Accountability, Risk Assessment and Binding Corporate Codes.



Similar documents
Template for Automatic Number Plate Recognition (ANPR) Infrastructure Development Privacy Impact Assessment

Response of the Northern Ireland Human Rights Commission on the Health and Social Care (Control of Data Processing) NIA Bill 52/11-16

Data Protection Act. Conducting privacy impact assessments code of practice

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation

Privacy and Electronic Communications Regulations

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Supplementary Policy on Data Breach Notification Legislation

RESPONSE TO THE INFORMATION COMMISSIONER S OFFICE BIG DATA AND DATA PROTECTION PAPER 1. BACKGROUND

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /06 DATAPROTECT 45 EDPS 3

Privacy & Data Security: The Future of the US-EU Safe Harbor

16525/1/12 REV 1 GS/np 1 DG D 2B

The potential legal consequences of a personal data breach

The Role and Function of a Data Protection Officer in the European Commission s Proposed General Data Protection Regulation. Initial Discussion Paper

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

A Risk-based Approach to Privacy: Improving Effectiveness in Practice

Privacy Engineering Objectives and Risk Model - Discussion Deck. Objective-Based Design for Improving Privacy in Information Systems

A guide for in-house lawyers

Principles and Guidelines on Confidentiality Aspects of Data Integration Undertaken for Statistical or Related Research Purposes

Risk Management Policy

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

GSK Public policy positions

13772/14 GS/np 1 DG D 2C

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

Delegations will find attached a set of Presidency drafting suggestions concerning Articles 1-3 of the above proposal, as well as the Recitals.

Working Lunch The Future of Responsible Big Data

ARTICLE 29 DATA PROTECTION WORKING PARTY

Draft GDPR and health-related scientific research: Where do we stand with the EU Council?

10227/13 GS/np 1 DG D 2B

Auditing data protection a guide to ICO data protection audits

Elaboration of the Declaration on Universal Norms on Bioethics : Third Outline of a Text

The guidance will be developed over time in the light of practical experience.

Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

RESTREINT UE/EU RESTRICTED

Data and Cyber Laws Up-date 9 July 2015

ARTICLE 29 DATA PROTECTION WORKING PARTY

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

Consultation Paper on the draft proposal for Guidelines on methods for determining the market share for reporting

Data and Information Sharing Protocol and Agreement for Agencies Working with Children and Young People

White paper. The Essential Guide to the EU Data Law Changes. your technology, expertly marketed

Online Research and Investigation

Data protection issues on an EU outsourcing

Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence

wwwww The Code of Ethics for Social Work Statement of Principles

The EBF would like to take the opportunity to note few general remarks on key issues as follows:

7 August I. Introduction

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

slaughter and may The new EU Data Protection Regulation revolution or evolution?

Aberdeen City Council

Information Governance Policy

Data Protection Good Practice Note

VIDEO SURVEILLANCE GUIDELINES

Decision Notice. Decision 119/2015: Mr Tommy Kane and the Scottish Ministers. Use of private contractors in the NHS

Appendix 11 - Swiss Data Protection Act

United Nations Educational, Scientific and Cultural Organisation Organisation des Nations Unies pour l éducation, la science et la culture

Corporate Policy. Data Protection for Data of Customers & Partners.

Proposed Public Records Legislation Consultation

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

incommmsec Whitepaper: Increasing role of employee monitoring within public and private sector organisations.

Guidelines on Data Protection. Draft. Version 3.1. Published by

Dublin City University

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

The EU Democratic Governance Pact

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

The Manitoba Child Care Association PRIVACY POLICY

TABLE OF CONTENTS. Maintaining the Quality and Integrity of Information. Notification of an Information Security Incident

work Privacy Your Your right to Rights Know

OUTCOME OF PROCEEDI GS from: Working Party on Information Exchange and Data Protection (DAPIX) on: February 2012 Subject: Summary of discussions

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Data Protection for the Guidance Counsellor. Issues To Plan For

Comment of the Centre for Information Policy Leadership on Big Data: A Tool for Inclusion or Exclusion? Workshop, Project No.

