ePrivacy & GDPR implementation plans… CREOBIS 1 March 2018


osborneclarke.com


Private & Confidential

Remember ?


Practical Examples: IoT and Insurance

§ Insurtech: behaviour analytics and insurance policy through the connected devices


Practical Examples: IoT and Smart Homes (Domotics)

§ Nest: A connected thermometer. Also offers camera, smoke alarms, etc.

§ Internet-connected smart fridges ('Internet refrigerator')


Practical Examples: IoT and Consumer Protection

§ Safety, Security & Trust: Ban of 'Cayla' doll (Germany). Parents told to destroy dolls over hacking fears


And tomorrow ?


Did you just say "data protection & fundamental rights" ?


IoT and Privacy: General

§ "Poured into huge computers, swapped with mountains of other data from other sources, tapped at the touch of an electronic code button, these vast reservoirs of personal information make it possible for government to collect taxes, for banks and schools and hospitals to serve millions of customers and students and patients, for restaurants and airlines and stores to extend immediate credit to people they've never seen before. But somewhere in the roil of expanding population, vast economy, foliating technology and chronic world crisis, individual Americans have begun to surrender both the sense and the reality of their own right to privacy – and their reaction to their loss has been slow and piecemeal."

- Newsweek 'Is Privacy Dead'? (1970)


The famous GDPR…

General Data Protection Regulation (GDPR) enforceable 25 May 2018


Sanctions (including high fines)

• Fines (up to 2 to 4 % global yearly turnover)

• Injunctions

• Damages

Governance

• Security & data breaches

• Register and DPO

• Risk assessment

• Suppliers

• Out of EU transfers

Data subject rights

• Information and access

• Rectification; erasure; restriction; portability

• Object; profiling

• Sensitive data

Principles

• Purpose

• Proportionality

• Transparency

• Legal basis (consent, legitimate interest, performance of a contract, legal obligation,…)


Key terminology

Ø Controllers: determine the purposes and means of processing

Ø Processors: process data on behalf of a data controller

Ø Personal data: any data which relate to an identified or identifiable natural individual (the data subject)

Ø Processing: virtually every conceivable operation in relation to data

Ø GDPR applies to processing of personal data: (i) wholly or partly by automated means and (ii) which form part of a filing system (= a structured set of personal data accessible according to specific criteria)

Ø Sensitive data/Special categories of personal data: (i) data revealing racial or ethnic origin, political opinions, religious or "similar" beliefs, trade union membership, (ii) data concerning health, sexual life/orientation, criminal offences/convictions, (iii) genetic/biometric data for unique identification


Legal basis – What's new?

Legal bases for data processing remain the same; only their modalities change

Consent

Performance of a Contract

Legal Obligation

Protection of vital interest

Performance of a task carried out in the public interest

Legitimate interests of data controller, except where such interests are overridden by the interests or fundamental rights and freedoms of data subject

Legality Principle

Lawfulness, loyalty and transparency


What does "consent" mean under the GDPR?

"'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" [emphasis added]

Requests for consent must be:

• clearly distinguishable from other matters (i.e. no "bundled" consent)

• in an intelligible and easily accessible form

• use clear and plain language

• Contain the following info: (i) data controller; (ii) identity purposes of processing; (iii) withdrawal right

Consent can be withdrawn at any time:

• must be as easy to withdraw as to give

• data subject must be told upfront that this is possible

Other drawbacks:

• contract performance must not be conditional on consent

• clear evidence

• consent for separate processing operations = granularity


What does "explicit consent" mean under the GDPR?

• The same as under the EU's Data Protection Directive?

• The Article 29 Working Party defined "explicit consent" as:

"… all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing"

• Opt-in tick box or declaratory statement

• Practically, how does this compare with "consent"?

• Cannot be implied from default of reaction/passivity of data subject


Consent: key actions

• Identify data capture points (e.g. online forms, registrations, contact centres)

• Check whether opt-in/consent is really required

• What are people told about how their data will be used? (check policies, statements and notices)

• Revisit and amend any opt-in/consent forms

• Update policies, statements and notices


Legitimate Interest

1. Identify legitimate interest

2. Balance interests at issue

+ demonstrate that pursued interest justifies data processing

+ demonstrate that measures are taken to counteract data subject's risks

3. Transparently inform data subject about legitimate interests

Measures to mitigate privacy infringement risks:

- Strict limitation of processed data

- Technical and organisational measures to prevent automated decisions

- Anonymisation/pseudonymisation techniques

- Aggregate data

- Strengthened transparency

- Facilitate exercise of data subject's rights

- …


Purpose Limitation and Data Minimisation Principles

Purpose Limitation Principle

Under article 5(1)(b) of the GDPR, personal data must be collected only for well defined purposes, and may not be further processed for other purposes.

