Transcript Data Protection and the Health Sector
Data Protection: Now and the future
Gary Davis Deputy Data Protection Commissioner
Digital Depot, 15 November 2012
Presentation Outline
• Looking to the Now
• Apps Analysis
• Future Drivers of Regulation
• Conclusion
Looking to the now
• Personal data/information is the oil that fuels the engine of the internet/technology economy.
• Technology and the internet are fantastic enablers for individuals. Twitter/Facebook have assisted revolution; Google and others have changed the way we live and work.
• Like it or not, data protection regulators are the only regulators in this space.
• Free/improved services = your information.
• Everybody using the internet and technology knows the deal, so what is the problem?
Looking to the now
• Well, they don’t fully understand the deal, and how could they? Cookies, for instance.
• No suggestion that technology and internet companies are deliberately acting improperly.
• Law enforcement and Governments are increasingly accessing, or seeking to access, the information collected.
• Clear imbalance between what the average individual understands while online and using technology and what actually happens.
“Cookies” Law (SI 336/2011)
• Necessary “Session” Cookies normally OK. Full information as to such use should still be available to the website user.
• Other “Cookies” – “third party” or “tracking” cookies – require consent.
• Current browser settings do not meet the “consent” requirement – IE10?
• Adopted a “Wait and See” approach in the short-term to see if Industry (browser providers, ad networks etc.) could come up with workable solutions.
• Now, some 15 months later, will move to enforcement. Will commence by contacting approx. 50 of the largest websites.
Presentation Outline
• Looking to the Now
• Apps Analysis
• Future Drivers of Regulation
• Conclusion
Topical Issue - Apps Analysis
• EU a little behind the curve for once in probing their use of data.
• An Opinion from the Article 29 Working Party (over-arching Body of EU Data Protection Commissioners) on Mobile Apps due in coming weeks.
Topical Issue - Apps Analysis
While not finalised yet, the Opinion in essence will point to the responsibilities of App Developers/Owners to:
• Provide basic info via the App Store/Shop etc. as to the data that will be accessed by installation of the App, so that a user can make an informed choice
• Include a privacy policy from the Store/Shop so that a user can read it if desired and decide whether the proposed use of data is appropriate
• Fully justify why access is sought to each category of data.
Topical Issue - Apps Analysis (Ctd)
• Not seek data on a “just in case” or “might be useful” basis
• Have in place appropriate contracts if the data is stored with a third party or cloud provider
• Ensure that data transfer requirements are met if the data is transferred outside the EU by you
• Ensure that the data is secure within the App and as it moves to/from the App
• Remove all user data if the user uninstalls the App
Presentation Outline
• Looking to the Now
• Apps Analysis
• Future Drivers of Regulation
• Conclusion
The challenge
• Current imbalance between the capacity of the entities involved and the regulators
• The current laws and penalties are too weak
• Questions of jurisdiction remain
• New EU Data Protection Regulation intended to address the imbalance
• Questions remain about law enforcement access. Too pervasive and will discourage internet and technology use
EU DP Law Changes: Timetable
• 2009/2010 – Public and Sectoral Consultation
• November 2010 – “Communication” from EU Commission
• 25 January 2012 – Draft Laws published
• 2012/14? – Negotiation in Council and Parliament
• 2015-16? – Implementation
Future EU Law: Structure
• Directly-applicable Regulation
• Separate Directive for Law Enforcement Area
• Separate Decision for Foreign Affairs (CFSP) Area – Not yet presented
General Principles (1)
• Protecting Fundamental Right to Data Protection and Free Movement of Personal Data
• Particular focus on children
• Applies to Organisations processing personal data either established in the EU, or offering goods and services to, or monitoring the behaviour of, EU residents
• Does not apply to a natural person without any gainful interest in the course of their own exclusively personal or household activity
General Principles (2)
• Data Minimisation – “limited to the minimum necessary”
• Transparency – More prescriptive information requirements
• Strengthened Right of Access – More Information; No Charge (except “manifestly excessive”); Normally within one month
General Principles (3)
• Accountability of Data Controller (Joint Controller) – “ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”
• Documentation
• Data Protection Officer
General Principles (4)
• Privacy by Design
• Privacy Impact Assessment
• “Seal” systems
• Data Portability
• “Right to be Forgotten” – Requirement for retention policy; On request, delete unless clash with other rights (freedom of expression etc.)
