Data Protection:
Now and the future
Gary Davis
Deputy Data Protection Commissioner
Digital Depot, 15 November 2012
Presentation Outline
•
•
•
•
Looking to the Now
Apps Analysis
Future Drivers of Regulation
Conclusion
Looking to the now
• Personal data/information is the oil that fuels the
engine of the internet/technology economy.
• Technology and the internet are fantastic enablers for
individuals. Twitter/Facebook have assisted revolution,
Google and others have changed the way we live and
work
• Like it or not data protection regulators are the only
regulators in this space
• Free/improved services = your information
• Everybody using the internet and technology knows
the deal so what is the problem?
Looking to the now
• Well they don’t fully understand the deal and
how could they. Cookies for instance.
• No suggestion that technology and internet
companies are deliberately acting improperly
• Law enforcement and Governments
increasingly accessing or seeking to access the
information collected
• Clear imbalance between what the average
individual understands while online and using
technology and what actually happens
“Cookies” Law (SI 336/2011)
• Necessary “Session” Cookies normally OK.

Full information as to such use should still be available to the
website user.
• Other “Cookies” - “third party” or “tracking” cookies –
require consent
• Current browser settings do not meet “consent”
requirement – IE10?
• Adopted a “Wait and See” approach in the short-term
to see if Industry (browser providers, ad networks etc)
could come up with workable solutions
• Over now some 15 months later now will move to
enforcement. Will commence by contacting approx 50
of the largest websites.
Presentation Outline
•
•
•
•
Looking to the Now
Apps Analysis
Future Drivers of Regulation
Conclusion
Topical Issue - Apps Analysis
• EU a little behind the curve for once in probing
their use of data.
• An Opinion from the Article 29 Working Party
(over-arching Body of EU Data Protection
Commissioners) on Mobile Apps due in coming
weeks.
Topical Issue - Apps Analysis
While not finalised yet the Opinion in essence will point
to the responsibilities of App Developers/Owners to:
• Provide basic info via the App Store/Shop etc as to the
data that will be accessed by installation of the App so
that a user can make an informed choice
• Include a privacy policy from the Store/Shop so that a
user can read it if desired and decide whether the
proposed use of data is appropriate
• Fully justify why access is sought to each category of
data.
Topical Issue - Apps Analysis
(Ctd)
• Not seek data on a just in case or might be useful
basis
• Have in place appropriate contracts if storage of the
data with a third party or cloud provider
• Ensure that data transfer requirements are met if the
data is transferred outside the EU by you
• Ensure that the data is secure within the App and as it
moves to/from the App
• Remove all user data if the user uninstalls the App
Presentation Outline
•
•
•
•
Looking to the Now
Apps Analysis
Future Drivers of Regulation
Conclusion
The challenge
• Current imbalance between the capacity of the
entities involved and the regulators
• The current laws and penalties are too weak
• Questions of jurisdiction remain
• New EU Data Protection Regulation intended to
address the imbalance
• Questions remain about law enforcement
access. Too pervasive and will discourage
internet and technology use
EU DP Law Changes:
Timetable
• 2009/2010 Public and Sectoral
Consultation
• “Communication” from EU Commission
November 2010
• Draft Laws published 25 January 2012
• Negotiation in Council and Parliament –
2012/14?
• Implementation – by 2015-16?
Future EU Law: Structure
• Directly-applicable Regulation
• Separate Directive for Law Enforcement
Area
• Separate Decision for Foreign Affairs
(CFSP) Area
 Not
yet presented
General Principles (1)
• Protecting Fundamental Right to Data
Protection and Free Movement of Personal Data

Particular focus on children
• Applies to Organisations processing personal data
either established in the EU or offering goods
and services to, or monitoring the behaviour
of, EU residents
• Does not apply to natural person without any
gainful interest in the course of their own
exclusively personal or household activity
General Principles (2)
• Data Minimisation
 “limited
to the minimum necessary”
• Transparency
 More
prescriptive information
requirements
• Strengthened Right of Access
 More
Information
 No Charge (except “manifestly excessive”)
 Normally within one month
General Principles (3)
• Accountability of Data Controller (Joint
Controller)



“ensure and demonstrate for each processing
operation the compliance with the provisions of this
Regulation”
Documentation
Data Protection Officer
General Principles (4)
• Privacy by Design


Privacy Impact Assessment
“Seal” systems
• Data Portability
• “Right to be Forgotten”


Requirement for retention policy
On request, delete unless clash with other
rights (freedom of expression etc)
• Strengthened Data Security

Data Breach Notification
Lawfulness of Processing
• Stricter definition of “consent”




