Set up of the European Privacy Seal EuroPriSe
Christian Prietz
Multi-beneficiary Workshop on data protection auditing with special regard to data protection seals, 13-14 February 2014, Skopje, Macedonia

Agenda

Part I
- Privacy Certifications: Legal Basis and Scope
- (Privacy) Seals in Germany (an overview)
- Development of the European Privacy Seal "EuroPriSe"
  - Motivation
  - Objectives
  - Deployment

Part II
- Certification Process
- Implementation Procedures and EuroPriSe Scope
- EU Regulations as a Basis for Criteria Development
- Other Sources
  - Jurisdiction
  - Article 29 WP
  - National Laws

Part II (continued)
- EuroPriSe Criteria
  - Set 1: Overview on Fundamental Issues
  - Set 2: Legitimacy of Data Processing
  - Set 3: Technical and Organisational Measures
  - Set 4: Data Subjects' Rights
- Application of Certification Criteria

Part I

Today's Situation
DP challenges:
- Lack of trust in IT
- Non-compliance
- Frequent privacy breaches
- Lack of "Privacy by Design" & PETs
- Demand for assurance of good privacy

Solution Approach
- Design and implementation of trustworthy mechanisms when handling personal data
- Demonstrating compliance
- Support of "Privacy by Design" & PETs
- Expressed by a trustmark

Privacy Certifications
- Many organisations (public or private entities)
- A wide range of certifications in the area of data protection and privacy for IT products, IT services, compliance certifications of data processors, data protection officers, web pages, etc.

Privacy Certifications: Legal basis for public entities
- § 9a BDSG (Federal Data Protection Act)
- § 4 (2) LDSG (State Data Protection Act) of Schleswig-Holstein, North Rhine-Westphalia
- § 7b State Data Protection Act of Bremen
- § 11b (2) State Data Protection Act of Brandenburg
- § 5 (2) State Data Protection Act of Mecklenburg-Pomerania

Privacy Seals today (overview)
Seals offered by a public body:
- ULD (Office of the Data Protection and Freedom of Information Commissioner of Schleswig-Holstein)
  - "Gütesiegel Schleswig-Holstein" (IT products and IT services)
  - "EuroPriSe" (2009-2013) (IT products and IT-based services)
  - ULD Audit (for public bodies)
- Data protection authority of Bremen: Audit (for public bodies)

(Privacy) Seals today II
Seals offered by a private body:
- EuroPriSe GmbH (since 01.01.2014)
- Datenschutz Cert (IT security, privacy, web pages etc.)
- DEKRA (IT security and privacy)
- TÜV IT (IT security and privacy)
- Different TÜV holdings (e.g. TÜV Süd, Rheinland, Nord)
- SCHUFA Holding (certifications of data processors)
- Privacy Stiftung (web pages)
- KPMG (privacy and compliance management)

Seal Overload
A variety of schemes, providers, certification bodies and scopes => reliability and comparability are important.

Seal Overload II
Lack of transparency of the certification criteria, the certification process and the certification results leads to
- difficult or impossible comparability,
- limited significance and
- low confidence.

Question
Why was EuroPriSe established, and what was and is the difference?

Development of the European Privacy Seal "EuroPriSe"

Objectives
Foster privacy:
- Promote privacy best practices
- Mark privacy-sensible choices for consumers
- Provide an incentive for companies to invest in PETs and better privacy

Objectives
- Compliance
- Guidance
- Trust
- Marketing advantage
- Transparent procedures
- Independent certifier
- Adequate criteria

EuroPriSe Project
- Project funding: 1.3 million by the EU
- July 2007 - February 2009
- 18 pilot projects
- 6 certifications successfully completed
- Over 65 experts accredited
- Consortium: 9 partners from 8 EU countries (including Borking Consultancy)

Deployment I
- Permanent since 03/2009
- New logo since 08/2009

Deployment II
- Initiative led by ULD
- 24 + 7 successful certifications from Europe, North & South America
- 152 experts from 19 countries
- Cooperation with and training of European DPAs

