ePrivacy & GDPR implementation plans…
CREOBIS, 1 March 2018
osborneclarke.com
Private & Confidential
Remember ?
Practical Examples: IoT and Insurance
§ Insurtech: behaviour analytics and insurance policy through the connected devices
Practical Examples: IoT and Smart Homes (Domotics)
§ Nest: A connected thermometer. Also offers camera, smoke alarms, etc.
§ Internet-connected smart fridges ('Internet refrigerator')
Practical Examples: IoT and Consumer Protection
§ Safety, Security & Trust: Ban of 'Cayla' doll (Germany). Parents told to destroy dolls over hacking fears
And tomorrow ?
Did you just say "data protection & fundamental rights" ?
IoT and Privacy: General
§ "Poured into huge computers, swapped with mountains of other data from other sources, tapped at the touch of an electronic code button, these vast reservoirs of personal information make it possible for government to collect taxes, for banks and schools and hospitals to serve millions of customers and students and patients, for restaurants and airlines and stores to extend immediate credit to people they've never seen before. But somewhere in the roil of expanding population, vast economy, foliating technology and chronic world crisis, individual Americans have begun to surrender both the sense and the reality of their own right to privacy – and their reaction to their loss has been slow and piecemeal."
- Newsweek 'Is Privacy Dead'? (1970)
The famous GDPR…
General Data Protection Regulation (GDPR) enforceable 25 May 2018
Sanctions (including high fines)
• Fines (up to 2 to 4 % global yearly turnover)
• Injunctions
• Damages
Governance
• Security & data breaches
• Register and DPO
• Risk assessment
• Suppliers
• Out of EU transfers
Data subject rights
• Information and access
• Rectification; erasure; restriction; portability
• Object; profiling
• Sensitive data
Principles
• Purpose
• Proportionality
• Transparency
• Legal basis (consent, legitimate interest, performance of a contract, legal obligation,…)
Key terminology
Ø Controllers: determine the purposes and means of processing
Ø Processors: process data on behalf of a data controller
Ø Personal data: any data which relate to an identified or identifiable natural individual (the data subject)
Ø Processing: virtually every conceivable operation in relation to data
Ø GDPR applies to processing of personal data: (i) wholly or partly by automated means and (ii) which form part of a filing system (= a structured set of personal data accessible according to specific criteria)
Ø Sensitive data/Special categories of personal data: (i) data revealing racial or ethnic origin, political opinions, religious or “similar” beliefs, trade union membership, (ii) data concerning health, sexual life/orientation, criminal offences/convictions, (iii) genetic/biometric data for unique identification
Legal basis – What's new ?
Legal bases for data processing remain the same, only their modalities change
Consent
Performance of a Contract
Legal Obligation
Protection of vital interest
Performance of a task carried out in the public interest
Legitimate interests of data controller, except where such interests are overridden by the interests or fundamental rights and freedoms of data subject
Legality Principle
Lawfulness, loyalty and transparency
What does "consent" mean under the GDPR?
"'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" [emphasis added]
Requests for consent must be:
• clearly distinguishable from other matters (i.e. no "bundled" consent)
• in an intelligible and easily accessible form
• in clear and plain language
• containing the following info: (i) identity of the data controller; (ii) purposes of processing; (iii) withdrawal right
Consent can be withdrawn at any time:
• must be as easy to withdraw as to give
• data subject must be told upfront that this is possible
Other drawbacks:
• contract performance must not be conditional on consent
• clear evidence
• consent for separate processing operations = granularity
What does "explicit consent" mean under the GDPR?
• The same as under the EU's Data Protection Directive?
• The Article 29 Working Party defined "explicit consent" as:
"… all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing"
• Opt-in tick box or declaratory statement
• Practically, how does this compare with "consent"?
• Cannot be implied from lack of reaction/passivity of data subject
Consent: key actions
• Identify data capture points (e.g. online forms, registrations, contact centres)
• Check whether opt-in/consent is really required
• What are people told about how their data will be used? (check policies, statements and notices)
• Revisit and amend any opt-in/consent forms
• Update policies, statements and notices
Legitimate Interest
1. Identify legitimate interest
2. Balance interests at issue
+ demonstrate that pursued interest justifies data processing
+ demonstrate that measures are taken to counteract data subject's risks
3. Transparently inform data subject about legitimate interests
Measures to mitigate privacy infringement risks:
- Strict limitation of processed data
- Technical and organisational measures to prevent automated decisions
- Anonymisation/pseudonymisation techniques
- Aggregate data
- Strengthened transparency
- Facilitate exercise of data subject's rights
- …
Purpose Limitation and Data Minimisation Principles
Purpose Limitation Principle
Under article 5(1)(b) of the GDPR, personal data must be collected only for well defined purposes, and may not be further processed for other purposes.
