Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Transcription

1 Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie

2 Rewriting the Past Oisin Tobin

3 Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A data controller c) The right to be forgotten 3

4 Background The Timeline 1998 Auction notices published Content digitized, appeared in Google search 2010 Complaint filed with the Spanish Data Protection Authority 4

5 Background - Spanish DPA Decision The original notice was lawfully published However, Google s linking to that notice violated González s data protection rights 5

6 Background CJEU appeal Google appealed decision to CJEU Not within jurisdiction Google search is not a data controller Advocate General Google was not a data controller CJEU Disagreed affirmed Spanish DPA No appeal possible deleting the index cards 6

7 Issue 1: Jurisdiction Applicable law 2 Jurisdictional tests in EU Data Protection Law (Article 4) DC is established in member state and processes personal data in the context of that establishment (Article 4(1)(a)) DC has no EU establishment, but uses equipment in Europe (Article 4(1)(c)) 7

8 Issue 1: Jurisdiction Google s case Google search is provided by Google, Inc. Google, Inc. has no presence in the EU Google Spain promotes the sale of ads (an unrelated activity) No evidence of servers located in EU Therefore: No relevant establishment in the EU (per Article 4(1)(a)) No equipment (per Article 4(1)(c)) No jurisdiction 8

9 Issue 1: Jurisdiction Court s Response An economic link between Google search and the ads sold by Google Spain (one pays for the other) The separate legal personality of Google, Inc. and Google Spain can be disregarded Google Spain deemed to be an establishment of Google Inc. that processes personal data in the context of the activities of Google search Therefore, jurisdiction (per Article 4(1)(a)) 9

10 Issue 1: Jurisdiction Court s Response It cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive s effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure 10

11 Issue 1: Jurisdiction Practical Impact The establishment, by a non-eu company, of an EU marketing sub may cause EU privacy law to apply to the operations of the non-eu company. Even where the EU sub is not factually involved in the processing of personal data Risk of overlapping regulators (one per marketing sub) Strategic decision: Concede that an EU data protection law is to apply and have a designated data controller or subsidiary responsible for DP issues in a member state 11

12 Issue 1: Jurisdiction Questions If a multinational company ask: Do we have a clear EU data controller? Where do we have marketing subs? Do our parent s operations comply with applicable local law? Where necessary - consider data protection jurisdiction risk when expanding operations 12

13 Issue 2: Data Controller Applicable Law Data Protection obligations fall on data controllers An entity that determines the purposes and means of processing personal data 13

14 Issue 2: Data Controller Google s case Scan and cache content to provide access No real control over that information. Advocate General agreed A proportionate reading of DP law 14

15 Issue 2: Data Controller Court s finding Google programmed the software that scanned, indexed and cached content (including personal data) Sufficient to show Google was a data controller 15

16 Issue 2: Data Controller Impact Search engines are responsible in data protection law, for the results they return Any business could be treated as a data controller in respect of data it collects/obtains in course of trade Even where the business is not really concerned about the content of that data 16

17 Issue 2: Data Controller Questions Have we considered all circumstances where we may be acting as a data controller? 17

18 Issue 3: Right to be Forgotten Law Controllers need to ensure a pre-condition to processing has been met, e.g. consent, legitimate interests Compliance with general data protection principles (i.e. not excessive, limited retention etc ) 18

19 Issue 3: Right to be Forgotten Google Principle of Proportionality: Any request for removal of content should be made to the website, not Google (a mere intermediary) 19

20 Issue 3: Right to be Forgotten Court Google lacks consent Must rely on legitimate interests Balancing test Public interest v privacy rights Must also comply with general DP principles (data not excessive, up to date etc ) As a rule privacy rights take precedence over public s interest in accessing information Where a data subject objects to search results those should be removed, save in limited circumstances (e.g. public figures) 20

21 Issue 3: Right to be Forgotten Impact Does not create a general right to demand deletion of data Ruling was based on Articles 12 and 14 of the Directive Article 12 allows deletion where a breach of DP law (akin to Section 6 of Irish DP Act) Article 14 - a right to object where processing based on legitimate interests (akin to Section 6A of Irish DP Act) 21

22 Issue 3: Right to be Forgotten Impact Right to be forgotten does not arise where: Data is being lawfully processed; AND There is an alternative basis to justify the processing including: Consent Necessary to perform a contract with data subject (NB for difficult customers) Necessary to comply with a legal obligation 22

23 Issue 3: Right to be Forgotten Questions If a right to be forgotten request comes in, check: What s our justification for keeping this data? Are we happy that this data generally complies with data protection law? If: Relying on consent, contract or legal obligations as a justification; and Satisfied that data otherwise complies with the DP Acts Deletion should not be required No proactive screening requirement 23

24 Issue 3: Right to be Forgotten Policy Increased ability of individuals to manage their online reputations Broader trends towards human rights style data protection decisions: SABAM; Digital Rights Ireland; Schrems Likely to lead to more litigation in this space Potential Trade implications TTIPs Divergence between US and EU law 24

