
GDPR: The Foundations of Data Privacy



Presentation Transcript


  1. GDPR: The Foundations of Data Privacy. Zagreb, 7 March 2019. Cosimo Monda, Director of the European Centre on Privacy and Cybersecurity (ECPC), Maastricht University

  2. Executive Education @ ECPC

  3. Agenda
  • Legal Framework – context
  • What is Personal Data / Data Protection
  • Key concepts of GDPR
  • Principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage, integrity, accountability)
  • The value of case law moving forward: relevant examples for schools

  4. Technology makes our lives easier, but is it at the cost of our fundamental rights and interests?

  5. Privacy and Data Protection: two fundamental rights
  Privacy:
  • Article 7 EU-Charter: “Everyone has the right to respect for his or her private and family life, home and communications”
  • Art. 8 ECHR (1950): “… and correspondence”
  Data protection:
  • Article 8 EU-Charter – Article 16 TFEU: “Everyone has the right to the protection of personal data concerning him or her.”
  • Both have many definitions… lead to coverage
  • Individual autonomy and fair processing: data protection requires the balancing of the full range of people’s fundamental rights and interests

  6. Article 8 EU-Charter – Protection of personal data
  • Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
  • Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.
  DPO Certification course - Jul-18 Edition

  7. Limitations
  • Substantial public interest, in particular:
    • national security
    • public safety
    • prevention of disorder or crime
    • protection of the rights and freedoms of others
  • The employer’s authority to organise the workplace: adoption of rules for internal organisation at the workplace
  (Limitation does not mean that all notion of privacy is dismissed)

  8. Why is Today More Complicated?
  • Internet and observational technologies
  • Smart phones / mobile apps
  • Big data analytics
  • Artificial Intelligence (AI)
  • Internet of Things
  • Sensors
  • ?

  9. Personal Data uses
  The consent-based model is no longer sufficient. Data controllers are using personal data:
  • first to predict the future (thinking with data)
  • and then to make decisions for people (acting with data)
  Data flows and uses are complex and beyond the ability of individuals to fully understand what they were consenting to.

  10. The increasing data challenges
  • Group privacy
  • Data uses through time
  • Toxic data
  • …

  11. Legal Framework

  12. Legal Framework
  • European Convention on Human Rights
  • Convention 108 of the Council of Europe
  • Community Directive 95/46/EC
  • Charter of Fundamental Rights of the European Union
  • Regulation (EC) No 45/2001
  • EU Treaty (Article 6) – TFEU (Article 16)
  • Regulation 2016/679 (GDPR)
  • Directive 2016/680 (Police Directive)
  • Regulation 2018/1725 (EU institutions, agencies and bodies)

  13. GDPR: 3 game changers
  • Principle of Accountability: the controller shall be responsible for, and be able to demonstrate compliance with, all the principles relating to processing of personal data
  • Data protection compliance is becoming increasingly risk-based and by-design
  • Sanctions and Enforcement: fines and data subjects’ right to remedies

  14. GDPR in Numbers
  • 190+ countries potentially affected by the Regulation
  • 28,000 estimated number of new DPOs required in Europe
  • 4% of global turnover: potential fines
  • 80+ new requirements
  • 7 core data subjects’ rights
  • 72 hours given to report a data breach

  15. What changes does the GDPR bring?
  • Broader territorial scope: applies to players not established in the EU but whose activities consist of targeting data subjects in the EU
  • Enforcement: DPAs will be entitled to impose fines ranging between 2% and 4% of annual turnover
  • Accountability: controllers / processors have to be able to demonstrate compliance with the GDPR
  • Expanded definitions: personal data now explicitly includes location data, IP addresses, online and technology identifiers
  • Data subjects’ rights: reinforced rights: access, rectification, restriction, erasure, objection to processing; no automated processing and profiling, data portability, class action…
  • Explicit consent: spelled out more clearly, with a focus on the ability of individuals to distinguish a consent
  • Data breach notification: report a personal data breach to the DPA within 72h…
  • One-stop shop: the DPA of the main establishment can act as lead DPA, supervising processing activities throughout the EU
  • International data transfers: BCRs as tools for data transfers outside the EU are now embedded in law

