Privacy Open Forum, Wednesday, 17th of September 2014

ISACA Belgium Privacy Open Forum - Draft EU Data Protection Regulation

Dec 02, 2014


Some thoughts on the EU Data Protection Regulation, taking into account the text adopted by the European Parliament in March 2014.
Transcript
Page 1: ISACA Belgium Privacy Open Forum - Draft EU Data Protection Regulation

Privacy Open Forum
Wednesday, 17th of September 2014

Page 2: Agenda

Brussels, 17 September 2014

1. 18:30 Welcome
2. 18:45 Draft EU Privacy Regulation
3. 19:30 Break
4. 19:50 Draft EU Privacy Regulation
5. 20:30 Close

Page 3: Close

Page 4: Draft EU Privacy Regulation – IT Aspects

Johan Vandendriessche

Page 5: Data Protection Reform

• 2012: EC proposes comprehensive reform of the existing data protection rules
  • Draft Regulation (COM) 2012 11 final
  • Draft Directive (COM) 2012 10 final
• 2014: EP
  • Amended text adopted
  • Co-decision (EP/Council) procedure still needs to be followed
  • Passed a resolution asking a.o. for a suspension of Safe Harbor

Page 6: Data Protection Reform

• Focus on Draft Regulation only
• Legislative process is currently ongoing
• Review of Safe Harbor?
  • EP Resolution does not impact legal status of Safe Harbor, but strong message
• New EC Commission

Page 7: Data Protection Reform

• Regulation – what’s in the name?
  • EU-wide application
  • One legal instrument for all EU Member States
  • ‘Direct effect’ – no implementation required
• Substantial delegation to the European Commission
• Administrative simplification (e.g. ‘one stop shop’)
• Enforcement is reinforced

Page 8: GENERAL ASPECTS

Page 9: Material Scope

• Processing of personal data
  • Wholly or partly by automatic means
  • Other means, if part of filing systems (or intended therefore)
• Clarification on household exemption in EP text
  • Publication with reasonable expectation of access by limited number of people

Page 10: Territorial Scope

• Regulation applies if:
  • Processing in the context of an establishment of a controller or processor in the EU
  • Processing of personal data of data subject residing in the EU in the context of a controller not located in the EU
    • The offering of goods or services to data subject
    • The monitoring of their behaviour

Page 11: Territorial Scope

• Amendments in text approved by EP:
  • Processor is added in non-EU case
  • Residence requirement is deleted
  • Any monitoring of data subjects

Page 12: Personal Data

• Definition of personal data
• Addition of ‘pseudonymous data’
  • Inability to comply: no obligation to comply
• Addition of ‘encrypted data’

Page 13: Consent

• Consent
  • Processing consent must be distinguished from other matters
  • Consent may be withdrawn
• EP text
  • If withdrawal of consent has an impact on service delivery: warning
  • Contract may not be conditional on data not necessary for performance

Page 14: IMPACT ON CLOUD COMPUTING

Page 15: Dataflow overview

Diagram (three scenarios drawn on an EU map):

1. Data Controller inside EU → Data Transfer → CSP inside EU (but other EU Member State)
2. Data Controller outside EU → Data Export / Data Import → CSP inside EU
3. Data Controller inside EU → Data Export / Data Import → CSP outside EU

Map: EU28-2013 European Union map, CC-BY 3.0 Kolja21, http://commons.wikimedia.org/wiki/File:EU28-2013_European_Union_map.svg

Page 16: Dataflow within the EEA (1) (Directive)

• Law of the country of establishment of data controller applies to data processing operation
• Subsequent transfers to sub-processors located within the EEA are possible
• Subsequent transfers to sub-processors located outside the EEA are in principle not possible
  • There is no P2P Model Contract
  • New Model Contract leaves the door partially open
  • Multiparty C2P Model Contract offers a solution

Page 17: Dataflow from a DC outside the EEA to a CSP inside the EEA (2) (Directive)

• National data protection law applies if ‘means’ are applied by the data controller on the territory of a member state
• Cumulation of applicable laws if ‘means’ are applied on the territory of several member states

Page 18: Dataflow from a DC outside the EEA to a CSP inside the EEA (2) (Directive)

• ‘Worst case situation’ as the data controller is subjected to data protection law due to the location of the CSP (or its subcontractors)
• Art. 29 WP Opinion 8/2010 on applicable law
  • this criterion has shown to have undesirable consequences, such as a possible universal application of EU law

