Key issues in data protection: a pan-european view

Transcription

1 Key issues in data protection: a pan-european view 19 th March 2014 Nicola Fulford, Kemp Little LLP, UK Andreas Peschel-Mehner, SKW Schwarz, Germany Marco Bellezza, Portolano Cavallo, Italy Emmanuel Schulte, Bersay & Associes, France

2 Today s Session Transfer of personal data internationally and into the cloud SKW Schwarz Enforcement of data protection laws Kemp Little LLP EU Data Protection Regulation: update on the process / next steps Portolano Cavallo EU Data Protection Regulation: update on some specifics Bersay Associes

3 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 3 Transfer of personal data internationally and into the cloud -The German perspective Dr. Andreas Peschel-Mehner

4 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 4 4 International transfer and cloud 01 Warm up: What is personal data? relating to an identified or identifiable natural person IP address: yes Cookies: it depends on nature of cookie Smartphone identifier: presumably yes

5 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 5 5 International transfer and cloud 01 Warm up: Which law? easy: European principle of origin national law of controller decides also for controllers intending use of data without EEA relevance?

6 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 6 6 International transfer and cloud 01 Warm up: Which law? Example: UK service or company, data of German subjects involved, transferred to Ireland from a German perspective: UK data protection laws applicable! DE service or company, data of UK subjects involved, transferred to Ireland DE data protection law decides whether transfer legitimate.

7 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 7 7 International transfer and cloud 01 Warm up: Consent and third party Transfer to a third party any separate legal entity including all affiliates How to avoid transfer to third party? data processing agreement, where appropriate Caution: only viable for EU/EEA without further requirements Consent Always superseding all requirements but not realistic concept to rely on

8 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 8 8 International transfer and cloud 02 Prerequisites for international transfer: two step test First step: Permission for data use under applicable local law? any authorization under law (fulfillment of contract, mandatory obligations etc.)

9 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 9 9 International transfer and cloud 02 Prerequisites for international transfer: two step test Second step: equal level of protection? First alternative: EU/EEA-transfer? (+) Second alternative: non-eu/eea transfer non-eu/eea, but comparable level of protection: CH, AUS, CAN, Jersey, Guernsey, Isle of Man, Andorra, ARG, ISR, (scenario 1) USA and its safe harbors (scenario 2) transfer to all other countries (scenario 3)

10 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: equal level of protection Scenario 2: USA and its safe harbors Requirements for safe harbor self certification adherence to principles declared by company towards US authority ( FAQs & Annexes )

11 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: equal level of protection Scenario 2: USA and its safe harbors safe harbor really safe? post NSA scandal: authorities may suspend data transfer, if great likelihood that safe harbor principles or EU model clauses violated. DSK press release 24 July 2013: This is now the case. factual consequences?

12 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: equal level of protection Scenario 3: non-eu/eea transfer transfer to all other countries under EU model clauses works as well for Scenario 2, potential solution for German controller during clarification of safe harbor status

13 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: Summary For the past, additionally self certification of processor under save harbor required, challenged now How to solve scenario 2: Integration of EU model clauses in any event (as standard practice for scenario 3 in the past) If not possible, only way out is consent (or binding corporate rules )

14 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 04 Cloud based services : Any difference? Very short answer: Same same, almost. Why? Any cloud is based somewhere through its provider through its server infrastructure Cloud services are mostly only processing data on behalf of the controller (with the cloud service operator being the processor) Does this data processing structure work in practice? written agreements, TOMs, factual powers/controls, etc.

15 International Data Protection Seminar Enforcement of Data Protection Laws NICOLA FULFORD Kemp Little Privacy & DP Partner 19 / 03 / 2014

16 Agenda Means of Enforcement? Role of the ICO The ICO s enforcement toolkit Changes / trends Rights of individuals Cookies enforcement International comparison and comments _16

17 Means of Enforcement in the UK? The Information Commissioner s Office ICO UK data protection regulator Mission to uphold information rights in the public interest Corporate objective enforcement powers are used proportionately to ensure improved information rights compliance issue penalties as appropriate Individuals have rights to bring action under the DPA (more limited in practice) _17

18 The ICO s enforcement toolkit Criminal Prosecution Monetary Penalty Notice Enforcement Notice Application for an Enforcement Order Audit Factors for enforcement action: Consistently failed to comply; or Significant detriment to individuals Undertaking Information Notice Publicity around bad practice / complaints outcomes (to promote good practice?) _18

19 Enforcement outcomes (from the ICO s website) Investigated; remedial action identified 1252 Investigated; insufficient evidence to prosecute 123 Undertaking obtained 22 Monetary Penalty Notice served 15 Enforcement notice served 8 Prosecuted _19

