CEE CMS Data Protection webinar series - Part 2


This webinar aims to provide you with an overview of the various national personal data protection frameworks that exist in CEE, particularly in Bulgaria, Czech Republic, Hungary, Poland, Romania, Russia, Slovakia, and Ukraine. CMS have provided legal assistance in each of these jurisdictions for many years.


Transcript

  • 1. 2nd of April 2014 CMS CEE Data Protection Webinar series PART 2 Digital Legal Guardians
  • 2. 2nd of April 2014 Your presenters today Hungary Dóra Petrányi Hungary Márton Domokos Poland Marcin Lewoszewski Romania Marius Petroiu Russia Elena Baryshnikova Ukraine Nataliya Nakonechna Ukraine Olga Belyakova
  • 3. Countries covered: Bulgaria, Czech Republic, Hungary, Poland, Romania, Russia, Slovakia, Ukraine
  • 4. 2nd of April 2014 Agenda
    − Demystifying Big Data
    − Cookie Compliance
    − Rules on security breach
    − Workplace Privacy
    − The New EU Data Protection Regulation
    − Check List
  • 5. Introduction: Trends in privacy and the risk landscape
    − Cyber criminals hack smart fridge to send out spam; Internet of Things will impact law
    − ”Big Data” gets bigger; Big data, big legal trouble?
    − Complex & extensive cloud computing; Targeting the $100 Billion Cloud Market
    − Mobile content revolution; App Generation will lead to $77bn in revenues by 2017
    − Wearable technologies; How Google Glass Is Redefining Tech Etiquette
    − e-health; Oral B's smart toothbrush lets dentists spy on your brushing
  • 6. Introduction: Trends in privacy and the risk landscape
    − Microsoft Working On New Tracking Technology To Replace Cookies; More personal advertising
    − Finalisation of the EU Regulation; Reding: „Full Speed on EU Data Protection Reform 2014”
    − Strong push on compliance (whistleblowing); New Whistleblowing Law Generates New Data Privacy Issues in Hungary
    − Fines, recovery costs and reputation; Facebook-WhatsApp Risks Sparking Privacy Probes
    − Trans-Atlantic tensions; EU data protection reform could start 'trade war'
  • 7. Demystifying Big Data Source: IBM official website
  • 8. Demystifying Big Data (1) “The next big thing”
    − BIG = source, speed, volume - advanced algorithms
    − New sources (e.g., web data, tweets, social media, email, text messages, instant messages, chat)
    − Unanticipated insights and low storage cost
    − To revolutionize business, science, research and education
    Legal guidance on how to demonstrate legitimacy… Use cases: fraud prevention, network security, exploring consumer expectations, energy efficiency
  • 9. Demystifying Big Data (2) Data privacy issues
    − Accountability
    − Does it require consent?
    − Any error in the process?
    − Data security measures?
    − How to minimise the data collection?
    − Legitimate data processing purpose?
    − Prohibited decisions?
  • 10. Demystifying Big Data (3) „Regulatory changes may require recalibration” Big Data issues in our practice
    1. Personalized recommendations, targeted marketing and other services to identifiable users or mobile devices.
    2. What is “personal data”? e.g. anonymous data, health, location
    3. What shall the privacy notice contain?
    4. What about reminders?
    5. Get explicit opt-in or rely on implied consent?
    6. Opt-out options?
    7. Permitted combination of information?
    8. No personalized services but still collecting data to improve algorithms?
    Monitoring procedures in relation to Big Data projects
  • 11. Cookie Compliance
  • 12. Cookie Compliance (1)
    − Directive 2002/58/EC on Privacy and Electronic Communications
    − WD 02/2013 Providing Guidance on Obtaining Consent for Cookies
    − Opinion 04/2012 on Cookie Consent Exemption
    − Opinion 2/2010 on Online Behavioural Advertising
    „The use of e-communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information.” (Article 5(3))
  • 13. Cookie Compliance (2) Consent: Form, Information, Term, Exemptions?
  • 14. Cookie Compliance (3) Verification of internal practice
    − Types of cookies?
