Privacy Open Forum, Wednesday, 17th of September 2014
Brussels, 17 September 2014
Agenda
1. 18:30 Welcome
2. 18:45 Draft EU Privacy Regulation
3. 19:30 Break
4. 19:50 Draft EU Privacy Regulation
5. 20:30 Close
DRAFT EU PRIVACY REGULATION – IT ASPECTS
Johan Vandendriessche
Data Protection Reform
• 2012: EC proposes comprehensive reform of the existing data protection rules
  • Draft Regulation (COM) 2012 11 final
  • Draft Directive (COM) 2012 10 final
• 2014: EP
  • Amended text adopted
  • Co-decision (EP/Council) procedure still needs to be followed
  • Passed a resolution asking a.o. for a suspension of Safe Harbor
Data Protection Reform
• Focus on Draft Regulation only
• Legislative process is currently ongoing
• Review of Safe Harbor?
  • EP Resolution does not impact legal status of Safe Harbor, but strong message
• New EC Commission
Data Protection Reform
• Regulation – what’s in the name?
  • EU-wide application
  • One legal instrument for all EU Member States
  • ‘Direct effect’ – no implementation required
• Substantial delegation to the European Commission
• Administrative simplification (e.g. ‘one stop shop’)
• Enforcement is reinforced
GENERAL ASPECTS
Material Scope
• Processing of personal data
  • Wholly or partly by automatic means
  • Other means, if part of filing systems (or intended therefore)
• Clarification on household exemption in EP text
  • Publication with reasonable expectation of access by limited number of people
Territorial Scope
• Regulation applies if:
  • Processing in the context of an establishment of a controller or processor in the EU
  • Processing of personal data of data subject residing in the EU in the context of a controller not located in the EU
    • The offering of goods or services to data subject
    • The monitoring of their behaviour
Territorial Scope
• Amendments in text approved by EP:
  • Processor is added in non-EU case
  • Residence requirement is deleted
  • Any monitoring of data subjects
Personal Data
• Definition of personal data
• Addition of ‘pseudonymous data’
  • Inability to comply: no obligation to comply
• Addition of ‘encrypted data’
Consent
• Consent
  • Processing consent must be distinguished from other matters
  • Consent may be withdrawn
• EP text
  • If withdrawal of consent has an impact on service delivery: warning
  • Contract may not be conditional on data not necessary for performance
IMPACT ON CLOUD COMPUTING
Dataflow overview
[Figure: map of the EU with three dataflows]
• (1) Data Transfer: Data Controller inside EU → CSP inside EU (but other EU Member State)
• (2) Data Export / Data Import: Data Controller outside EU → CSP inside EU
• (3) Data Export / Data Import: Data Controller inside EU → CSP outside EU
Map: EU28-2013 European Union map, CC-BY 3.0 Kolja21, http://commons.wikimedia.org/wiki/File:EU28-2013_European_Union_map.svg
Dataflow within the EEA (1) (Directive)
• Law of the country of establishment of data controller applies to data processing operation
• Subsequent transfers to sub-processors located within the EEA are possible
• Subsequent transfers to subprocessors located outside the EEA are in principle not possible
  • There is no P2P Model Contract
  • New Model Contract leaves the door partially open
  • Multiparty C2P Model Contract offers a solution
Dataflow from a DC outside the EEA to a CSP inside the EEA (2) (Directive)
• National data protection law applies if ‘means’ are applied by the data controller on the territory of a member state
• Cumulation of applicable laws if ‘means’ are applied on the territory of several member states
Dataflow from a DC outside the EEA to a CSP inside the EEA (2) (Directive)
• ‘Worst case situation’ as the data controller is subjected to data protection law due to the location of the CSP (or its subcontractors)
• Art. 29 WP Opinion 8/2010 on applicable law
  • this criterion has shown to have undesirable consequences, such as a possible universal application of EU law
Dataflow from a DC inside the EEA to a CSP outside the EEA (3) (Directive)
• Law of the country of establishment of data controller applies to data processing operation
• No export to countries outside EEA, except if they offer adequate protection
  • White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  • BCR / Model Contracts
• Latest C2P Model Contract accepts ‘onward transfer’ to subprocessors, thereby facilitating Cloud Computing
Dataflow within the EU (1) (Regulation)
• Regulation applies to data processing operation
• Subsequent transfers to sub-processors located within the EU are possible
• Subsequent transfers to subprocessors located outside the EU are in principle not possible
  • There is no P2P Model Contract
  • New Model Contract leaves the door partially open
  • Multiparty C2P Model Contract offers a solution
Dataflow from a DC outside the EU to a CSP inside the EU (2) (Regulation)
• Regulation applies if (not cumulative):
  • Processing relates to data subjects residing in the EU, irrespective of establishment of data controller in the context of offering of good/services or monitoring
  • Establishment of CSP in the EU
    • CSP established in EU, but datacentre outside EU: Regulation applies
    • CSP established outside EU, but datacentre in EU: Regulation does not apply?
