Data Protection – Future EU Law and the Compliance Function
Billy Hawkes, Data Protection Commissioner
ACOI
Dublin, 17 April 2012
Presentation Outline
• Present Law
• Commission Proposals
• Some Issues
• ePrivacy Regulations: Update
EU Data Protection Legislation
• Data Protection Directive 95/46/EC
  - Internal Market legal basis
• Electronic Privacy Directive 2002/58/EC (as amended)
• EUROPOL, EURODAC, EUROJUST, SCHENGEN etc Decisions/Regulations
• Police & Justice Decision 2008/977/JHA
  - Intra-EU only
EU & Irish Legislation
EU legislation                                       | Irish legislation
Data Protection Directive 95/46/EC (being updated)   | Data Protection Acts 1988 & 2003
Electronic Privacy Directive 2002/58/EC (as amended) | EC Electronic Privacy Regulations 2011 (SI 336/2011)
EUROPOL etc                                          | Corresponding Acts
Police & Justice Decision 2008/977/JHA               | (To be transposed)
Lisbon Treaty: Article 16 Treaty on the Functioning of the Union
• 1. Everyone has the right to the protection of personal data concerning them.
• 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.
• Compliance with these rules shall be subject to the control of independent authorities. …
EU Charter of Fundamental Rights: Article 8 – Protection of personal data
• 1. Everyone has the right to the protection of personal data concerning him or her.
• 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
• 3. Compliance with these rules shall be subject to control by an independent authority.
EU DP Law Changes: Timetable
• 2009/2010: Public and Sectoral Consultation
• “Communication” from EU Commission, November 2010
• Draft Laws published 25 January 2012
• Negotiation in Council and Parliament – 2012/13?
• Implementation – by 2015-16?
Future EU Law: Structure
• Directly-applicable Regulation
• Separate Directive for Law Enforcement Area
• Separate Decision for Foreign Affairs (CFSP) Area (not yet presented)
Philosophy
• The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data.
• It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.
General Principles (1)
• Protecting Fundamental Right to Data Protection and Free Movement of Personal Data
  - Particular focus on children
• Applies to organisations processing personal data either established in the EU or offering goods and services to, or monitoring the behaviour of, EU residents
• Does not apply to a natural person without any gainful interest in the course of its own exclusively personal or household activity
General Principles (2)
• Data Minimisation
  - “limited to the minimum necessary”
• Transparency
  - More prescriptive information requirements
• Strengthened Right of Access
  - More information
  - No charge (except “manifestly excessive”)
  - Normally within one month
General Principles (3)
• Accountability of Data Controller (Joint Controller)
  - “ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”
  - Documentation
  - Data Protection Officer
General Principles (4)
• Privacy by Design
  - Privacy Impact Assessment
  - “Seal” systems
• Data Portability
• “Right to be Forgotten”
  - Requirement for retention policy
  - On request, delete unless clash with other rights (freedom of expression etc)
• Strengthened Data Security
  - Data Breach Notification
Lawfulness of Processing
• Stricter definition of “consent”
  - Burden of proof on data controller
  - Can’t be “buried” in another document
  - Not valid where “significant imbalance”
  - Parental consent for child under 13
• “Legal Obligation”, “Public Interest” and “Exercise of Official Authority” must be laid down in law which meets proportionality test
• “Legitimate Interests” of data controller does not apply to a public organisation
Direct Marketing
• Strengthened Right to Refuse
  - “right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information”
• Relationship to ePrivacy Directive
International Transfers: Principle (1)
• Where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred
International Transfers (2)
• “Adequacy” Decisions by Commission
• Standard Clauses
  - Adopted by Commission, or
  - Prescribed by DPA and “declared generally valid” by Commission, or
  - Approved by DPA (subject to Consistency Mechanism)
• Binding Corporate Rules
International Transfers (3)
• Informed Consent, Contractual Requirement etc
