Data Protection: Now and the future
Gary Davis, Deputy Data Protection Commissioner
Digital Depot, 15 November 2012

Presentation Outline
• Looking to the Now
• Apps Analysis
• Future Drivers of Regulation
• Conclusion

Looking to the now
• Personal data/information is the oil that fuels the engine of the internet/technology economy.
• Technology and the internet are fantastic enablers for individuals. Twitter/Facebook have assisted revolution; Google and others have changed the way we live and work.
• Like it or not, data protection regulators are the only regulators in this space.
• Free/improved services = your information.
• Everybody using the internet and technology knows the deal, so what is the problem?

Looking to the now (Ctd)
• Well, they don’t fully understand the deal, and how could they? Cookies, for instance.
• No suggestion that technology and internet companies are deliberately acting improperly.
• Law enforcement and Governments are increasingly accessing, or seeking to access, the information collected.
• Clear imbalance between what the average individual understands while online and using technology and what actually happens.

“Cookies” Law (SI 336/2011)
• Necessary “session” cookies are normally OK. Full information as to such use should still be available to the website user.
• Other cookies – “third party” or “tracking” cookies – require consent.
• Current browser settings do not meet the “consent” requirement – IE10?
• Adopted a “wait and see” approach in the short term to see if industry (browser providers, ad networks etc.) could come up with workable solutions.
• Now, some 15 months later, we will move to enforcement. Will commence by contacting approx. 50 of the largest websites.

Topical Issue – Apps Analysis
• EU a little behind the curve for once in probing their use of data.
• An Opinion from the Article 29 Working Party (over-arching body of EU Data Protection Commissioners) on Mobile Apps is due in the coming weeks.

Topical Issue – Apps Analysis (Ctd)
While not finalised yet, the Opinion in essence will point to the responsibilities of App Developers/Owners to:
• Provide basic info via the App Store/Shop etc. as to the data that will be accessed by installation of the App, so that a user can make an informed choice
• Include a privacy policy from the Store/Shop so that a user can read it if desired and decide whether the proposed use of data is appropriate
• Fully justify why access is sought to each category of data

Topical Issue – Apps Analysis (Ctd)
• Not seek data on a “just in case” or “might be useful” basis
• Have in place appropriate contracts if the data is stored with a third party or cloud provider
• Ensure that data transfer requirements are met if the data is transferred outside the EU by you
• Ensure that the data is secure within the App and as it moves to/from the App
• Remove all user data if the user uninstalls the App

The challenge
• Current imbalance between the capacity of the entities involved and the regulators
• The current laws and penalties are too weak
• Questions of jurisdiction remain
• New EU Data Protection Regulation intended to address the imbalance
• Questions remain about law enforcement access. Too pervasive, and it will discourage internet and technology use

EU DP Law Changes: Timetable
• 2009/2010 – Public and sectoral consultation
• November 2010 – “Communication” from EU Commission
• 25 January 2012 – Draft laws published
• 2012/14? – Negotiation in Council and Parliament
• 2015-16? – Implementation

Future EU Law: Structure
• Directly-applicable Regulation
• Separate Directive for Law Enforcement area
• Separate Decision for Foreign Affairs (CFSP) area – not yet presented

General Principles (1)
• Protecting the fundamental right to data protection and the free movement of personal data
  – Particular focus on children
• Applies to organisations processing personal data either established in the EU or offering goods and services to, or monitoring the behaviour of, EU residents
• Does not apply to a natural person without any gainful interest in the course of their own exclusively personal or household activity

General Principles (2)
• Data Minimisation – “limited to the minimum necessary”
• Transparency – more prescriptive information requirements
• Strengthened Right of Access
  – More information
  – No charge (except where “manifestly excessive”)
  – Normally within one month

General Principles (3)
• Accountability of Data Controller (Joint Controller) – “ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”
  – Documentation
  – Data Protection Officer

General Principles (4)
• Privacy by Design
  – Privacy Impact Assessment
  – “Seal” systems
• Data Portability
• “Right to be Forgotten”
  – Requirement for a retention policy
  – On request, delete unless this clashes with other rights (freedom of expression etc.)
• Strengthened Data Security
  – Data Breach Notification

