subjects; IV. Data controllers; V. Supervision and enforcement; VI. Transfer to third countries. C. The Directive for law enforcement.
  25. The draft Regulation

  26. I. General Assessment. The new Data Protection framework: a huge step forward for data protection in the EU, but still lacks comprehensiveness.
  27. I. General Assessment. The EU DP reform: enhances harmonisation of data protection; reinforces the position and rights of the data subject, particularly online; strengthens the responsibility of the data controller; strengthens DPAs' supervision and enforcement. BUT: it does not remedy the lack of comprehensiveness, and gives rise to a number of horizontal issues.
  28. II. Scope, new definitions or principles. Territorial scope: controller or processor established within the EU; non-EU-based controllers 'offering goods and services to' or 'monitoring the behaviour of' data subjects in the EU.
  29. II. Scope, new definitions or principles. Personal data (including in principle location data and identifiers: cookies and IP addresses). New definitions: 'personal data breach', 'genetic data' and 'biometric data'. Notion of 'main establishment' (for the controller and the processor). Data minimisation (limitation of the amount of data). Better information about data processing. Genuine consent, invalid where there is a significant imbalance of power (e.g. the employment sector). Safeguards for processing of children's data. Increased level of security of data.
  30. III. Data subjects. Reinforces the position and rights of the data subject: Right to be forgotten (Art. 17): right to request erasure and prevention of further dissemination; exceptions. Right to data portability (Art. 18).
  31. III. Data subjects. Right to object (Art. 19): specific legal grounds; for marketing purposes: free of charge + information. Measures based on profiling (Art. 20) only if: performance of a contract + safeguards; Union or Member State law + safeguards; consent of the data subject. And: not based solely on special categories of data.
  32. IV. Data controllers. Strengthened responsibilities of the controller. Accountability (Art. 22 onwards): "measures to ensure and demonstrate compliance with the Regulation"; "mechanisms to ensure the verification of the effectiveness of the measures".
  33. IV. Data controllers. Information and communication: right to expect transparent and easily accessible policies; intelligible form, clear and plain language (Art. 11); procedures and mechanisms (Art. 12); communication to recipients (Art. 13); content of the information (Art. 14).
  34. IV. Data controllers. Data protection by design and by default (Art. 23). Documentation (Art. 28). Principle: all processing operations under the controller's responsibility. Exceptions: natural persons without a commercial interest; enterprises or organisations with fewer than 250 employees where the processing is ancillary to the main activity.
  35. IV. Data controllers. Data Protection Impact Assessment (Art. 33): processing operations presenting specific risks; list drawn up by the DPA; possible adjustment for SMEs (delegated acts). Notification of data breaches (Arts. 31, 32): notification to the supervisory authority; communication to the data subjects.
  36. IV. Data controllers. Designation of data protection officers (Art. 35 onwards). Where: public authority or body; enterprise with 250 or more employees; core activity = regular and systematic monitoring of data subjects. Tasks: inform and advise; monitor the implementation; contact point.
  37. VI. Transfer to third countries: only if an adequate level of protection, except if appropriate safeguards (contractual clauses or BCR) or a specific derogation apply.
  38. V. Supervision and enforcement. One-stop shop via 'main establishment' (Arts. 4(13), 51): lead authority? European Data Protection Board (Art. 64 onwards). Consistency (Art. 57 onwards). Sanctions (Art. 79). BUT: role of the Commission; compulsory sanctions. Strong sanctions and remedies: wide choices for the data subject; redress for interest groups; sanctions up to 1 million euro / 2% of turnover.
  39. Reform and the ePrivacy Directive. The Regulation does not impose additional obligations on natural or legal persons for processing by providers of electronic communications services that are subject to specific obligations with the same objective set out in Directive 2002/58/EC: the specific regime remains the same. However, Article 1(2) of Directive 2002/58/EC is to be deleted: the Directive would no longer apply to legal persons. Pending issue: ePrivacy to be updated in order to be consistent with the new framework.
  40. EU Data Protection Reform. Commission proposals for a Regulation and a Directive: 25 January 2012. Co-decision EP + Council. EP: draft report January 2013 (Jan Philipp Albrecht, LIBE Committee); consulting committees ITRE, IMCO, EMPL, JURI, March 2013; LIBE vote: April, May, June, July, September 2013; elections: May 2014. Council: Irish Presidency: Council of 6/7 June agrees that the "amended text for chapters I to IV is a good basis for further progress" on the Regulation. Lithuanian Presidency: 1 July - 31 December 2013.
  41. Information sources. EDPS: edps.europa.eu. EP OEIL: www.europarl.europa.eu/oeil. PreLex: ec.europa.eu/prelex. Regulation: 2012/0011/COD. Directive: 2012/0010/COD.
  42. Thank you for your attention. For more information: www.edps.europa.eu, edps@edps.europa.eu, @achimkla, @EU_EDPS