• Strengthened Data Security
• Data Breach Notification
Lawfulness of Processing
• Stricter definition of “consent” – Burden of proof on data controller; Can’t be “buried” in another document; Not valid where “significant imbalance”; Parental consent for child under 13
• “Legal Obligation”, “Public Interest” and “Exercise of Official Authority” grounds must be laid down in law which meets a proportionality test
• “Legitimate Interests” of data controller does not apply to a public organisation
Direct Marketing
• Strengthened Right to Refuse
• “right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information”
International Transfers: Principle (1)
Where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.
International Transfers (2)
• “Adequacy” Decisions by Commission
• Standard Clauses – Adopted by Commission; or Prescribed by DPA and “declared generally valid” by Commission; or Approved by DPA (subject to Consistency Mechanism)
• Binding Corporate Rules
International Transfers (3)
• Informed Consent, Contractual Requirement etc.
• “Legitimate Interests” of data controller or processor, and “not frequent, massive or structural”, and must inform DPA
Data Protection Officer (1)
• Must be appointed by Controller or Processor if: Public body OR 250+ employees OR Core activities involve “regular and systematic monitoring of data subjects”
• Joint appointment possible
• Publicly named
Data Protection Officer (2)
• “expert knowledge of data protection law”
• “ability to fulfil the (designated) tasks”
• Any other professional duties “compatible” and “do not result in a conflict of interests”
Data Protection Officer (3)
• Must perform tasks independently
• Minimum 2-year appointment
• Protection against dismissal
• Necessary Resources
• “involved in all issues which relate to the protection of personal data”
• Direct report to Management
Data Protection Officer (4)
• Advise on data protection policy and monitor practice
• Assignment of internal responsibilities; Training; Privacy Impact Assessments; Privacy by Design; Information to data subjects; Data Security; Documentation
• Main contact with supervisory authority
• Main contact with public
Data Protection Authorities (DPAs) (1)
• Independence – Appointment, financial resources, staff
• Strengthened Powers – Conduct investigations on own initiative; Investigate complaints “to the extent appropriate”; Must be consulted on relevant legislation
• “One-stop-Shop” for data controllers – Location of “main establishment”
DPAs (2)
• European Cooperation – “Consistency Mechanism”; Joint Enforcement, Binding Consultation etc.
• Strengthened European Data Protection Board
• Commission regulatory powers
• Sanctions
Sanctions
• DPA Obligation to impose Administrative Sanctions where data protection law breached “intentionally or negligently” – up to €1M or 2% of annual worldwide turnover, depending on breach
• Separate Penalties for infringements
• Individual right to a Judicial Remedy, including compensation for damage suffered
Presentation Outline
• Looking to the Now
• Apps Analysis
• Future Drivers of Regulation
• Conclusion
The Future and the Now – Ireland a Key Player
• We will be chairing the final discussions at Council level on the draft Regulation in the first six months of next year
• At present we are home to the lead EU operations of some of the largest technology players, so very likely to be lead regulator for at least some or all of: Google, Facebook, Apple, LinkedIn, Twitter, Intel
• Can we do the job?
13 August
• Evgeny Morozov (@evgenymorozov), 13/08/2012 01:25: A new algorithm uses tracking data on people’s phones to predict where they’ll be in 24 hours. Average error: 20 meters slate.com/blogs/future_t…
14 August
• PrivacyDigest (@PrivacyDigest), 14/08/2012 07:34: PSA: Watch Out: "We Know Your House" Uses Twitter to Find Out Where You Live and Then Posts It Online gizmodo.com/5934062/watch-… #Privacy
14 August
• Ryan Calo (@rcalo), 14/08/2012 19:53: My colleague Anita @UWSchoolofLaw writes about driver tracking by insurance companies. #privacy verdict.justia.com/2012/08/14/pro…
19 August
• Abine, Inc. (@GetAbine), 19/08/2012 15:24: In addition to a credit score, you now have an e-score that rates your desirability as a customer: ow.ly/d4zUv #privacy
• Harvard Biz Review (@HarvardBiz), 19/08/2012 22:12: Customer Intelligence, Privacy, and the "Creepy Factor" s.hbr.org/RnVLNe