Overview. Data protection in a swirl of change Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Transcription

1 Data protection in a swirl of change Overview 1 Data protection issues in cloud computing 2 Consent for mobile applications Security Seminar 2014: Privacy Radboud University Nijmegen 3 The WhatsApp case Friday, 28 March 2014 Dr Eleni Kosta Assistant Professor of Technology Regulation TILT - Tilburg University 4 Review of the data protection directive computing Software as a service computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction MELL PETER, GRANCE TIM, The NIST Definition of Computing, Version 15, 10 July 2009 Customer relationship management (CRM) Online word processing Financial planning Control and transparency over data use Platform as a service Infrastructure as a service Facilities for application design Firewalls Data center space tool development platform deployment Access to operating systems Network equipment Servers 1

2 Why data protection? Actors European Data Protection Supervisor Key question in the context of cloud computing services is whether the current legal framework provides for appropriate safeguards to ensure the protection of individuals personal data SaaS User Actors Applicable law computing is blurring the distinction between data subject, data controller and data processor Rights Obligations SaaS User Applicable law Applicable law SaaS User The processing of personal data is carried out in the context of the activities of an establishment within the EU Equipment based within the EU is used for the processing of data 2

3 Applicable law International transfers SaaS User The transfer of personal data to third countries is only allowed when the third country in question ensures an adequate level of protection International transfers International transfers computing: SaaS User The transfer of personal data is done in an automatic and continuous way Recommendations Privacy by design in cloud computing services from the French Data Protection Authority (CNIL) for companies planning to use computing services, especially in cases of standard offers with standard contracts that cannot be negotiated 3

4 Why these recommendations Recommendation 1 - Lack of transparency of the conditions for the provision of the service - Assistance to companies to make enlightened decisions - Based on risk analysis Clearly identify the data and processing operations which will be passed to Recommendation 2 Recommendation 3 Define your own requirements for technical and legal security Carry out a risk analysis to identify the security measures essential for the company Recommendation 4 Recommendation 5 Identify the relevant type of for the planned processing Choose a service provider offering sufficient guarantees 4

5 Recommendation 6 Recommendation 7 Review the internal security policy Monitor changes over time 1 Data protection issues in cloud computing 2 Consent for mobile applications Consent to the processing of location data for mobile applications 3 The WhatsApp case 4 Review of the data protection directive What the law says Personal data may be processed when the data subject has unambiguousy given his consent [ ] (Art. 7(a) Data Protection Directive) What happens in practice Location data for the provision of a Location Based Service can only be processed when they are made anonymous ot with the consent of the user or the subscriber (Art. 9 eprivacy Directive) 5

6 What happens in practice What happens in practice Should one worry? 6

7 1 Data protection issues in cloud computing 2 3 Consent for mobile applications The WhatsApp case 4 Reform of the Data Protection Directive Personal data processed by WhatsApp mobile phone number unique customer identifier device identifier (where relevant) the push ID the profile name of whatsapp users mobile phone numbers of non-users listed in the address books of whatsapp users Using WhatsApp Solution? Access to the entire electronic address book of users, including the mobile phone numbers of contacts that are not using the app Compare and forget 7

8 1 Data protection issues in cloud computing 2 Consent for mobile applications 3 The WhatsApp case Replacement of the Data Protection Directive with a Regulation 4 Reform of the Data Protection Directive Where we are now Where we are now October 2013: Compromise text adopted by the Parliament Committee on Civil Liberties, Justice and Home Affairs ( LIBE compromise text ) 8

9 Where we are now Where we are now 12 March 2014: Official first reading at the European Parliament. Goals: - Ensure a consistent level of protection for individuals among the 27 Member States - Provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises - Ensure consistent monitoring of the processing of personal data - Ensure equivalent sanctions in all Member States - Ensure effective co-operation between the DPAs Territorial application - Data controller/processor has an establishment in the EU - Data controllers not established in the EU processing data of data subjects residing in the European Union Offer goods or services to data subjects in the Union (irrespective of payment) Monitor data subjects behaviour Focus on personal data 9

10 Pseudonymous data if data do not permit the identification of a natural person, or consist only of pseudonymous data, the controller shall not process or acquire additional information (for identification in order to comply) Profiling based solely on pseudonymous data is presumed not to significantly affect the interests, rights or freedoms of the data subject Consent Consent means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed Conditions for consent The controller shall bear the burden of proof If consent is given together in a written declaration, it has to be distinguishable in its appearance Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. Limitations in the use of consent For processing of personal data of children below the age of 13 in relation to the offering of goods and services, the controller shall make reasonable efforts to verify consent, taking into consideration available technology. Icons for standardised information policies Right to be forgotten RIGHT-TO-BE-FORGOTTEN-large570.jpg 10

11 Right to erasure Erasure when processing is illegal Parliament first reading: Erasure of illegally processed data and legally processed data, when processed for legitimate interest Measures to ensure and demonstrate compliance: Keep documentation Implement security requirements Perform data protection impact assessment Comply with requirements re. DPA Designate data protection officer Responsibility and accountability of data controllers Data protection impact assessment Specific risk to the rights and freedoms of data subject by virtue of their nature, scope or purposes Specific risks Risk-based Life cycle PD management Processing on data re 5000 DS within 12 months; Sensitive data, location data, children s data; Profiling significantly affecting individuals; Healthcare sector, epidemiological research Large scale automatic monitoring of publicly accessible areas Regular and systematic monitoring of DS; Access to PD cannot be reasonably limited 11

12 Data protection by design & by default by design implement appropriate and proportionate technical and organisational measures and procedures in order to meet the legal requirements and ensure the protection of rights of the data subject by default ensure that, by default, only necessary personal data are processed in terms of amount of data and time of storage. Notification of personal data breaches Notify Data Protection Authority When a personal data breach is likely to adversely affect the protection of personal data, privacy of the legitimate interests of data subjects, they should be notified without undue delay Certification International data transfers Adequacy decision for countries Adequacy decision for specific sectors Appropriate safeguards - Binding Corporate Rules - Standard data protection clauses (EC) - Standard data protection clauses (DPA) - Contractual clauses (authorised) 12

13 Thank you for your attention! Dr. Eleni KOSTA Assistant Professor of Technology Regulation Tilburg Institute for Law, Technology, and (TILT) Tilburg University 13