This document summarizes a webinar on data protection held on April 2nd, 2014. It covered several topics: demystifying big data and the privacy issues it raises; ensuring cookie compliance; rules around security breaches; hot topics in workplace privacy like bring your own device policies and whistleblowing; and an overview of the draft EU Data Protection Regulation. The webinar provided guidance on these issues and emphasized the need for organizations to review their policies and practices to ensure compliance. It also noted ongoing negotiations around the EU regulation and implications for the future of data protection.
CEE CMS Data Protection webinar series - Part 2
1. 2nd of April 2014
CMS CEE Data Protection Webinar series, Part 2: Digital Legal Guardians
2. Your presenters today
- Hungary: Dóra Petrányi
- Hungary: Márton Domokos
- Poland: Marcin Lewoszewski
- Romania: Marius Petroiu
- Russia: Elena Baryshnikova
- Ukraine: Nataliya Nakonechna
- Ukraine: Olga Belyakova
4. Agenda
- Demystifying Big Data
- Cookie Compliance
- Rules on security breach
- Workplace Privacy
- The New EU Data Protection Regulation
- Check List
5. Introduction: Trends in privacy and the risk landscape
- Internet of Things will impact law: "Cyber criminals hack smart fridge to send out spam"
- "Big Data" gets bigger: "Big data, big legal trouble?"
- Complex & extensive cloud computing: "Targeting the $100 Billion Cloud Market"
- Mobile content revolution: "App Generation will lead to $77bn in revenues by 2017"
- Wearable technologies: "How Google Glass Is Redefining Tech Etiquette"
- e-health: "Oral B's smart toothbrush lets dentists spy on your brushing"
6. Introduction: Trends in privacy and the risk landscape (continued)
- More personal advertising: "Microsoft Working On New Tracking Technology To Replace Cookies"
- Finalisation of the EU Regulation: Reding: "Full Speed on EU Data Protection Reform 2014"
- Strong push on compliance (whistleblowing): "New Whistleblowing Law Generates New Data Privacy Issues in Hungary"
- Fines, recovery costs and reputation: "Facebook-WhatsApp Risks Sparking Privacy Probes"
- Trans-Atlantic tensions: "EU data protection reform could start 'trade war'"
8. Demystifying Big Data (1): "The next big thing"
− BIG = source, speed, volume, advanced algorithms
− New sources (e.g., web data, tweets, social media, email, text messages, instant messages, chat)
− Unanticipated insights and low storage cost
− To revolutionize business, science, research and education
Legal guidance on how to demonstrate legitimacy… Typical use cases:
− Fraud prevention
− Network security
− Exploring consumer expectations
− Energy efficiency
9. Demystifying Big Data (2): Data privacy issues
− Accountability
− Does it require consent?
− Any error in the process?
− Data security measures?
− How to minimise the data collection?
− Legitimate data processing purpose?
− Prohibited decisions?
10. Demystifying Big Data (3): "Regulatory changes may require recalibration"
Big Data issues in our practice:
1. Personalized recommendations, targeted marketing and other services to identifiable users or mobile devices.
2. What is "personal data"? e.g. anonymous data, health, location
3. What shall the privacy notice contain?
4. What about reminders?
5. Get explicit opt-in or rely on implied consent?
6. Opt-out options?
7. Permitted combination of information?
8. No personalized services but still collecting data to improve algorithms?
Monitoring procedures in relation to Big Data projects
12. Cookie Compliance (1)
− Directive 2002/58/EC on Privacy and Electronic Communications
− WD 02/2013 Providing Guidance on Obtaining Consent for Cookies
− Opinion 04/2012 on Cookie Consent Exemption
− Opinion 2/2010 on Online Behavioural Advertising
"The use of e-communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information." (Article 5 (3))
14. Cookie Compliance (3): Verification of internal practice
− Types of cookies?
− Purpose and technology?
− Personal data processing? How long?
