Current Trends in Data Protection Law, Berlin, 5th December 2013 (PowerPoint presentation)

  1. Current Trends in Data Protection Law
     Berlin, 5th December 2013
     Dr. Annette Demmel, Matei Ujica, LL.M.
     37 Offices in 18 Countries; 39 Offices in 19 Countries

  2. Who we are…
     Dr. Annette Demmel, Matei Ujica, LL.M.

  3. … and where we are
     We are sitting here… … and have a view of one of the largest construction sites in Berlin (Unter den Linden, subway line U55).

  4. Planned EU Data Protection Reform
     • Original draft of the Commission dated 25 January 2012, amended by Parliament on 21 October 2013
     • EU Basic Regulation shall be directly applicable in all Member States
     • Date of entry into force still unknown, prospectively in 2014
     • Objective: Adjustment of EU data protection law to the Internet age
     • Affected: All citizens and companies as well as public authorities
     Chart: "How important is it for you that your personal information is protected in the same way regardless of the EU country in which this information is collected and processed?"
     Source: European Commission, Eurobarometer 74.3, Results for Germany, Attitude towards data privacy and electronic identity in the European Union

  5. Scope of Application
     • Content:
       o All automated processing of personal data is covered
       o Saving in filing systems
     • Personal:
       o Applicable for those individuals responsible for the processing (whoever makes decisions concerning the purposes, conditions and means of processing)
       o Applicable for commissioned data processors (whoever processes data on behalf of the responsible individual)
     • Territorial:
       o Responsible bodies within the EU, independent of whether the data is processed in the EU
       o Responsible bodies outside of the EU, provided that the concerned individual is based in the EU and the processing serves the purpose of
         - offering such individual goods and services in the EU, or
         - observing the individual's behavior.

  6. Complete Harmonization?
     Specific exemptions intended for:
     • Health data
     • Employment relationship
     • Processing by public authorities
     • Other reasons of public interest

  7. Permissible Data Processing
     The processing of personal data is in principle impermissible.
     • Exceptions:
       o Fulfilling a contract with the concerned individual;
       o Fulfilling a statutory obligation;
       o Protecting vital interests of the concerned individual;
       o Performing a public task;
       o Safeguarding legitimate interests of the responsible individual, provided such interests are not outweighed by the interests or basic rights of the concerned individual.
     Processing of special personal data is permissible
     • To the extent required for:
       o Employment relationship
       o Execution of a contract with the concerned individual
     Consent?…

  8. Consent
     Chart: "Would you prefer that your explicit consent is obtained before personal information is collected and processed?"
     Source: European Commission, Eurobarometer 74.3, Results for Germany, Attitude towards data privacy and electronic identity in the European Union

  9. Consent
     • Data processing can in principle be based on consent
     • Exceptions
       o Consent within the context of an employment relationship is only valid if voluntary
       o Other EU or national regulations can exclude such consent
     • Responsible body has the burden of proof
     • If consent is given in writing, it must be clearly separate from the remaining text
       Example: Text: blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla
                Consent: I consent to my personal data …

  10. Duties
     • Privacy by design: Technical procedures are to be used which offer the concerned individual the greatest amount of protection
       o e.g. privacy by default settings for social networks
     • Documentation
       o Replaces the general reporting obligations concerning data processing to the authorities;
       o Does not apply for companies which do not process the data of more than 5,000 concerned individuals per year
     • ! Children
     • Observance of data protection standards
     • Notification of public authorities and the concerned individual of data protection violations
     • Data protection – risk analysis of certain activities
     • Appointment of a company data protection officer
       o If the data of more than 5,000 concerned individuals is processed within one year

  11. Rights of the Concerned Individual
     Chart: "If you decide to change the internet service provider or terminate the relationship, how important is it for you that your personal information from this service may be transferred to another service?"
     Source: European Commission, Eurobarometer 74.3, Results for Germany, Attitude towards data privacy and electronic identity in the European Union

