Data Protection – Future EU Law and the Compliance Function
Billy Hawkes, Data Protection Commissioner

ACOI

Dublin, 17 April 2012

Presentation Outline

• Present Law
• Commission Proposals
• Some Issues
• ePrivacy Regulations: Update

EU Data Protection Legislation

• Data Protection Directive 95/46/EC
  - Internal Market legal basis
• Electronic Privacy Directive 2002/58/EC (as amended)
• EUROPOL, EURODAC, EUROJUST, SCHENGEN etc. Decisions/Regulations
• Police & Justice Decision 2008/977/JHA
  - Intra-EU only

EU & Irish Legislation

EU legislation                                        | Irish legislation
Data Protection Directive 95/46/EC (being updated)    | Data Protection Acts 1988 & 2003
Electronic Privacy Directive 2002/58/EC (as amended)  | EC Electronic Privacy Regulations 2011 (SI 336/2011)
EUROPOL etc.                                          | Corresponding Acts
Police & Justice Decision 2008/977/JHA                | (To be transposed)

Presentation Outline

• Present Law
• Commission Proposals
• Some Issues
• ePrivacy Regulations: Update

Lisbon Treaty: Article 16, Treaty on the Functioning of the Union

• 1. Everyone has the right to the protection of personal data concerning them.
• 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.
• Compliance with these rules shall be subject to the control of independent authorities. …

EU Charter of Fundamental Rights: Article 8 (Protection of personal data)

• 1. Everyone has the right to the protection of personal data concerning him or her.
• 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
• 3. Compliance with these rules shall be subject to control by an independent authority.

EU DP Law Changes: Timetable

• 2009/2010: Public and Sectoral Consultation
• “Communication” from EU Commission, November 2010
• Draft Laws published 25 January 2012
• Negotiation in Council and Parliament – 2012/13?
• Implementation – by 2015-16?

Future EU Law: Structure

• Directly-applicable Regulation
• Separate Directive for Law Enforcement Area
• Separate Decision for Foreign Affairs (CFSP) Area
  - Not yet presented

Philosophy

• The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data.
• It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.

General Principles (1)

• Protecting Fundamental Right to Data Protection and Free Movement of Personal Data
  - Particular focus on children
• Applies to organisations processing personal data either established in the EU or offering goods and services to, or monitoring the behaviour of, EU residents
• Does not apply to a natural person without any gainful interest in the course of its own exclusively personal or household activity

General Principles (2)

• Data Minimisation
  - “limited to the minimum necessary”
• Transparency
  - More prescriptive information requirements
• Strengthened Right of Access
  - More information
  - No charge (except “manifestly excessive”)
  - Normally within one month

General Principles (3)

• Accountability of Data Controller (Joint Controller)
  - “ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”
  - Documentation
  - Data Protection Officer

General Principles (4)

• Privacy by Design
  - Privacy Impact Assessment
  - “Seal” systems
• Data Portability
• “Right to be Forgotten”
  - Requirement for retention policy
  - On request, delete unless clash with other rights (freedom of expression etc.)
• Strengthened Data Security
  - Data Breach Notification

Lawfulness of Processing

• Stricter definition of “consent”
  - Burden of proof on data controller
  - Can’t be “buried” in another document
  - Not valid where “significant imbalance”
  - Parental consent for child under 13
• “Legal Obligation”, “Public Interest” and “Exercise of Official Authority” must be laid down in law which meets proportionality test
• “Legitimate Interests” of data controller does not apply to a public organisation

Direct Marketing

• Strengthened Right to Refuse
  - “right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information”
• Relationship to ePrivacy Directive

International Transfers: Principle (1)

• Where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred

International Transfers (2)

• “Adequacy” Decisions by Commission
• Standard Clauses
  - Adopted by Commission, or prescribed by DPA and “declared generally valid” by Commission
  - Approved by DPA (subject to Consistency Mechanism)
• Binding Corporate Rules

International Transfers (3)

• Informed Consent, Contractual Requirement etc.
• “Legitimate Interests” of data controller or processor, provided the transfer is “not frequent, massive or structural”; the DPA must be informed

Data Protection Officer (1)

• Must be appointed by Controller or Processor if:
  - Public body, OR
  - 250+ employees, OR
  - Core activities involve “regular and systematic monitoring of data subjects”
• Joint appointment possible
• Publicly named

Data Protection Officer (2)

• “expert knowledge of data protection law”
• “ability to fulfil the (designated) tasks”
• Any other professional duties must be “compatible” and “do not result in a conflict of interests”

Data Protection Officer (3)

• Must perform tasks independently
  - Minimum 2-year appointment
  - Protection against dismissal
  - Necessary resources
  - “involved in all issues which relate to the protection of personal data”
• Direct report to Management

Data Protection Officer (4)

• Advise on data protection policy and monitor practice
  - Assignment of internal responsibilities; Training; Privacy Impact Assessments; Privacy by Design; Information to data subjects; Data Security; Documentation
• Main contact with supervisory authority
• Main contact with public

Data Protection Authorities (DPAs) (1)

• Independence
  - Appointment, financial resources, staff
• Strengthened Powers
  - Conduct investigations on own initiative
  - Investigate complaints “to the extent appropriate”
  - Must be consulted on relevant legislation
• “One-Stop-Shop” for data controllers
  - Location of “main establishment”

DPAs (2)

• European Cooperation
  - “Consistency Mechanism”
• Joint Enforcement, Binding Consultation etc.
  - Strengthened European Data Protection Board
  - Commission regulatory powers
• Sanctions

Sanctions

• DPA obligation to impose Administrative Sanctions where data protection law breached “intentionally or negligently”
  - Up to €1M or 2% of annual worldwide turnover, depending on breach
• Separate Penalties for infringements
• Individual right to a Judicial Remedy
  - Including compensation for damage suffered

Law Enforcement Directive

• Applies to “any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”
• General data protection principles apply, including Access (with restrictions), Data Minimisation, “Privacy by Design”, Security
• Data Protection Officer (DPO)
• Maintain Records
• Need to distinguish different categories of data subjects (suspects, convicted, victims etc.)

Presentation Outline

• Present Law
• Commission Proposals
• Some Issues
• ePrivacy Regulations: Update

Some Issues (1)

• Burden on Data Controllers
  - Fewer Notifications BUT increased responsibility/accountability and Sanctions
  - Restrictions on use of Consent
• Jurisdiction
  - One-Stop-Shop for Multinationals
• Politically acceptable?
• Direct Marketing
  - ePrivacy Directive?

Some Issues (2)

• International Transfers
  - BCRs
  - Should data controllers be given more discretion on the basis of Accountability?
• Supervision
  - Will “consistency mechanism” work?
  - Financing of DPAs

Some Issues (3)

• Data Protection Officer (DPO)
  - New in Irish Law
  - Location in Organisation?
  - Relationship to Board?
  - Qualifications?

Some Issues (4)

• Ireland’s Position
  - Department of Justice & Equality lead department
• Public Consultation (closed 31 March)
  - Interests of Domestic and Multinational Companies
  - Impact on DPC
• Resources

Presentation Outline

• Present Law
• Commission Proposals
• Some Issues
• ePrivacy Regulations: Update

Regulation 13 – Direct Marketing

• Requirements for consent clarified:
  - Confirmed that consent needed for voice calls to all mobile phones (“opt-out” assumed unless NDD “opt-in”)
  - Explicit requirement to identify caller/sender
  - No “silent calls” (automated calling machines)
  - No “tagged on” marketing to non-marketing SMS
  - “natural person” excludes e-mail and SMS sent to a business phone or address where the content relates solely to the individual’s business
  - Confirmed existing customer = within 12 months
• Selective prosecutions being pursued

Regulation 5(3) – “Cookies”

• Necessary “session” cookies normally OK
  - Full information as to such use should still be available to the website user
• Other “cookies” (“third party” or “tracking” cookies) require consent
• Current browser settings unlikely to meet “consent” requirement
• “Wait and see” approach to date, to see if industry (browser providers, ad networks etc.) can come up with workable solutions
  - Current initiatives (IAB etc.) helpful but insufficient
  - Individual organisations expected to be working on solutions
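The consent rule on this slide, as an added example that is not part of the presentation or of any Office of the Data Protection Commissioner code: a small JavaScript module (names such as COOKIE_CATALOGUE, makeConsentRecord and setCookieIfPermitted are assumptions made for the example) that lets strictly-necessary session cookies through, refuses any other cookie unless the visitor's recorded explicit choice covers its category, and deliberately treats a consent record derived from a browser default as no consent, in line with the point that current browser settings are unlikely to satisfy the consent requirement. It also produces the notice text the slide says must still be available for necessary cookies.

```javascript
// Added example (hypothetical names, not from the presentation): gate
// non-essential cookies behind an explicit, recorded consent choice.

// Constructed catalogue of the cookies a site might set, tagged by category.
const COOKIE_CATALOGUE = {
  sessionid:  { category: "strictly-necessary", purpose: "keeps the visitor logged in during this visit" },
  csrftoken:  { category: "strictly-necessary", purpose: "anti-CSRF token for form submissions" },
  _analytics: { category: "analytics",          purpose: "first-party usage statistics" },
  ad_id:      { category: "advertising",        purpose: "third-party ad-network tracking identifier" },
};

// A consent record as a site might persist it after the visitor chooses.
// `source` records HOW the choice was obtained; only "explicit-choice" counts.
function makeConsentRecord(source, grantedCategories) {
  return { source, granted: new Set(grantedCategories), recordedAt: Date.now() };
}

// Consent is valid only when the visitor actively chose. A record whose
// source is a browser default (e.g. the browser ships with "accept all")
// is rejected even if it lists the category.
function hasValidConsent(record, category) {
  if (category === "strictly-necessary") return true;      // no consent needed
  if (!record || record.source !== "explicit-choice") return false;
  return record.granted.has(category);
}

// May the named cookie be set under this consent record? Unknown cookies
// are denied by default so an uncatalogued tracker cannot slip through.
function mayCookieBeSet(name, record) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) return false;
  return hasValidConsent(record, entry.category);
}

// Write into `jar` (a plain object standing in for document.cookie so the
// example runs under Node) only if consent permits; returns true when set.
function setCookieIfPermitted(jar, name, value, record) {
  if (!mayCookieBeSet(name, record)) return false;
  jar[name] = value;
  return true;
}

// Names of all catalogued cookies permitted under `record`.
function permittedCookies(record) {
  return Object.keys(COOKIE_CATALOGUE).filter((n) => mayCookieBeSet(n, record));
}

// Lines for the site's cookie notice: necessary cookies are included because
// information about their use must still be available to the visitor.
function cookieNoticeLines() {
  return Object.entries(COOKIE_CATALOGUE).map(
    ([name, e]) => `${name} (${e.category}): ${e.purpose}`
  );
}

// Stand-alone demonstration with constructed consent records.
const demoNoChoice = null;
const demoBrowserDefault = makeConsentRecord("browser-default", ["analytics", "advertising"]);
const demoExplicit = makeConsentRecord("explicit-choice", ["analytics"]);
console.log("no choice:      ", permittedCookies(demoNoChoice));
console.log("browser default:", permittedCookies(demoBrowserDefault));
console.log("explicit choice:", permittedCookies(demoExplicit));
console.log(cookieNoticeLines().join("\n"));
```

Under the first two records only sessionid and csrftoken are permitted; under the explicit choice _analytics is added and ad_id is still refused, because the visitor did not grant the advertising category.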

Thank You

Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
Web: www.dataprotection.ie