Dataflow from a DC inside the EU to a CSP outside the EU (3) (Regulation)
• Regulation applies
• No export to countries outside EU, except if they offer adequate protection
  • White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  • BCR / Model Contracts
• Latest C2P Model Contract accepts ‘onward transfer’ to subprocessors, thereby facilitating Cloud Computing
Dataflow within the EEA (1) (EP text)
• Regulation applies to data processing operation
• Subsequent transfers to sub-processors located within the EU are possible
• Subsequent transfers to subprocessors located outside the EU are in principle not possible
  • There is no P2P Model Contract
  • New Model Contract leaves the door partially open
  • Multiparty C2P Model Contract offers a solution
Dataflow from a DC outside the EU to a CSP inside the EU (2) (EP Text)
• Regulation applies if (not cumulative):
  • Processing relates to data subjects in the EU, irrespective of establishment of data controller in the context of offering of good/services or monitoring
  • Establishment of CSP in the EU
    • CSP established in EU, but datacentre outside EU: Regulation applies
    • CSP established outside EU, but datacentre in EU: Regulation does not apply?
Dataflow from a DC inside the EU to a CSP outside the EU (3) (EP Text)
• Regulation applies
• No export to countries outside EU, except if they offer adequate protection
  • White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  • BCR / Model Contracts
• Latest C2P Model Contract accepts ‘onward transfer’ to subprocessors, thereby facilitating Cloud Computing
‘Anti-Fisa’
• Tendency of ‘anti-Fisa’ clauses in contracts and tenders
• So-called ‘anti-Fisa’ clause in article 43 (a) of the Regulation (EP Text)
  • Unenforceability of disclosure orders
  • Prior information to and authorisation from Supervisory Authority
  • Information to data subjects
SELECTED DATA SUBJECT RIGHTS
Right to be Forgotten (current Directive)
• ECJ decision C-131/12
  • Internet Search Engines
  • Application of the right to rectify and the right to object
  • Removal from search results
  • No need for prejudice
  • Application of article 7 and 8 of the Charter of Fundamental Rights of the EU
    • Right to have information no longer be made available to the general public
Right to be Forgotten and to Erasure
• Conditional right to obtain erasure and abstention from further dissemination
  • Generally, ‘relevancy’ and ‘lawfulness’
• What is erasure?
  • Not otherwise process => storage is processing
• Reasonable steps to inform third parties
• Delegated act shall define criteria and requirements
Right to be Forgotten and to Erasure
• Implement mechanisms to observe time limits for erasure and need for storage
• Exceptions (restriction of processing)
  • Dispute
  • Proof
  • Request for restriction of use
  • Retention obligation under EU or Member State law
• Data Portability
Right to Erasure
• EP text contains some changes
  • Right to obtain erasure from third parties
  • Exception added (restriction of processing)
    • Storage technology does not allow erasure and has been installed before the entry into force of the Regulation
  • In case of restriction of processing
    • No normal data access and data processing
    • Data cannot be changed anymore
Right to Data Portability
• Right to obtain a copy of personal data
  • If processed in a structured and commonly used format
  • In an electronic and structured format which is commonly used
• Right to further use data
  • Interference with IP law
Right to Data Portability
• Processing based on consent or contract
• Right to transmit data into another IT system
  • No hindrance from the data controller
  • Data export facility?
