Dr. Hielke Hijmans Special Advisor European Data Protection Supervisor


Reforming the EU Rules on Privacy and Data Protection: What Should Companies and Citizens Expect?

Outline
- Privacy in a global data-driven economy
- The GDPR, the main legal EU instrument (from May 2018)
- One law for the whole EU
- The global reach of EU privacy
- The EU-US Privacy Shield
- The companies' perspective
- The citizen's perspective
- The relevance of privacy for test publishers and assessment service providers

Privacy in a global data-driven economy
- Big Data: data everywhere; economic value.
- Increasingly difficult to protect individuals' privacy.
- Privacy remains a value that is essential in our societies. In the EU it is recognised as a fundamental right.
- Why is this so crucial? The "nothing to hide" notion is fundamentally erroneous.
- People may become less private (by connecting to wide groups on Facebook), but have every reason to become more private: anyone can find out anything about you by combining information.
- Bridge to (pre-)employment testing.

GDPR: main instrument of EU privacy law
- Applicable: 25 May 2018.
- Fairness as the core of the system.
- Other main principles: consent or any other legal ground for processing; purpose limitation, data minimisation; data subjects' rights; obligations of controllers and processors based on accountability; independent supervisory authorities.
- NB: the EU-US Privacy Shield contains similar principles.

One European space, one law
- Rationale of the internal market: one European legal space for companies.
- The glass half full, taking account of EU reality: countries do not wish to give up national specificities.
- The employment context is an area where Member States can do more (Art 88 GDPR).
- Control with national authorities, but strong incentives for cooperation: independence; one stop shop and lead authority; Article 29 Working Party and EDPB.

Global reach of EU privacy
- The internet as a borderless zone.
- Effectiveness of protection of EU citizens as the driver.
- Main link: place of establishment of the controller, not the place where data are processed.
- EU rules also cover non-EU companies: offering services to persons in the EU, such as online testing; monitoring behaviour (e.g., search engines).
- For the testing business: if data of EU residents are processed, the GDPR will in many cases apply.
- EU-US Privacy Shield.

EU-US Privacy Shield
- Safe Harbour annulled by the EU Court; now Privacy Shield.
- Privacy Shield: commercial layer, law enforcement access and national security access.
- Self-certification: voluntary, but once an organisation adheres, it is subject to enforcement (in the U.S.: by DoC and FTC).
- Privacy principles: Notice; Data integrity/purpose limitation; Security; Access; Recourse/Enforcement/Liability; Accountability for Onward Transfer.

Companies' perspective: do the right thing
- Accountability as the overall notion.
- The certification system is strengthened.
- Onward transfer: obligations now also apply to the controller-processor relation. Controller: make an assessment before involving a processor. Contracts with third parties should be revised; much more should be laid down in the contract.
- DoC guidance: develop a Privacy Shield compliant Policy Statement.

EU resident's perspective
- GDPR may apply directly; relevance of Privacy Shield.
- Transparency: DoC maintains a list of adhering companies.
- Redress mechanism for data subjects (pts 43-63):
  - Direct towards self-certified companies.
  - Independent dispute resolution body.
  - DPAs: on a voluntary basis, or compulsory for human resources data. A panel of DPAs will be set up (in future, possibly a role for the EDPB). Procedure with DoC, which may ultimately remove an organisation from the Privacy Shield list.
  - Investigation and enforcement by the FTC.
  - Arbitration panel: pool of at least 20 arbitrators, admitted to practice law in the U.S. General issue: low threshold. The arbitration panel will be paid from fees.
  - Ombudsperson, only dealing with national security access.

Business of online testing
- Global information flows, with companies testing globally.
- Different types of processing activities and information: educational context (e.g. for university admissions) or (pre-)employment context.
- Sensitive data?
- Two main issues: sensitive data, e.g. psychological testing data revealing health; the link with the employment context and the imbalance between employer and employee.
- Also: Privacy Shield provides additional protection for human resources data (pt 48 Recitals Privacy Shield).
- In principle, consent is not used in the employment context, and probably not in a recruitment process either.
- Pre-employment data: where is the boundary? Does it cover additional information provided voluntarily?

THANK YOU! (edps@edps.europa.eu)