Slides - sigint 2013

Data Protection Reform in Europe

Achim Klabunde

SIGINT2013 Cologne, 6 July 2013

@achimkla

(1) The EDPS

Established in 2004

• appointed by a joint decision of the EP and the Council for a five-year mandate
• Peter Hustinx, Giovanni Buttarelli

3 main tasks

• Supervision & Enforcement
• Policy & Consultation
• Cooperation

(2) The Context

#privacy

Technology is transforming access/use of data:

• Pre-digital: data in manual files, held locally
• 1970s: mainframes in administrations, police uses filtering searches
• 1980s: wide IT use, PCs, Internet, data transfers
• 1990s: www, digital communications, convergence, communications privacy
• 2000s: Digital audio and video, ecommerce, e-everything, social media
• 2010s: mobile, location based, cloud computing, massive profiling, Big Data

Timeline of developments

Year | DP legislation | IT developments
1970 | Hessen | Arpanet has 13 nodes
1974 | US Privacy Act | Name “Internet”
1978 | FR law, CNIL | 1st spam email
1980 | OECD Guidelines | Usenet (now Google groups)
1981 | Convention 108 | IBM PC
1990 | UK Computer Misuse Act | www (December 25)

Timeline of developments (continued)

Year | DP legislation | IT developments
1995 | Directive 95/46/EC | Amazon.com
2000 | EU Charter Arts 7 & 8 |
2001 | Regulation 45/2001 | Wikipedia (January 15, 2001), iPod (November 10)
2004 | EDPS Decision | FaceBook
2006 | Data Retention Directive | Twitter
2010 | TFTP Agreement | iPad (April 3)

Challenges to Privacy

• Profiling of digital traces
  – Big Data (Cookies, clickstream data, hyperlinks)
  – Social networks (FaceBook)
  – Search Engines / integrated databases (Google)
  – Deep packet inspection (BT)
  – Location based services (Apple)
  – Customer profiling (Target)
• Cloud computing
• Foreign transfers
• Data breach (Sony PlayStation: £250k)

Profiling of digital traces

• Chris Hoofnagle, Berkeley
• released June 26, 2012 study: James Temple, Web Privacy Census Shows Tracking Pervasive
• surveyed 100 most popular websites
• of these, 21 placed 100 or more cookies on users’ computers
• 84% of cookies placed by 3rd parties

Websites setting cookies

Websites using scripts

Facebook

• Europe v Facebook: 22 complaints
• Irish Data Protection Commissioner Audit
• 12 recommendations to comply with law:
  – user choice on use and sharing of information, including in relation to third party apps
  – increased transparency and controls on use of personal data for advertising
  – Information to users day to day and on all personal data held on them
  – Faster deletion of data & data in social plugins
  – Greater control over tagging of photos

Google

• March 1, 2012: Google consolidation of services’ policies into one single policy across all sites: Google, Google+, Gmail, Maps, YouTube etc.
• CNIL / Art. 29 WP – failure to:
  – update information to users
  – explain what data is being processed
  – obtain consent for use of cookies
• U.S. NAAG: consequences for users of Gmail, Google Apps, Android phones

(3) EU Law on Privacy: two fundamental rights

(a) the Right of Privacy

ECHR (1950), Article 8: Everyone has the right to respect for his or her private and family life, home and correspondence.

EU Charter (2000), Article 7: … and communications.

(b) The Right to Protection of Personal Data

an autonomous fundamental right to self determination in the Information Society

EU Charter, Article 8

Article 16, EU Treaty:

1. Everyone has the right to the protection of personal data concerning him or her.

EU Charter, Article 8 (continued)

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

EU legislation on Privacy and Data Protection

• OECD Guidelines 1980 (soft law)
• ECHR Convention No. 108, Art. 8: privacy
• EU Charter Arts. 7 and 8: … and DP
• Data Protection Directive 95/46
• Data Protection Regulation 45/2001
• ePrivacy Directive 2002/58
• Data Retention Directive 2006/24
• Framework Decision 2008/977
• Article 16 EU

EU objective: enable lawful processing across borders

Data Protection and Internal Market objectives of Directive 95/46, Article 1:

• MS shall protect … in particular [the] right to privacy with respect to the processing of personal data.
• MS shall neither restrict nor prohibit the free flow of personal data between MS for the [above] reasons.

What is Personal Data?

• any information relating to an identified or identifiable natural person (data subject);
• an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Examples of personal data

• CVs, diplomas, recommendation letters, criminal records, medical certificates, photos;
• Student databases with all your administrative and evaluation related data held by your university;
• Medical data and health related data, genetic data;
• Customer data held by your telephone company, telephone calls and voice mails;
• Your information held by your email account provider;
• Transport data, body scanners in airports;
• Video-surveillance cameras;
• …

Some basic rules…

1. Personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
2. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

EU Data Protection Reform

#eudatap

• Public consultation (May-Dec 2009) – Written input received: 150-200
• Commission reflection (Jan-Sept 2010) – Stakeholder meetings, impact analysis
• Communication (4 November 2010) – Consultation & additional feedback
• Commission proposals for a Regulation and a Directive → 25 January 2012
• Co-decision EP + Council → 2013-2014

Visit www.edps.europa.eu for more information!

