Dr. Hielke Hijmans, Special Advisor, European Data Protection Supervisor
Reforming the EU Rules on Privacy and Data Protection: What Should Companies and Citizens Expect?
Outline
Privacy in a global data-driven economy
The GDPR, the main EU legal instrument (from May 2018)
One law for the whole EU
The global reach of EU privacy
The EU-US Privacy Shield
The companies' perspective
The citizen's perspective
The relevance of privacy for test publishers and assessment service providers
Privacy in a global data-driven economy
Big Data: data everywhere; economic value.
Increasingly difficult to protect individuals' privacy.
Privacy remains a value that is essential in our societies. In the EU it is recognised as a fundamental right.
Why is this so crucial? The "nothing to hide" notion is fundamentally erroneous.
People may become less private (by connecting to wide groups on Facebook), but have every reason to become more private.
Anyone can find out anything about you by combining information.
Bridge to (pre-)employment testing.
GDPR: main instrument of EU privacy law
Applicable from 25 May 2018.
Fairness as the core of the system.
Other main principles: consent or another legal ground for processing; purpose limitation and data minimisation; data subjects' rights; obligations of controllers and processors based on accountability; independent supervisory authorities.
NB: the EU-US Privacy Shield contains similar principles.
One European space, one law
Rationale of the internal market: one European legal space for companies.
The glass is half full, taking account of EU reality: countries do not wish to give up national specificities.
The employment context is an area where Member States can do more (Art. 88 GDPR).
Control stays with national authorities, but with strong incentives for cooperation: independence; one-stop shop and lead authority; Article 29 Working Party and EDPB.
Global reach of EU privacy
The internet as a borderless zone.
Effectiveness of the protection of EU citizens as the driver.
Main link: the place of establishment of the controller, not the place where data are processed.
EU rules also cover non-EU companies that offer services to persons in the EU (such as online testing) or monitor their behaviour (e.g., search engines).
For the testing business: if data of EU residents are processed, the GDPR will in many cases apply.
EU-US Privacy Shield.
EU-US Privacy Shield
Safe Harbour was annulled by the EU Court; now the Privacy Shield.
Privacy Shield: a commercial layer, plus law enforcement access and national security access.
Self-certification: voluntary, but once an organisation adheres it is subject to enforcement (in the U.S.: by the DoC and the FTC).
Privacy principles: Notice; Data Integrity/Purpose Limitation; Security; Access; Recourse/Enforcement/Liability; Accountability for Onward Transfer.
Companies' perspective: do the right thing
Accountability as the overall notion.
The certification system is strengthened.
Onward transfer.
Obligations now also apply to the controller-processor relation.
Controller: make an assessment before involving a processor. Contracts with third parties should be revised; much more should be laid down in the contract.
DoC guidance: develop a Privacy Shield-compliant Policy Statement.
EU resident's perspective
The GDPR may apply directly; relevance of the Privacy Shield.
Transparency. The DoC maintains a list of adhering companies.
Redress mechanism for data subjects (pts 43-63):
Directly towards self-certified companies.
Independent dispute resolution body.
DPAs: on a voluntary basis, or compulsory for human resources data. A panel of DPAs will be set up (in future, possibly a role for the EDPB); procedure with the DoC, which may ultimately remove the organisation from the Privacy Shield list.
Investigation and enforcement by the FTC.
Arbitration panel: a pool of at least 20 arbitrators admitted to practice law in the U.S. General issue: low threshold. The arbitration panel will be paid from fees.
Ombudsperson, only dealing with national security access.
Business of online testing
Global information flows, with companies testing globally.
Different types of processing activities and information: educational context (e.g. for university admissions) or (pre-)employment context.
Sensitive data?
Two main issues: sensitive data, e.g. psychological testing data revealing health; and the link with the employment context and the imbalance between employer and employee.
Also: the Privacy Shield gives additional protection to human resources data (pt 48 of the Privacy Shield Recitals).
In principle, consent is not used in the employment context, and probably not in a recruitment process either.
Pre-employment data: where is the boundary? Does it cover additional information provided voluntarily?
THANK YOU! (edps@edps.europa.eu)