4 exceptions:
• If the purpose of the secondary processing is "compatible" with the purpose of the initial collection, taking into account, notably, any link between the initial purposes and the secondary purposes, the context of the initial collection and the expectations of the individual, etc.; or
• If the secondary processing pursues "statistical purposes", provided however that in such a situation the result may not contain personal data and may not be used in support of measures or decisions regarding any individual; or
• If the individual has given his/her consent, on the understanding that such consent must be freely given and duly informed, and that it may always be withdrawn.
• (secondary purpose is based on an EU or MS law – art. 23 GDPR)
According to WP29 Guidelines, for further processing, organisations will have to consider if, and to what extent:
(i) the new purpose affects the privacy of the individuals; and
(ii) it is within their reasonable expectations that their data could be used in this way
How to comply with this principle
• Draft a Privacy Notice which is comprehensive enough to inform data subject about the processing, its purposes, and the rights of data subjects;
• Specify the purposes according to which data are processed
• Take into account expectation of data subject for further processing and potential harm.
Data Minimisation Principle
Article 5(1)(c) of GDPR provides that data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".
Example of a potential difficulty: Big Data analytics tends to involve collecting and analysing as much data as possible. The issue here is not simply the amount of data collected and processed but also to determine whether it is necessary for the purposes of the processing, or excessive.
The organisation needs to be able to demonstrate, beforehand, that the data is relevant for the purposes of processing and not excessive in relation to that aim. Finding correlations afterwards will not be an acceptable means of proving that the data processed were relevant.
How to comply with this principle ?
• Define the purposes of the processing and establish what data will be relevant
• Good practice: implement good information governance and enforce retention schedules in order to prevent data storage for a longer time than necessary for its initial purposes.
Electronic Communications Data ?
§ Legal basis : Contract? Consent? Leg. Interest?
§ Data Quality: Duration? Minimisation?
§ Transparency & Notice: Collection of Data? Inferences from profiling/big data analytics?
§ Quality of consent?
§ Risk Assessment/Privacy by Design
Privacy = Informational & Communicational
IoT and Privacy Concerns
§ IoT is not directly addressed in the General Data Protection Regulation (GDPR)
§ Privacy and security challenges also include the following:
§ General vulnerability of IoT-connected devices: often deployed outside a traditional IT structure and lacking sufficient security
§ Profiling and Intrusive bringing out of behaviour patterns
§ Inferences derived from data and repurposing of original processing
§ Limitations on the possibility to remain anonymous when using services
§ Security risks: Infections by malware; Unauthorised access to personal data; Intrusive use of wearable devices; Unlawful surveillance; …
(Article 29 Working Party: Opinion 8/2014 on the Recent Developments on the Internet of Things)
e-Privacy Directive (2002/58 & 2009/136)
§ Scope: publicly available electronic communications services & networks (art. 3)
§ Security & notification of data breaches (art. 4)
§ Confidentiality (art. 5):
  § communications & traffic data
  § Cookies & similar software pieces
§ Limited processing of traffic & location data (art. 6 & 9) + obligation to delete or anonymize them
§ Spamming & unsolicited communications (art. 13)
§ e-Privacy Directive: Location Data (Article 9)
Future: e-Privacy Regulation?
• 10 January 2017: EC proposal for an e-Privacy Regulation (Regulation on Privacy and Electronic Communications, ePR) to replace the 2002 e-Privacy Directive (Directive 2002/58/EC, ePD)
• A lex specialis to the GDPR
• Alignment of definitions of basic concepts / consistent rules
• Goal is to cover not only telcos but also "OTT / over the top" players and M2M developments
• Covers data & metadata (during the transmission / storage is governed by GDPR)
• Enforcement is entrusted to the Data Protection Authorities
• Limitations on processing of electronic communications content + metadata
• Only for the transmission / billing security of networks
• Or with the consent of the end-user + impossible to achieve with anonymous data + consultation of DPA's in certain cases
• Protection of terminal equipment
• Use of processing & storage capabilities of equipment and collection of information from the equipment are prohibited, but for necessary purposes or with prior consent
• Privacy settings w/ browsers could be used to express consent (?)
• Direct marketing at large: consent is required for sending communications w/ exception for existing customers subject to opt-out as an option
Impact for GDPR Implementation Plans ?
• "It is urgent to wait …" ?
• Consent to become a standard for more intrusive / tech-based business models collecting data (whether personal or communications data)
Thank you
Osborne Clarke is the business name for an international legal practice and its associated businesses. Full details here: osborneclarke.com/definitions
Contact details
Benjamin Docquir
Partner
Data protection/IP/IT
T +32 2 515 [email protected]