
The GDPR is here. So do you know what the courts are saying?

While the ink has been dry on the final text of the GDPR since May 2016, the same cannot be said for the courts. They are busier than ever with respect to data protection litigation! (There hasn't been a lot before, to be honest, as the legal instruments weren't as adequate.)

One could say former law student Max Schrems partially paved the way by getting the European Court of Justice (ECJ) to declare Safe Harbour invalid, and he is at it again today with his not-for-profit NOYB.eu (that's for None of Your Business).

While we might discuss Cambridge Analytica in light of a potential class action against Facebook in Belgium, this presentation will mainly walk the audience through the case law (Digital Rights Ireland, Google Spain, Schrems, Wirtschaftsakademie) that is shaping the interpretation of the previous Data Protection Directive and the GDPR. Hopefully this will allow us to better understand where those clear red lines are being drawn in the sand, for now.

So, the Right to be Forgotten: is it still comparable to "book burning in the Nazi period", or can we move beyond that to find better ways to balance technological opportunities with societal needs, for the benefit of all?

Published in: Law

Slide transcript

  1. The GDPR is there. Do you know what the courts are saying? Aurélie Pols for Superweek, January 28th 2019. Views from the Privacy Engineering trenches, free of disclaimers, aka just my views and not those of any of my clients. European at heart, recovering dataholic. @aureliepols aurelie@mindyourprivacy.com
  2. Aurélie Pols, Data Governance & Privacy Engineer. Data is the new infrastructure – Privacy is the new green – Trust is the new currency. Dutch nationality, French mother tongue, works in English, lives in Spain. • DPO for mParticle (Customer Data Platform) – contractor (USA, New York) • Chief Visionary Officer – Competing on Privacy; Founder – Aurélie Pols and Associates • Professor of Ethics & Privacy in the Big Data & Business Analytics Master – Instituto de Empresa (IE), Madrid (ES); guest professor on DPO certification courses, Maastricht University, Faculty of Law (NL) & Solvay Business School, Brussels (B) • Board Member, European Centre on Privacy and Cybersecurity, Maastricht University (NL) • Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS), Towards a digital ethics • Former Vice-chair P7002 – Data Privacy Process – IEEE • Speaker/writer/consigliere: Mobile World Congress, SXSW, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry associations, AdTech & MarTech vendors, … • 2003: OX2 co-founder, Webanalytics.be; 2008: sold to Digitas LBi (Publicis)
  3. Got worried about privacy in 2007. Source: https://www.ftc.gov/sites/default/files/documents/public_statements/statement-matter-google/doubleclick/071220harbour_0.pdf
  4. 2016 / 2017 roadmap: 1. Define yourself 2. Define data flows 3. Align liabilities 4. Purpose & consent 5. Risk-based approach: (i) data security & breach notification, (ii) codes of conduct & certifications, (iii) data pseudonymization, (iv) data subject consent & purpose of processing, (v) profiling & the right to object, (vi) cross-border data transfers, (vii) erasure / rectification rights, (viii) data portability, (ix) duties & responsibilities, (x) procedures & fines. Privacy engineering: 1. Incentives beyond accountability? 2. Data ownership? Never! 3. Blurring lines of personal data (≠ PII, despite NIST) 4. Standards
  5. Autonomy, beyond Dignity. Charter of Fundamental Rights of the European Union, Article 1: "Human dignity is inviolable. It must be respected and protected". Charter articles mapped to secondary law: Art. 8, Protection of personal data (→ GDPR): 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority. Art. 7, Respect for private and family life (→ ePrivacy): Everyone has the right to respect for his or her private and family life, home and communications.
  6. Gentle reminder about ePrivacy: consent is a horizontal obligation in the GDPR, independent of how ePrivacy will pan out! https://www.youtube.com/watch?v=gLW_y_cucUQ
  8. https://techcrunch.com/2018/11/20/how-a-small-french-privacy-ruling-could-remake-adtech-for-good/ And then: • NOYB • Privacy International • Brave…
  9. Because, ladies and gentlemen, it gets worse!
  11. Back to the GDPR
  12. Obligations under the GDPR data ecosystem. Source: https://www.rizikon.oi/gdpr-compliance Appointing a DPO – Data Protection Officer – or not? Described in Section 4 of the GDPR, art. 37: Designation of the data protection officer. The following articles (38 and 39) cover the DPO's position and tasks. You may still choose to appoint one even if not directly required: moving beyond compliance!
  14. An accountability chain
  15. Spot the difference: controller vs. processor. • The controller decides the purpose and the means of processing. • The processor acts on / processes data upon the instructions of the data controller. Increasingly a question of data flows, not contracts!
  16. Interlocking liabilities & obligations. The chain: People → Company (Telco, Bank, Insurance…) → Company (Agency, consultancy, vendor, …) → Cloud provider; the first link is B2C (privacy policies, consent), the following ones B2B (MSA, SOW, T&C). • Aligning contract obligations (+ enforcement?) • Providing security, privacy features, privacy engineering
  17. As a processor, can I engage a controller? • Yes, if you have the necessary permission / instructions from the initial controller • The processor may need to amend its contract with the initial controller. Diagram: Data Subject → Data Controller (first / initial) → Data Processor → Data Controller (receiving)?
  18. Data subject's consent questions. Do I have to get a DS's consent to share data with another controller? As the receiving controller, should I insist that the 1st controller has sought consent? • General rule = no. The data controller needs to have a legal basis for sharing, needs to provide notice, and do all the other things controllers need to do (art. 24). • Exceptions: BUT if the data, and the purposes for which the receiving controller plans to use it, involve e-marketing or "special categories of data"
  19. Gentle reminder: lawful basis examples