• “Legitimate Interests” of data controller or processor, provided the transfer is “not frequent, massive or structural”, and must inform DPA
Data Protection Officer (1)
• Must be appointed by Controller or Processor if:
  - Public body, OR
  - 250+ employees, OR
  - Core activities involve “regular and systematic monitoring of data subjects”
• Joint appointment possible
• Publicly named
Data Protection Officer (2)
• “expert knowledge of data protection law”
• “ability to fulfil the (designated) tasks”
• Any other professional duties must be “compatible” and “do not result in a conflict of interests”
Data Protection Officer (3)
• Must perform tasks independently
  - Minimum 2-year appointment
  - Protection against dismissal
  - Necessary resources
  - “involved in all issues which relate to the protection of personal data”
• Direct report to Management
Data Protection Officer (4)
• Advise on data protection policy and monitor practice
  - Assignment of internal responsibilities; Training; Privacy Impact Assessments; Privacy by Design; Information to data subjects; Data Security; Documentation
• Main contact with supervisory authority
• Main contact with public
Data Protection Authorities (DPAs) (1)
• Independence
  - Appointment, financial resources, staff
• Strengthened Powers
  - Conduct investigations on own initiative
  - Investigate complaints “to the extent appropriate”
  - Must be consulted on relevant legislation
• “One-Stop-Shop” for data controllers
  - Location of “main establishment”
DPAs (2)
• European Cooperation
  - “Consistency Mechanism”
  - Joint Enforcement, Binding Consultation etc
  - Strengthened European Data Protection Board
  - Commission regulatory powers
• Sanctions
Sanctions
• DPA obligation to impose Administrative Sanctions where data protection law breached “intentionally or negligently”
  - Up to €1M or 2% of annual worldwide turnover, depending on breach
• Separate Penalties for infringements
• Individual right to a Judicial Remedy
  - Including compensation for damage suffered
Law Enforcement Directive
• Applies to “any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”
• General data protection principles apply, including Access (with restrictions), Data Minimisation, “Privacy by Design”, Security
• Data Protection Officer (DPO)
• Maintain Records
  - Need to distinguish different categories of data subjects (suspects, convicted, victims etc)
Some Issues (1)
• Burden on Data Controllers
  - Fewer Notifications BUT increased responsibility/accountability and Sanctions
  - Restrictions on use of Consent
• Jurisdiction
  - One-Stop-Shop for Multinationals
  - Politically acceptable?
• Direct Marketing
  - ePrivacy Directive?
Some Issues (2)
• International Transfers
  - BCRs
  - Should data controllers be given more discretion on the basis of Accountability?
• Supervision
  - Will “consistency mechanism” work?
  - Financing of DPAs
Some Issues (3)
• Data Protection Officer (DPO)
  - New in Irish Law
  - Location in Organisation? Relationship to Board? Qualifications?
Some Issues (4)
• Ireland’s Position
  - Department of Justice & Equality lead department
• Public Consultation (closed 31 March)
  - Interests of Domestic and Multinational Companies
• Impact on DPC
  - Resources
Regulation 13 – Direct Marketing
• Requirements for consent clarified:
  - Confirmed that consent needed for voice calls to all mobile phones (“opt-out” assumed unless NDD “opt-in”)
  - Explicit requirement to identify caller/sender
  - No “silent calls” (automated calling machines)
  - No “tagged on” marketing to non-marketing SMS
  - “natural person” excludes e-mail and SMS sent to a business phone or address where content relates solely to the individual’s business
  - Confirmed existing customer = within 12 months
• Selective prosecutions being pursued
Regulation 5(3) – “Cookies”
• Necessary “Session” Cookies normally OK.
  - Full information as to such use should still be available to the website user.
• Other “Cookies” - “third party” or “tracking” cookies - require consent
• Current browser settings unlikely to meet “consent” requirement
• “Wait and See” approach to date, to see if Industry (browser providers, ad networks etc) can come up with workable solutions
  - Current initiatives (IAB etc) helpful but insufficient
  - Individual Organisations expected to be working on solutions
Thank You
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
Web: www.dataprotection.ie