Deployment III
- EuroPriSe GmbH starting 1.1.2014
- Based in Bonn, Germany
- Further offices for easy communication, e.g. Berlin and New York
- Independent Advisory Board planned
- Enhanced expert support by newsletter, commentary, workshops & marketing

Part II

Certification Process
- Manufacturers or service providers commission admitted EuroPriSe Experts of their choice for an IT product or IT-based service.
- Admitted experts evaluate the product or service:
  - Determination of Target of Evaluation (ToE)
  - Determination of applicable certification criteria from the EuroPriSe Criteria Catalogue
  - Composition of evaluation report and short public report
- Accredited certification authority checks the evaluation:
  - Plausibility check of report
  - Check of documentation (e.g., security policy)
  - Queries and/or change requests back to evaluators or manufacturer / service provider (if necessary)
  - Check of short public report
- Award of European Privacy Seal:
  - Valid for two years
  - Regular monitoring (if IT-based service)
  - Recertification

Pre-Evaluation
- Admitted experts (legal, technical) find a manufacturer, or the manufacturer chooses experts from the public list on the website
- Discuss ToE in a workshop or first meeting with the CB
- Experts and manufacturer negotiate and agree on the evaluation
- Description of ToE in the application
- Agreement on certification

Evaluation
Is the product suitable for use in a privacy-compliant way, including setting, configuration and documentation?
- Experts conduct evaluation
- Interaction of law and technology
- Target of Evaluation
- EuroPriSe Criteria Sets: Fundamentals; Legitimacy of Data Processing; Technical-Organisational Measures; Data Subjects' Rights

Evaluation Steps
Experts conduct evaluation:
- Step 1: Define the Target of Evaluation (ToE)
  - IT product or IT-based service
  - Parts thereof
  - Multiple products/services
- Step 2: Select the applicable criteria
- Step 3: Evaluation with respect to selected criteria
  - Decide and explain whether and why criteria requirements are met
- Step 4: Write comprehensive report
  - Content: Steps 1-3 plus final evaluation result
  - Consult with certification body from the beginning

During Evaluation
- Discuss problems and obstacles
- Submit evaluation report and mandatory documents
- Feedback / validation by CB
- Corrections and additions if necessary
- Submission of final report

After Evaluation
- Validation by CB: completeness, consistency, compliance
- Certification and award of European Privacy Seal
- Monitoring for IT-based services

Certification Process II
EuroPriSe certification is a two-step procedure with
- independent, accredited and competent experts,
- an impartial certification body,
- transparent criteria,
- a transparent certification process and
- transparent certification results.

Implementation Procedures
Relevance of Certification Criteria: Consistent and transparent criteria are one crucial factor for guaranteeing high quality of a certification scheme.
Starting Point for Development of Criteria: The starting point for the design of the EuroPriSe criteria was the ULD Catalogue developed for the regional "Gütesiegel".

EuroPriSe Scope
Relevant legal sources for the development of certification criteria are determined by the EuroPriSe Scope:
"The European Privacy Seal certifies that an IT product or IT-based service facilitates the use of that product or service in a way compliant with European regulations on privacy and data protection, taking into account the legislation in the EU Member States."
Primary legal source: EU data protection regulatory framework

EU Regulations
Data Protection = Fundamental Right: Article 8 of the Charter of Fundamental Rights (ECFR)
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

EU Regulatory Framework
- Main statutory rule: Data Protection Directive 95/46/EC (=> criteria)
- Sector-specific statutory rules:
  - Directive 2002/58/EC (ePrivacy Directive) (=> criteria)
  - Directive 2006/24/EC (Data Retention Directive)
- Further statutory rules:
  - Regulation 45/2001 (Union institutions and bodies)
  - Council Framework Decision 2008/977/JHA (Police and judicial cooperation in criminal matters)

EU Regulations: Need for Concretisation
Some provisions of the Directive(s) only provide for abstract guidelines, thus leaving some leeway for their implementation in national law, e.g., Article 17 of Directive 95/46/EC. These provisions are not suitable to derive concrete certification criteria from.
=> Further sources needed