− Further processing (e.g. combination of data)?
− Data transfer (third party cookies)?
− Is it necessary to obtain prior, informed consent?
− Data privacy notice?
− Separate policy + link, format, positioning?
− Third party agreements? (advertisement)
− Data Protection Registry?
− Handling users' requests?
15. Cookie Compliance (4): CEE Overview
Poland: Opt-in. No specific guidance. DPA: brief privacy information on cookie placement is sufficient.
Russia: No specific regulation. Companies place the cookie policies on their websites to protect their interests. DPA: no official position.
Romania: Opt-in. No specific guidance. DPA: brief privacy information on cookie placement is sufficient.
Ukraine: No specific regulation. DPA: user's consent on processing of his personal data using 'cookies'; clear privacy statement with reference to a detailed privacy policy.
Hungary: Opt-in. No specific guidance. DPA: brief privacy information on cookie placement is sufficient.
Slovakia: Opt-in (the setting of the internet browser allowing cookies is considered as previous consent). Brief privacy information on cookie placement is sufficient.
Bulgaria: No specific regulation re cookies.
Czech Republic: Failure to fully implement the opt-in scheme. Arguable whether cookies are considered personal data or not.
17. Security Breach Notifications
Hungary: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
Czech Republic: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
Slovakia: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
Bulgaria: Sector? Providers of publicly available electronic communications services. Specific rules? Electronic Communications Act (notification to the Data Protection Authority within 3 days vs 24 hours in Regulation 611/2013/EU).
Poland: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
Romania: Sector? Providers of Telco services. Specific rules? Law 506/2004 on processing personal data in the Telco field.
Ukraine: Sector? N/A. Specific rules? N/A.
Russia: Sector? N/A. Specific rules? Amendments to the Data Protection Law providing that data processors must inform the DPA of breaches are being prepared now.
19. Workplace privacy: "Hot" data privacy topics (2)
Russia
− Issue: Is monitoring of private correspondence on corporate devices possible?
− Internal policies and notifications on the monitoring to be signed by employees
Romania
− Interviews / background checks: scope needs to be limited: reasonable & necessary
− New DPA rules on CCTV
− Criminal Code: correspondence secrecy
Ukraine
− No specific regulation.
− CCTV and access to the corporate e-mail account require the employee's consent
Hungary
− Labour Code permits monitoring and transfer to processors
− Updated employee privacy notices
− New rules on CCTV use
− DPA fine re employee laptop access
− New whistleblowing law
20. Workplace privacy: "Hot" data privacy topics
Slovakia
− Emails or phone calls: employees are to be informed in advance of the extent of control, its methods, implementation and duration.
− Discussion with the employees' representative
Bulgaria
− The 2011 amendment to the Labour Code allows video surveillance for monitoring the work process and observing working time. Employees shall provide their explicit consent!
Czech Republic
− New case law on monitoring: strengthening the position of employers re breach of work duties; stressing the duty of loyalty of employees.
− Monitoring must not be excessive.
Poland
− No specific regulation
− Good practice: information to employees about monitoring and its extent
21. Workplace privacy: "Hot" data privacy topics: Bring Your Own Device (BYOD) (1)
− Personal devices used for employment / professional purposes vs. company devices
− Private and corporate data are accessed with one device
− Employer expects control over the data and the device
− Control = remote access + administration rights (mobile device management: security updates, lock access, data removal)
− Best practice:
• BYOD guidelines / update of existing policies (acceptable use, device management) + training
• Separating corporate and private data + alternatives (virtual solutions)
• ICO Guidance
Revise / review BYOD policies and watch out for regulatory developments
22. Workplace privacy: "Hot" data privacy topics: Bring Your Own Device (BYOD) (2)
Hungary: Consent? No. Privacy notice? Yes. Works council involvement? Yes.