Lawfulness of Processing
• Stricter definition of “consent”
  – Burden of proof on data controller
  – Can’t be “buried” in another document
  – Not valid where there is a “significant imbalance”
  – Parental consent for a child under 13
• “Legal Obligation”, “Public Interest” and “Exercise of Official Authority” grounds must be laid down in law which meets a proportionality test
• “Legitimate Interests” of data controller does not apply to a public organisation

Direct Marketing
• Strengthened Right to Refuse – “right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information”

International Transfers: Principle (1)
• Where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred

International Transfers (2)
• “Adequacy” decisions by Commission
• Standard Clauses
  – Adopted by Commission, or prescribed by DPA and “declared generally valid” by Commission
  – Approved by DPA (subject to Consistency Mechanism)
• Binding Corporate Rules

International Transfers (3)
• Informed consent, contractual requirement etc.
• “Legitimate Interests” of data controller or processor, and “not frequent, massive or structural”, and must inform DPA

Data Protection Officer (1)
• Must be appointed by Controller or Processor if:
  – Public body, OR
  – 250+ employees, OR
  – Core activities involve “regular and systematic monitoring of data subjects”
• Joint appointment possible
• Publicly named

Data Protection Officer (2)
• “expert knowledge of data protection law”
• “ability to fulfil the (designated) tasks”
• Any other professional duties must be “compatible” and “do not result in a conflict of interests”

Data Protection Officer (3)
• Must perform tasks independently
  – Minimum 2-year appointment
  – Protection against dismissal
  – Necessary resources
  – “involved in all issues which relate to the protection of personal data”
• Direct report to management

Data Protection Officer (4)
• Advise on data protection policy and monitor practice
  – Assignment of internal responsibilities; training; Privacy Impact Assessments; Privacy by Design; information to data subjects; data security; documentation
• Main contact with supervisory authority
• Main contact with public

Data Protection Authorities (DPAs) (1)
• Independence
  – Appointment, financial resources, staff
• Strengthened powers
  – Conduct investigations on own initiative
  – Investigate complaints “to the extent appropriate”
  – Must be consulted on relevant legislation
• “One-stop-shop” for data controllers
  – Location of “main establishment”

DPAs (2)
• European cooperation – “Consistency Mechanism”
  – Joint enforcement, binding consultation etc.
  – Strengthened European Data Protection Board
  – Commission regulatory powers
• Sanctions

Sanctions
• DPA obligation to impose administrative sanctions where data protection law is breached “intentionally or negligently” – up to €1M or 2% of annual worldwide turnover, depending on the breach
• Separate penalties for infringements
• Individual right to a judicial remedy, including compensation for damage suffered

The Future and the Now – Ireland a Key Player
• We will be chairing the final discussions at Council level on the draft Regulation in the first six months of next year
• At present we are home to the lead EU operations of some of the largest technology players, so very likely to be lead regulator for at least some or all of: Google, Facebook, Apple, LinkedIn, Twitter, Intel
• Can we do the job?

13 August
• Evgeny Morozov (@evgenymorozov) 13/08/2012 01:25
  A new algorithm uses tracking data on people’s phones to predict where they’ll be in 24 hours. Average error: 20 meters slate.com/blogs/future_t…

14 August
• PrivacyDigest (@PrivacyDigest) 14/08/2012 07:34
  Psa: Watch Out: "We Know Your House" Uses Twitter to Find Out Where You Live and Then Posts It Online gizmodo.com/5934062/watch-… #Privacy

14 August
• Ryan Calo (@rcalo) 14/08/2012 19:53
  My colleague Anita @UWSchoolofLaw writes about driver tracking by insurance companies. #privacy verdict.justia.com/2012/08/14/pro…

19 August
• Abine, Inc. (@GetAbine) 19/08/2012 15:24
  In addition to a credit score, you now have an e-score that rates your desirability as a customer: ow.ly/d4zUv #privacy
• Harvard Biz Review (@HarvardBiz) 19/08/2012 22:12
  Customer Intelligence, Privacy, and the "Creepy Factor" s.hbr.org/RnVLNe