  • Interference with IP law
• Formats and modalities may be specified by EC
  • Removed from EP text
Data Protection by Design
• DP by design
  • Data controller
  • Implement appropriate technical and organisational measures
    • State of the art and cost of implementation
    • When determining means and when processing
    • To ensure compliance with Regulation and protection of the rights of the data subject
  • EC may define technical standards
Data Protection by Design
• DP by Design (EP text)
  • Also data processors
  • Also when defining purpose of processing
  • Entire lifecycle management
  • Taking into account:
    • State of the art
    • Current technical knowledge
    • International best practice
    • Risks presented by the data processing
  • Prerequisite for public procurement tenders
Data Protection by Default
• Implementation of mechanisms
  • Data controller
  • Limitation of processing in terms of amount and time
  • Not made available by default to an indefinite number of individuals
• EP text: data subjects must be able to control distribution of their personal data
DATA SECURITY
General
• Key principle: accountability
  • Ensure and be able to demonstrate compliance
  • Adopt policies
  • Implement appropriate measures
    • Documentation
    • Implementing data security requirements
    • Performing data protection impact assessment
    • Prior authorization or consultation (where required)
    • Data protection officer (DPO)
General Security Obligation
• General obligation to implement security measures
  • Technical measures
    • User access management
    • IT security (anti-virus, firewall, …)
    • Fire prevention measures
  • Organizational measures
    • Data categorization (confidentiality level)
    • Employee policies
General Security Obligation
• General obligation to implement security measures
  • Both types of measures are interchangeable
  • Protection against any unauthorized processing
  • Adequate level of protection taking into account:
    • Available technology and costs;
    • Nature of concerned personal data and the potential risks
Personal Data Breach Notification
• Data breach notification duty
  • Data controller and data processor
  • Notification to supervisory authorities
    • Detailed information
    • Without undue delay and at the latest within 24 hours after becoming aware of the breach
    • If not within 24 hours, reasoned justification for the delay
    • Standard format is likely
  • Document data breach for verification purposes
Personal Data Breach Notification
• Data breach notification duty
  • Notification to data subjects
    • Likelihood of adversely impacting a data subject
    • Encryption may provide exemption
    • May be imposed by supervisory authorities
• Tendency to include data breach notification obligations in contracts
Personal Data Breach Notification
• EP text renders the notification obligation slightly lighter
  • No 24-hour period, only ‘without undue delay’
  • The same applies to the data processor (previously ‘immediately’)
  • Phased information on mitigation measures
• Public register of personal data breaches
Data Protection Impact Assessment
• When?
  • Specific risk to rights and freedoms of data subject
    • Nature
    • Scope
    • Purpose
• General description
• Consultation of data subjects
• Significantly expanded by EP text (DP lifecycle management)
Data Protection Officer
• Who?
  • Public authority
  • Large companies (>250 employees)
    • Groups of companies may designate a single DPO
  • Companies with data processing as ‘core business’
  • Regular and systematic monitoring of employees
Data Protection Officer
• Specific guarantees for the DPO
• Tasks
  • Advice
  • Monitor compliance
  • Contact Point
Data Protection Officer
• EP text changes requirements
  • SME (250 employees) => legal person processing personal data relating to more than 5000 data subjects in any consecutive 12-month period
  • Single DPO => main responsible DPO
  • Protection is extended
Certification
• Expansion of data protection certification mechanisms, seals and marks
• Certification for compliance with Regulation (‘European Data Protection Seal’)
  • Supervisory authority
  • Reasonable fee
ENFORCEMENT
Enforcement
• Liability
  • In principle, joint and several liability
• Penalties
  • Administrative sanctions
    • Fine of max. 1,000,000 EUR or, in case of an enterprise, 2% of annual global turnover, whichever is higher
  • Much stricter and higher in EP text
Contact details
Johan Vandendriessche
Partner
crosslaw CVBA
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM