
Digital law and GDPR

5,168 views

Published on

lecture given at ESC Rennes in November 2017

Published in: Education

Digital law and GDPR

  1. Privacy 2.0. Jacques Folon, Partner, Edge Consulting; Lecturer, Université de Liège; Professor, ICHEC; Visiting Professor, Université de Lorraine (Metz); Visiting Professor, ESC Rennes School of Business
  2. http://www.jerichotechnology.com/wp-content/uploads/2012/05/SocialMediaisChangingtheWorld.jpg
  3. Average number of Facebook « friends » in France: 170
  4. Privacy ????? http://www.fieldhousemedia.net/wp-content/uploads/2013/03/fb-privacy.jpg
  5. http://1.bp.blogspot.com/-NqwjuQRm3Co/UCauELKozrI/AAAAAAAACuQ/MoBpRZVrZj4/s1600/Party-Raccoon-Get-Friends-Drunk-Upload-Facebook.jpg
  6. The person who took the photo is a real friend. http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg
  7. Privacy and graph search?
  12. From Big Brother to Big Other
  13. Antonio Casilli (http://fr.slideshare.net/bodyspacesociety/casilli-privacyehess-2012def): • Importance of T&C • Everybody speaks • Mutual surveillance • Lateral surveillance
  14. Geolocalisation http://upload.wikimedia.org/wikipedia/commons/thumb/9/99/Geolocalisation_GPS_SAT.png/267px-Geolocalisation_GPS_SAT.png
  15. Data collection
  17. Interactions controlled by citizens in the Information Society http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm
  18. Interactions NOT controlled by citizens in the Information Society http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm
  19. GDPR
  20. May 25, 2018: GDPR!!!
  21. A. CONTEXT; B. SOME DEFINITIONS; C. THE 12 PRINCIPLES; D. GDPR CONSEQUENCES; E. METHODOLOGY
  22. A: CONTEXT
  23. IN 3 WORDS • GDPR IS A "REGULATION" vs. A "DIRECTIVE" • WORLDWIDE INFLUENCE • CONSEQUENCES FOR COMPANIES AND THE PUBLIC SECTOR
  24. MAY 2018: ENTRY INTO FORCE MAY 25, 2018; DISCUSSED SINCE 2014; VOTED IN 2016. RISKS: PENALTIES (4% OF ANNUAL TURNOVER / UP TO €20M), COMPENSATION IN COURT, REPUTATION. IMPACT: CONTRACTS, PROCESSES, MARKETING, ORGANISATION
  25. B: SOME DEFINITIONS…
  26. PERSONAL DATA: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  27. PROCESSING: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  28. CONTROLLER: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  29. PROCESSOR OR SUB-CONTRACTOR: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
  30. Sub-contractor: The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures
  31. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: the processor shall act only on instructions from the controller; the obligations as defined by the law of the Member State in which the processor is established shall also be incumbent on the processor
  32. DATA BREACH: ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
  33. C: 12 MAIN PRINCIPLES OF GDPR
      1. Accountability
      2. Consumer / citizen rights
      3. Privacy by design
      4. Information security
      5. Data breach
      6. Penalties
      7. Identity and access management
      8. Lawfulness of processing
      9. Record of processing activities
      10. Risk analysis and PIA
      11. Training
      12. Data privacy officer
  34. 1/ ACCOUNTABILITY
  35. 2/ CONSUMER/CITIZEN'S RIGHTS: TRANSPARENCY; SENSITIVE INFORMATION; INFORMATION COLLECTED; RIGHT OF ACCESS; RIGHT TO RECTIFICATION; RIGHT TO ERASURE; RIGHT TO RESTRICTION OF PROCESSING; PORTABILITY; RIGHT TO OBJECT TO PROFILING
  36. 3/ PRIVACY BY DESIGN
  37. 4/ INFORMATION SECURITY
  38. 5/ DATA BREACH
  39. 6/ PENALTIES
  40. 7/ IDENTITY AND ACCESS MANAGEMENT
  41. 8/ LAWFULNESS OF PROCESSING: CONSENT MUST BE EXPLICIT
  42. 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed
  44. OPT IN
  45. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
  46. Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
  47. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life
  48. Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as: the recipients or categories of recipients of the data; whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply; the existence of the right of access to and the right to rectify the data concerning him, in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject
  49. 9/ RECORD OF PROCESSING ACTIVITIES
  50. 10/ RISK ANALYSIS AND PIA
  51. 11/ TRAINING
  52. 12/ DATA PRIVACY OFFICER
  53. D: CONSEQUENCES
  54. E: METHODOLOGY
  55. METHODOLOGY
      1. PRELIMINARY AUDIT
      2. RISK ANALYSIS
      3. LIST OF SERVICES
      4. RECORD OF PROCESSING ACTIVITIES
      5. ACTION PLAN
      6. SEARCH FOR COMPLIANCE
      7. SOLUTION FOR NON-COMPLIANCE
      8. CONTINUOUS PROCESSES
      9. TRAINING
      Phases: Preparation, Implementation, Sustainability
  56. Cookies
  57. International transfer
  58. Sub-contractor
  59. INTERNAL TRAINING
  60. SECURITY (image source: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-security-2/)
  61. Source: https://www.britestream.com/difference.html
  62. Everything must be transparent
  63. Article 16 Confidentiality of processing: Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law
  64. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
  65. SECURITY IS A LEGAL OBLIGATION
  66. What your boss thinks...
  67. Employees share (too) much information, including with third parties
  68. Where is data stolen from? • Banks • Hospitals • Ministries • Police • Newspapers • Telecoms • ... Which devices are stolen? • USB sticks • Laptops • Hard disks • Papers • Binders • Cars
  69. RESTITUTIONS
  71. Image source: http://ediscoverytimes.com/?p=46
  73. “By giving people the power to share, we're making the world more transparent. The question isn't, ‘What do we want to know about people?’ It's, ‘What do people want to tell about themselves?’” (Mark Zuckerberg). Data privacy is outdated! “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” (Eric Schmidt)
  74. PRIVACY VS SOCIAL NETWORKS https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcQgeY4ij8U4o1eCuVJ8Hh3NlI3RAgL9LjongyCJFshI5nLRZQZ5Bg