Burden of proof on data controller
Can’t be “buried” in another document
Not valid where “significant imbalance”
Parental consent for child under 13
• “Legal Obligation” , “Public Interest” and
“Exercise of Official Authority” grounds
must be laid down in law which meets
proportionality test
• “Legitimate Interests” of data controller
does not apply to a public organisation
Direct Marketing
• Strengthened Right to Refuse
 “right
shall be explicitly offered to the data
subject in an intelligible manner and shall be
clearly distinguishable from other
information”
International Transfers:
Principle (1)
• Where the Commission has taken no decision
on the adequate level of data protection a third
country, the controller or processor should
make use of solutions that provide data
subjects with a guarantee that they will
continue to benefit from the fundamental
rights and safeguards as regards
processing of their data in the Union once
this data has been transferred
International Transfers (2)
• “Adequacy” Decisions by Commission
• Standard Clauses
 Adopted
by Commission or Prescribed by
DPA and “declared generally valid” by
Commission
 Approved by DPA (subject to
Consistency Mechanism)
• Binding Corporate Rules
International Transfers (3)
• Informed Consent, Contractual
Requirement etc
• “Legitimate Interests” of data
controller or processor and “not
frequent, massive or structural” and
must inform DPA
Data Protection Officer (1)
• Must be appointed by Controller or
Processor if:
 Public
body OR
 250+ employees OR
 Core activities involve “regular and
systematic monitoring of data subjects”
• Joint appointment possible
• Publicly named
Data Protection Officer (2)
• “expert knowledge of data protection
law”
• “ability to fulfil the (designated) tasks”
• Any other professional duties
“compatible” and “do not result in a
conflict of interests”
Data Protection Officer (3)
• Must perform tasks independently
 Minimum
2-year appointment
• Protection against dismissal
 Necessary
Resources
 “involved in all issues which relate to the
protection of personal data”
• Direct report to Management
Data Protection Officer (4)
• Advise on data protection policy and
monitor practice
 Assignment
of internal responsibilities;
Training; Privacy Impact Assessments;
Privacy by Design; Information to data
subjects; Data Security; Documentation
• Main contact with supervisory authority
• Main contact with public
Data Protection Authorities
(DPAs) (1)
• Independence

Appointment, financial resources, staff
• Strengthened Powers



Conduct investigations on own initiative
Investigate complaints “to the extent
appropriate”
Must be consulted on relevant legislation
• “One-stop-Shop” for data controllers

Location of “main establishment”
DPAs (2)
• European Cooperation
 “Consistency
Mechanism”
• Joint Enforcement, Binding Consultation
etc
 Strengthened
European Data Protection
Board
 Commission regulatory powers
• Sanctions
Sanctions
• DPA Obligation to impose
Administrative Sanctions where data
protection law breached “intentionally
or negligently”
 up
to €1M or 2% of annual worldwide
turnover, depending on breach
• Separate Penalties for infringements
• Individual right to a Judicial Remedy
 Including
compensation for damage suffered
Presentation Outline
•
•
•
•
Looking to the Now
Apps Analysis
Future Drivers of Regulation
Conclusion
The Future and the Now –
Ireland a Key Player
• We will be chairing the final discussions at
Council level on the draft Regulation in the first
six months of next year
• At present we are home to the lead EU
operations of some of the largest technology
players so very likely to be lead regulator for at
least some or all of: Google, Facebook, Apple,
Linkedin, Twitter, Intel
• Can we do the job?
13 August
• Evgeny Morozov (@evgenymorozov)
13/08/2012 01:25
A new algorithm uses tracking data on
people’s phones to predict where they’ll
be in 24 hours. Average error: 20 meters
slate.com/blogs/future_t…
14 August
• PrivacyDigest (@PrivacyDigest)
14/08/2012 07:34
Psa: Watch Out: "We Know Your House"
Uses Twitter to Find Out Where You Live
and Then Posts It Online
gizmodo.com/5934062/watch-… #Privacy
14 August
• Ryan Calo (@rcalo)
14/08/2012 19:53
My colleague Anita @UWSchoolofLaw
writes about driver tracking by insurance
companies. #privacy
verdict.justia.com/2012/08/14/pro…
19 August
• Abine, Inc. (@GetAbine)
19/08/2012 15:24
In addition to a credit score, you now have an
e-score that rates your desirability as a
customer: ow.ly/d4zUv #privacy
• Harvard Biz Review (@HarvardBiz)
19/08/2012 22:12
Customer Intelligence, Privacy, and the
"Creepy Factor" s.hbr.org/RnVLNe