Data protection in a swirl of change
Security Seminar 2014: Privacy, Radboud University Nijmegen, Friday 28 March 2014
Dr Eleni Kosta, Assistant Professor of Technology Regulation, TILT - Tilburg University

Overview
1 Data protection issues in cloud computing
2 Consent for mobile applications
3 The WhatsApp case
4 Review of the data protection directive

Cloud computing
"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (Mell, Peter and Grance, Tim, The NIST Definition of Cloud Computing, Version 15, 10 July 2009)

Service models (the customer's control and transparency over data use differs between them):
- Software as a service: customer relationship management (CRM), online word processing, financial planning
- Platform as a service: facilities for application design, development and deployment (tool platform)
- Infrastructure as a service: firewalls, data center space, network equipment, servers, access to operating systems
Why data protection?
"Key question in the context of cloud computing services is whether the current legal framework provides for appropriate safeguards to ensure the protection of individuals' personal data." (European Data Protection Supervisor)

Actors
Cloud computing is blurring the distinction between data subject, data controller and data processor, and with it the allocation of rights and obligations between the parties (illustrated on the slides with a SaaS provider and its user).

Applicable law (Data Protection Directive)
The Directive applies when:
- The processing of personal data is carried out in the context of the activities of an establishment within the EU
- Equipment based within the EU is used for the processing of data
International transfers
The transfer of personal data to third countries is only allowed when the third country in question ensures an adequate level of protection.
In cloud computing the transfer of personal data is done in an automatic and continuous way.

Recommendations: privacy by design in cloud computing services
Recommendations from the French Data Protection Authority (CNIL) for companies planning to use cloud computing services, especially in cases of standard offers with standard contracts that cannot be negotiated.
Why these recommendations
- Lack of transparency of the conditions for the provision of the service
- Assistance to companies to make enlightened decisions
- Based on risk analysis

Recommendation 1: Clearly identify the data and processing operations which will be passed to the cloud
Recommendation 2: Define your own requirements for technical and legal security
Recommendation 3: Carry out a risk analysis to identify the security measures essential for the company
Recommendation 4: Identify the relevant type of cloud for the planned processing
Recommendation 5: Choose a service provider offering sufficient guarantees
Recommendation 6: Review the internal security policy
Recommendation 7: Monitor changes over time

2 Consent for mobile applications: consent to the processing of location data for mobile applications

What the law says
- "Personal data may be processed when the data subject has unambiguously given his consent [...]" (Art. 7(a) Data Protection Directive)
- Location data for the provision of a location-based service can only be processed when they are made anonymous or with the consent of the user or the subscriber (Art. 9 ePrivacy Directive)
What happens in practice
(slides with examples from practice; the images are not reproduced here)

Should one worry?
3 The WhatsApp case

Personal data processed by WhatsApp
- mobile phone number
- unique customer identifier
- device identifier (where relevant)
- the push ID
- the profile name of WhatsApp users
- mobile phone numbers of non-users listed in the address books of WhatsApp users

Using WhatsApp
Access to the entire electronic address book of users, including the mobile phone numbers of contacts that are not using the app.

Solution? Compare and forget: match the uploaded address book against the registered users and discard the numbers of non-users once the comparison is done.
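The "compare and forget" approach named on the slide, worked through as an added example; this is not code from the slides or from WhatsApp, which only names the approach. It assumes a server that holds a set of registered numbers, a client that uploads its address book in international format, and that numbers are compared as SHA-256 tokens; the `ContactDirectory` class, its two `sync_*` methods and the sample numbers are constructed for illustration. The criticised behaviour (keep every uploaded number) and the compare-and-forget behaviour return the same matches to the client; they differ only in what the server retains afterwards.

```python
"""Compare-and-forget contact discovery (added example; not the slides' or WhatsApp's code).

Assumptions: registered numbers and the uploaded address book are in
international format, numbers are compared as SHA-256 tokens, and
`retained` is the only state the server keeps after a sync.
"""
import hashlib
import re


def normalise(number: str) -> str:
    """Strip spaces, dashes and other non-digits so the same number written
    differently yields the same token (assumed input: international format)."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError(f"not a phone number: {number!r}")
    return "+" + digits


def token(number: str) -> str:
    """SHA-256 of the normalised number. The phone-number space is small enough
    to enumerate, so this is a matching key, not anonymisation."""
    return hashlib.sha256(normalise(number).encode("utf-8")).hexdigest()


class ContactDirectory:
    """Server side of contact discovery (constructed for this example)."""

    def __init__(self, registered_numbers):
        self.registered = {token(n) for n in registered_numbers}
        self.retained = set()  # what the server still holds after syncs

    def sync_retain_all(self, address_book):
        """The behaviour criticised in the WhatsApp case: every uploaded
        number, users and non-users alike, stays on the server."""
        uploaded = {token(n) for n in address_book}
        self.retained |= uploaded
        return sorted(uploaded & self.registered)

    def sync_compare_and_forget(self, address_book):
        """Compare the upload with the registered set, keep only the matches,
        and drop the non-user tokens as soon as the comparison is done."""
        uploaded = {token(n) for n in address_book}
        matches = uploaded & self.registered
        self.retained |= matches  # only confirmed users are kept
        del uploaded              # non-user numbers are forgotten here
        return sorted(matches)


# Constructed sample data: two registered users, and an address book holding
# one of them plus two non-users.
REGISTERED = ["+31612345678", "+32470112233"]
ADDRESS_BOOK = ["+31 6 1234 5678", "+49 151 0000 0000", "+44 7700 900123"]


def run_demo():
    """Run both sync variants on the same input and report what each retains."""
    old = ContactDirectory(REGISTERED)
    old_matches = old.sync_retain_all(ADDRESS_BOOK)
    new = ContactDirectory(REGISTERED)
    new_matches = new.sync_compare_and_forget(ADDRESS_BOOK)
    return {
        "matches_identical": old_matches == new_matches,
        "retained_by_retain_all": len(old.retained),
        "retained_by_compare_and_forget": len(new.retained),
        "non_users_retained_after_compare_and_forget": len(new.retained - new.registered),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both variants tell the client the same thing (which contact is a user); after `sync_compare_and_forget` the server holds nothing about the two non-users, whereas `sync_retain_all` keeps all three numbers. Hashing does not make the upload anonymous, since the space of phone numbers is small enough to brute-force; it is the retention rule, not the hash, that limits what the provider ends up holding.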
4 Reform of the Data Protection Directive
Replacement of the Data Protection Directive with a Regulation

Where we are now
October 2013: Compromise text adopted by the Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE compromise text)
12 March 2014: Official first reading at the European Parliament

Goals
- Ensure a consistent level of protection for individuals among the 27 Member States
- Provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises
- Ensure consistent monitoring of the processing of personal data
- Ensure equivalent sanctions in all Member States
- Ensure effective co-operation between the DPAs

Territorial application
- Data controller/processor has an establishment in the EU
- Data controllers not established in the EU processing data of data subjects residing in the European Union, where they:
  - offer goods or services to data subjects in the Union (irrespective of payment), or
  - monitor data subjects' behaviour

Focus on personal data
Pseudonymous data
- If the data processed do not permit the identification of a natural person, or consist only of pseudonymous data, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with the Regulation
- Profiling based solely on pseudonymous data is presumed not to significantly affect the interests, rights or freedoms of the data subject

Consent
"Consent" means any freely given, specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

Conditions for consent
- The controller shall bear the burden of proof
- If consent is given together with other matters in a written declaration, it has to be distinguishable in its appearance
- Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected

Limitations in the use of consent
For processing of personal data of children below the age of 13 in relation to the offering of goods and services, the controller shall make reasonable efforts to verify consent, taking into consideration available technology.

Icons for standardised information policies

Right to be forgotten
Right to erasure
- Erasure when processing is illegal
- Parliament first reading: erasure of illegally processed data, and of legally processed data when processed on the basis of legitimate interest

Responsibility and accountability of data controllers
Measures to ensure and demonstrate compliance:
- Keep documentation
- Implement security requirements
- Perform a data protection impact assessment
- Comply with requirements regarding the DPA
- Designate a data protection officer

Data protection impact assessment
Risk-based, covering the life cycle of personal data management; required for processing that presents specific risks to the rights and freedoms of data subjects by virtue of its nature, scope or purposes.
Specific risks:
- Processing of data relating to more than 5000 data subjects within 12 months
- Sensitive data, location data, children's data
- Profiling significantly affecting individuals
- Healthcare sector, epidemiological research
- Large-scale automatic monitoring of publicly accessible areas
- Regular and systematic monitoring of data subjects
- Access to personal data cannot be reasonably limited
Data protection by design and by default
- By design: implement appropriate and proportionate technical and organisational measures and procedures in order to meet the legal requirements and ensure the protection of the rights of the data subject
- By default: ensure that, by default, only necessary personal data are processed, in terms of amount of data and time of storage

Notification of personal data breaches
- Notify the Data Protection Authority
- When a personal data breach is likely to adversely affect the protection of personal data, the privacy or the legitimate interests of data subjects, they should be notified without undue delay

Certification

International data transfers
- Adequacy decision for countries
- Adequacy decision for specific sectors
- Appropriate safeguards: binding corporate rules, standard data protection clauses (EC), standard data protection clauses (DPA), contractual clauses (authorised)
Thank you for your attention!
Dr. Eleni Kosta, e.kosta@tilburguniversity.edu
Assistant Professor of Technology Regulation
Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University