Presentation to IAPP, November 18, 2013: EU Data Protection


Table of Contents
1. Introduction
2. Scope
3. Substantive Obligations
4. Formal Obligations
5. International Transfers
6. Enforcement
7. Sanctions, Remedies, Liability
8. What Next?

INTRODUCTION to the draft Regulation

The race to Spring 2014: Legislative Agenda
- January 2012: Draft Regulation proposal by the Commission.
- January 2012 to October 2013: European Parliament and European Council separately debated the draft text.
- 21 October 2013: LIBE Committee orientation vote on compromise text.
Expected timeline:
- October to December 2013: European Council formulates its position on the text for negotiation with Parliament and Commission.
- Dec 2013/Jan 2014: Trialogue negotiations between Commission, Council and Parliament.
- April 2014: Parliament intends to have a first reading vote in plenary session, based on agreement from the trialogue if possible.
- May 2014: European Parliament elections.

Legal Instrument: Regulation or Directive? A Regulation has direct effect. Legal certainty (?). Remaining political divide: Regulation or Directive.

SCOPE of the draft Regulation

Territorial and Personal Scope
Old Directive:
- Processing carried out in the context of the activities of an establishment of the controller on the territory of the Member State.
- The controller is not established on Community territory and, for purposes of processing personal data, makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.
New Draft Regulation:
- Processing of personal data in the context of the activities of an establishment of the controller or a processor in the Union.
- Processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behavior.

Territorial Scope. Broader application than the Directive: more non-EU-based companies offering services on the internet come within reach of the Regulation. LIBE Committee: non-EU-based processors are also in scope. Not clear: "monitoring"; "individuals residing in the EU"; "offering goods or services".

Personal Scope: Changes to the existing legal framework. Obligations directly imposed on processors. Processors subject to the sanctions provided in the Regulation.

Personal Scope: Specific obligations for processors. Directly liable for:
- Maintaining documentation concerning processing activities.
- Cooperating with the supervisory authority.
- Implementing appropriate technical and organizational information security measures.
- Appointing a data protection officer.
- Informing the data controller immediately of a data breach.

Personal Scope: Specific new obligations for processors.
- Conducting data protection impact assessments.
- Prior DPA authorization or consultation (where required).
- Complying with the requirements regarding international data transfers.
LIBE Committee additions: privacy by design, data protection compliance reviews (bi-annually).

Personal Scope: Practical implications. Significant increase in enforcement risk and administrative burden. Contract negotiations between controllers and processors will become more difficult and more important (high sanctions; controllers and processors will be jointly and severally liable).

Material Scope. No fundamental changes. Updates of definitions in light of Working Party positions and online processing (e.g., means of identifying an individual now include location data and online identifiers). LIBE Committee: gender identity is sensitive information.

SUBSTANTIVE OBLIGATIONS in the draft Regulation

Accountability: Responsibilities and paper trail. Data controllers will be obliged to adopt policies and implement measures not just to ensure compliance, but to be able to demonstrate compliance, including:
- Documentation of all processing operations (also processors).
- Appropriate information security (also processors).
- Privacy impact assessments (controllers or processors).
- Consultation and authorization of DPAs (controllers or processors).
- Designation of a DPO where relevant (also processors).

Accountability 1. Documentation of processing.
- Documentation must be kept available to DPAs.
- Also applies to processors.
- Obligation watered down by the LIBE Committee: only the documentation necessary in order to fulfil the requirements laid down in the Regulation.

Accountability: Exemptions from documentation. Commission proposal: exemption for companies of fewer than 250 people whose processing activities are an ancillary activity. LIBE Committee: removes the exemption.

Accountability 2. Privacy Impact Assessment. For processing considered risky (e.g. large-scale monitoring or sensitive data processing). Applies to controllers or processors. LIBE Committee: risk assessment plus privacy impact assessment (stress on information lifecycle management).

Data Minimization: Clarification of a fundamental principle. Personal data shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data.

