DATA PROTECTION & PRIVACY
The Upcoming Framework Governing the Protection of Personal Data (GDPR): Challenges and how to strike the right balance
UNIVERSITE DE FRIBOURG, INFORMATICS COLLOQUIUM, 31 January 2017
Overview
1. Introduction
2. GDPR and impact for Tech ventures in CH
3. Specificities for Research Projects
4. Consent & Contract
5. Q&A and Conclusion
Introduction
“Watching the legal system deal with the internet is like watching somebody trying to drive a car by looking only in the rear-view mirror” The Guardian – Oct. 6, 2013
1. Introduction: Context
2018: the year the EU GDPR takes effect. This will be the first significant update of data protection laws in Europe for more than 23 years (i.e. the current rules predate the internet, mobile phones, clouds, big data, AI, etc.).
1. Introduction: Context
TECH EVOLUTION: 20-year-old data protection regulation in the EU and in Switzerland.
- GDPR = EU Regulation 2016/679 (applicable from May 25, 2018).
- P-DPA = Swiss Draft Data Protection Act of Sept. 15, 2017.
- Driven by the need to adapt to the technological evolution.
BUT KEEP IN MIND…
- Other regulations in the EU and Switzerland (e.g. Swiss Human Research Act of Sept. 30, 2011).
- Many developments in EU Member States/Courts potentially influencing EU and Swiss law (e.g. Germany).
- Privacy Shield.
- California law (a dozen new laws every year to address various challenges, including the data security breach notification law in 2002, the requirement to publish website privacy policies in 2004 and rules for automated license plate scanning in 2016).
1. Introduction: Context
BEST PRACTICE WORLDWIDE: GDPR as the regulatory reference; complying with GDPR as best practice. No excuses for penalties: there was two years' advance warning!
NO WAY TO ESCAPE:
- GDPR applies practically worldwide (e.g. to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects) …
- … to every entity processing data (collection, recording, structuring, storage, adaptation, consultation, use, disclosure, making available, etc.), wholly or partly, by automated or non-automated means, directly or for others.
- Almost everything is personal data (names, location, online IDs, cultural profiles, IP addresses including dynamic IP addresses, etc.).
- Empowerment of data protection authorities.
GDPR and impact for Tech Ventures in Switzerland
2. GDPR and impact for Tech Ventures in Switzerland
Examples of Rights of Data Subjects and the Corresponding Obligations for Controllers

Information. Right to know how your data is used (for what purposes, how long, if shared, if transferred outside the EU, etc.).
Controller: communication and notification.
- Notification to the data subject when personal data is obtained indirectly, i.e. other than directly from the data subject.
- Notification to the data subject of his or her right to object to profiling, to processing for direct marketing purposes, and to automated decisions.
- Notification to authorities (and, in case of high risk, also to the data subjects) in case of a data breach.

Consent.
Controller: obligation to get clear consent to process data.

Right to object. Possibility to object at any time to the processing of personal data.

Right to access. Request for confirmation as to whether or not personal data concerning the data subject is being processed, where and for what purpose.

Portability. Request for a copy of the personal data, free of charge, in an electronic format.
Controller: obligation to provide the data to the data subject, or to a new supplier chosen by the data subject, in a commonly used and machine-readable format.

Erasure (+ right to be forgotten). Request for the deletion of personal data.
Controller: delete the information (from all servers, backups, etc.) and provide confirmation of deletion.
2. Do I need a DPO? (Art. 37(1) GDPR)
1. I am a public authority or body (Art. 37(1)(a)).
2. My core activities consist of processing, on a large scale, data relating to criminal convictions and offences (Art. 10 GDPR; Art. 37(1)(c)).
3. My core activities consist of processing, on a large scale, data pursuant to Art. 9 (sensitive data) (Art. 37(1)(c)).
4. My core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37(1)(b)).
YES to any of 1-4: DPO needed. NO to all of them: no DPO required.
2. GDPR and impact for Tech Ventures in Switzerland - Examples
Example of right to access: you bought a fitness tracker and subscribed to a health app that monitors your activity. You can ask the app operator for all the information processed on you. This includes all subscription data (such as your name and contact details where relevant) and all information collected about you through the tracker (such as heart rate, performance, etc.).
Source: https://www.edoeb.admin.ch/edoeb/fr/home/documentation/bases-legales/Datenschutz%20-%20International/DSGVO.html
Example of compliance for a data controller: Thomson Reuters World-Check, https://risk.thomsonreuters.com/en/products/world-check-know-your-customer/am-i-on-world-check.html
Specificities for Research Projects
3. Data Protection and Research Projects
3.1 Right to Collect and Use for Research Purposes
Specific assessment in each case. Right based on…
- Consent (GDPR 4(11): statement or clear affirmative action; not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
  - Ordinary consent.
  - Qualified consent (GDPR, interpretation): explicit consent for sensitive data.
- Other lawful bases, including…
  - Legitimate interest of the controller (except if overridden by the interest of the data subject).
  - Public interest: interpretation of GDPR (in particular Recital 157): research purpose as public interest. If carried out by a private organization or for commercial purposes: balancing test?
GDPR 89: safeguards to be put in place. GDPR 40: codes of conduct.
3.2 Right to Reuse for Research Purposes
Specific assessment in each case. Right based on…
- Consent (GDPR 4(11): statement or clear affirmative action; not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
  - Ordinary consent.
  - Qualified consent (GDPR, interpretation): explicit consent for sensitive data.
- Other lawful bases, including legitimate interest of the controller and public interest.
  - GDPR 6(4): processing operations for another purpose compatible with the initial purpose (compatibility test).
  - GDPR 5(1)(b): further processing for research purposes shall not be considered incompatible with the initial purposes (purpose limitation).
GDPR 89: safeguards to be put in place.
3.3 Processing for Research Purposes: Safeguards
Specific assessment in each case.
Principles, incl.:
- Accountability (records of processing).
- Data integrity and confidentiality.
- Protection by design.
- Protection by default (anonymisation, pseudonymisation, minimisation) at the initial set-up.
Processes, incl.:
- Privacy policy.
- DPO.
- Data Protection Impact Assessment.
- Notification in case of breach.
Obligation to inform data subjects / transparency: exemption in case of disproportionate efforts relating to a research project.
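The "protection by default" safeguards above (pseudonymisation, minimisation, integrity and confidentiality) are easy to get wrong in practice: a plain hash of an e-mail address is often mistaken for a pseudonym although anyone with a list of candidate addresses can reverse it. The Python below is an added example written for this page, not code from the colloquium or from any project it mentions. It takes a constructed fitness-app export (invented names, addresses and values), replaces direct identifiers with an HMAC-based pseudonym whose key is generated and held separately from the research dataset (the "additional information kept separately" of GDPR Art. 4(5)), generalises quasi-identifiers, checks that no direct identifier survives, and contrasts the dictionary re-identification that works against an unkeyed hash with the key-holder-only path that remains for access or erasure requests. Field names and the 16-hex-character pseudonym length are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample export of a fitness app (names, addresses and values are invented).
RAW_RECORDS = [
    {"email": "anna.muster@example.org", "name": "Anna Muster",
     "birth_date": "1986-03-14", "postcode": "1700", "heart_rate_avg": 71},
    {"email": "b.keller@example.org", "name": "Beat Keller",
     "birth_date": "1992-11-02", "postcode": "3011", "heart_rate_avg": 64},
    # Same person as record 0, different capitalisation of the address.
    {"email": "Anna.Muster@example.org", "name": "Anna Muster",
     "birth_date": "1986-03-14", "postcode": "1700", "heart_rate_avg": 69},
]
DIRECT_IDENTIFIERS = ("email", "name")  # assumed column names


def generate_key() -> bytes:
    """Pseudonymisation key. Art. 4(5) GDPR requires the additional information
    needed for re-identification to be kept separately: this key stays with the
    controller and never travels with the research dataset."""
    return secrets.token_bytes(32)


def unkeyed_pseudonym(identifier: str) -> str:
    """What NOT to do: a plain hash of an e-mail looks anonymous but is reversed
    by hashing a candidate list (see guess_identity below)."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier. The same
    person always maps to the same value (records stay linkable), but without
    the key a pseudonym cannot be reversed or matched against guesses."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def minimise(record: dict) -> dict:
    """Protection by default / data minimisation: keep only the research
    variable and generalise quasi-identifiers (birth year instead of full
    date, postcode truncated to its first two digits)."""
    return {
        "birth_year": record["birth_date"][:4],
        "postcode_area": record["postcode"][:2] + "00",
        "heart_rate_avg": record["heart_rate_avg"],
    }


def pseudonymise_dataset(records: Iterable[dict], key: bytes) -> list:
    """Dataset handed to the research team: pseudonym plus minimised fields,
    no direct identifiers."""
    out = []
    for r in records:
        row = {"subject_id": pseudonym(r["email"], key)}
        row.update(minimise(r))
        out.append(row)
    return out


def leaks_direct_identifier(dataset: Iterable[dict]) -> bool:
    """Accountability check before release: no direct identifier column survives."""
    return any(field in row for row in dataset for field in DIRECT_IDENTIFIERS)


def guess_identity(target: str, candidates: Iterable[str],
                   hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary re-identification: hash each candidate and compare. Against an
    unkeyed hash this is the attack; with the key it is the legitimate path for
    the controller to locate a subject (e.g. for an access or erasure request)."""
    for c in candidates:
        if hmac.compare_digest(hash_fn(c), target):
            return c
    return None


if __name__ == "__main__":
    key = generate_key()
    research = pseudonymise_dataset(RAW_RECORDS, key)
    print(research)
    known_emails = [r["email"] for r in RAW_RECORDS]
    # Unkeyed hash: trivially reversed from a list of known users.
    print(guess_identity(unkeyed_pseudonym("anna.muster@example.org"), known_emails, unkeyed_pseudonym))
    # Keyed pseudonym: the same attack fails without the key ...
    print(guess_identity(research[0]["subject_id"], known_emails, unkeyed_pseudonym))
    # ... but the key holder can still resolve it.
    print(guess_identity(research[0]["subject_id"], known_emails, lambda e: pseudonym(e, key)))
```

Two design points matter for the legal analysis above: the dataset is pseudonymised, not anonymised, as long as the controller keeps the key, so it remains personal data and the Art. 89 safeguards still apply; and generalising birth date and postcode reduces, but does not by itself rule out, re-identification through combinations of quasi-identifiers, which is what the Data Protection Impact Assessment is meant to weigh.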
Contracts and Policies
4. Consent & Contracts
Possible contractual relationships to consider:
- Tech providers (Swisscom, cloud services, XaaS).
- Other service providers (lawyers, accountants, consultants).
- Public institutions.
- Sister, mother and daughter entities (branches, subsidiaries).
- Tech partners.
- Joint ventures.
- Investors.
- Employees.
- Board members.
- Customers (of the venture and of each of the above parties).
4. Consent & Contracts
Lawful bases for consent and contracts: same analysis as in 3.1 (consent per GDPR 4(11), ordinary or qualified, or another lawful basis such as legitimate interest of the controller or public interest, with a specific assessment in each case, GDPR 89 safeguards and GDPR 40 codes of conduct).
Consent forms: example [figure showing data flows between Users and Advertisers; not reproduced]
http://www.dw.com/en/facebook-faces-german-cartel-office-probe-on-exploiting-user-data/a-42001928
5. Conclusion: Right Balance and Guidance?
- GDPR
- Specificities for research
- Consent & contract