This conference paper discusses the challenges and perspectives of the revised EU Data Protection Directive, focusing on issues related to cloud computing, Web 2.0, applicable law, cross-border data transfers, and the right to be forgotten. The paper explores the legal implications and suggests potential amendments and improvements to the directive.
The EU Data Protection Directive revised: New challenges and perspectives
Maria Giannakaki, Attorney at Law – D.E.A.
4th International Conference on Information Law, 20-21 May 2011, Thessaloniki
The EU Data Protection Directive revised: New challenges and perspectives
• Challenges
  • Cloud computing
  • Web 2.0
• Perspectives for amendment
  • Applicable law
  • Cross-border issues
  • Right to be forgotten
  • Quasi-legal measures
Cloud computing
• Cloud computing allows users
  • to access and store information and
  • to use software functionality on remote servers hosted in data centres worldwide
• Delivery models
  • IaaS (Windows Live SkyDrive, Rackspace Cloud)
  • PaaS (Google App Engine)
  • SaaS (Zoho.com, Google Docs)
Which law applies in the cloud?
• ‘Place of establishment’ and ‘use of means’ are no longer suitable determinative factors for applicable law
  • Data centres are located in several jurisdictions
  • Data is transferred randomly, processed and duplicated in a variety of locations
• The cloud requires a different approach based on
  • the place where the processing takes place
  • the targeted individuals
Who is responsible for data protection compliance?
• Data controller vs. data processor:
  • Data controller: the party who determines the purposes and means of processing
  • Data processor: the party who acts on the data controller's behalf
• Issues when applied in the cloud computing context:
  • Multiple offerings and different clients targeted
  • Difficult to determine who acts as data controller
  • Customers may end up being solely responsible for data protection compliance
  • Sub-contracting concerns
Which legal basis for cross-border data transfers?
• Countries without an adequate level of protection
  • US Safe Harbor
  • Model contracts
  • Binding Corporate Rules
  • Onward transfers
WEB 2.0 - Characteristics
• Social computing / the Web as a platform
• Web 2.0 characteristics
  • Ubiquitous character of information
  • Different types of information are aggregated and made available in a single view
  • Information is used in a different context than the one in which it was originally published
  • No oblivion on the Internet
    • the “Hotel California effect”
WEB 2.0 - Data Privacy Challenges
• Ignorance of the danger of exposure:
  • Privacy is no longer a social norm
  • Illusion of intimacy on the Web
  • Users publish much more information than they think
  • Information which would otherwise be forgotten or forgiven can be easily retrieved
• Data subjects are losing control over their data
Perspectives for amendment
• European Commission Communication “A comprehensive approach on personal data protection in the EU”
• Council's Conclusions on the Communication
• WP29 “The future of privacy”
• European Commission DG JFS Study “New Challenges to Data Protection”
• Summary of replies to the Public Consultation
Applicable law
• Current provisions
  • “context of the activities” principle
  • “use of equipment”, unless such equipment is used only for purposes of transit
• Suggestions for improving the Directive
  • Shift back to the “country of origin” principle
  • Concept of “targeted individuals” or a “service-oriented approach”
  • Children's Online Privacy Protection Act
  • Rome I
Cross-border issues
• Harmonization within the EEA countries
  • Amendment of the Directive or a Regulation
  • Best practices and suggested interpretations by the WP29
• Simplification of international data transfers
  • Improvement of the current procedures for international data transfers
  • International Standards on the Protection of Privacy
Right to be forgotten
• Right to be forgotten
  • The right of individuals to have their data no longer processed and deleted when the data are no longer needed for legitimate purposes
  • The right of individuals not to be held accountable for their conduct after a certain amount of time and beyond a given framework of relationships
• The right is innovative but it is not new
  • It is implicitly established in the EU Directive by the data retention principle and the existing duty to keep data no longer than necessary
  • It also forms part of the right to informational self-determination (right to oblivion – droit à l'oubli)
Right to be forgotten
• Questions about its content and achievability in practice
  • What kind of information/records?
  • Who will be entitled to such a right?
  • How can it be exercised when information appears on different platforms across the Internet (search engines, Internet archives, mash-ups, social network aggregators)?
Right to be forgotten
• Criticism
  • Conflicting rights (freedom of speech, freedom of the press, freedom of society to record history)
  • Fears that it can be used as a tool for censorship or suppression of civil liberties, or exercised by data subjects in circumstances where negative information about them is processed for lawful purposes
  • Different approaches (US)
  • “Google case” - Spanish Data Protection Authority
Recommendations
• Raise data subjects' awareness of the implications of sharing their personal data
• Increase users' control over their profile data - “the easiest personal data to forget are those which have never been collected”
• Reinforce data subjects' rights to access, rectify or delete data
• Impose privacy-friendly default settings on SNS providers
• Regulate third parties' access to data subjects' data
Quasi-legal measures
• Principle of Accountability
  • Data controllers are requested to:
    • put in place proactive measures ensuring compliance and
    • retain adequate evidence to prove compliance and the effectiveness of the measures adopted
  • Opinion 3/2010 WP29
Quasi-legal measures
• Personal Data Breach Notification
  • E-Privacy Directive: notification requirements for providers of publicly available services
  • Amended Directive 95/46/EC: sector-specific data breach notification requirements
  • Opinion 13/2011 WP29
    • Data breach notification procedures
    • Standard EU data breach notification form
    • Modalities for informing implicated individuals
    • Technological protection measures for notification exemption
    • Guidance on information to be retained by providers
Quasi-legal measures
• Assessment of the effectiveness of technical and organizational measures:
  • Privacy Impact Assessments (PIAs)
    • Opinion 9/2011 WP29 on RFID
  • EU certification schemes
    • European Privacy Seal, European Codes of Conduct, BCRs
• Empowerment of data subjects' control over their data:
  • “Privacy by Design” principle
  • Privacy-friendly default settings
  • Privacy Enhancing Technologies (PETs)
    • Cookie cutters, out of tag mechanisms
Conclusions
• The Commission is expected to unveil legislative proposals to update the EU data protection framework this summer.
• However, it will be several years before the revised Directive is agreed and implemented in the EU Member States.
• Until then:
  • Data controllers are encouraged to implement quasi-legal measures
  • Data subjects' awareness of the impact of publishing their personal data on the Internet should be raised
The EU Data Protection Directive revised: New challenges and perspectives
Thank you for your attention
Maria Giannakaki, Attorney at Law – D.E.A.