GDPR: The Foundations of Data Privacy. Zagreb, 7 March 2019. Cosimo Monda, Director of the European Centre on Privacy and Cybersecurity (ECPC), Maastricht University
Executive Education @ ECPC
Agenda
• Legal framework and context
• What is personal data / data protection
• Key concepts of the GDPR
• Principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage, integrity, accountability)
• The value of case law moving forward: relevant examples for schools
Technology makes our lives easier, but is it at the cost of our fundamental rights and interests?
Privacy and Data Protection: two fundamental rights
• Privacy: Article 7 EU Charter: “Everyone has the right to respect for his or her private and family life, home and communications.” Art. 8 ECHR (1950): “… and correspondence”
• Data protection: Article 8 EU Charter / Article 16 TFEU: “Everyone has the right to the protection of personal data concerning him or her.”
Both have many definitions; broadly, privacy covers individual autonomy, while data protection covers fair processing. Data protection requires the balancing of the full range of people’s fundamental rights and interests.
Article 8 EU Charter: Protection of personal data
1. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
2. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
DPO Certification course - Jul-18 Edition
Limitations
• Substantial public interest, in particular: national security, public safety, prevention of disorder or crime, protection of the rights and freedoms of others
• The employer’s authority to organise the workplace: adoption of rules for internal organisation at the workplace
(Limitation does not mean that all notion of privacy is dismissed.)
Why is today more complicated?
• Internet and observational technologies
• Smartphones / mobile apps
• Big data analytics
• Artificial Intelligence (AI)
• Internet of Things
• Sensors
Personal data uses
Data controllers are using personal data:
a) first to predict the future (thinking with data)
b) and then to make decisions for people (acting with data)
The consent-based model is no longer sufficient: data flows and uses are complex and beyond the ability of individuals to fully understand what they were consenting to.
The increasing data challenges
• Group privacy
• Data uses through time
• Toxic data
• …
Legal Framework
Legal Framework
• European Convention on Human Rights
• Convention 108 of the Council of Europe
• Community Directive 95/46/EC
• Charter of Fundamental Rights of the European Union
• Regulation (EC) No 45/2001
• EU Treaty (Article 6) and TFEU (Article 16)
• Regulation 2016/679 (GDPR)
• Directive 2016/680 (Police Directive)
• Regulation 2018/1725 (EU institutions, agencies and bodies)
GDPR: 3 game changers
1. Principle of accountability: the controller shall be responsible for, and be able to demonstrate compliance with, all the principles relating to processing of personal data
2. Data protection compliance is becoming increasingly risk-based and by design
3. Sanctions and enforcement: fines and data subjects’ right to remedies
GDPR in numbers
• 190+ countries potentially affected by the Regulation
• 28,000 estimated number of new DPOs required in Europe
• 80+ new requirements
• 4% of global turnover in potential fines
• 7 core data subject rights
• 72 hours given to report a data breach
What changes does the GDPR bring?
• Broader territorial scope: applies to players not established in the EU but whose activities consist of targeting data subjects in the EU
• Enforcement: DPAs will be entitled to impose fines ranging between 2% and 4% of annual turnover
• Accountability: controllers / processors have to be able to demonstrate compliance with the GDPR
• Expanded definitions: personal data now explicitly includes location data, IP addresses, online and technology identifiers
• Data subject rights: reinforced rights of access, rectification, restriction, erasure, objection to processing; no automated processing and profiling, data portability, class action…
• Explicit consent: spelled out more clearly, with a focus on the ability of individuals to distinguish a consent
• Data breach notification: report a personal data breach to the DPA within 72 h…
• One-stop shop: the DPA of the main establishment can act as lead DPA, supervising processing activities throughout the EU
• International data transfers: BCRs as tools for data transfers outside the EU are now embedded in law
Key definitions
What is “Personal Data”?
“Any information relating to an identified or identifiable natural person”; even dynamic IP addresses are personal data.