  20. How can you be confident about Legitimate Interests? Source: https://fpf.org/2017/12/11/unfairness-by-algorithm-distilling-the-harms-of-automated-decision-making/
  21. Data Subject → Data Controller (first / initial) → Data Processor → Data Controller (receiving). Consent? Notice obligations for the (behind the scenes) service provider: how to provide notice?
  22. That's for the lawyers who like contracts and to scare them, while engineering teams smile. What about the courts?
  23. The CJEU cares about data protection, working from country references and supervisory authorities
  24. Fact: not a lot of litigation with respect to data protection. • Most notorious? RTBF: the Right to be Forgotten • Data protection inferred from EU primary law: constitutional level • Not the case in the ECHR (4/11/1950), which mentions only privacy • Yet a step forward compared to the US Constitution (200 years older), e.g. Griswold v. Connecticut (1965), where the right to privacy belongs to the penumbras of the Constitution: a right without which the remainder of the other rights wouldn't make any sense • EU less complicated: it's in the texts, in the Charter of Fundamental Rights (art. 7 & 8) and Art. 16 TFEU, a horizontal provision (consent)
  26. Autonomy, beyond Dignity (repeat of slide 5: Charter art. 1, with art. 8 mapped to the GDPR and art. 7 to ePrivacy)
  27. Treaty on the Functioning of the European Union (TFEU)
  28. Typically 2 types of cases at the ECJ. 1. Public interest vs. individual interest: • Law Enforcement Directive 2016/680 • Data Retention Directive of 2006, invalidated in 2014 in the joined Digital Rights Ireland & Seitlinger cases; Tele2 Sverige & Watson, … mainly telcos and profiling, serious crime • Schrems (complaint against Facebook) invalidated Safe Harbour in October 2015 (adequacy, following Snowden; also the PNR Canada opinion, sensitive data). 2. Interpretation of EU secondary law to foster accountability of individuals
  29. Threats of private persons to the protection of personal data. Pending cases which came under the Directive are now under the GDPR. • Accountability & balancing of rights: "Right to be Forgotten" (2014), Costeja González with the AEPD (Google actually complained before the Audiencia Nacional) • Joint responsibility? Wirtschaftsakademie vs. Facebook (June 2018) about fan pages: FB = controller & a fan page administrator is jointly responsible (key is profiling, also of those who are not on FB!) • Derogations? Not everything is digital! Jehovah's Witnesses from Finland • Planet49: pre-ticked boxes & consent
  31. Processors refusing to be joint controllers. NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems (Jan 2017): http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf
  32. Processor obligations (I). Responsibility of the data processor: • Contract with obligations and instructions; Standard Contractual Clauses • Records of processing activities (art. 30): processing of census data, > 250 employees • Security of processing (art. 32): staff's obligation of confidentiality; evaluation of risk management; PDCA on security measures; support data controllers on security management • Right to compensation and liability (art. 82): responsibility for the entire damage; penalties (artt. 83 & 84) • Notification of a personal data breach to the supervisory authority (art. 33); communication of a personal data breach to the data subject (art. 34) • Cases provided for by the supervisory authority: data protection impact assessment (art. 35), prior consultation (art. 36) • Support the data controller's obligations (art. 28): facilitate inspections; obligation to report instructions that infringe the Regulation; support the data controller on the rights of the data subject: transparency (art. 12), right of access (art. 15), right to rectification (art. 16), right to erasure (art. 17), right to restriction of processing (art. 18), right to data portability (art. 20), right to object (art. 21); information (artt. 13 & 14): personal data collected from the data subject (art. 13), personal data not obtained from the data subject (art. 14)
  33. Processor obligations (II). Responsibility of the data processor: • Education of data officers (art. 29) • DPO (art. 37), Guidelines on DPOs (WP29 #243): public authority; monitoring on a large scale; sensitive data (art. 9) and personal data relating to criminal convictions (art. 10) • Large scale: records of processing activities (art. 30), data protection impact assessment (art. 35), DPO (art. 37) • Nominating another data processor: cautious choice; data controller's authorisation (art. 28 c.2); contract • Transfer to a 3rd country: statutory obligation; data controller's authorisation; transfer on the basis of an adequacy decision (art. 45), Privacy Shield; transfer subject to appropriate safeguards (art. 46); binding corporate rules (art. 47) • Adherence to codes of conduct; certification (art. 42) (market leverage). A processor who establishes autonomous purposes and means is considered to be a controller.
  34. Meanwhile @Superweek
  35. Is every service provider a processor? • How has the view changed since the Directive? • GDPR changes: direct obligations; audit rights; limits on sub-processing; article 28 limits: cannot improve the product/service! Roles are becoming less clear with data processing operations such as ML
  37. Worlds are colliding! The Privacy by Design lady's 7 principles: 1. Proactive not reactive, preventive not remedial 2. Privacy as the default 3. Privacy embedded into design 4. Full functionality – positive-sum, not zero-sum 5. End-to-end security – lifecycle protection 6. Visibility and transparency 7. Respect for user privacy
  38. Recommended reading? https://iapp.org/news/a/if-privacy-principles-are-from-venus-then-engineering-rules-are-from-mars/
  39. An algorithm walks into a bar
  40. What I teach my children
  41. Thank you for coming to my presentation. History is important, it shapes our lives, entire generations! • Today is #dataprotectionday • Yesterday was #holocaustday • The future doesn't have to be Black Mirror. (Pictures: my beautiful daughter; my grandfather; apparently I have uncles…)
  42. Thank you for your attention. aurelie@mindyourprivacy.com