CIPP E Summary [PDF]


Richard C. Hsu Shearman & Sterling [email protected]

CIPP/E Privacy Summary* Data Protection Concepts

Personal Data
• "Any Information"
• "Relating to"
  • Content: if about an individual
  • Purpose: processed to affect individual
  • Results: impact on individual
• "Identified or Identifiable"
  • Directly: possible to identify using all means likely to be used
  • Indirectly: e.g. using pseudonymous data
• "Natural Person"
  • May extend to deceased persons

Sensitive Personal Data
• Special Categories
  • Racial or ethnic origin
  • Political Opinions
  • Religious Beliefs
  • Philosophical Beliefs
  • Trade Union Memberships
  • Health or Sex Life
• Directive has general prohibition, subject to exceptions
• Some member states have created "mid-categories"

Controller
• "Natural or legal person, public authority or agency"
  • Should be corporate entity, not individual
• "Alone or jointly with others"
  • Does not have to be same time or equal in proportion
• "Determines the purposes and means of processing data"
  • Ability to decide how personal data is being processed

Processor
• "Natural or legal person (other than EE of controller)"
  • Separate legal entity from Controller
• "Processes personal data on behalf of controller"
  • Does not have authority to allocate rights to process data

(Remaining box labels from the slide diagram: Data Subject; Personal Data; EU Directive)

Fundamental Data Protection Principles

Fair and Lawful
• Article 6(1)(a)
• "Fair": must disclose
  • Identity of controller
  • Purpose of data
  • Right to access and rectify data
• "Lawful": must satisfy data protection laws and cannot be in breach of:
  • Enforceable Contract
  • Duty of Confidence
  • Human right to privacy

Legitimate Processing Criteria
• Article 7
• Can process Personal Data if it satisfies 1 of the following criteria:
  1. Unambiguous Consent (freely given, specific, informed)
  2. Contractual Necessity
  3. Compliance with Law
  4. Protection of Vital Interests
  5. Public Interest/Official Authority
  6. Legitimate Interests of Controller

Sensitive Personal Data
• Article 8
• Processing is generally prohibited unless:
  • Explicit Consent (like Article 7 consent but must be a clear affirmative act)
  • Employment Law
  • Protection of Vital Interests
  • Non-Profit Memberships
  • Made public by individual
  • Defense of Legal Claims

Purpose Limitation
• Article 6(1)(b)
• Attempts to set boundaries on use and purpose
• Exception for research purposes
• Principle of Finality (only purpose)
• A29WP says ok to use for other purposes if data is anonymized

Proportionality
• Article 6(1)(c)
• Use of data cannot be excessive or irrelevant
• "You must not use a steam hammer to crack a nut, if a nutcracker will do"

Data Quality
• Accuracy
  • Must be accurate when collected and remain accurate
• Retention
  • Article 6(1)(e)
  • Requires controllers to (a) delete data after no longer needed or (b) anonymize

Application of the Law

Establishment in the EU
• Article 4(1)(b)
• Law of a member state applies when data processing is carried out "in the context of the activities" of an "establishment" of the Controller
• Article applies only if (a) entity is involved in actual processing and (b) does so as a Controller

Equipment
• Article 4(1)(c)
• More controversial than any other provision in the Directive
• National data protection law applies to a Controller that makes use of Equipment in that member state, unless that Equipment is used for "transit"
• Applies to a physical computer network located in the EU and operated remotely (but could apply to the entire Internet!)

Transit
• Article 4(1)(c)
• No authoritative guidance on definition of "transit"
• If Equipment used in processing merely receives and automatically transmits data (solely as a conduit), it is exempt

*Adapted from IAPP CIPP/E Privacy Certification

CIPP/E Privacy Summary* International Data Transfer

Derogations
• Article 26(1) provides for a general prohibition of data transfer with 6 exceptions:
  1. Consent
  2. Contract Performance
  3. Substantial Public Interest
  4. Legal Claims
  5. Vital Interests
  6. Public Registers

Safe Jurisdictions
• Switzerland; Hungary (part of EEA); Canada; Argentina; Guernsey; Isle of Man; Jersey; Faroe Islands; Andorra; Israel