  12. Rights of the Concerned Individual
     • Right to object
     • Right to data portability
       o Right to demand a copy of the processed data in a common format
     • Right to "be forgotten"
       o Concerned individual can demand the deletion of his data and omission of any further processing

  13. Sanctions
     • Original requirement: Monetary fine of up to EUR 1 million or 2 % of the annual worldwide turnover for severe breaches
     • New draft provides for higher fines of up to EUR 100 million and 5 % of the annual turnover worldwide

  14. PRISM & Co.
     According to an article in The Washington Post, the US National Security Agency has supposedly broken data protection rules thousands of times each year since 2008 or overstepped its authority. This was reported by the newspaper with reference to an internal investigation of the NSA and other strictly confidential documents. The newspaper received such documents during the summer from the former NSA employee Edward Snowden.
     Source: Spiegel Online

  15. PRISM & Co.
     Press release of the German data protection authorities dated 24 July 2013:
     • For the time being, no new authorizations for data transfers to the USA, particularly for certain cloud services
     • Investigation announced whether all transfers on the basis of Safe Harbor and EU standard contractual clauses are faulty (completion expected by the end of 2013)
     Excursus: How does the US transfer function under German law? Workarounds?

  16. Excursus: How does the data transfer function in other countries?
     Two-step assessment:
     Step 1: Data transfer from one company to another
     • Must be justified by particular interests
     • Interest in the transfer must be greater than the right of the concerned individual to exclusion of the transfer
     Step 2: Reasonable level of protection in the recipient country
     a) Exists in the EU and the EEA (Norway, Liechtenstein, Iceland)
     b) Exists in Canada, Switzerland, Argentina, Israel, Guernsey, Andorra, Faroe Islands, Australia, Isle of Man, Jersey, Uruguay, New Zealand
     c) Exists for Safe Harbor certification in the USA, plus diverse and regular confirmations
     d) Exists for the stipulation of EU standard contractual clauses
     e) Exists in the case of agreement of binding corporate rules (for intra-group transfers)
     Transfers according to a) - d) are in principle not subject to authorization
     – if a company data protection officer has been appointed, and
     – has assessed the data processing in advance and endorsed it

  17. Excursus: Safe Harbor from a German Perspective
     • Data protection authorities have already been demanding the regular review of the guarantees of US importers by German companies since 2010
     • PRISM has further increased the skepticism of the authorities
     • Politicians are demanding the renegotiation of the Safe Harbor Agreement
     • EU Commission is currently assessing a suspension of the agreement

  18. Cloud: Requirements of the German Authorities in 2011
     • Resolution of the 82nd conference on 28/29 September 2011: Data protection compliant design and use of cloud computing services
     • Requirements for the use:
       o The duties of the responsible bodies must continue to be fulfilled,
       o The implementation of the data protection and IT security requirements has to have been reviewed
     • Which data protection and IT security requirements are to be reviewed?
       o Confidentiality
       o Integrity
       o Availability
       o Checkability
       o Transparency
       o Ability to influence the data processing
     • Requirement in the resolution: The management of the body processing the data must continue to be able to bear responsibility for its own data processing.

  19. Cloud: Implementation of the Requirements from 2011
     Cloud users should demand
     • Provision of straightforward, transparent and detailed information on the
       – technical and organizational measures, including security concepts, and
       – legal framework conditions.
     • Conclusion of transparent, detailed and clear contractual regulations, in particular concerning the
       – location of the data processing,
       – notification of any change of location,
       – portability,
       – interoperability,
       – implementation of the agreed IT security and data protection measures
       => current and persuasive proof (e.g. certificates of recognized and independent audit organizations)

  20. Cloud: Help with Implementation
     Paper: Guidance – Cloud Computing, of the Technology and Media Task Force of the Conference of Data Protection Officers of the Federal and State Government, Version 1.0, effective date: 26 September 2011
     http://www.datenschutz-bayern.de/technik/orient/oh_cloud.pdf