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

Data Protection Policy

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

EU Data Protection Reforms Challenges for Business

How To Regulate Data Processing In European Union

EUROPEAN PARLIAMENT Committee on Industry, Research and Energy. of the Committee on Industry, Research and Energy

UNIVERSITY OF ST ANDREWS. POLICY November 2005

Cloud Software Services for Schools

Quality and Engagement Sub Committee

How To Ensure Health Information Is Protected

technical factsheet 176

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

DATA PROTECTION AND DATA STORAGE POLICY

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 3 February /12 LIMITE JAI 53 USA 2 DATAPROTECT 13 RELEX 76

Proposal of regulation Com /4 Directive 95/46/EC Conclusion

Information Governance Policy

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

TRADING POLICY AND GUIDELINES

b. Other serious crimes, including organized crime, that are transnational in nature; and

Code of Practice. Overall. A1.2 Segregation, identification and safeguarding of trust assets is paramount.

ARTICLE 29 DATA PROTECTION WORKING PARTY

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation

Statement. on the. Kenya Communications (Broadcasting) Regulations, February 2010

Information Governance Strategy :

Transcription:

~~~"Centre For :::.::(\\ Inf9rmation FO~l~ "'~. ::::~~.Lea ership -"" Hunton&WilliamsLLP Accountability, Risk Assessment and Binding Corporate Codes. DRAFT: March 2013 ei The challenge Any privacy I data protection law should be effective in terms of ensuring strong protection, but without imposing disproportionate administrative burdens or threatening innovation. The draft EU Regulation of January 2012 has been criticised on a number of grounds. Some of these are inter-related and are addressed in this proposal. They include: too prescriptive (especially much of Articles 22-37), not contextualised and with too much of a "One size fits all" approach; insufficient focus on "tick-box" compliance, at the expense of improving information governance in practice; mis-application of the Accountability principle, using it to justify new and inflexible burdens; not sufficiently outcome-focused; arbitrary and inappropriate exemptions (largely based on corporate size); too burdensome on DPAs, and impedes prioritisation on the willful, the cavalier and the non-accountable (Le. not "Selective to be Effective"); mis-alignment between rules for international transfers and "domestic" rules; insufficiently risk-based. Some of these concerns have been recognised. In a December 2012 speech, Viviane Reding said: "I am willing to consider following a more risk-based approach... Such an approach doesn't just mean "Let data controllers choose what they will do"... Instead, we want to build an approach that adequately and correctly takes into

account risk. The approach also has to be simple... We want to make sure that obligations are not imposed except where they are necessary to protect personal data." In the same month, the Presidency Note to the Council of Ministers recorded that "Many delegations stated that the risk inherent in data processing operations should be the main criterion for calibrating the applicability of data processing obligations... There appears to be a general consensus that {we] should aim at introducing a strengthened risk-based approach into the draft Regulation The risks will need to be balanced against entrepreneurial freedom and the tasks of the public sector... Obligations [should therefore be] calibrated to the nature of the processing and of the data...and in relation to their impact on individuals' rights and freedoms." Concrete proposals to fulfill such new thinking have so far been missing. This proposal therefore outlines a new approach, with suggested legislative text. Its key features include: elaboration of a risk-based approach based on specific threats to data subjects; an Accountability principle based upon a wide consensus of how this should function in practice; the principle (as in the draft Regulation) that all Data Controllers should held accountable for a basic level of compliance...... but calibrated with more rigorous requirements where there is a significant risk of serious harm; a comprehensive privacy programme known as a Binding Corporate Code for such cases. Risk The draft Regulation already goes some way to incorporate a risk-based approach. There are references to the "risks to the rights and freedoms of data subjects" and Article 33 identifies types of processing operation which "in particular present specific risks... " In those cases a mandatory Impact Assessment is required and there has to be prior consultation with the DPA where there is likely to be a high degree of risk. But, there are two main problems here: Although important, the language of "risks to the rights and freedoms of data subjects" is insufficiently precise. It does not elaborate which outcomes the