Privacy by Design/Default: New principles. Design: taking into account the state of the art and the cost of implementation, the controller is obliged to implement measures to ensure compliance with the Regulation and protection of data subject rights. Default: mechanisms must ensure that the default situation is minimum data collection for the purpose, in terms of both data amount and retention. LIBE Committee: broadens the obligation to processors; obligations apply regardless of cost.

Right to be Forgotten. Right to request (i) erasure of personal data, and (ii) abstention from further dissemination. Only in certain cases: (i) the data no longer serve their purposes; (ii) consent-based processing; (iii) right to object (e.g. direct marketing); (iv) illegal processing. Obligation to delete and to inform third parties without delay. Restrictions: e.g. if there is an alternative legal basis to keep the data.

Right to be Forgotten: Concerns. LIBE Committee: obtain from third parties the erasure of any links to, or copy or replication of, that data. Technical difficulties and investment; anticipate the requirement in arrangements with processors.

Right to Data Portability. Right to obtain a copy of data which allows further use by the data subject; and right to transmit personal data and other information processed in an automated processing system into another system (e.g. when switching service provider) without hindrance from the data controller.

Right to Data Portability: Restrictions. Right to obtain a copy of data: only when data are processed by electronic means and in a structured and commonly used format (?) => the Commission may clarify. Right to transmit personal data: only if (i) the data subject has provided the personal data and (ii) the processing is contract- or consent-based.

FORMAL OBLIGATIONS in the draft Regulation

New Formal Obligations 1) Notification to the national DPA abolished. Replaced by obligations regarding accountability.

New Formal Obligations 2) Formal requirements for consent. Explicit by default (for sensitive and non-sensitive data). Presented distinguishably (e.g. within terms and conditions). Withdrawal at any time. Not valid if there is an imbalance in position between controller and data subject (e.g., employment context).

New Formal Obligations 3) Requirement to have clear and easily accessible policies regarding data processing and the exercise of data subjects' rights.

New Formal Obligations: LIBE Committee proposal. Introduction of a two-step notice procedure, with display of basic information at the first stage.

New Formal Obligations 4) Data breach notification obligation. Extremely broad definition of data breach. Obligation for the data controller to inform (a) the supervisory authority, and (b) the affected data subjects. Obligation for the data processor to inform the data controller. LIBE Committee: removed the 24-hour deadline => "without undue delay". EDPB to issue guidance.

Formal Obligations 5) Prior authorization and prior consultation obligations. Prior authorization: for international data transfers based on ad hoc contracts, or if no appropriate safeguards are provided in a legally binding instrument. Prior consultation: if (a) the PIA indicates a high degree of specific risks; or (b) the intended processing operation is included in the DPA list as high risk.

New Formal Obligations 6) Appointment of a data protection officer. Data controllers and processors are required to appoint a DPO if, inter alia: the processing is carried out by an enterprise employing 250 persons or more; or the core activities of the controller/processor require regular and systematic monitoring of data subjects. LIBE Committee: amended thresholds (e.g. processing of data of 5000 individuals over 12 consecutive months; large-scale sensitive data processing on children/employees) plus a 4-year term of office for an internal DPO, 2 years if external.

INTERNATIONAL DATA TRANSFERS in the draft Regulation

International Transfers. Provisions apply to data controllers and processors. Strong focus on onward transfers. Evolution: from "no transfer unless adequate protection" => "transfer if the conditions in the Regulation are fulfilled".

International Transfers: 4 types.
- Transfers by adequacy decision.
- Transfers by way of appropriate safeguards.
- Transfers by way of binding corporate rules.
- Derogations.

International Transfers 1. Transfer by adequacy decision. By Commission decision. Somewhat expanded scope => not only a country, but also a territory within a third country, a processing sector (within that country), or an international organization can be found adequate. LIBE: sunset clause of 5 years in case of an adequacy decision for a specific business sector.