Page 19: Dataflow from a DC inside the EEA to a CSP outside the EEA (3) (Directive)

• Law of the country of establishment of data controller applies to data processing operation
• No export to countries outside EEA, except if they offer adequate protection
  • White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  • BCR / Model Contracts
    • Latest C2P Model Contract accepts ‘onward transfer’ to sub-processors, thereby facilitating Cloud Computing

Page 20: Dataflow within the EU (1) (Regulation)

• Regulation applies to data processing operation
• Subsequent transfers to sub-processors located within the EU are possible
• Subsequent transfers to sub-processors located outside the EU are in principle not possible
  • There is no P2P Model Contract
  • New Model Contract leaves the door partially open
  • Multiparty C2P Model Contract offers a solution

Page 21: Dataflow from a DC outside the EU to a CSP inside the EU (2) (Regulation)

• Regulation applies if (not cumulative):
  • Processing relates to data subjects residing in the EU, irrespective of establishment of data controller, in the context of offering of goods/services or monitoring
  • Establishment of CSP in the EU
    • CSP established in EU, but datacentre outside EU: Regulation applies
    • CSP established outside EU, but datacentre in EU: Regulation does not apply?

Page 22: Dataflow from a DC inside the EU to a CSP outside the EU (3) (Regulation)

• Regulation applies
• No export to countries outside EU, except if they offer adequate protection
  • White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  • BCR / Model Contracts
    • Latest C2P Model Contract accepts ‘onward transfer’ to sub-processors, thereby facilitating Cloud Computing

Page 23: Dataflow within the EEA (1) (EP text)

• Regulation applies to data processing operation
• Subsequent transfers to sub-processors located within the EU are possible
• Subsequent transfers to sub-processors located outside the EU are in principle not possible
  • There is no P2P Model Contract
  • New Model Contract leaves the door partially open
  • Multiparty C2P Model Contract offers a solution

Page 24: Dataflow from a DC outside the EU to a CSP inside the EU (2) (EP Text)

• Regulation applies if (not cumulative):
  • Processing relates to data subjects in the EU, irrespective of establishment of data controller, in the context of offering of goods/services or monitoring
  • Establishment of CSP in the EU
    • CSP established in EU, but datacentre outside EU: Regulation applies
    • CSP established outside EU, but datacentre in EU: Regulation does not apply?

Page 25: Dataflow from a DC inside the EU to a CSP outside the EU (3) (EP Text)

• Regulation applies
• No export to countries outside EU, except if they offer adequate protection
  • White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  • BCR / Model Contracts
    • Latest C2P Model Contract accepts ‘onward transfer’ to sub-processors, thereby facilitating Cloud Computing

Page 26: ‘Anti-Fisa’

• Tendency of ‘anti-Fisa’ clauses in contracts and tenders
• So-called ‘anti-Fisa’ clause in article 43 (a) of the Regulation (EP Text)
  • Unenforceability of disclosure orders
  • Prior information to and authorisation from Supervisory Authority
  • Information to data subjects

Page 27: SELECTED DATA SUBJECT RIGHTS

Page 28: Right to be Forgotten (current Directive)

• ECJ decision C-131/12
  • Internet Search Engines
  • Application of the right to rectify and the right to object
    • Removal from search results
    • No need for prejudice
  • Application of articles 7 and 8 of the Charter of Fundamental Rights of the EU
    • Right to have information no longer be made available to the general public

Page 29: Right to be Forgotten and to Erasure

• Conditional right to obtain erasure and abstention from further dissemination
  • Generally, ‘relevancy’ and ‘lawfulness’
• What is erasure?
  • Not otherwise process => storage is processing
• Reasonable steps to inform third parties
• Delegated act shall define criteria and requirements

Page 30: Right to be Forgotten and to Erasure

• Implement mechanisms to observe time limits for erasure and need for storage
• Exceptions (restriction of processing)
  • Dispute
  • Proof
  • Request for restriction of use
  • Retention obligation under EU or Member State law
  • Data Portability

Page 31: Right to Erasure

• EP text contains some changes
  • Right to obtain erasure from third parties
  • Exception added (restriction of processing)
    • Storage technology does not allow erasure and has been installed before the entry into force of the Regulation
  • In case of restriction of processing
    • No normal data access and data processing
    • Data cannot be changed anymore