20 Monetary Penalties Maximum 500,000 S.55A-E DPA serious contravention, of a kind likely to cause substantial damage or substantial distress; deliberate or [reckless] ICO 2013 framework: relevant issues for the ICO to determine the appropriate amount CLCH v. ICO [2013] UKUT 551 (AAC) fine valid despite co-operation early payment discount scheme is lawful Scottish Borders v. ICO EA/2012/0212 what is the actual contravention of the DPA and was that contravention likely to directly cause substantial damage or distress? _20

21 Possible changes / trends in the ICO s approach? Indications: Public Private? Security Fairness / other principles? Advice Penalties? New approach for complaints and concerns (more proactive?) More co-ordinated enforcement with other regulators? Increased publicity? Changes to the law so imprisonment for unauthorised obtaining of personal data this year? _21

22 Rights of individuals to enforce the DPA Individuals rights under the DPA Section 13 of DPA (1) compensation for damage (2) compensation for distress if (a) damage is suffered or (b) contravention relates to processing for special purposes Vidal-Hall and Others v. Google Inc [2014] EWHC 13 (QB) _22

23 Final thoughts Cookies enforcement The first fine! International comparison and comments? Thank you _23

24 Coffee Break

25 EU Data Protection Regulation: update on the process / next steps LONDON, MARCH 19, 2014

26 MAIN TOPICS What happened till now? Update on current status One Stop Shop Is it really a big change? Next steps portolano.it 26

27 PREVIOUSLY ON THE GDP REGULATION Commission Proposal on January 2012 EU Parliament Compromise Amendments on October 2013 Text under discussion before the EU Council portolano.it 27

28 CURRENT STATUS (1/4) The Regulation is currently under 1 st reading at EU Council New timeline: end of 2014? portolano.it 28

29 CURRENT STATUS (2/4) One Stop Shop: lead supervisory authority in the State where controller/processor has "main establishment" - What is main establishment? - What are the roles of the leading authorities and other authorities? - Risk of forum shopping portolano.it 29

30 CURRENT STATUS (3/4) EU Parliament: - The lead authority supervises the processing activities of controller/processor in all Member States - It shall consult with authorities of the other Member States before taking measures EU Council: - Debate in the Eu Council - Legal service for the Eu Council: one-stop shop undermines EU citizens human rights - Criticism from Germany, Denmark, Hungary and Czech Republic portolano.it 30

31 CURRENT STATUS (4/4) Is it really a big change? - Yes, as to the scope of application (single law for Europe) - No (at least in Italy) as to the approach Risk assessment Accountability Documentation to demonstrate compliance with GDP Direct obligations on Processors - Yes, as to how the approach should be translated in practice Not a formalistic approach to compliance portolano.it 31

32 NEXT STEPS Priority for EU institutions Approval: end of 2014? portolano.it 32

33 EU DATA PROTECTION REGULATION Update on some specifics 33

34 1. T E R R I TO R I A L S COPE One Continent One Law Harmonization of all national legislations 1 Regulation instead of 28 Broad Territorial Scope Processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, even if processing outside the EU Extraterritorial Effect When offering services to European consumers, non-european companies, will have to apply the same rules and adhere to the same levels of protection of personal data if: Offer goods or services in the EU (even for free) Monitor data subjects in the EU 34

35 2. R I G H T TO E R A S U R E From Controller Erasure and abstention of further dissemination if no longer needed for any legitimate purpose Take all reasonable steps to have the data erased (including by third parties) where it has made the personal data public without justification From Third Parties Erasure of any links to, copy or replication of personal data Exceptions Historical, statistical and scientific research, freedom of expression and press, public health, legal obligation of retention 35

36 3. P RO F I L I N G Profiling leading to measures producing legal effects or significantly affect the interests, rights or freedoms of individuals Allowed only if: - Necessary to conclude or perform a contract - Based on individual s consent - Expressly authorized by European or national law Shall include human assessment and not be based solely or predominantly on automated processing Profiling leading to discrimination is prohibited Profiling based solely on the processing of pseudonymous data is presumed not to significantly affect the interests, rights or freedoms Right to object and related information 36

37 4. OT H E R ITEMS DPOs DPOs required where the processing relates to more than 5000 data subjects in any consecutive 12-month period or the core activities consist of processing special categories of data, location data or data on children or employees in large filing system Sanctions 100M or up to 5% of the annual worldwide turnover Cookies and IP Addresses constitute personal data 37

38 Questions?

39 Contact Us Nicola Fulford Privacy & DP Partner, Kemp Little LLP Andreas Peschel-Mehner Partner, SKW Schwarz ddi +44 (0) ddi Emmanuel Schulte Partner, Bersay Associes Marco Bellezza Associate, Portolano Cavallo ddi + 33 (0) eschulte@bersay-associes.com ddi mbellezza@portolano.it