4 exceptions:

• If the purpose of the secondary processing is "compatible" with the purpose of the initial collection, taking into account, notably, any link between the initial purposes and the secondary purposes, the context of the initial collection and the expectations of the individual, etc.; or

• If the secondary processing pursues "statistical purposes", provided however that in such a situation the result may not contain personal data and may not be used in support of measures or decisions regarding any individual; or

• If the individual has given his/her consent, on the understanding that such consent must be freely given and duly informed, and that it may always be withdrawn.

• (secondary purpose is based on a EU or MS law – art. 23 GDPR)


Purpose Limitation and Data Minimisation Principles

According to WP29 Guidelines, for further processing, organisation will have to consider if, and to what extent:

(i) the new purpose affects the privacy of the individuals; and

(ii) it is within their reasonable expectations that their data could be used in this way

How to comply with this principle

• Draft a Privacy Notice which is comprehensive enough to inform data subject about the processing, its purposes, and the rights of data subjects;

• Specify the purposes according to which data are processed

• Take into account expectation of data subject for further processing and potential harm.


Purpose Limitation and Data Minimisation Principles

Data Minimisation Principle

Article 5.1c) of GDPR provides that data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

E.g. of potential difficulty: Big Data analytics tends to involve collecting and analysing as much data as possible. The issue here is not simply the amount of data collected and processed but also to determine whether it is necessary for the purposes of the processing, or excessive.

Organisation needs to be able to demonstrate, beforehand, that the data is relevant for the purposes of processing and not excessive in relation to that aim. Finding correlations afterwards, will not be an acceptable means of proving that the data processed were relevant.

How to comply with this principle?

• Define the purposes of the processing and establish what data will be relevant

• Good practice: implement good information governance and enforce retention schedules in order to prevent data storage for a longer time than necessary for its initial purposes.


Electronic Communications Data ?

§ Legal basis : Contract? Consent? Leg. Interest?

§ Data Quality: Duration? Minimisation?

§ Transparency & Notice: Collection of Data? Inferences from profiling/big data analytics?

§ Quality of consent?

§ Risk Assessment/Privacy by Design


Privacy = Informational & Communicational


IoT and Privacy Concerns

§ IoT is not directly addressed in the General Data Protection Regulation (GDPR)

§ Privacy and security challenges also include the following:

§ General vulnerability of IoT-connected devices: often deployed outside a traditional IT structure and lacking sufficient security

§ Profiling and Intrusive bringing out of behaviour patterns

§ Inferences derived from data and repurposing of original processing

§ Limitations on the possibility to remain anonymous when using services

§ Security risks: Infections by malware; Unauthorised access to personal data; Intrusive use of wearable devices; Unlawful surveillance; …

(Article 29 Working Party: Opinion 8/2014 on the Recent Developments on the Internet of Things)


e-Privacy Directive (2002/58 & 2009/136)

§ Scope: publicly available electronic communications services & networks (art. 3)

§ Security & notification of data breaches (art. 4)

§ Confidentiality (art. 5):

  § communications & traffic data

  § Cookies & similar software pieces

§ Limited processing of traffic & location data (art. 6 & 9) + obligation to delete or anonymize them

§ Spamming & unsolicited communications (art. 13)

§ e-Privacy Directive: Location Data (Article 9)


Future: e-Privacy Regulation?

• 10 January 2017: EC proposal for an e-Privacy Regulation (Regulation on Privacy and Electronic Communications, ePR) to replace the 2002 e-Privacy Directive (Directive 2002/58/EC, ePD)

• A lex specialis to the GDPR

• Alignment of definitions of basic concepts / consistent rules

• Goal is to cover not only telcos but also "OTT / over the top" players and M2M developments

• Covers data & metadata (during the transmission / storage is governed by GDPR)

• Enforcement is entrusted to the Data Protection Authorities


Future: e-Privacy Regulation?

• Limitations on processing of electronic communications content + metadata

• Only for the transmission / billing security of networks

• Or with the consent of the end-user + impossible to achieve with anonymous data + consultation of DPA's in certain cases

• Protection of terminal equipment

• Use of processing & storage capabilities of equipment and collection of information from the equipment are prohibited, but for necessary purposes or with prior consent

• Privacy settings w/ browsers could be used to express consent (?)

• Direct marketing at large: consent is required for sending communications w/ exception for existing customers subject to opt-out as an option


Impact for GDPR Implementation Plans ?

• "It is urgent to wait …"?

• Consent to become a standard for more intrusive / tech-based business models collecting data (whether personal or communications data)


Thank you

Osborne Clarke is the business name for an international legal practice and its associated businesses. Full details here: osborneclarke.com/definitions


Contact details

Benjamin Docquir
Partner
Data protection/IP/IT
T +32 2 515 [email protected]