  16. Key definitions

  17. What is “Personal Data”?
  “Any information relating to an identified or identifiable natural person”
  • Even dynamic IP addresses are personal data. Breyer case (C-582/14): “a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.” - §65
  • This definition does not cover legal persons and deceased persons, but does cover employees and business information that can be linked to an individual.
  “Operational Data”: Regulation 2018/1725 will not apply to the processing of operational personal data by EUROPOL and the European Public Prosecutor until their respective founding Regulations are adapted.

  18. Some examples of Personal Data

  19. The Data Subject
  • A data subject is an identifiable natural person: one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  20. The Data Subject
  Or are there…? Two types of data subjects: Employees, Customers
  Source: Nymity Research Division

  21. The Data Subject
  Unique in the Crowd – MIT / University of Louvain (2013)
  • 1.5M individuals tracked for 15 months
  • Hourly location tracking
  • 4 data points to identify 95% of the individuals

  22. What is Data Processing? “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

  23. Processing Personal Data

  24. Accountability under the GDPR
  Article 5(2) GDPR – Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
  Article 24(1) GDPR: Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

  25. Accountability Made Simple
  A controller must be:
  • Responsible
    • This means understanding the risks created for others
    • Adopt appropriate technical and organisational measures (what is appropriate depends on the organisation)
  • Answerable (demonstrate compliance)
    • Must be transparent to everyone
    • Stand ready to demonstrate to authorities

  26. Accountability in practice
  • Organisation / top management commitment to accountability and adoption of internal procedures prior to the creation of new personal data processing operations (internal review, assessment, etc.).
  • Mechanisms to put privacy policies into effect, including tools, training and education.
  • Systems for internal ongoing oversight and assurance reviews and external verification.
  • Transparency and mechanisms for individual participation.
  • Means for remediation and external enforcement.

  27. Lawfulness, Fairness & Transparency
  • The principle requires not only lawful, but also fair and transparent processing
  • A legal ground is required
  • Transparency is a key right of the data subject
    • Ensure (s)he receives the relevant information at the time the data is collected, or obtained by the data controller from a third party
    • Needs to be understandable: in accessible form, in clear and plain language
    • Also known as Notice
    • Includes information on the data controller, the data processors involved and the risks, rules, safeguards and rights
    • Not the same as a legal statement on data processing, or a liability waiver
  Don’t surprise the data subject

  28. Data Minimisation, Accuracy, Storage Limitation & Integrity and Confidentiality
  • Data should be adequate, relevant and limited to what is necessary in relation to the purpose
    • Do not collect more data than you need at the time of collection
    • Need to know, instead of nice to have
  • Data need to be correct, kept up to date and not retained longer than is necessary for the purpose
    • Be specific on your retention periods
    • Retention periods can differ between processing purposes for the same data set
  • Protection against risk of interference
    • Ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

  29. What happens if we have a new purpose?
  Is the processing compatible with the initial purpose? Purpose compatibility test:
  • What links are there between the different purposes?
  • What is the context in which the personal data have been collected?
  • What is the nature of the personal data (any special categories)?
  • What are the consequences for the data subjects?
  • What safeguards are foreseen?
  For archiving in the public interest, scientific research and statistical purposes it is not necessary to run the compatibility test. Article 6

  30. Confidentiality and Security – Data security and due diligence
  “…. the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”
  Four criteria are taken into account:
  • State of the art
  • Costs
  • Nature of the data
  • Risks
  Article 33 DPO Certification course - 2017 Edition

  31. Data protection by design and by default
  • Controllers to put in place measures to effectively implement data protection principles and to integrate the necessary safeguards to comply with the law and to protect data subjects’ rights
    • e.g., pseudonymisation and data minimisation
  • Controllers to implement privacy settings so that only the minimal necessary personal data are processed
    • e.g., personal data are not made public by default