Jurisdiction
- Judgements of the European Court of Justice (ECJ), e.g., judgement of 06 November 2003 (Bodil Lindqvist)
- Judgements of the General Court (EGC)
- So far only relatively few relevant judgements (cf. EuroPriSe Commentary (Nov. 2013), page 31 ff.)
=> Further sources needed to concretise abstract provisions of Directive 95/46/EC

Article 29 WP
Documents adopted by the Art. 29 Working Party
- Independent advisory council of the European Union with regard to data protection issues
- The Art. 29 WP has adopted more than 200 documents since 1997 (cf. EuroPriSe Commentary (Nov. 2013), page 33 ff.)
- In particular, documents on general issues may serve to derive certification criteria from (e.g., WP 136 on personal data, WP 169 on controller/processor, WP 187 on consent, and WP 203 on purpose limitation)
- However, still further sources for concretisation are needed

National Laws
- When developing criteria, national laws are taken into account if a provision of the Data Protection Directive only provides for abstract guidelines (e.g., Art. 17) and neither the jurisdiction of the European Courts nor documents adopted by the Art. 29 WP provide guidance on concretisation
- EuroPriSe does not certify compliance with national data protection laws of EU Member States

Criteria Set 1: Overview on Fundamental Issues
- Fundamental Aspects of Processing: this subset serves to provide an overall picture of the product or service (processing operations, purposes, processed data, controller etc.)
- Fundamental Technical Construction
- Data Avoidance and Minimisation
- Transparency: Documentation of the product or service

Criteria Set 1: Overview on Fundamental Issues (continued)
Fundamental Technical Construction, Requirement 1.2.2.2, Special Case: Privacy Statement
If the manufacturer of an IT product or the provider of an IT-based service runs a website and markets the product or service via the website, EuroPriSe Experts are expected to check whether a Privacy Statement meeting the preconditions of criterion 1.2.2.2 is in place and whether the (potential) use of cookies and logging of IP addresses is in line with the requirements of European data protection law.
Further issues: tracking tools, collection of data via web forms

Criteria Set 2: Legitimacy of Data Processing
Legal Basis for the Processing of Personal Data
- Personal data
- Special categories of personal data ("sensitive data")
- Cookies and traffic / location data (ePrivacy Directive)
Special Requirements for Different Processing Phases
- Data collection (information duties)
- Internal data disclosure ("need-to-know")
- Disclosure of data to third parties
- Erasure of data after cessation of requirement

Criteria Set 2 (continued)
Compliance with Data Protection Principles
- Purpose specification and limitation
- Proportionality
- Quality of data
Special Types of Processing Operations
- Processing of data by a processor
- Transfer to third countries
- Automated individual decisions
Formalities
- Notification and prior checking

Criteria Set 3: Technical-Organisational Measures
Protection goals: confidentiality, integrity and availability as well as transparency, intervenability, and unlinkability
- CIA: the focus shall be on data subjects rather than on the interests of the organisation processing personal data
- Intervenability: operationalisation of data subject rights vis-à-vis the controller; ability of organisations to have steering control over systems & processing operations
- Unlinkability: measures which aim at guaranteeing that personal data may not be processed for other than the initial purpose

Criteria Set 3 (continued)
General duties, e.g.
- access control (physical and logical)
- logging mechanisms
- network and transport security
- backup mechanisms
- procedures to react to security incidents
Technology-specific and service-specific requirements, e.g., encryption, anonymisation and pseudonymisation

Criteria Set 3 (continued)
Appropriate measures (Article 17(1) of Directive 95/46/EC): consideration of
- state of the art
- costs of implementation
- risks of the processing
- nature of processed data

Criteria Set 4: Data Subjects' Rights
Rights under Directive 95/46/EC
- right to be informed
- right of access
- right of correction, erasure and blocking
- right of objection to processing
Rights under Directive 2002/58/EC
- right to be informed of personal data breaches
- right to be informed of security risks
- right to confidentiality of communications

EuroPriSe Certification
EuroPriSe certification is a two-step procedure with
- independent, accredited and competent experts,
- an impartial certification body,
- transparent and relevant criteria,
- a transparent certification process and
- transparent certification results.

Thank you!
Contact: cprietz@datenschutzzentrum.de, +49 431 988 1224