25 Conclusions Marketing subs can ground data protection jurisdiction over parent An expansive definition of data controller has been adopted The right to be forgotten only arises in limited circumstances Seminal judgment will shape future policy and case law. 25

26 Defending your Data Rob McDonagh

27 Some Quick Facts Average cost is $3.5 million / 145 per record Biggest hit from loss of reputation and customers Incident response plan shown to reduce cost = take security breaches seriously 27

28 Managing a Security Incident You cannot be prepared for a security incident without having prepared for it! 28

29 3 Important Points Data controller primarily responsible, even if caused by data processor what are you? Security breach: not necessarily a breach of dp law could still be a breach of contract You need to consider laws of other countries too 29

30 Key Management Tools Security Breach Policy (and training) IT Security Policy Acceptable Usage Policy Firewalls Logs / red flags Supplier due diligence Contractual measures Insurance 30

31 Security Breach Policy Create a Security Breach Policy Reporting lines Incident management team (and deputies) compliance/audit/legal/it/security/pr/business control etc include senior officer so can make quick decisions Third party advisers Include contact details Identify key action points Training for incident management team 31

32 Key Action Points Initial Steps Act quickly Assemble incident response team Internal escalation Stop or mitigate breach Information lockdown Preserve evidence NB. remember litigation is possible 32

33 Key Action Points - Investigation Identify data controller Determine your status Investigate facts data affected individuals affected cause resulting harm / damage use legal counsel legal privilege? Remember things move and change quickly 33

34 Key Action Points - Implications Consider exposure liability and fines contract termination audit / escalation Contractual obligations? Consider any wider business critical implications Tolling agreement 34

35 Key Action Points - Notifications Notify insurers if required under policy Consider regulatory notifications in Ireland and abroad, e.g. DPC, Gardai, foreign DPC etc Consider data subject / customer / dc notifications Check relevant contracts confidentiality preservation of rights 35

36 Key Action Points Customer Relations Create customer relations strategy Press release Customer relationship management Mitigation measures: hotline, online helpdesk, monitoring service, discounts etc 36

37 Key Action Points Corrective Action Audit Disaster recovery / business continuity etc Implement corrective / disciplinary action 37

38 Should you Notify DPC? No express obligation (except ECSPs / ECNPs) No fines in Ireland (except ECNPs / ECSPs) different in other countries Negative PR resulting from failure to disclose can incident be contained? Have you notified other regulators? Draft EU Regulation 38

39 Should you Notify DPC? DPC has a statutory obligation of confidentiality General practice not to disclose except in response to inquiry by media or concerned person However, may issue press release or notify other DPCs if significant incident 39

40 Should you Notify DPC? Before making disclosure, also consider: is disclosure permitted by contract? must you notify insurers first? implications of DPC finding for third party litigation? other implications? similar issues apply to other notifications, e.g. to individuals Notification based on current information Remember DPC has statutory enforcement powers 40

41 Voluntary Code Applies if personal data put at risk Also earlier DoF public sector guidance Code only applicable if DC or DP subject to DPA Code is not legally binding (unless incorporated into contract) Not applicable to ECNP / ECSP as separate legislation applies 41

42 Voluntary Code DC and DPC Notifications DP must report to DC all incidents of loss of control of data DC must report to DPC incidents in which data put at risk within 2 working days unless: individuals already informed; no more than 100 data subjects; and does not include sensitive personal data or financial data Keep summary record even if don t notify DPC brief description why chose not to notify 42

43 Voluntary Code Notifying Individuals DC must give immediate consideration to informing those affected No obligation if no risk to data due to technological measures of high standard Risk of over notification or more harm than good Audit trail for reasons not to notify 43

44 Steps in a DPC Investigation 1. Initial call / 2. Written submission - amount and nature of personal data - action to secure / recover personal data - action to inform those affected or reasons for the decision not to do so - action to limit damage or distress to those affected - chronology of events leading up to incident - measures to prevent repetition 44

45 Steps in a DPC Investigation 3. Additional Materials - Contract - Recruitment process - Relevant policies - Training documents - Log of training for relevant staff - expressly state it is confidential and commercially sensitive NB: remember your confidentiality obligations 45

46 Steps in a DPC Investigation 4. Site visit - systems - procedures - live demonstrations - questions - (enforcement notice?) 5. Draft finding or report / recommendations 6. Right of reply 7. Final finding or report 46

47 Third Party Contracts Diligence Notification of incident Control of incident Co-operation / information / preservation obligations Right to interrogate devices / data Right to interview personnel 47

48 Third Party Contracts Notification of policies to others Restoration of data Confidentiality clause Indemnity / cap subject to law qualifications 48

49 Covering your bases Ailbhe Gilvarry

50 Civil Liability for Breach Michael Collins v FBD DP complaint and investigation Circuit Court High Court 50

51 Insurance Third Party Claims First Party Expenses

52 Third Party Claims Disclosure Content Reputational Conduit Impaired Access

53 First Party Claims Notification Regulator Reputation and Response Costs Cyber Extortion Network Interruption

54 Q&A