Safe Harbor
• US Dept of Comm and EU developed 7 requirements that satisfied the Directive, which must be publicly declared:
  1. Notice
  2. Choice
  3. Onward Transfer
  4. Security
  5. Data Integrity
  6. Access
  7. Enforcement
• Safe Harbor is no longer in effect as of 2016

Binding Corporate Rules (BCR)
• A29WP Advisory Documents
• Self-audits
• Individual complaints must be addressed
• Clear duties of cooperation with DPA
• Must have provisions on liability and jurisdiction

Model Contracts
• Article 26(2): requires adequate safeguards for transfer
• Article 26(4): can use standard contractual clauses (ICC and BCI)

Supervision and Enforcement

Regulators' Core Powers
• Article 28(3)
• Investigative Powers
• Powers of Intervention by Regulators
• Power to engage in legal proceedings
• Receiving and dealing with complaints
• Annual Reports
• International Cooperation

Compensation and Sanctions
• Article 23: pursue damages claims
• Article 24: member states can create administrative sanctions

European Data Protection Supervisor (EDPS)
• EDPS is the data protection regulator for the EU as an entity
• Article 46: EDPS's duties
• Article 47: EDPS's powers
• Regulation 45/2001 mirrors the Directive

Article 29 Working Party
• Not a regulatory body, but role is incredibly broad
• Principal Outputs
  • Opinions
  • Working Documents
  • Annual Reports
• Spots divergences

Notifying DPA

Notification Requirements
• Article 18(1)
• Member states must ensure that the Data Controller notifies the relevant DPA before any processing of Personal Data
• Notification must be immediate and could have criminal penalties

Purpose of Notifying DPAs
• Foster transparency
• Assist DPA in regulatory functions
• Provide DPA source of funds

Content of Notification
• Article 19 stipulates content of notification
• "Per System"
  • Hardware or software a company uses to carry out a particular function or activity
• "Per Use or Purpose"
  • Notification for each data processing purpose (e.g. HR or marketing)

Prior Checking / Authorization
• Article 20
• May require processor to perform "prior checking" and obtain approval from DPA (e.g. Sensitive Personal Data)
• "Prior checking" is carried out by DPA following request or notification from Data Controller

Confidentiality and Security

Appropriate Technical and Organizational Measures to Protect Personal Data
• Article 17
• Provides risk-based approach for determining appropriate controls
• Consider nature of data, threat vector and harm from security breach
• Risk Assessment also includes "state of the art" test and cost requirement

In Practice
• Layered Privacy Notices
• Human Factors
  • Board level issue
  • Culture for security
• Physical Environment
  • Entry control systems, CCTV, lock and key
• Info Tech and Comm
  • Encryption, privacy-enhancing technologies, 2 factor authentication, etc.

Data Processors

Engaging Processors
• Maintain quality control
• Checklist for DD and contract provisions

CIPP/E Privacy Summary* Regulators

Legislative Framework
• European Parliament
  • Members directly elected
• European Council
  • Heads of Member States + Pres of EC
  • Sets political direction
• European Commission
  • Executive body of the EU
  • Resp. for Member State implementation and "Adequacy Findings"
• Council of the EU
  • Main decision-making body of the EU
  • One minister from each member state
• EU Court of Human Rights (ECHR)
  • No powers of enforcement
• European Court of Justice
  • Judicial body of the EU (Luxembourg)

The "Directive"
• EU Data Protection Directive (95/46/EC)
• Gen'l principles for member states to implement

Data Retention Directive
• Addresses retention of data
• Does not cover actual content; only applies to traffic and location data

E-Privacy Directive
• Concerns processing personal data over the Internet and public networks

Amendment to e-Privacy Directive
• Mandatory data breach notifications
• Use of cookies and storage of information on terminal equipment requires user consent

108 Convention (1981)

Information Provision Obligations

Notice
• Article 10
• Must provide Data Subject at least the following info:
  • "Identity of Controller"
  • "Purposes of processing" and
  • "Further information" such as:
    • "Recipients of subject data"
    • "Right of access"
    • "Right to rectify data"

Exemptions to Providing Data Subject Notice
• Data Controller does not have to provide Data Subject information under Article 10 if:
  • Data Subject already has the information
  • Personal Data used for statistical purposes or for historical or scientific research; and the provision of information would either be "impossible" or have "disproportionate effect"
  • Recording or disclosure of Personal Data is required by law