    − Purpose and technology?
    − Personal data processing? How long?
    − Further processing (e.g.: combination of data)?
    − Data transfer (third party cookies)?
    − Is it necessary to obtain prior, informed consent?
    − Data privacy notice?
    − Separate policy + link, format, positioning?
    − Third party agreements? (advertisement)
    − Data Protection Registry?
    − Handling users’ requests?
  • 15. Poland: Russia: Romania: Ukraine: Opt-in Non specific guidance DPA: brief privacy information on cookie placement is sufficient No specific regulation Companies place the cookie policies on their websites to protect their interests DPA: official position is not present Opt in: No specific guidance. DPA: brief privacy information on cookie placement is sufficient No specific regulation DPA: - user’s consent on processing of his personal data using ‘cookies’ - clear privacy statement with reference to detailed privacy policy Cookie Compliance (4) CEE Overview Hungary: Slovakia: Bulgaria: Czech Republic: Opt-in Non specific guidance DPA: brief privacy information on cookie placement is sufficient Opt-in (the setting of the internet browser allowing cookies is considered as previous consent) Brief privacy information on cookie placement is sufficient No specific regulation re cookies Failure to fully implement opt-in scheme Arguable if cookies are considered as personal data or not
  • 16. Rules on security breach
  • 17. Security Breach Notifications
    − Hungary: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
    − Czech Republic: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
    − Slovakia: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
    − Bulgaria: Sector? Providers of publicly available electronic communications services. Specific rules? Electronic Communications Act (notification to the Data Protection Authority within 3 days vs 24 hours in Regulation 611/2013/EU).
    − Poland: Sector? Telcos only. Specific rules? In line with Regulation 611/2013/EU.
    − Romania: Sector? Providers of Telco services. Specific rules? Law 506/2004 on processing personal data in the Telco field.
    − Ukraine: Sector? N/A. Specific rules? N/A.
    − Russia: Sector? N/A. Specific rules? Amendments to the Data Protection Law providing that data processors must inform the DPA of breaches are being prepared now.
  • 18. Workplace privacy
  • 19. Workplace privacy “Hot” data privacy topics (2)
    − Russia: Issue: is monitoring of private correspondence on corporate devices possible? Internal policies and notifications on the monitoring to be signed by employees.
    − Romania: Interviews / background checks: scope needs to be limited (reasonable & necessary). New DPA rules on CCTV. Criminal Code: correspondence secrecy.
    − Ukraine: No specific regulation. CCTV and access to corporate e-mail account require the employee’s consent.
    − Hungary: Labour Code permits monitoring and transfer to processors. Updated employee privacy notices. New rules on CCTV use. DPA fine re employee laptop access. New whistleblowing law.
  • 20. Workplace privacy “Hot” data privacy topics
    − Slovakia: Emails or phone calls: employees to be informed in advance of the extent of control methods, their implementation and duration. Discussion with the employees’ representative.
    − Bulgaria: Amendment to the Labour Code dated 2011 allows video surveillance for monitoring the work process and observing working time. Employees shall provide their explicit consent!
    − Czech Republic: New case law on monitoring: strengthening the position of employers re breach of work duties; stressing the duty of loyalty of employees. Monitoring must not be excessive.
    − Poland: No specific regulation. Good practice: information to employees about monitoring and its extent.
  • 21. Workplace privacy “Hot” data privacy topics: Bring Your Own Device (BYOD) (1)
    − Personal devices used for employment / professional purposes vs. company devices
    − Private and corporate data are accessed with one device
    − Employer expects control over the data and the device
    − Control = remote access + administration rights (mobile device management: security updates, lock access, data removal)
    − Best practice:
      • BYOD guidelines / update of existing policies (acceptable use, device management) + training
      • Separating corporate and private data + alternatives (virtual solutions)
      • ICO Guidance
    Revise / review BYOD policies and watch out for regulatory developments
  • 22. Workplace privacy “Hot” data privacy topics: Bring Your Own Device (BYOD) (2)
    − Hungary: Consent? No. Privacy notice? Yes. Works council involvement? Yes.