Breyer case (C-582/14): “a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.” (§ 65)
This definition does not cover legal persons and deceased persons, but does cover employees and business information that can be linked to an individual.
“Operational Data”: Regulation 2018/1725 will not apply to the processing of operational personal data by EUROPOL and the European Public Prosecutor until their respective founding Regulations are adapted.
Some examples of Personal Data
The Data Subject
• A data subject is an identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Data Subject
Two types of data subjects: employees and customers. Or are there more…?
Source: Nymity Research Division
The Data Subject
Unique in the Crowd, MIT / University of Louvain (2013):
• 1.5 M individuals tracked for 15 months
• Hourly location tracking
• 4 data points to identify 95% of the individuals
What is Data Processing?
“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Processing Personal Data
Accountability under the GDPR
• Lawfulness, fairness and transparency
• Purpose limitation: collected for specified, explicit and legitimate purposes
• Data minimisation: adequate, relevant and limited to what is necessary in relation to the purpose
• Accuracy: accurate and, where necessary, kept up to date
• Storage limitation: retained only for as long as necessary for achieving the purpose
• Integrity and confidentiality: processed in a manner that maintains security
• Accountability
Article 5(2) GDPR: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Article 24(1) GDPR: Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Accountability Made Simple
A controller must be:
• Responsible: this means understanding the risks created for others, and adopting appropriate technical and organisational measures (what is appropriate depends on the organisation)
• Answerable (demonstrate compliance): must be transparent to everyone, and stand ready to demonstrate to authorities
Accountability in practice
1. Organisation / top management commitment to accountability and adoption of internal procedures prior to the creation of new personal data processing operations (internal review, assessment, etc.).
2. Mechanisms to put privacy policies into effect, including tools, training and education.
3. Systems for internal ongoing oversight and assurance reviews and external verification.
4. Transparency and mechanisms for individual participation.
5. Means for remediation and external enforcement.
Lawfulness, Fairness & Transparency
• The principle requires not only lawful, but also fair and transparent processing
• A legal ground is required
• Transparency is a key right of the data subject:
- Ensure (s)he receives the relevant information at the time the data is collected, or obtained by the data controller from a third party
- Needs to be understandable: in accessible form, in clear and plain language
- Also known as Notice
- Includes information on the data controller, the data processors involved and the risks, rules, safeguards and rights
- Not the same as a legal statement on data processing, or a liability waiver
- Don’t surprise the data subject
Data Minimisation, Accuracy, Storage Limitation & Integrity and Confidentiality
• Data should be adequate, relevant and limited to what is necessary in relation to the purpose
- Do not collect more data than you need at the time of collection
- Need to know, instead of nice to have
• Data need to be correct, kept up to date and not retained longer than is necessary for the purpose
- Be specific on your retention periods
- Retention periods can differ between processing purposes for the same data set
• Protection against risk of interference
- Ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
What happens if we have a new purpose? Is the processing compatible with the initial purpose?
Purpose compatibility test:
1. What links are there between the different purposes?
2. What is the context in which the personal data have been collected?
3. What is the nature of the personal data (any special categories)?
4. What are the consequences for the data subjects?
5. What safeguards are foreseen?
For archiving in the public interest, scientific research and statistical purposes it is not necessary to run the compatibility test (Article 6).