Czech Republic: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
Romania: Consent? No. Privacy notice? Internal rules regulate issues e.g. privacy, security. Works council involvement? Implemented in consultation with employees' representatives.
Ukraine: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
Poland: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
Slovakia: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
Bulgaria: Consent? No. Privacy notice? Yes. Works council involvement? No.
Russia: Consent? N/A. Privacy notice? N/A. Works council involvement? Internal rules on privacy and security may cover such use.
23. Workplace privacy: "Hot" data privacy topics: Whistleblowing (1) – best practices
− Data privacy information
− No encouragement of anonymity
− Data transfer to advisors
− Data transfer outside the EEA
− Protection of whistleblowers' identity
− Accounting and auditing + related matters
− Limited data collection and retention (2 months)
− Rights of the incriminated
− Notification to / approval by the DPA?
− Consequences of misuse
24. Workplace privacy: "Hot" data privacy topics: Whistleblowing (2) – local requirements
Hungary: Specific law on whistleblowing hotlines? Act CLXV of 2013 on Complaints and Public Interest Disclosure. Specific regulatory guidance on whistleblowing hotlines? NO. Notification to / approval by the DPA? YES.
Czech Republic: Specific law on whistleblowing hotlines? Proposed only for the banking sector (pending parliament procedure). Specific regulatory guidance? NO. Notification to / approval by the DPA? In non-regulated sectors.
Romania: Specific law on whistleblowing hotlines? Only in the public sector (whistleblowing in general). Specific regulatory guidance? NO. Notification to / approval by the DPA? YES.
Ukraine: Specific law on whistleblowing hotlines? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? NO.
25. Workplace privacy: "Hot" data privacy topics: Whistleblowing (3) – local requirements
Poland: Specific law on whistleblowing hotlines? NO. Specific regulatory guidance on whistleblowing hotlines? NO. Notification to / approval by the DPA? Yes (notification).
Slovakia: Specific law on whistleblowing hotlines? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? YES.
Bulgaria: Specific law on whistleblowing hotlines? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? NO.
Russia: Specific law on whistleblowing hotlines? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? YES.
26. Workplace privacy: "Hot" data privacy topics: Whistleblowing (4) – new law in Hungary
− Translation and publication of the internal rules
− Registration with the DPA
− Article 29 Working Party Opinion 1/2006
− Sensitive data shall not be processed
− Enhance permitted data transfers
− Outside the EEA: data transfer agreement + 'adequate protection'
− Specific deadlines for the investigation and data retention
− Mandatory notifications to whistleblowers and the reported
− Mandatory notification to criminal authorities
Verify the operation of whistleblowing and watch out for regulatory developments
27. Workplace privacy: "Hot" data privacy topics: Whistleblowing (5) – new law in Hungary
Act CLXV of 2013 on Complaints and Public Interest Disclosures
− Translation and publication of the internal rules
− Registration with the DPA
− Sensitive data shall not be processed
− Works' council consultation
− Mandatory notification to criminal authorities
− Outside the EEA: data transfer agreement + 'adequate protection'
− Specific deadlines for the investigation and data retention
− Enhances permitted data transfers
29. The draft EU Data Protection Regulation (1): Status and next steps
Timeline:
− June 2013: NSA mass surveillance activities: "reforms vital to counter PRISM data access" (Reding)
− October 2013: "breakthrough": EU LIBE compromise package
− Trilogue negotiations: EC, Council and Euro MPs
− November 2013: EC calls for Safe Harbor reforms
− December 2013: Justice Ministers failed to agree on one-stop-shop: "leading lawyers have public catfight"
− January 2014: EDPS calls Germany to take the lead in negotiating
− March 2014: European Parliament's formal approval
− New deadline: end of 2014
30. The draft EU Data Protection Regulation (2)
− 18 months of "intense negotiations and fierce lobbying" - across sectors, B2B, B2C, 100 pages, 4,000 amendments
− Specific rules are not clear: further interpretation, guidance, industry-specific measures (is it really a Regulation?)
