Transcript Slides - sigint 2013
Data Protection Reform in Europe
Achim Klabunde
SIGINT2013 Cologne, 6 July 2013
@achimkla
(1) The EDPS
Established in 2004
• appointed by a joint decision of the EP and the Council for a 5-year mandate
• Peter Hustinx, Giovanni Buttarelli
3 main tasks
• Supervision & Enforcement
• Policy & Consultation
• Cooperation
(2) The Context
#privacy
Technology is transforming access/use of data:
• Pre-digital: data in manual files, held locally
• 1970s: mainframes in administrations, police uses filtering searches
• 1980s: wide IT use, PCs, Internet, data transfers
• 1990s: www, digital communications, convergence, communications privacy
• 2000s: digital audio and video, e-commerce, e-everything, social media
• 2010s: mobile, location based, cloud computing, massive profiling, Big Data
Timeline of developments (Year: DP legislation / IT developments)
1970: Hessen / Arpanet has 13 nodes
1974: US Privacy Act / Name “Internet”
1978: FR law, CNIL / 1st spam email
1980: OECD Guidelines / Usenet (now Google groups)
1981: Convention 108 / IBM PC
1990: UK Computer Misuse Act / www (December 25)
1995: Directive 95/46/EC / Amazon.com
2000-2001: EU Charter Arts 7 & 8; Regulation 45/2001 / Wikipedia (January 15, 2001), iPod (November 10)
2004: EDPS Decision / FaceBook
2006: Data Retention Directive / Twitter
2010: TFTP Agreement / iPad (April 3)
Challenges to Privacy
• Profiling of digital traces
– Big Data (cookies, clickstream data, hyperlinks)
– Social networks (FaceBook)
– Search engines / integrated databases (Google)
– Deep packet inspection (BT)
– Location based services (Apple)
– Customer profiling (Target)
• Cloud computing
• Foreign transfers
• Data breach (Sony PlayStation: £250k)
Profiling of digital traces
• Chris Hoofnagle, Berkeley
• study released June 26, 2012: James Temple, “Web Privacy Census Shows Tracking Pervasive”
• surveyed 100 most popular websites
• of these, 21 placed 100 or more cookies on users’ computers
• 84% of cookies placed by 3rd parties
Charts: Websites setting cookies; Websites using scripts
• Europe v Facebook: 22 complaints
• Irish Data Protection Commissioner audit
• 12 recommendations to comply with law, including:
– user choice on use and sharing of information, including in relation to third party apps
– increased transparency and controls on use of personal data for advertising
– information to users day to day and on all personal data held on them
– faster deletion of data & data in social plugins
– greater control over tagging of photos
• March 1, 2012: Google consolidation of services’ policies into one single policy across all sites: Google, Google+, Gmail, Maps, YouTube etc.
• CNIL / Art. 29 WP – failure to:
– update information to users
– explain what data is being processed
– obtain consent for use of cookies
• U.S. NAAG: consequences for users of Gmail, Google Apps, Android phones
(3) EU Law on Privacy: two fundamental rights
(a) the Right of Privacy
ECHR (1950), Article 8: “Everyone has the right to respect for his or her private and family life, home and correspondence”
EU Charter (2000), Article 7: “… and communications.”
(b) The Right to Protection of Personal Data
an autonomous fundamental right to self determination in the Information Society
EU Charter, Article 8
Article 16, EU Treaty:
1. Everyone has the right to the protection of personal data concerning him or her.
EU Charter, Article 8 (continued)
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
EU legislation on Privacy and Data Protection
• OECD Guidelines 1980 (soft law)
• ECHR Convention No. 108, Art. 8: privacy
• EU Charter Arts. 7 and 8: … and DP
• Data Protection Directive 95/46
• Data Protection Regulation 45/2001
• ePrivacy Directive 2002/58
• Data Retention Directive 2006/24
• Framework Decision 2008/977
• Article 16 EU
EU objective: enable lawful processing across borders
Data Protection and Internal Market objectives of Directive 95/46, Article 1:
• MS shall protect … in particular [the] right to privacy with respect to the processing of personal data.
• MS shall neither restrict nor prohibit the free flow of personal data between MS for the [above] reasons.
What is “Personal Data”?
• any information relating to an identified or identifiable natural person (data subject);
• an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Examples of personal data
• CVs, diplomas, recommendation letters, criminal records, medical certificates, photos;
• Student databases with all your administrative and evaluation related data held by your university;
• Medical data and health related data, genetic data;
• Customer data held by your telephone company, telephone calls and voice mails;
• Your information held by your email account provider;
• Transport data, body scanners in airports;
• Video-surveillance cameras;
• …
Some basic rules…
1. Personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
2. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
EU Data Protection Reform
#eudatap
• Public consultation (May-Dec 2009) – written input received: 150-200
• Commission reflection (Jan-Sept 2010) – stakeholder meetings, impact analysis
• Communication (4 November 2010) – consultation & additional feedback
• Commission proposals for a Regulation and a Directive, 25 January 2012
• Co-decision EP + Council 2013-2014
Visit www.edps.europa.eu for more information!