Confidentiality and Security
Data security and due diligence: “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”
Four criteria are taken into account:
• State of the art
• Costs
• Nature of the data
• Risks
Article 33
DPO Certification course - 2017 Edition
Data protection by design and by default
• Controllers to put in place measures to effectively implement data protection principles and to integrate necessary safeguards to comply with the law and to protect data subjects’ rights, e.g., pseudonymisation and data minimisation
• Controllers to implement privacy settings so that only the minimal necessary personal data are processed, e.g., personal data are not made public by default
Processing Special Categories of Data
Special Categories of Data (Sensitive Data)
Data revealing:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
Processing of:
• Genetic data
• Biometric data (with the purpose of identification)
• Data concerning health, sex life or sexual orientation
Data related to criminal convictions or offences: Article 10
Processing of sensitive data
Processing of ‘sensitive’ data is prohibited unless:
(a) explicit consent
(e) data manifestly made public by the data subject
(g) substantial public interest on the basis of Union law
(i) public interest in the area of public health
…
Processing of personal data relating to criminal convictions and offences
• Only under the control of an official authority, or
• When authorised by Union law providing for appropriate safeguards for the rights and freedoms of data subjects
• No general derogations
Automated individual decision-making, including profiling
• Restrictions where profiling has:
- legal consequences; or
- significantly affects the individual
• Only allowed in exceptional cases:
- performance of a contract
- authorised by law
- explicit consent
• Profiling with special data is prohibited unless there is explicit consent or a substantial public interest backed by Union law
The value of case law moving forward: relevant examples for schools
Social media presence for schools: CJEU Case C-210/16 Wirtschaftsakademie Schleswig-Holstein
• Wirtschaftsakademie Schleswig-Holstein (W) provides training and education
• W set up a Facebook (FB) Fan Page in Germany; the Fan Page uses Facebook Insights to create custom audiences to track users, compile user statistics and (for FB) target ads
• Enables tracking of Fan Page visitors who are not FB users, but neither W nor FB warned users of tracking
• German Land DPA (ULD) ordered W to deactivate the fan page
• German courts set the ULD order aside, finding W not to be a controller
• Main issue: who is/are the controller(s) in this case?
Social media presence for schools: CJEU Case C-210/16 Wirtschaftsakademie Schleswig-Holstein
Holding:
• The institute is a joint controller, jointly responsible with FB, because the institute defined parameters and asked for demographic and geographic data for the target audience; statistical data was provided to the institute, but FB processing was triggered by the institute’s request (i.e. they started the page)
• Controllership is not tied to complete control over processing (see Case C-25/17 Jehovah’s Witnesses)
• Joint responsibility of each controller ensures a more complete protection of the DP rights of fan page visitors
• Need to clarify the responsibilities of joint controllers and make them transparent to the data subject (see Art. 26 GDPR)
Impact for schools: CJEU Case C-210/16 Wirtschaftsakademie Schleswig-Holstein
Schools should be very careful with creating a Facebook fan page. In practice it is difficult to inform users, since it is difficult:
• to understand and/or impossible to get detailed information from FB regarding the processes, to add to a notification; and
• to embed the notice: where and how should it be displayed?
Social media presence for schools: CJEU Case C-40/17 Fashion ID
Main issue: determination and responsibility of controller(s) for social media plug-ins embedded on webpages
• Fashion ID (FID) embedded the FB “Like” button in its website, to promote the visibility of its products on FB
• Merely visiting the page triggered a transfer of user data to FB Ireland
• FB also placed cookies on the user’s device to enable tracking
• A consumer protection association sought an injunction under consumer protection law against Fashion ID for enabling FB to track users of its website without the users’ knowledge or consent
Schools should follow this case and consider any use of the FB Like button on their website.
Disclosure of religious conviction to school authority: ECHR Folgerø and Others v. Norway (GC) 2007
Main issue: Art. 9 (freedom of thought, conscience and religion) vs Art. 8 (right to private life)
• The mandatory disclosure of religious and philosophical beliefs of parents/children to a school authority triggers Article 8 ECHR (§ 98): imposing an obligation on parents to disclose detailed information to the school authorities about their religious and philosophical convictions could be seen to constitute a violation of Article 8 of the Convention, even though in the case itself there was no obligation as such for parents to disclose their own convictions.
• Article 91 GDPR provides that existing data protection rules of churches and religious associations may be kept if they are aligned with the GDPR; it would have to be assessed whether such rules exist for religious schools and whether these rules are aligned with the GDPR.
Q&A
Thank you very much for your attention!
Cosimo Monda
www.maastrichtuniversity.nl/ecpc
@ecpcmaastricht