Page 32: Right to Data Portability

• Right to obtain a copy of personal data
  • If processed in a structured and commonly used format
  • In an electronic and structured format which is commonly used
• Right to further use data
  • Interference with IP law

Page 33: Right to Data Portability

• Processing based on consent or contract
• Right to transmit data into another IT system
  • No hindrance from the data controller
  • Data export facility?
  • Interference with IP law
• Formats and modalities may be specified by EC
  • Removed from EP text

Page 34: Data Protection by Design

• DP by design
  • Data controller
  • Implement appropriate technical and organisational measures
    • State of the art and cost of implementation
    • When determining means and when processing
    • To ensure compliance with Regulation and protection of the rights of the data subject
  • EC may define technical standards

Page 35: Data Protection by Design

• DP by Design (EP text)
  • Also data processors
  • Also when defining purpose of processing
  • Entire lifecycle management
  • Taking into account:
    • State of the art
    • Current technical knowledge
    • International best practice
    • Risks presented by the data processing
  • Prerequisite for public procurement tenders

Page 36: Data Protection by Default

• Implementation of mechanisms
  • Data controller
  • Limitation of processing in terms of amount and time
  • Not made available by default to an indefinite number of individuals
• EP text: data subjects must be able to control distribution of their personal data

Page 37: DATA SECURITY

Page 38: General

• Key principle: accountability
  • Ensure and be able to demonstrate compliance
  • Adopt policies
  • Implement appropriate measures
    • Documentation
    • Implementing data security requirements
    • Performing data protection impact assessment
    • Prior authorization or consultation (where required)
    • Data protection officer (DPO)

Page 39: General Security Obligation

• General obligation to implement security measures
  • Technical measures
    • User access management
    • IT security (anti-virus, firewall, …)
    • Fire prevention measures
  • Organizational measures
    • Data categorization (confidentiality level)
    • Employee policies

Page 40: General Security Obligation

• General obligation to implement security measures
  • Both types of measures are interchangeable
  • Protection against any unauthorized processing
  • Adequate level of protection taking into account:
    • Available technology and costs;
    • Nature of concerned personal data and the potential risks

Page 41: Personal Data Breach Notification

• Data breach notification duty
  • Data controller and data processor
  • Notification to supervisory authorities
    • Detailed information
    • Without undue delay and at the latest within 24 hours after becoming aware of the breach
    • If not within 24 hours, reasoned justification for the delay
    • Standard format is likely
  • Document data breach for verification purposes

Page 42: Personal Data Breach Notification

• Data breach notification duty
  • Notification to data subjects
    • Likelihood of adversely impacting a data subject
    • Encryption may provide exemption
    • May be imposed by supervisory authorities
• Tendency to include data breach notification obligations in contracts

Page 43: Personal Data Breach Notification

• EP text renders the notification obligation slightly lighter
  • No 24-hour period, only ‘without undue delay’
  • The same applies to the data processor (previously ‘immediately’)
  • Phased information on mitigation measures
  • Public register of personal data breaches

Page 44: Data Protection Impact Assessment

• When?
  • Specific risk to rights and freedoms of data subject
• Nature
• Scope
• Purpose
• General description
• Consultation of data subjects
• Significantly expanded by EP text (DP lifecycle management)

Page 45: Data Protection Officer

• Who?
  • Public authority
  • Large companies (>250 employees)
    • Groups of companies may designate a single DPO
  • Companies with data processing as ‘core business’
    • Regular and systematic monitoring of employees

Page 46: Data Protection Officer

• Specific guarantees for the DPO
• Tasks
  • Advice
  • Monitor compliance
  • Contact Point

Page 47: Data Protection Officer

• EP text changes requirements
  • SME (250 employees) => legal person processing personal data relating to more than 5000 data subjects in any consecutive 12-month period
  • Single DPO => main responsible DPO
  • Protection is extended

Page 48: Certification

• Expansion of data protection certification mechanisms, seals and marks
• Certification for compliance with Regulation (‘European Data Protection Seal’)
  • Supervisory authority
  • Reasonable fee

Page 49: ENFORCEMENT

Page 50: Enforcement

• Liability
  • In principle, joint and several liability
• Penalties
  • Administrative sanctions
    • Fine of max. 1,000,000 EUR or, in case of an enterprise, 2% of annual global turnover, whichever is higher
    • Much stricter and higher in EP text

Page 51: Contact details

Johan Vandendriessche
Partner
crosslaw CVBA
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be

Page 52: ISACA BELGIUM