Data Protection – Future EU Law and the Compliance Function Billy Hawkes Data Protection Commissioner ACOI Dublin, 17 April 2012
Presentation Outline • Present Law • Commission Proposals • Some Issues • ePrivacy Regulations: Update
EU Data Protection Legislation • Data Protection Directive 95/46/EC (Internal Market legal basis) • Electronic Privacy Directive 2002/58/EC (as amended) • EUROPOL, EURODAC, EUROJUST, SCHENGEN etc. Decisions/Regulations • Police & Justice Decision 2008/977/JHA (Intra-EU only)
EU & Irish Legislation • Data Protection Directive 95/46/EC (being updated) → Data Protection Acts 1988 & 2003 • Electronic Privacy Directive 2002/58/EC (as amended) → EC Electronic Privacy Regulations 2011 (SI 336/2011) • EUROPOL etc. Decisions/Regulations → Corresponding Acts • Police & Justice Decision 2008/977/JHA → (To be transposed)
Lisbon Treaty Article 16 Treaty on the Functioning of the European Union • 1. Everyone has the right to the protection of personal data concerning them. • 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. • Compliance with these rules shall be subject to the control of independent authorities. …..
EU Charter of Fundamental Rights: Article 8 • Protection of personal data • 1. Everyone has the right to the protection of personal data concerning him or her. • 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. • 3. Compliance with these rules shall be subject to control by an independent authority.
EU DP Law Changes: Timetable • 2009/2010 Public and Sectoral Consultation • “Communication” from EU Commission November 2010 • Draft Laws published 25 January 2012 • Negotiation in Council and Parliament – 2012/13? • Implementation – by 2015-16?
Future EU Law: Structure • Directly-applicable Regulation • Separate Directive for Law Enforcement Area • Separate Decision for Foreign Affairs (CFSP) Area • Not yet presented
Philosophy • The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. • It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.
General Principles (1) • Protecting Fundamental Right to Data Protection and Free Movement of Personal Data • Particular focus on children • Applies to organisations processing personal data that are either established in the EU or offering goods and services to, or monitoring the behaviour of, EU residents • Does not apply to a natural person processing without any gainful interest in the course of their own exclusively personal or household activity
General Principles (2) • Data Minimisation • “limited to the minimum necessary” • Transparency • More prescriptive information requirements • Strengthened Right of Access • More Information • No Charge (except “manifestly excessive”) • Normally within one month
General Principles (3) • Accountability of Data Controller (Joint Controller) • “ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation” • Documentation • Data Protection Officer
General Principles (4) • Privacy by Design • Privacy Impact Assessment • “Seal” systems • Data Portability • “Right to be Forgotten” • Requirement for retention policy • On request, delete unless clash with other rights (freedom of expression etc) • Strengthened Data Security • Data Breach Notification
Lawfulness of Processing • Stricter definition of “consent” • Burden of proof on data controller • Can’t be “buried” in another document • Not valid where “significant imbalance” • Parental consent for child under 13 • “Legal Obligation”, “Public Interest” and “Exercise of Official Authority” must be laid down in law which meets proportionality test • “Legitimate Interests” of data controller does not apply to a public organisation
Direct Marketing • Strengthened Right to Refuse • “right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information” • Relationship to ePrivacy Directive
International Transfers: Principle (1) • Where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred
International Transfers (2) • “Adequacy” Decisions by Commission • Standard Clauses • Adopted by Commission or Prescribed by DPA and “declared generally valid” by Commission • Approved by DPA (subject to Consistency Mechanism) • Binding Corporate Rules
International Transfers (3) • Informed Consent, Contractual Requirement etc • “Legitimate Interests” of data controller or processor and “not frequent, massive or structural” and must inform DPA
Data Protection Officer (1) • Must be appointed by Controller or Processor if: • Public body OR • 250+ employees OR • Core activities involve “regular and systematic monitoring of data subjects” • Joint appointment possible • Publicly named
Data Protection Officer (2) • “expert knowledge of data protection law” • “ability to fulfil the (designated) tasks” • Any other professional duties “compatible” and “do not result in a conflict of interests”
Data Protection Officer (3) • Must perform tasks independently • Minimum 2-year appointment • Protection against dismissal • Necessary Resources • “involved in all issues which relate to the protection of personal data” • Direct report to Management
Data Protection Officer (4) • Advise on data protection policy and monitor practice • Assignment of internal responsibilities; Training; Privacy Impact Assessments; Privacy by Design; Information to data subjects; Data Security; Documentation • Main contact with supervisory authority • Main contact with public
Data Protection Authorities (DPAs) (1) • Independence • Appointment, financial resources, staff • Strengthened Powers • Conduct investigations on own initiative • Investigate complaints “to the extent appropriate” • Must be consulted on relevant legislation • “One-stop-Shop” for data controllers • Location of “main establishment”
DPAs (2) • European Cooperation • “Consistency Mechanism” • Joint Enforcement, Binding Consultation etc • Strengthened European Data Protection Board • Commission regulatory powers • Sanctions
Sanctions • DPA Obligation to impose Administrative Sanctions where data protection law breached “intentionally or negligently” • up to €1M or 2% of annual worldwide turnover, depending on breach • Separate Penalties for infringements • Individual right to a Judicial Remedy • Including compensation for damage suffered
Law Enforcement Directive • Applies to “any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties” • General data protection principles apply, including Access (with restrictions), Data Minimisation, “Privacy by Design”, Security • Data Protection Officer (DPO) • Maintain Records • Need to distinguish different categories of data subjects (suspects, convicted, victims etc)
Some Issues (1) • Burden on Data Controllers • Fewer Notifications BUT increased responsibility/accountability and Sanctions • Restrictions on use of Consent • Jurisdiction • One-Stop-Shop for Multinationals • Politically acceptable? • Direct Marketing • ePrivacy Directive?
Some Issues (2) • International Transfers • BCRs • Should data controllers be given more discretion on the basis of Accountability? • Supervision • Will “consistency mechanism” work? • Financing of DPAs
Some Issues (3) • Data Protection Officer (DPO) • New in Irish Law • Location in Organisation? • Relationship to Board? • Qualifications?
Some Issues (4) • Ireland’s Position • Department of Justice & Equality lead department • Public Consultation (closed 31 March) • Interests of Domestic and Multinational Companies • Impact on DPC • Resources
Regulation 13 – Direct Marketing • Requirements for consent clarified: • Confirmed that consent needed for voice calls to all mobile phones (“opt-out” assumed unless NDD (National Directory Database) “opt-in”) • Explicit requirement to identify caller/sender • No “silent calls” (automated calling machines) • No “tagged on” marketing to non-marketing SMS • “Natural person” excludes e-mail and SMS sent to a business phone or address where content relates solely to the individual’s business • Confirmed existing customer = within 12 months • Selective prosecutions being pursued
Regulation 5(3) – “Cookies” • Necessary “session” cookies normally OK • Full information as to such use should still be available to the website user • Other cookies – “third party” or “tracking” cookies – require consent • Current browser settings unlikely to meet “consent” requirement • “Wait and see” approach to date, to see if industry (browser providers, ad networks etc.) can come up with workable solutions • Current initiatives (IAB etc.) helpful but insufficient • Individual organisations expected to be working on solutions
Thank You Office of the Data Protection Commissioner Canal House Station Road Portarlington Co Laois Phone: LoCall 1890 252231 057 8684800 Fax: 057 8684757 Email: info@dataprotection.ie Website: www.dataprotection.ie