− Extra-territorial effect may cause trans-Atlantic tensions
− Likely to revolutionize and reshape privacy
− Direct effect
− "data protection" or "data protectionism"?
31. The draft EU Data Protection Regulation (3)
− One-stop-shop: instead of a regulatory patchwork of 28 countries, will make the life of company groups easier. BUT: what is the "main establishment"? The competence of local DPAs will also remain.
− More consumer rights & DPA power: fines up to EUR 100 million or 5% of yearly worldwide turnover.
− Less administration: no more Data Protection Registry. BUT: consultation obligation.
− Explicit consent: not required for contracting, compliance, legitimate interests. BUT: "significant imbalance" test.
32. The draft EU Data Protection Regulation (4)
− Profiling: only upon consent/contract; prohibited: only upon sensitive data - may affect Big Data
− Data transfers outside the EU: more practical (e.g. "Binding Corporate Rules", "European Data Protection Seal"), BUT restricts "frequent or massive" transfers + regulatory requests.
− Data Protection Officer: mandatory for companies processing data of more than 5,000 individuals/year; independent, 2-4 years
− Privacy Notices: more detailed than now + standardised format using icons
34. The draft EU Data Protection Regulation (6)
− Accountability: adopt policies, implement measures, keep extensive documentation, data security requirements, perform privacy impact assessments, comply with prior authorisation / consultation by the DPA, designate a Data Protection Officer, bi-annual update of policies.
− Data privacy impact assessment: risk assessment (e.g. data amount and type, automation, industry (e-health!)), applied "to the entire lifecycle management of data", bi-annual update.
35. The draft EU Data Protection Regulation (7)
− Data Portability: independently from the format
− Right to erasure: data, copies, links
− Data breach notification: in all industries – to the regulator: immediately; to customers: only in serious cases
− Privacy by Design / Default: documentation + database
36. Checklist (1)
(* - also to comply with the DP Regulation)
− "Data discovery" – reviewing the scope of data collected.
− Transparent / accessible policies and governance framework.*
− Documentation of data flows and processes.*
− Drafting / reviewing agreements, consents, NDAs and confidentiality provisions re data processing and data transfer.
− Revise / review DPA notifications.
− "Traditional" outsourcing. Make sure you are compliant with "traditional" issues and watch out for the new trends and new issues…
− New models of outsourcing – the Cloud. Watch out for regulatory developments and the expectations in case of contracting.
37. Checklist (2)
− Big Data - watch out for regulatory developments and the expectations in case of contracting.
− Ensure compliance in "usual" workplace privacy topics.
− Revise / review BYOD and social media policies.
− Verify whistleblowing hotlines, especially in Hungary.
− Review access rights procedures.
− Data breach notifications: implement internal rules.
− Data portability: identify security issues re transmission / access.
38. Any questions? Would you like to know more? Contact us!
- Dóra Petrányi - Hungary, CEE Data Protection Lead Partner: dora.petranyi@cms-cmck.com, +36 1 483 4820
- Márton Domokos – Hungary: marton.domokos@cms-cmck.com, +36 1 483 4824
- Marcin Lewoszewski – Poland: marcin.lewoszewski@cms-cmck.com, +48 22 520 5525
- Marius Petroiu – Romania: marius.petroiu@cms-cmck.com, +40 21 407 3 889
- Elena Baryshnikova - Russia: elena.baryshnikova@cmslegal.ru, +7 495 786 40 99
- Nataliya Nakonechna – Ukraine: nataliya.nakonechna@cms-cmck.com, +380 44 391 7 729
- Olga Belyakova – Ukraine: olga.belyakova@cms-cmck.com, +380 44 391 7 727
39. Thank you for your attention!
Please complete our feedback box that opens automatically when this presentation closes.
You can download our CMS CEE Guide to Data Protection & webinar materials from our website: www.cms-cmck.com