  76. Privacy statement confusion • 53% of consumers consider that a privacy statement means that their data will never be sold or given away • Only 43% have read a privacy statement • Only 45% use different email addresses • 33% change passwords regularly • 71% decide not to register or purchase because unneeded information was requested • 41% provide fake information. Source: TRUSTe survey
  77. Why don't we read privacy policies? http://www.psl.cs.columbia.edu/classes/cs6125-s11/presentations/2011/Presentation_Joyce_Chen.ppt
  78. Why don't we read privacy policies? http://www.psl.cs.columbia.edu/classes/cs6125-s11/presentations/2011/Presentation_Joyce_Chen.ppt
  79. SOURCE: http://mattmckeon.com/facebook-privacy/
  86. http://e1evation.com/2010/05/06/growth-of-facebook-privacy-events/
  87. http://blogs.iq.harvard.edu/netgov/2010/05/facebook_privacy_policy.html
  88. DATA PRIVACY & THE EMPLOYER http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg
  89. SO-CALLED HIDDEN COSTS http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/
  90. E-recruitment http://altaide.typepad.com/.a/6a00d83451e4be69e2015393d67f60970b-500wi
  91. IAM
  92. RISKS (image source: http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html)
  93. Source: The Risks of Social Networking, IT Security Roundtable, Harvard Townsend, Chief Information Security Officer, Kansas State University
  94. The new head of MI6 has been left exposed by a major personal security breach after his wife published intimate photographs and family details on the Facebook website. Sir John Sawers is due to take over as chief of the Secret Intelligence Service in November, putting him in charge of all Britain's spying operations abroad. But his wife's entries on the social networking site have exposed potentially compromising details about where they live and work, who their friends are and where they spend their holidays. Source: http://www.dailymail.co.uk
  95. Social Media Spam: a compromised Facebook account; the victim is now promoting a shady pharmaceutical. Source: Social Media: Manage the Security to Manage Your Experience; Ross C. Hughes, U.S. Department of Education
  96. Social Media Phishing: a link to "T V V I T T E R.com"; now they will have your username and password. Source: Social Media: Manage the Security to Manage Your Experience; Ross C. Hughes, U.S. Department of Education
  97. Social Media Malware: clicking on the links takes you to sites that will infect your computer with malware. Source: Social Media: Manage the Security to Manage Your Experience; Ross C. Hughes, U.S. Department of Education
  98. Phishing (Source: Luc Pooters, Triforensic, 2011)
  99. DATA THEFT
  100. Social engineering (Source: Luc Pooters, Triforensic, 2011)
  101. Take my stuff, please! Source: The Risks of Social Networking, IT Security Roundtable, Harvard Townsend, Chief Information Security Officer, Kansas State University
  102. 3rd-Party Applications • Games, quizzes, cutesy stuff • Untested by Facebook: anyone can write one • No Terms and Conditions: you either allow or you don't • Installation gives the developers rights to look at your profile and overrides your privacy settings! Source: The Risks of Social Networking, IT Security Roundtable, Harvard Townsend, Chief Information Security Officer, Kansas State University
  103. Right to be forgotten • On 13.05.2014 the European Union Court of Justice backed a ruling called “the right to be forgotten,” which allows individuals to control their data and ask search engines, such as Google, to remove inadequate personal results from the Internet. • However, the decision cannot be interpreted as a “victory” for the protection of the personal data of Europeans, according to privacy experts.
  104. • In 2010 a Spanish citizen lodged a complaint with the national Data Protection Agency against a Spanish newspaper and against Google Spain and Google Inc. • The citizen complained that an auction notice of his repossessed home in Google’s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to them was entirely irrelevant. • He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared; • and second, that Google Spain or Google Inc. be required to remove the personal data
  105. • In its ruling of 13 May 2014 the EU Court said: • a) On the territoriality of EU rules: Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State which promotes the selling of advertising space offered by the search engine; • b) On the applicability of EU data protection rules to a search engine: Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten. • c) On the “Right to be Forgotten”: Individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing
  106. • At the same time, the Court explicitly clarified that the right to be forgotten is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media
  107. • Right to erasure (future rules?) • 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data, where one of the following grounds applies: • (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed • (b) the data subject withdraws consent on which the processing is based according • (c) when the storage period consented to has expired and where there is no other legal ground for the processing of the data
  108. New EU Regulation • right to be forgotten • no more notification to data privacy authorities • data privacy officer • up to 2% turnover penalty • notification of data theft
  109. Control by the employer (image source: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/)
  110. What your boss thinks
  111. BUT…
  112. May the employer control everything?
  113. Who controls what?
  114. Could my employer open my emails?
  115. CODES OF CONDUCT
  116. TELEWORKING
  117. Employer’s control http://fr.slideshare.net/olivier/identitenumeriquereseauxsociaux
  118. Big data
  119. SOLOMO http://www.youngplanneur.fr/wp-content/uploads/2011/06/companies-innovating.jpg
  120. Biometrics
  121. Facial recognition
  122. RFID & internet of things http://www.ibmbigdatahub.com/sites/default/files/public_images/IoT.jpg
  123. SECURITY ???
  124. “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” C. Darwin
  125. ANY QUESTIONS?