A New Data Protection Legal Framework
Reasons for a substantive reform
• Globalisation: increased transnational flows of data to be facilitated while ensuring adequate protection
• Technological changes
• Institutional changes: the Lisbon Treaty and the Charter
• A fragmented legal framework at EU level: need for more harmonisation and for new, coherent and uniformly applied EU rules
• Legal certainty
• Need for change with regard to police and judicial activities
A. The Chapeau communication
B. The draft Regulation
I. General assessment
II. Scope, new definitions or principles
III. Data subjects
IV. Data controllers
V. Supervision and enforcement
VI. Transfer to third countries
C. The Directive for law enforcement
The draft Regulation
I. General Assessment
The new Data Protection framework: a huge step forward for data protection in the EU, but it still lacks comprehensiveness.
I. General Assessment
The EU DP reform:
- Enhances harmonisation of data protection
- Reinforces position and rights of data subject, particularly on-line
- Strengthens responsibility of data controller
- Strengthens DPAs’ supervision and enforcement
BUT:
- does not remedy lack of comprehensiveness
- gives rise to a number of horizontal issues
II. Scope, new definitions or principles
Territorial scope:
- Controller or processor established within the EU
- Non-EU-based controllers: ‘offering goods and services to’ or ‘monitoring behaviour of’ data subjects in the EU
II. Scope, new definitions or principles
- Personal data (including in principle location data and identifiers: cookies and IP addresses)
- New definitions: ‘personal data breach’, ‘genetic data’ and ‘biometric data’
- Notion of ‘main establishment’ (for the controller and the processor)
- Data minimisation (limitation of amount of data)
- Better information about data processing
- Genuine consent, improper when there is a significant imbalance of power (e.g. employment sector)
- Safeguards for processing of children’s data
- Increased level of security of data
III. Data subjects
Reinforces position and rights of data subject:
• Right to be forgotten (17)
- Right to request erasure and prevention of further dissemination
- Exceptions
• Right to data portability (18)
III. Data subjects
• Right to object (19)
- Specific legal grounds
- Marketing purposes: free of charge + information
• Measures based on profiling (20)
Only if:
- Performance of a contract + safeguards
- Union or Member State law + safeguards
- Consent of the data subject
And:
- not based solely on special categories of data
IV. Data controllers
Strengthens responsibilities of the controller
Accountability (22 onwards):
- “measures to ensure and demonstrate compliance with the Regulation”
- “mechanisms to ensure the verification of the effectiveness of the measures”
IV. Data controllers
Information and communication
- Right to expect transparent and easily accessible policies
- Intelligible form, clear and plain language (11)
- Procedures and mechanisms (12)
- Communication to recipients (13)
- Content of the information (14)
IV. Data controllers
Data protection by design and by default (23)
Documentation (28)
Principle:
- All processing operations under the controller’s responsibility
Exceptions:
- Natural person without commercial interest
- Enterprises or organisations < 250 employees and activity ancillary to the main activity
IV. Data controllers
Data Protection Impact Assessment (33)
- Processing operations presenting specific risks
- List of DPA
- Possible adjustment for ‘SMEs’ (delegated acts)
Notification of data breaches (31, 32)
- Notification to the supervisory authority
- Communication to the data subjects
IV. Data controllers
Designation of data protection officers (35 onwards)
Where:
- Public authority or body
- Enterprise ≥ 250 employees
- Core activity = regular and systematic monitoring of data subjects
Tasks:
- Inform and advise
- Monitor the implementation
- Contact point
VI. Transfer to third countries
Only if adequate level of protection
- Except if appropriate safeguards
- Contractual clauses or BCR
- Specific derogation
V. Supervision and enforcement
- One stop shop – ‘main establishment’ (4(13), 51) – Lead authority?
- European Data Protection Board (64 onwards)
- Consistency (57 onwards)
- Sanctions (79)
BUT:
- Role of Commission
- Compulsory sanctions
- Strong sanctions and remedies
- Wide choices for data subject
- Redress for interest groups
- Sanctions up to 1 mln Euro / 2% turnover
Reform and ePrivacy Directive
• Regulation does not impose additional obligations on natural or legal persons for processing by providers of electronic communications services subject to specific obligations with the same objective set out in Directive 2002/58/EC: the specific regime remains the same
• However, Article 1(2) of Directive 2002/58/EC is to be deleted: no longer applicable to legal persons
• Pending issue: ePrivacy to be updated in order to be consistent with the new Framework
EU Data Protection Reform
• Commission proposals for a Regulation and a Directive, 25 January 2012
• Co-decision EP + Council
• EP:
– Draft report January 2013 (Jan Philipp Albrecht, LIBE Committee)
– Consulting Committees ITRE, IMCO, EMPL, JURI March 2013
– LIBE vote: April, May, June, July, September 2013
– Elections: May 2014
• Council:
– Irish Presidency: Council 6/7 June agrees that “amended text for chapters I to IV is a good basis for further progress” on Regulation.
– Lithuanian Presidency: 1 July – 31 December 2013
Information sources
• EDPS: edps.europa.eu
• EP Oeil: www.europarl.europa.eu/oeil
• PreLex: ec.europa.eu/prelex
• Regulation: 2012/0011/COD
• Directive: 2012/0010/COD
Thank you for your attention
For more information: www.edps.europa.eu
@EU_EDPS @achimkla