    − Czech Republic: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
    − Romania: Consent? No. Privacy notice? Internal rules regulate issues e.g. privacy, security. Works council involvement? Implemented in consultation with employees’ representatives.
    − Ukraine: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
    − Poland: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
    − Slovakia: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
    − Bulgaria: Consent? No. Privacy notice? Yes. Works council involvement? No.
    − Russia: Consent? N/A. Privacy notice? N/A. Works council involvement? Internal rules on privacy and security may cover such use.
  • 23. Workplace privacy “Hot” data privacy topics: Whistleblowing (1) – best practices
    − Data privacy information
    − No encouragement of anonymity
    − Data transfer to advisors
    − Data transfer outside the EEA
    − Protection of whistleblowers’ identity
    − Accounting and auditing + related matters
    − Limited data collection and retention (2 months)
    − Rights of the incriminated
    − Notification to / approval by the DPA?
    − Consequences of misuse
  • 24. Workplace privacy “Hot” data privacy topics: Whistleblowing (2) – local requirements
    − Hungary: Specific law on whistleblowing hotlines? Act CLXV of 2013 on Complaints and Public Interest Disclosure. Specific regulatory guidance on whistleblowing hotlines? NO. Notification to / approval by the DPA? YES.
    − Czech Republic: Specific law? Proposed only for the banking sector (pending parliament procedure). Specific regulatory guidance? NO. Notification to / approval by the DPA? In non-regulated sectors.
    − Romania: Specific law? Only in the public sector (whistleblowing in general). Specific regulatory guidance? NO. Notification to / approval by the DPA? YES.
    − Ukraine: Specific law? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? NO.
  • 25. Workplace privacy “Hot” data privacy topics: Whistleblowing (3) – local requirements
    − Poland: Specific law on whistleblowing hotlines? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? Yes (notification).
    − Slovakia: Specific law? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? YES.
    − Bulgaria: Specific law? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? NO.
    − Russia: Specific law? NO. Specific regulatory guidance? NO. Notification to / approval by the DPA? YES.
  • 26. Workplace privacy “Hot” data privacy topics: Whistleblowing (4) - new law in Hungary
    − Translation and publication of the internal rules
    − Registration with the DPA
    − Article 29 Working Party Opinion 1/2006
    − Sensitive data shall not be processed
    − Enhance permitted data transfers
    − Outside the EEA: data transfer agreement + ‘adequate protection’
    − Specific deadlines for the investigation and data retention
    − Mandatory notifications to whistleblowers and the reported
    − Mandatory notification to criminal authorities
    Verify the operation of whistleblowing and watch out for regulatory developments
  • 27. Workplace privacy “Hot” data privacy topics: Whistleblowing (5) - new law in Hungary: Act CLXV of 2013 on Complaints and Public Interest Disclosures
    − Translation and publication of the internal rules
    − Registration with the DPA
    − Sensitive data shall not be processed
    − Works’ council consultation
    − Mandatory notification to criminal authorities
    − Outside the EEA: data transfer agreement + ‘adequate protection’
    − Specific deadlines for the investigation and data retention
    − Enhances permitted data transfers
  • 28. The Draft EU Data Protection Regulation
  • 29. The draft EU Data Protection Regulation (1) Status and next steps March 2014 June 2013 October 2013 Trilogue negotiations November 2013 December 2013 January 2014 European Parliament's formal approval NSA mass surveillance activities: ”reforms vital to counter PRISM data access” (Reding) „breakthrough”: EU LIBE compromise package EC, Council and Euro MPs EC calls for Safe Harbor reforms Justice Ministers failed to agree on one-stop-shop: ”leading lawyers have public catfight” EDPS calls Germany to take the lead in negotiating New deadline: end of 2014
  • 30. The draft EU Data Protection Regulation (2)
    − 18 months of ”intense negotiations and fierce lobbying” - across sectors, B2B, B2C, 100 pages, 4,000 amendments
    − Specific rules are not clear: further interpretation, guidance, industry-specific measures (is it really a Regulation?)