A New Data Protection Legal Framework

Reasons for a substantive reform

• Globalisation: increased transnational flows of data to be facilitated while ensuring adequate protection
• Technological changes
• Institutional changes: the Lisbon Treaty and the Charter
• A fragmented legal framework at EU level: need for more harmonisation and of new coherent and uniformly applied EU rules
• Legal certainty
• Need for change with regard to police and judicial activities

A. The Chapeau communication
B. The draft Regulation
  I. General assessment
  II. Scope, new definitions or principles
  III. Data subjects
  IV. Data controllers
  V. Supervision and enforcement
  VI. Transfer to third countries
C. The Directive for law enforcement

The draft Regulation

I. General Assessment

The new Data Protection framework:
• A huge step forward for data protection in the EU
• Still lacks comprehensiveness

I. General Assessment (continued)

The EU DP reform:

- Enhances harmonisation of data protection
- Reinforces position and rights of data subject, particularly on-line
- Strengthens responsibility of data controller
- Strengthens DPA’s supervision and enforcement

BUT:
- does not remedy lack of comprehensiveness
- gives rise to a number of horizontal issues

II. Scope, new definitions or principles

Territorial scope:
- Controller or processor established within EU
- Non EU-based controllers: ‘offering goods and services to’ or ‘monitoring behaviour of’ data subjects in the EU

II. Scope, new definitions or principles (continued)

- Personal data (including in principle location data and identifiers: cookies and IP addresses)
- New definitions: ‘personal data breach’, ‘genetic data’ and ‘biometric data’
- Notion of ‘main establishment’ (for the controller and the processor)
- Data minimization (limitation of amount of data)
- Better information about data processing
- Genuine consent, improper when there is a significant imbalance of power (e.g. employment sector)
- Safeguards for processing of children’s data
- Increased level of security of data

III. Data subjects

Reinforces position and rights of data subject:
• Right to be forgotten (17)
  - Right to request erasure and prevention of further dissemination
  - Exceptions
• Right to data portability (18)

III. Data subjects (continued)

• Right to object (19)
  - Specific legal grounds
  - Marketing purposes: free of charge + information
• Measures based on profiling (20)
  Only if:
  - Performance of a contract + safeguards
  - Union or Member State law + safeguards
  - Consent of the data subject
  And:
  - not based solely on special categories of data

IV. Data controllers

Strengthen responsibilities of the controller

Accountability (22 onwards):
- “measures to ensure and demonstrate compliance with the Regulation”
- “mechanisms to ensure the verification of the effectiveness of the measures”

IV. Data controllers (continued)

Information and communication

- Right to expect transparent and easily accessible policies
- Intelligible form, clear and plain language (11)
- Procedures and mechanisms (12)
- Communication to recipients (13)
- Content of the information (14)

IV. Data controllers (continued)

• Data protection by design and by default (23)
• Documentation (28)
  Principle:
  - All processing operations under the controller’s responsibility
  Exceptions:
  - Natural person without commercial interest
  - Enterprises or organisations < 250 employees and activity ancillary to the main activity

IV. Data controllers (continued)

• Data Protection Impact Assessment (33)
  - Processing operations presenting specific risks
  - List of DPA
  - Possible adjustment for ‘SMEs’ (delegated acts)
• Notification of data breaches (31, 32)
  - Notification to the supervisory authority
  - Communication to the data subjects

IV. Data controllers (continued)

Designation of data protection officers (35 onwards)

Where:
- Public authority or body
- Enterprise ≥ 250 employees
- Core activity = regular and systematic monitoring of data subjects

Tasks:
- Inform and advise
- Monitor the implementation
- Contact point

VI. Transfer to third countries

- Only if adequate level of protection
- Except if appropriate safeguards: Contractual clauses or BCR
- Specific derogation

V. Supervision and enforcement

- One stop shop – ‘main establishment’ (4(13), 51) – Lead authority?
- European Data Protection Board (64 onwards)
- Consistency (57 onwards)
- Sanctions (79)

BUT:
- Role of Commission
- Compulsory sanctions
- Strong sanctions and remedies
- Wide choices for the data subject
- Redress for interest groups
- Sanctions up to 1 mln Euro / 2% turnover

Reform and ePrivacy Directive

• Regulation does not impose additional obligations on natural or legal persons for processing by providers of electronic communications services subject to specific obligations with the same objective set out in Directive 2002/58/EC → specific regime remains the same
• However, Article 1(2) of Directive 2002/58/EC is to be deleted: no longer applicable to legal persons
• Pending issue: ePrivacy to be updated in order to be consistent with new Framework

EU Data Protection Reform

• Commission proposals for a Regulation and a Directive → 25 January 2012
• Co-decision EP + Council
• EP:
  – Draft report January 2013 (Jan Philipp Albrecht, LIBE Committee)
  – Consulting Committees ITRE, IMCO, EMPL, JURI March 2013
  – LIBE vote: April, May, June, July, September 2013
  – Elections: May 2014
• Council:
  – Irish Presidency: Council 6/7 June agrees that “amended text for chapters I to IV is a good basis for further progress” on Regulation.
  – Lithuanian Presidency: 1 July – 31 December 2013

Information sources

• EDPS: edps.europa.eu
• EP Oeil: www.europarl.europa.eu/oeil
• PreLex: ec.europa.eu/prelex
• Regulation: 2012/0011/COD
• Directive: 2012/0010/COD

Thank you for your attention

For more information: www.edps.europa.eu

@EU_EDPS @achimkla