Layered Privacy Notices
• Layer 1: the short notice, which includes the requirements of Article 10
• Layer 2: the condensed notice, which includes point of contact for questions
• Layer 3: the full notice

Data Subject Rights

Right of Access
• Article 12(a)
• Provides right of access "without constraint at reasonable intervals and without excessive delay or consent"
• Reasonable interval is generally interpreted as once a year

Right to Rectification
• Article 12
• Data must be "accurate and, where necessary, kept up to date"
• With or without a specific request, Data Controller must remedy inaccurate data of his own accord

Right to Object to Marketing
• Drafted favorably toward controller
• Default is that Controller can send marketing messages until recipient "opts out"

Right to Object to Processing
• Article 14
• Allows individuals to assert their right to "informational self-determination"

Right not to be subject to fully automated decisions
• Article 15
• Right is cast narrowly, entitling individuals to prevent the automated decision from being made, not automated processing itself

CIPP/E Privacy Summary* Surveillance

Employment

Processing Employee Data
• Legal Basis:
  1. Consent from EE
  2. Necessary to fulfill employment contract
  3. Necessary to meet legal obligation
  4. Legitimate interest
• Explicit consent required for processing Sensitive Personal Data
• Must provide EE with notice about use and purpose of data
• Storage of data is permissible while employed

Whistle Blowing Policies
• Limit reporting individuals (vs individuals incriminated)
• Anonymous reporting should not be encouraged
• Limit scope of reports
• Establish strict data retention policy
• Policies should be provided to EE
• Reports must be secure

Workplace Monitoring
• EE has right to privacy, but it must be balanced with ER's right to protect business from harm
• Monitoring must be in compliance with data protection principles:
  • Necessity
  • Legitimacy
  • Proportionality
  • Transparency

Marketing

Direct Marketing
• Direct Marketing is marketing to an individual
• Direct Marketing is broadly defined by A29WP, but the Directive only applies to marketing which uses personal data (including charities and non-profits)
• Postal marketing which uses personal data must comply with the Directive, but not the e-Privacy Directive

Telemarketing
• Telemarketing is a form of digital marketing and subject to the Directive
• No prior consent required, but Article 13(3) requires right to "opt-out"
• Most member states have a national opt-out register
• Prior "opt-in" consent req'd for automated calling

Surveillance

3 Types of Comms Data
• Content (conversation; email)
• Traffic Data (metadata of content)
• Location Data (could be traffic data)

Communications
• Article 5(1)
• Prohibits surveillance without user consent, except when legally authorized under Article 15(1)
• Does not include technical storage or recording of comms to evidence a business transaction
• Article 15(1) enables member states to make exceptions for national security or public safety, etc.

Closed Circuit TV (CCTV)
• If video surveillance falls under the Directive, it must comply with its requirements
• Compliance requires:
  • Prior Checking
  • Lawfulness
  • Proportionality
  • Rights of Individual

Biometric Data
• Ex: DNA or fingerprints
• Used for ID purposes
• Constitutes personal data, could be sensitive personal data
• Processing of Biometric Data may require "Prior Checking"
• Use must be proportional to need

Internet

Direct email Marketing
• Generally requires prior "opt-in" consent before email marketing, by providing a "fair processing notice" at the time of data collection
• "Soft Opt-In Rule": email marketing ok without consent "in the context of the sale of a product or service"
  • Must be similar product or services
  • Must provide free and easy opt-out availability

Cloud Computing
• EU-based controllers must comply with the Directive in the member state in which they operate
• Controller based outside the EU but with equipment located in the EU must comply
• Controller is responsible for data protection rules
• Cloud service providers must ensure that suppliers:
  • Process personal data in accordance with customer's instruction
  • Process only as necessary for provision of services
  • Implement appropriate tech and org measures
• International data transfer rules apply
  • Can rely on Article 26 Derogations or model contracts

Web Cookie Issues
• ID non-essential cookies
• Assess level of intrusion
• Provide enhanced notice
• Consider options to provide choices

IP Addresses
• Some member states consider them personal data

Outsourcing
• Ensure suppliers put into place data protection and appropriate security measures