    − Extra-territorial effect may cause trans-Atlantic tensions
    − Likely to revolutionize and reshape privacy
    − Direct effect
    − ”data protection” or ”data protectionism”?
  • 31. The draft EU Data Protection Regulation (3)
    − One-stop-shop: instead of a regulatory patchwork of 28 countries, will make the life of company groups easier. BUT: what is the ”main establishment”? Competence of local DPAs will also remain.
    − More consumer rights & DPA power: fine up to EUR 100 million (5% of yearly worldwide turnover)
    − Less administration: no more Data Protection Registry BUT consultation obligation
    − Explicit consent: not required for contracting, compliance, legitimate interests BUT: ”significant imbalance” test
  • 32. The draft EU Data Protection Regulation (4)
    − Profiling: only upon consent/contract; prohibited: only upon sensitive data - may affect Big Data
    − Data transfers outside the EU: more practical (e.g.: „Binding Corporate Rules”, „European Data Protection Seal”), BUT restricts ”frequent or massive” transfers + regulatory requests.
    − Data Protection Officer: mandatory for companies processing data of more than 5,000 individuals/year; independent, 2-4 years
    − Privacy Notices: more detailed than now + standardised format using icons
  • 33. The draft EU Data Protection Regulation (5)
  • 34. The draft EU Data Protection Regulation (6) Accountability / Data privacy impact assessment
    − Accountability: adopt policies, implement measures, keep extensive documentation, data security requirements, perform privacy impact assessments, comply with prior authorisation / consultation by DPA, designate a Data Protection Officer, bi-annual update of policies
    − Data privacy impact assessment: risk assessment, e.g. data amount, type, automation, industry (e-health!); ”to the entire lifecycle management of data”; bi-annual update
  • 35. The draft EU Data Protection Regulation (7)
    − Data Portability: data, copy, link, independently from the format
    − Right to erasure
    − Data breach notification in all industries – to regulator: immediately; to customers: only in serious cases
    − Privacy by Design / Default: documentation + database, Privacy by Design
  • 36. Checklist (1) (* - also to comply with DP Regulation)
    − ”Data discovery” – reviewing the scope of data collected.
    − Transparent / accessible policies and governance framework.*
    − Documentation of data flows and processes.*
    − Drafting / reviewing agreements, consents, NDAs and confidentiality provisions re data processing and data transfer.
    − Revise / review DPA notifications.
    − ”Traditional” outsourcing. Make sure you are compliant with ”traditional” issues and watch out for the new trends and new issues…
    − New models of outsourcing – the Cloud. Watch out for regulatory developments and the expectations in case of contracting.
  • 37. Checklist (2)
    − Big Data - watch out for regulatory developments and the expectations in case of contracting.
    − Ensure compliance in „usual” workplace privacy topics.
    − Revise / review BYOD and social media policies.
    − Verify whistleblowing hotlines, especially in Hungary.
    − Reviewing access rights procedures.
    − Data breach notifications: implementing internal rules.
    − Data portability: identify security issues re transmission / access.
  • 38. Any questions? Would like to know more? Contact us!
    − Dóra Petrányi - Hungary, CEE Data Protection Lead Partner, dora.petranyi@cms-cmck.com, +36 1 483 4820
    − Márton Domokos – Hungary, marton.domokos@cms-cmck.com, +36 1 483 4824
    − Marcin Lewoszewski – Poland, marcin.lewoszewski@cms-cmck.com, +48 22 520 5525
    − Marius Petroiu – Romania, marius.petroiu@cms-cmck.com, +40 21 407 3 889
    − Elena Baryshnikova - Russia, elena.baryshnikova@cmslegal.ru, +7 495 786 40 99
    − Nataliya Nakonechna – Ukraine, nataliya.nakonechna@cms-cmck.com, +380 44 391 7 729
    − Olga Belyakova – Ukraine, olga.belyakova@cms-cmck.com, +380 44 391 7 727
  • 39. Thank you for your attention! Please complete our feedback box that opens automatically when this presentation closes. You can download our CMS CEE Guide to Data Protection & webinar materials from our website www.cms-cmck.com