Post on 06-Apr-2017
CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
EU Data Protection Legislation & Certification
Prof. Paul de Hert Vrije Universiteit Brussel (LSTS)
Outline
What is new with data protection legislation in the EU?
What is the impact for the security industry?
Data protection and self-regulation
Data protection certification mechanisms
Relevance to CRISP
Conclusions and main points for discussion
General Data Protection Regulation 679/2016
Reform started in 2012 (EC public consultation in 2010)
Regulation 679/2016, adopted in 2016, applicable from May 2018 onwards
Replaces Directive 95/46/EC
99 articles, 173 recitals
Aim: to modernise the legal framework for the fundamental right to protection of personal data
Directive 680/2016
Reform of legislation on protection of privacy for electronic communications (2017 Commission proposal for an ePrivacy Regulation)
What is new with data protection legislation in the EU?
What is the impact for the security industry?
Security manufacturers and organisations that employ security measures which collect, process, use or store personal data (e.g. images of persons) need to comply with the legislation.
Example: surveillance cameras. Manufacturers need to implement measures that facilitate compliance with the legislation, such as data protection by design and data protection by default. Example: a CCTV system designed to erase data automatically, or a drone that blurs the images of persons (e.g. children).
Organisations that employ security measures are in most cases data controllers. They therefore need to comply with the legal obligations stemming from the data protection legislation.
Emerging field: Data protection and self-regulation
The General Data Protection Regulation includes several ‘self-regulation’ provisions:
Codes of conduct (e.g. in specific sectors: the cloud computing industry, marketing, or others)
Certification
Standardisation (limited references in the text; relates to certification)
Data protection impact assessments
Aim: to help organisations comply with the legislation and to offer transparency about the practices of organisations
Data protection certification mechanisms in the General Data Protection Regulation
Art. 42 and 43 GDPR
Third party conformity assessment – external auditors.
National data protection certification mechanisms AND possibility for European Data Protection Seal.
Main actors involved – controllers/processors, certification bodies, supervisory authorities (DPAs).
Emphasis on oversight and control.
Unclear terminology – ‘certification’, ‘seals’, ‘marks’ – could lead to legal uncertainty and non-harmonised application.
Data protection certification mechanisms: Oversight by data protection authorities
Type                  | Content                                                           | GDPR provision
Tasks                 | Encourage the establishment of data protection certification mechanisms | 57(1)(n)
Tasks                 | Approve certification criteria                                    | 57(1)(n)
Tasks                 | Draft and publish accreditation criteria                          | 57(1)(p)
Tasks                 | Conduct accreditation of certification bodies                     | 57(1)(q)
Investigative powers  | Review issued certifications                                      | 58(1)(c)
Corrective powers     | Withdraw certification                                            | 58(2)(h)
Corrective powers     | Order certification body not to issue or to withdraw certification | 58(2)(h)
Authorisation powers  | Accredit certification body                                       | 58(3)(e)
Authorisation powers  | Issue certifications                                              | 58(3)(f)
Authorisation powers  | Approve certification criteria                                    | 58(3)(f)
Data protection certification mechanisms in the General Data Protection Regulation: effects and ‘rewards’
• Voluntary certification
• Certification based on the GDPR does not reduce the responsibility of the controller or the processor for compliance with the GDPR. (art. 42(4))
• No presumption of conformity with the legal obligations stemming from the GDPR. The authorities can still conduct investigations of certified organisations.
So why would organisations be interested in being certified in line with the new EU data protection law?
Art. 83 GDPR: the supervisory authority, when deciding whether to impose an administrative fine and deciding on its amount, should give due regard to whether the controller or processor has adhered to approved data protection certification mechanisms under art. 42.
Data transfers (appropriate safeguard without requiring any specific authorisation from a supervisory authority): certification together with binding and enforceable commitments, via contractual or other legally binding instruments (art. 44).
Where does CRISP fit in this development?
CRISP: evaluation and certification of security technologies in terms of 4 dimensions:
Security
Trust
Efficiency
Freedom infringement
Freedom infringement dimension includes data protection requirements based on the General Data Protection Regulation
CRISP gives an organisation a sound assessment of whether it complies with its legal obligations.
Builds on work done by other certification schemes, such as EuroPriSe, adapted to the new data protection legislation.
Conclusions – open questions for the panel discussion
New EU legislation on data protection affects the security industry
To what extent are different security sectors affected?
Manufacturers and organisations need to comply with legal obligations stemming from data protection law.
Which obligations can be part of a certification scheme?
Due to the complexity of the legal provisions and the multitude of obligations, the General Data Protection Regulation includes self-regulation tools (such as certification) that help organisations be accountable and comply.
What is the relation of certification with the other tools in the data protection legislation? For instance, standards?
GDPR certification is voluntary and includes strong oversight mechanisms by public authorities (data protection authorities).
Should it be voluntary?
CRISP has developed an evaluation methodology which, for its data protection part, takes into account the requirements of the new legislation.
How are CRISP’s different dimensions and requirements interrelated? What happens in case of conflicting
Going through the CRISP evaluation (and certification) shows the organisation, and external parties, the level of data protection of the evaluated/certified organisation.
Who is the target audience of CRISP certification?
Thank you
e: Paul.de.hert@vub.be