
The EU Data Protection Directive revised: New challenges and perspectives

This conference paper discusses the challenges and perspectives of the revised EU Data Protection Directive, focusing on issues related to cloud computing, Web 2.0, applicable law, cross-border data transfers, and the right to be forgotten. The paper explores the legal implications and suggests potential amendments and improvements to the directive.



  1. The EU Data Protection Directive revised: New challenges and perspectives
     Maria Giannakaki, Attorney at Law – D.E.A.
     4th International Conference on Information Law, 20-21 May 2011, Thessaloniki

  2. The EU Data Protection Directive revised: New challenges and perspectives
     • Challenges
       • Cloud computing
       • Web 2.0
     • Perspectives for amendment
       • Applicable law
       • Cross-border issues
       • Right to be forgotten
       • Quasi-legal measures

  3. Cloud computing
     • Cloud computing allows users
       • to access and store information and
       • to use software functionality on remote servers hosted in data servers worldwide
     • Delivery models
       • IaaS (Windows Live SkyDrive, Rackspace Cloud)
       • PaaS (Google App Engine)
       • SaaS (Zoho.com, Google Docs)

  4. Which law applies in the cloud?
     • ‘Place of establishment’ and ‘use of means’ are no longer suitable determinative factors for applicable law
       • Data centers are located in several jurisdictions
       • Data is transferred randomly, processed and duplicated in a variety of locations
     • The cloud requires a different approach based on
       • the place where the processing takes place
       • targeted individuals

  5. Who is responsible for data protection compliance?
     • Data controller vs. processor:
       • Data controller: the party who determines the purpose and means of processing
       • Data processor: the party who acts on the data controller’s behalf
     • Issues when applied in the cloud computing context:
       • Multiple offers and different clients targeted
       • Difficult to determine who acts as data controller
       • Customers may end up being solely responsible for data protection compliance
       • Sub-contracting concerns

  6. Which legal basis for cross-border data transfers?
     • Countries with a non-adequate level of protection
       • US Safe Harbor
       • Model contracts
       • Binding Corporate Rules
       • Onward transfers

  7. Web 2.0 - Characteristics
     • Social computing / Web as a platform
     • Web 2.0 characteristics
       • Ubiquitous character of information
       • Different types of information are aggregated and made available in a single view
       • Information is used in a different context than the one in which it was originally published
       • No oblivion on the Internet: the “Hotel California effect”

  8. Web 2.0 - Data privacy challenges
     • Ignorance of the danger of exposure:
       • Privacy is no longer a social norm
       • Illusion of intimacy on the Web
       • Users publish much more information than they think
       • Information which would otherwise be forgotten or forgiven can be easily retrieved
     • Data subjects are losing control over their data

  9. Perspectives for amendment
     • European Commission Communication “A comprehensive approach on personal data protection in the EU”
     • Council’s Conclusions on the Communication
     • WP29 “The future of privacy”
     • European Commission DG JFS Study “New Challenges to Data Protection”
     • Summary of replies to the Public Consultation

  10. Applicable law
     • Current provisions
       • “context of the activities” principle
       • “use of equipment”, unless such equipment is used for purposes of transit
     • Suggestions for improving the Directive
       • Shift back to the “country of origin” principle
       • Concept of “targeted individuals” or “service-oriented approach”
       • Children’s Online Privacy Protection Act
       • Rome I

  11. Cross-border issues
     • Harmonization within the EEA countries
       • Amendment of the Directive or Regulation
       • Best practices and suggested interpretations by the WP29
     • Simplification of international data transfers
       • Improvement of the current procedures for international data transfers
       • International Standards on the Protection of Privacy

  12. Right to be forgotten
     • Right to be forgotten
       • The right of individuals to have their data no longer processed, and deleted, when the data are no longer needed for legitimate purposes
       • The right of individuals not to be accountable for their conduct after a certain amount of time and beyond a given framework of relationships
     • The right is innovative but it is not new
       • It is implicitly established in the EU Directive with the principle of data retention and the existing duty to keep data no longer than necessary
       • It also forms part of the right to informational self-determination (right to oblivion – droit à l’oubli)

  13. Right to be forgotten
     • Questions about its content and achievability in practice
       • What kind of information/records?
       • Who will be entitled to such a right?
       • How can it be exercised when information appears on different platforms across the Internet (search engines, internet archive, mash-ups, social network aggregators)?

  14. Right to be forgotten
     • Criticism
       • Conflicting rights (freedom of speech, freedom of the press, freedom of society to record history)
       • Fears that it can be used as a tool for censorship or suppression of civil liberties, or exercised by data subjects in circumstances where negative information about them is processed for lawful purposes
     • Different approaches (US)
     • “Google case” - Spanish Data Protection Authority

  15. Recommendations
     • Raise data subjects’ awareness of the implications of sharing their personal data
     • Increase users’ control over their profile data - “the easiest personal data to forget are those which have never been collected”
     • Reinforce data subjects’ rights to access, rectify or delete data
     • Impose privacy-friendly default settings on SNS providers
     • Regulate third parties’ access to data subjects’ data

  16. Quasi-legal measures
     • Principle of accountability
       • Data controllers are requested to:
         • put in place proactive measures ensuring compliance, and
         • retain adequate evidence to prove compliance and the effectiveness of the measures adopted
       • Opinion 3/2010 WP29

  17. Quasi-legal measures
     • Personal data breach notification
       • E-Privacy Directive: notification requirements imposed on providers of publicly available services
       • Amended Directive 95/46/EC: sector-specific data breach notification requirements
       • Opinion 13/2011 WP29
         • Data breach notification procedures
         • Standard EU data breach notification form
         • Modalities for informing the individuals implicated
         • Technological protection measures for notification exemption
         • Guidance on information to be retained by providers

  18. Quasi-legal measures
     • Assessment of the effectiveness of technical and organizational measures:
       • Privacy Impact Assessments (PIAs)
         • Opinion 9/2011 WP29 on RFID
       • EU certification schemes
         • European Privacy Seal, European Codes of Conduct, BCRs
     • Empowerment of data subjects’ control over their data:
       • “Privacy by Design” principle
       • Privacy-friendly default settings
       • Privacy Enhancing Technologies (PETs)
         • Cookie cutters, out of tag mechanisms

  19. Conclusions
     • The Commission is expected to unveil legislative proposals to update the EU data protection framework this summer.
     • However, it is going to be several years before the revised Directive is agreed and implemented in the EU Member States.
     • Until then:
       • Data controllers are encouraged to implement quasi-legal measures
       • Data subjects’ awareness of the impact of publishing their personal data on the Internet should be raised

  20. The EU Data Protection Directive revised: New challenges and perspectives
     Thank you for your attention
     Maria Giannakaki, Attorney at Law – D.E.A.
