Data Protection Compliance
Professor Ian Walden
Institute of Computer and Communications Law,
Centre for Commercial Law Studies, Queen Mary, University of London
iccl@ccls.edu
Introductory Remarks
Personal data
– ‘processing’: collecting, using, disclosing & transferring personal data
Compliance
– data controller
• ‘determines purpose and means’ – e.g. SWIFT case
– data processor
• e.g. Web host
– “shall be in writing or in another equivalent form” (art. 17(4))
Transparency
Obligation
– fair processing (art. 6(1))
– when using networks to store information or gain access to information stored on users’ terminal equipment (02/58/EC, art. 5(3))
• e.g. ‘cookies’
• ‘provided with clear and comprehensive information’
Timing
– when collected from data subject (art. 10)
– when not obtained from data subject (art. 11)
• unless already has it
Transparency
Content of notification
– identity, purposes, recipients, consequences, right of access
Right of access (art. 12)
– personal data
– meta-data
• purposes, disclosures, source
– right of rectification, erasure, blocking
• notification of third parties
Notification to national authority (art. 18)
Transparency
Related legislation
– Distance-selling Directive 97/7/EC: art. 4 (prior information), art. 5 (written confirmation)
• Distance-selling of financial services Directive 02/65/EC: art. 3 (prior information), art. 4 (additional requirements), art. 5 (communication of terms & information)
– eCommerce Directive 00/31/EC: art. 5 (general), art. 6 (commercial communications), art. 10 (contract process)
Form
– ‘durable medium’
• “which enables the consumer to store information addressed personally to him in a way accessible for future reference” (02/65/EC, at art. 2(f))
– ‘easily, directly and permanently accessible to the recipients of the service’
Processing Personal Data
Consent
– “freely given, specific and informed”
Ex ante
– as one ground for legitimising processing
– as sole ground for legitimising processing
• use of traffic data for ‘marketing’ or ‘provision of value added services’ (02/58/EC, art. 6(3))
Ex post
– right to object to processing for the purposes of ‘direct marketing’ (art. 14(b))
Processing Personal Data
– nature
• implied (opt-out) & explicit (opt-in)
– ‘unambiguously’
• ‘special categories of data’ (art. 8)
• Directive 99/93/EC, art. 8(2) re: certification service providers
– timing
• prior
– Directive 02/58/EC, art. 13(1): unsolicited communications
Alternative grounds
– performance of a contract (transactional)
– compliance with a legal obligation (regulatory)
Problem of Children
From marketing to social networking sites, e.g. Bebo, Facebook
When is a child independent?
– OIC: 12 yrs; FEDMA: 14 yrs
Children’s Online Privacy Protection Act of 1998
– directed at children under 13, or knowingly collects
– otherwise, not under a duty to investigate age of visitors
– ‘verifiable parental consent’
• e.g. email with digital signature
– enforcement
• UMG Recordings $400,000 and Bonzi Software $75,000
Transferring Data
Question of applicable law (art. 4)
– “..for purposes of processing personal data makes use of equipment..”
• transit exception
• web-based forms
– Lindqvist (2003)
• uploading to web does not mean ‘transfer’ (para. 68)
‘Adequate level of protection’ (art. 25)
– ‘in the light of all the circumstances’
– Community findings (art. 25(6)) of adequacy
• Switzerland, Hungary, Canada, Argentina, US ‘Safe Harbor’
Transferring Data
Derogations (art. 26)
– consent
– specified need, e.g. “on important public interest grounds, or for the establishment, exercise or defence of legal claims;”
• But SWIFT case: “only important public interests identified as such by the national legislation applicable to data controllers established in the EU are valid in this connection.” (WP 128)
– authorised by national authority
• e.g. contractual provisions, binding corporate rules