International Transfers 2. Transfers by way of appropriate safeguards.
- BCRs.
- Model contractual clauses (no longer permits).
- Standard model clauses approved by a DPA (in accordance with the consistency mechanism).
- Ad hoc contractual clauses.
- Other appropriate safeguards not provided for in a legally binding instrument.
LIBE Committee: adequacy by European Data Protection Seal; 5-year sunset for current Commission decisions; BCR-P deleted.

International Transfers: Derogations. Generally the same list as Article 26 of Directive 1995/46. New: a transfer can, under limited circumstances, be justified on a legitimate interest of the data controller or processor, but only after having assessed and documented the circumstances of that transfer.

International Transfers: Foreign law access requests. The situation of disclosure to third countries under foreign law was omitted from the Commission's draft. Parliament reintroduced this issue in a new Article 43a:
- No judgment requiring disclosure will be recognized or enforceable unless under a mutual legal assistance treaty.
- Where disclosure is requested by a foreign judgment, prior authorization of the DPA is needed.
- The DPA will assess compliance of the disclosure with the Regulation and use the consistency mechanism if it affects data subjects from other Member States.
- Companies must also inform data subjects of the request and obtain authorization.

International Transfers: Is Safe Harbor doomed? Following Snowden, overarching concern with protection of EU data in the US. Grievances are general, unlikely to crystallize into real action to undermine the Safe Harbor regime. The regime may be strengthened in light of the Regulation.

ENFORCEMENT in the draft Regulation

Enforcement: Enforcement bodies. National DPAs. European Data Protection Board ("EDPB"). Commission. EDPS.

National DPAs: General. DPAs remain, but with some change in role and responsibilities. Rules of establishment and internal procedures remain national. Independence requirements for DPAs and their members. Member States must provide financial resources.

National DPAs: Competences. Local territorial enforcement (and vis-à-vis local public authorities). Lead DPA for the company's main establishment in the case of multinationals with a centralized EU presence. LIBE Committee: a lead DPA can ask the EDPB to issue an opinion on who is lead.

National DPAs: Duties. General monitoring and complaint investigations as before. Specific mutual assistance obligations with other DPAs. Specific obligations to ensure consistent application and enforcement (inter alia via the "consistency mechanism"). Specific stress on joint operations of DPAs. Issue opinions on draft codes of conduct and approve BCRs.

National DPAs: Powers. Notify controllers/processors in case of a breach and issue orders to (i) remedy the breach, (ii) improve compliance or (iii) conduct consumer breach notifications (LIBE), plus temporary or definitive bans on processing. Broad investigative powers (including access to any premises and any data processing equipment and means). LIBE: without prior notice (!).

National DPAs: Powers, continued. Suspend data flows. Issue opinions on any issue related to the protection of personal data. Issue administrative sanctions, bring violations to the attention of judicial authorities and engage in legal proceedings.

European Data Protection Board: European DPA ("EDPB"). Converts (replaces) the Art. 29 Working Party into a pan-EU DPA. Composed of the heads of national DPAs and the EDPS. The Commission is not a formal member but can participate.

European Data Protection Board: Tasks. Consistent application of the Regulation and promotion of cooperation between DPAs (e.g. role in the consistency mechanism, opinions). Advice to the Commission (e.g., delegated acts, Commission decisions). No appeal to the EDPB against decisions of the (lead) DPA => local law remedies.

Mutual Assistance (DPA Cooperation). DPAs must provide mutual information and assistance to each other to apply and implement the Regulation. The Commission can determine procedures for cooperation. A DPA cannot refuse unless: the requested DPA is not competent for the request; or compliance would be incompatible with provisions of the Regulation.

Mutual Assistance: Joint Operations. In certain cases, DPAs can carry out joint operations. Joint operations = investigations, enforcement measures or other operations where staff of other DPAs are involved. DPAs of other Member States have a right to participate in joint operations when the processing impacts data subjects on their territory. Joint operations will have a host DPA which assumes responsibility and coordinates the joint operation.