  32. Processing Special Categories of Data

  33. Special Categories of Data (Sensitive Data) Article 10

  34. Processing of sensitive data
  Processing of ‘sensitive’ data is prohibited unless:
  (a) explicit consent
  (e) data manifestly made public by the data subject
  (g) substantial public interest on the basis of Union law
  (i) public interest in the area of public health
  …

  35. Processing of personal data relating to criminal convictions and offences
  • Only under control of official authority, or
  • When authorised by Union law providing for appropriate safeguards for the rights and freedoms of data subjects
  • No general derogations

  36. Automated individual decision-making, including profiling
  • Restrictions where profiling has:
    • legal consequences; or
    • significantly affects the individual
  • Only allowed in exceptional cases:
    • performance of a contract
    • authorised by law
    • explicit consent
  • Profiling with special data is prohibited unless explicit consent or substantial public interest backed by Union law

  37. The value of case law moving forward: relevant examples for schools

  38. Social media presence for schools
  • Wirtschaftsakademie Schleswig-Holstein (W) provides training and education
  • W set up a Facebook (FB) Fan Page in Germany; the Fan Page uses Facebook Insights to create custom audiences to track users, compile user statistics and (for FB) target ads
  • Enables tracking of Fan Page visitors who are not FB users, but neither W nor FB warned users of tracking
  • German Land DPA (ULD) ordered W to deactivate the fan page
  • German courts set the ULD order aside, found W not to be a controller
  • Main issue: who is/are the controller(s) in this case?

  39. Social media presence for schools
  Holding:
  • The institute is a joint controller, jointly responsible with FB, because the institute defined parameters and asked for demographic and geographic data for the target audience; statistical data was provided to the institute, but FB processing was triggered by the institute’s request (i.e. they started the page)
  • Controllership is not tied to complete control over processing (see Case C-25/17 Jehovah’s Witnesses)
  • Joint responsibility of each controller ensures a more complete protection of DP rights of fan page visitors
  • Need to clarify responsibilities of joint controllers and make it transparent to the data subject (see Art. 26 GDPR)

  40. Social media presence for schools
  Schools should be very careful with creating a Facebook fan page. In practice it is difficult to inform users since it is difficult:
  • to understand and/or impossible to get detailed information from FB regarding the processes to add to a notification; and
  • to embed the notice: where and how should it be displayed?

  42. Social media presence for schools
  Main issue: determination and responsibility of controller(s) for social media plug-ins embedded on webpages
  • FID (Fashion ID) embedded the FB “Like” button in its website, to promote visibility of its products on FB
  • Merely visiting the page triggered transfer of user data to FB Ireland
  • FB also placed cookies on the user’s device to enable tracking
  • A consumer protection association sought an injunction under consumer protection law against Fashion ID for enabling FB to track users of its website without users’ knowledge or consent
  Schools should follow this and consider any use of the FB Like button on their website.

  43. Disclosure of religious conviction to school authority
  Main issue: Art. 9 (freedom of thought, conscience and religion) vs Art. 8 (right to private life)
  The mandatory disclosure of religious and philosophical beliefs of parents/children to a school authority triggers Article 8 ECHR (§ 98: imposing an obligation on parents to disclose detailed information to the school authorities about their religious and philosophical convictions could be seen to constitute a violation of Article 8 of the Convention, even though in the case itself there was no obligation as such for parents to disclose their own convictions).
  Article 91 GDPR provides that existing data protection rules of churches and religious associations may be kept if they are aligned with the GDPR; it would have to be assessed whether such rules exist for religious schools and whether these rules are aligned with the GDPR.

  44. Q&A
  www.maastrichtuniversity.nl/ecpc
  @ecpcmaastricht
  Thank you very much for your attention! Cosimo Monda