law is seeking to secure or avoid. Nor will businesses easily know what, if anything, they should be doing or avoiding. The listing of "risky" types of processing is indicative, but does not sufficiently capture what actually are the risks to data subjects, nor allow for differing degrees of seriousness. Accountability How should Accountability be captured in legislative text? A broad statement of the principle, backed up by Guidance from the Commissioner, could be adopted. This is the approach adopted in Canada, although the widelypraised Guidance has only recently been published. The explicit Accountability Principle reads simply: "An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles." (see Annex 2 for full text of section 14 of PIPEDA) Article 22(1) of the draft Regulation is (by itself) also a simple, sound and flexible articulation of the Accountability Principle: lithe controller shall adopt policies and implement appropriate measures to ensure, and be able to demonstrate, that the processing of personal data is performed in compliance with this Regulation. " However, many of the obligations which then follow in Part IV are excessively prescriptive and burdensome and do not need to be imposed in all cases, especially where the risks are not serious. In particular, much of the following Articles, as drafted, could be withdrawn as mandatory provisions and replaced by less much prescriptive wording and by the new requirements proposed below. Article 23 Article 28 Article 30 Article 33 Article 34 Articles 35-37 Data Protection by Design Documentation Security Data protecting Impact Assessment Prior Authorisation and Consultation Data Protection Officer Outline of new requirements It is very doubtful that the Canadian approach of very simple legislative text, backed up by non-statutory Guidance would ever be acceptable for the draft Regulation.

It is proposed, therefore, to develop text on the following lines: All Controllers should be ready to demonstrate their policies and measures upon reasonable demand from a DPA; Where the processing involves a risky type of processing, an Impact Assessment should be carried out; A Binding Corporate Code, which meets certain standards, should be adopted as the principal instrument of Accountability where: 1. the Impact Assessment indicates a high risk that non-compliant processing could present serious harm to data subjects; or 2. the Controller otherwise knows, or should know, that there is a high risk non-compliant processing could present serious harm to data subjects. Risky types of processing The risky types of processing, requiring an Impact Assessment, are broadly those set out in Article 33 (2) as follows: (a) (b) (c) (d) Automated profiling Information on sex life, health, racial I ethnic oriqin etc Public surveillance Large systems on children genetic data or biometric data Impact Assessments The Impact Assessment should be internal and not have to be shared routinely with the DPA or approved. Otherwise, Assessments are unlikely to be frank, full or helpful. But they should be subject to disclosure, after due process, in appropriate cases of enforcement action and sanctions would be greater where there has been no Impact Assessment or it is inadequate. High risk of serious harm The risk test should be elaborated in terms of the likelihood of serious harm which could be presented. Harm could be Material (tangible) or Moral (nontangible), could involve Denial of rights or could be Societal. The following formulation is proposed as the test: u where the processing operations present a high risk of serious harm to the rights and freedoms of data subjects by virtue of their nature, their

scope or their purposes. Such harm shall include in particular outcomes or events which would foreseeably cause damage or distress: 1. to the life and physical well-being of data subjects; 2. to the liberty or freedom of movement of data subjects; 3. to the livelihoods of data subjects; 4. to the financial interests of data subjects; 5. to the family life and social relationships of data subjects; 6. to the reputations of data subjects, 7. to the personal autonomy or freedom of data subjects as a result of unjustifiable intrusion, breach of confidentiality, discrimination or other interference. Such harm shall also include: 1. denying the rights of data subjects created by this Regulation; 2. harm to the democratic values of a free society. Binding Corporate Codes (BCCs) It is proposed that Binding Corporate Codes should be required where the risk of serious harm is high. BCCs are broadly similar in concept, status and content to Binding Corporate Rules which have been developed for international transfers. A Code must be legally binding, must be adequately certified and must be adequately publicised. As a comprehensive privacy programme (tailored and contextualized for the actual processing undertaken by the data controller) it will operate as a flexible instrument of Accountability. But each Code will have to incorporate the core policies and measures as stipulated in the Regulation. Without undue difficulty (though not attempted here) the Regulation could be amended so that a Binding Corporate Code could also operate as the Data Controller's Binding Corporate Rules for international transfers. Proposed legislative text Annex 1 sets out proposed legislative Text for incorporation (with corresponding deletions) into the draft Regulation which seeks to capture the above approach. CIPl 23 March 2013

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information