Consistency Mechanism: DPA Draft Measures. Prior checking of DPA measures by the EDPB, if the draft measures are intended to produce legal effects and: concern data processing relating to goods/services in several Member States or monitoring of behavior; affect the free movement of personal data within the EU; or aim at determining international transfer mechanisms (e.g. DPA standard data protection clauses, ad hoc data transfer agreements, approvals for BCRs).

Consistency Mechanism: Additional grounds. Upon request of a DPA or the EDPB. Upon request of the Commission.

Consistency Mechanism: EDPB Opinion. The EDPB will issue an opinion on the matter within one week of the provision of information. This opinion will be adopted within one month. The DPA issuing the draft measure and the lead DPA have two weeks to maintain or amend the draft measure. LIBE Committee: amends the process and distinguishes between measures of general application and individual cases.

SANCTIONS, REMEDIES, LIABILITY in the draft Regulation

Administrative Sanctions: Regime proposed by the Commission. New sanctions have teeth to ensure compliance. The DPA shall impose fines for negligent or intentional violations:
- Up to EUR 250,000 or 0.5% of annual global turnover for companies for lesser offenses (e.g. not promptly responding to data subject requests);
- Up to EUR 500,000 or 1% of annual global turnover for companies for medium offenses (e.g. not maintaining required documentation or not providing information to data subjects); and
- Up to EUR 1,000,000 or 2% of annual global turnover for companies for the most serious offenses.

Administrative Sanctions: Regime proposed by the Commission. Each DPA is empowered to issue fines. DPAs have discretion to ensure sanctions are effective, proportionate and dissuasive. The amount of the fine is determined based on the following criteria: nature, gravity and duration of the breach; character of the breach (negligent versus intentional); degree of responsibility of the natural/legal person and previous breaches; technical and organizational measures implemented; and degree of cooperation with the DPA to remedy the breach.

Administrative Sanctions: Regime proposed by the LIBE Committee. Even more aggressive sanctions: the DPA shall impose at least one of the following: a written warning; regular data protection audits; a fine of up to EUR 100,000,000 or up to 5% of annual global turnover. Companies with EDP Seals will only be fined in cases of intentional or negligent non-compliance. Fines may take into account certain factors, e.g. nature, gravity, intentional or negligent character, repetitive nature, etc.

Remedies and Liabilities: Right to lodge a complaint before a DPA. Every data subject, or an organization representing individuals' interests. In any Member State. A complaint can also concern data pertaining to individuals other than the complainant.

Remedies and Liabilities: Right to judicial remedy against a DPA. Each individual/company has a right to a judicial remedy against a DPA. Normally, the local courts will have jurisdiction. However, in case of multi-jurisdictional issues, a data subject may ask the local DPA to bring proceedings on its behalf against the competent DPA in another Member State.

Remedies and Liabilities: Compensation, Liabilities and Remedies. Individuals and organizations/associations representing individuals can initiate proceedings. Competent courts are the courts where the controller or processor has an establishment; alternatively, the courts of habitual residence of the data subject. Persons harmed by unlawful processing can claim compensation from the controller/processor for damages. Joint and several liability where there is more than one controller or processor.

WHAT NEXT?

Delegated and Implementing Acts. Criticized for leaving too much uncertainty: the draft contains 26 opportunities for the Commission to later adopt Delegated Acts and 22 provisions contemplating Implementing Acts. Both the Parliament and the Council have proposed removing most of these powers and instead increasing the role of the European Data Protection Board.

Being Prepared. Once the Regulation is passed there will likely be a two-year period before it comes into force. As soon as there is a clear text, businesses should begin preparation: 2 years will not be much time considering the significant changes contemplated!

Take-away for US companies. Lower threshold for applicability of EU laws. Privacy a higher priority for compliance. Greater administrative burden: documentation obligations, appointment of a DPO. New obligations for processors with EU establishments. Greater flexibility for international transfers. More harmonization...?

We appreciate the opportunity to be of service to you. Lorenz, Regentlaan 37-40 Boulevard du Régent, 1000 Brussels, Belgium. Telephone +32 2 239 2000 - Fax +32 2 239 2002. www.lorenz-law.com