
State of EU legislation: GDPR & ePrivacy for Superweek

Building on 3 years worth of presentations on Privacy in the digital data ecosystem for Superweek, tackling transparency and sensitive data, this one addresses data subject rights while grounding the European project into the Charter of Fundamental Rights of the European Union. It includes a word of caution with respect to legitimate interests: not an easy choice to uphold!


  1. State of EU legislation: GDPR & ePrivacy. January 29th 2018, Budapest. Aurélie Pols for Superweek. Views from the Privacy Engineering trenches, free of disclaimers, aka just my views and not any of my clients'. European at heart.
  2. Data Governance & Privacy Engineer. Data is the New Electricity – Privacy is the New Green – Trust is the New Currency. Dutch nationality, French mother tongue, works in English, lives in Spain. AURELIE POLS, DATA GOVERNANCE & PRIVACY ENGINEER • Chief Visionary Officer – Mind Your Privacy • Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS) • Professor of Ethics & Privacy, Big Data & Analytics Master – Instituto de Empresa (IE), Madrid; guest professor, DPO certification courses, Maastricht University, faculty of law (NL) & Solvay Business School Brussels • Vice-chair P7002 – Data Privacy Process – IEEE • Speaker/writer/consiglieri: SXSW, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry associations, AdTech & MarTech vendors, … • 2003: OX2 co-founder, Webanalytics.be • 2008: sold to Digitas LBi (Publicis).
  3. Objective: hopefully be able to answer • When does the GDPR come into force? When does ePrivacy come into force? • What happens on the 29th of March 2019 at 11pm? • Is the GDPR, as a Regulation, going to be transposed into national legislation? • Are cookies personal data? • Are unique IDs personal data? • If I delink CRM data, is that enough? • How much time does a company have to report a data breach? • How much time does a company have to answer a subject access request? • Does the right to erasure always apply? • Does the right to restriction of processing always apply? • Does the right not to be subject to automated processing always apply? • Consent is one way to assure lawfulness of processing. How many methods are there in the GDPR?
  4. Previous Superweek talks, 2016 and 2017. 1. Define yourself 2. Define data flows 3. Align liabilities 4. Purpose & consent 5. Risk-based approach: i. Data security & breach notification ii. Codes of conduct & certifications iii. Data pseudonymization iv. Data subject consent & purpose of processing v. Profiling & the right to object vi. Cross-border data transfers vii. Erasure / rectification rights viii. Data portability ix. Duties & responsibilities x. Procedures & fines. Privacy engineering: 1. Incentives beyond accountability? 2. Data ownership? Never! 3. Blurring lines of personal data (≠ PII!!! despite NIST) 4. Standards.
  5. The EU vs. the US. “The EU has created a privacy culture around ‘rights talk’ that protects its ‘data subjects’. In the EU moreover, rights talk forms a critical part of the postwar European project of creating the identity of the European citizen. In the United States in contrast, the focus is on a ‘marketplace discourse’ about personal information and the safeguarding of ‘privacy consumers’. In the United States, data privacy law focuses on protecting consumers in a data marketplace.” Transatlantic Data Privacy Law, Paul M. Schwartz & Karl-Nikolaus Peifer.
  6. The inevitable question! (≠ PII!) Personal data in the GDPR (article 4.1): “‘personal data’: any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
  7. When the law kicks in. Depends on variables and combinations. Hashing & encryption (by default) enough??? NO. Slide diagram, left to right: Anonymous data (some privacy law) → Pseudonymous data (possible privacy law?) → Personal data & PII (privacy law) → Sensitive data: health, financial, racial, political, biometric, genetic (consent required!).
  8. 2018: http://europa.eu/!PX68WN
  9. We are Data Subjects as • Parents, caretakers • Consumers, customers • Citizens • Business partners, employees • Men and women • Young and old • …
  10. Autonomy, beyond Dignity. Charter of Fundamental Rights of the European Union, Article 1: “Human dignity is inviolable. It must be respected and protected.” Charter articles mapped to the two legislations: GDPR ↔ Charter Art. 8, Protection of personal data: “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.” ePrivacy ↔ Charter Art. 7, Respect for private and family life: “Everyone has the right to respect for his or her private and family life, home and communications.”
  11. 2 different legislations, 1 of which is decided. Today: Directives. As of May 2018: Regulations. Data Protection Directive 95/46/EC → GDPR: Regulation (EU) 2016/679. “ePrivacy” and Electronic Communications (the cookie wall thing), Directive 2002/58/EC → intermediary version, not definitive, possibly some form of this (waiting for trilogue). ePrivacy is lex specialis to GDPR, dealing with confidentiality of communication & access to “stuff on your appliances” like cookies, IDs, etc.
  12. GDPR (+ ePrivacy!) • Alignment between trackers & privacy policy • Recital 30 of the GDPR: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” • DNT? => ePrivacy Regulation
  13. Test: Does the GDPR apply? It used to be, DPD art. 4: Does the entity use any means of processing (automated or otherwise) located in any Member State? It is under the GDPR (as of May 2018), art. 3: Does the entity either (i) offer goods and services to EU residents; or (ii) monitor EU residents’ behavior?
  14. I am a Data Subject (Bits of Me). The GDPR is 1. a base line for compliance, 2. re-introducing the Data Subject into the data ecosystem’s equation (not new!), 3. where each actor is accountable.
  15. Obligations under the GDPR data ecosystem. Source: https://www.rizikon.oi/gdpr-compliance. Appointing a DPO – Data Protection Officer – or not? Described in section 4 of the GDPR, art. 37: Designation of a data protection officer. Following articles talk of position and tasks. The choice remains to appoint one even if not directly required: moving beyond compliance!
  16. Once you know who you are. Controller: art. 25; Processor: art. 28; Joint-Controller: art. 26. Art. 5: Principles relating to processing of Personal Data: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” Art. 6: Lawfulness of processing, (a) to (f) options; typically consent or legitimate interests used.
  17. Getting back to the beginning. Principles relating to processing of personal data (art. 5) • Lawfulness, fairness and transparency • Purpose limitation • Data minimization • Accuracy • Storage limitation • Integrity and confidentiality • + accountability! Alongside, the FIPPs (Fair Information Practice Principles): Transparency • Choice • Information review & correction • Information protection • Accountability.
  18. An accountability chain. (Diagram slide.)
  19. And then lawfulness of processing (art. 6). Can be either: a) Consent b) Performance of a contract c) Necessary for compliance d) In order to protect the vital interests e) Necessary for the performance of a task carried out in the public interest f) Legitimate interests
  20. A word of extreme caution about the fallacy of legitimate interests, i.e. “we don’t want consent only in ePrivacy!” (certain associations).
  21. Transparency. Trackers & permissions on Android SDKs. Know who, within your company: accesses them, sets them up, ensures maintenance? If any… Source: https://framapiaf.org/system/media_attachments/files/000/415/923/original/9124597811744249.png
  22. To make all that lawful (art. 6) in the digital realm, 2 things need to be specified: 1. Purpose: the reason for all this 2. Consent: the ok by the ‘data subject’. Note: data controllers are responsible for defining this (unless data is being passed along to another legal entity).
  23. Same idea at Apple (this is iOS 10).
  24. Sloppy privacy work: this is not consent!
  25. Data Subjects Rights • Article 15: Right of access by the data subject • Article 16: Right to rectification • Article 17: Right to erasure (“right to be forgotten”) • Article 18: Right to restriction of processing • Article 20: Right to data portability • Article 21: Right to object • Article 22: Automated individual decision-making, including profiling. Also: Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing.
  26. Articles 16 & 17: Rectification & deletion. General Data Protection Regulation (GDPR), May 25 2018. Which variables or combination exactly? Hashing & encryption (by default): not enough! (Diagram: Processor / Controller.)
  27. (Image-only slide.)
  28. Rectification & deletion depend upon • Recognition of compliance obligation • Linkability of data, even pseudonymized, and possibility to decouple • Available options: typically deletion probable (Adobe). Article 18: Restriction of processing. When? • Data accuracy • Unlawful processing, typically 6.1(f) legitimate interests • Internal process flow!
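Slides 7, 26 and 28 make the same engineering point from three angles: hashing an identifier "by default" is not anonymisation, because a deterministic hash stays linkable across data sets and can be recomputed by anyone who holds the original value, so the data remains personal (pseudonymous) data and rectification, erasure and decoupling still have to work on it. The following is an added example, not code from the presentation or from any of the vendors it names; the two data sets, e-mail addresses and purpose names are constructed. It contrasts a plain SHA-256 pseudonym with a keyed, per-purpose HMAC pseudonym, and shows how destroying the purpose key is the "decoupling" step while still allowing an erasure request to be honoured as long as the key exists.

```python
"""Why "hashing (by default)" is not anonymisation: deterministic hashes stay linkable.

Constructed example (not from the slides): two data sets that share e-mail
addresses, pseudonymised once with plain SHA-256 and once with a keyed,
purpose-scoped HMAC. The plain hash can be joined across data sets and
recomputed from the e-mail by anyone, so the data stays personal data
(pseudonymous, not anonymous). The keyed variant cannot be joined across
purposes without both keys, and destroying a key is the decoupling step.
"""
import hashlib
import hmac
import secrets

# Constructed sample rows: a CRM export and a web-analytics event log.
CRM_ROWS = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
    {"email": "carol@example.com", "plan": "pro"},
]
ANALYTICS_ROWS = [
    {"email": "Alice@Example.com", "page": "/pricing"},
    {"email": "bob@example.com", "page": "/login"},
    {"email": "dave@example.com", "page": "/blog"},
]


def normalise(email):
    """Canonical form of the identifier; case differences must not break matching."""
    return email.strip().lower().encode("utf-8")


def naive_token(email):
    """Unkeyed SHA-256: the same input always yields the same token, for everyone."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_token(email, key):
    """HMAC-SHA256 under a secret held only by the controller, one key per purpose."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def pseudonymise(rows, token_fn):
    """Replace the e-mail column by a token; all other columns are kept."""
    out = []
    for row in rows:
        new = {k: v for k, v in row.items() if k != "email"}
        new["token"] = token_fn(row["email"])
        out.append(new)
    return out


def linkable(rows_a, rows_b):
    """Tokens present in both data sets, i.e. rows that can still be joined."""
    return {r["token"] for r in rows_a} & {r["token"] for r in rows_b}


def naive_linkage():
    """Plain hashing: CRM and analytics rows for the same person join up."""
    crm = pseudonymise(CRM_ROWS, naive_token)
    web = pseudonymise(ANALYTICS_ROWS, naive_token)
    joined = linkable(crm, web)
    # Anyone who knows an e-mail can recompute its token and single out the rows.
    recomputed = naive_token("alice@example.com") in joined
    return len(joined), recomputed


class PurposeKeys:
    """One secret per processing purpose; deleting it is the decoupling step."""

    def __init__(self):
        self._keys = {}

    def key_for(self, purpose):
        if purpose not in self._keys:
            self._keys[purpose] = secrets.token_bytes(32)
        return self._keys[purpose]

    def delink(self, purpose):
        self._keys.pop(purpose, None)

    def has(self, purpose):
        return purpose in self._keys


def keyed_linkage(keys):
    """Per-purpose keys: the same person gets unrelated tokens in each data set."""
    crm = pseudonymise(CRM_ROWS, lambda e: keyed_token(e, keys.key_for("crm")))
    web = pseudonymise(ANALYTICS_ROWS, lambda e: keyed_token(e, keys.key_for("analytics")))
    return len(linkable(crm, web))


def erase_subject(rows, email, key):
    """Erasure request: while the key exists the controller can find the rows."""
    token = keyed_token(email, key)
    return [r for r in rows if r["token"] != token]


def erasure_then_delink(keys):
    """Honour an erasure request, then destroy the purpose key (decouple)."""
    key = keys.key_for("analytics")
    web = pseudonymise(ANALYTICS_ROWS, lambda e: keyed_token(e, key))
    remaining = erase_subject(web, "alice@example.com", key)
    keys.delink("analytics")
    return len(web), len(remaining), keys.has("analytics")
```

The trade-off the keyed variant makes explicit: once the purpose key is destroyed, the controller itself can no longer map a named data subject to their tokens, so an erasure request arriving after delinking cannot be served row by row; the decision to delink is therefore a process step (slide 28's "internal process flow"), not just a crypto setting.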
  29. SSO Delinking: avoid leaking! (breach?) • Adobe: delinking inside contracts, not a feature! • See in Gigya etc.: it’s about leaking. Source: https://www.arte.tv/sites/en/corporate/arte-and-your-online-privacy/
  30. Article 15: Data Subject Access Requests. Source: DataGuidance GDPR Essentials: Data Subject Rights
  31. Take note of • Article 12.4 to develop communication around your stance: “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the supervisory authority and seeking judicial remedy”. • Recital 63 • Article 15.4, which shows it’s about 1. the right to obtain certain information on the activities a company performs, 2. the right to obtain a copy of the data undergoing processing.
  32. Practical steps for SARs. Source: DataGuidance GDPR Essentials: Data Subject Rights
  33. Article 16: Right to Rectification. See also recital 65, which provides examples and links rectification to erasure. Source: DataGuidance GDPR Essentials: Data Subject Rights
  34. Article 17: Right to erasure (to be forgotten). Source: DataGuidance GDPR Essentials: Data Subject Rights
  35. Note that • Erasure applies to all systems: includes back-ups, copies; leans & extends to 3rd parties! • Applicable when individuals have removed their consent for processing activities based on consent (no other legal ground), or have objected to processing based on legitimate interests, or they have objected to direct marketing activities • Refusal for deletion doesn’t mean access should not be granted! • Automated deletion? Unlikely!
  36. Erasure is a similar process to SARs. Source: DataGuidance GDPR Essentials: Data Subject Rights
  37. Art. 18: Restriction of processing. Source: DataGuidance GDPR Essentials: Data Subject Rights
  38. Article 20: Data Portability. Source: DataGuidance GDPR Essentials: Data Subject Rights
  39. The coming of age of Transparency Wars?
  40. Profiling. Source: DataGuidance GDPR Essentials: Data Subject Rights
  41. Assuring compliance with profiling activities. Source: DataGuidance GDPR Essentials: Data Subject Rights
  42. Minimize risks: do Data Protection Impact Assessments • Art. 35: Data protection impact assessments, §1: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” Tip from a digital analytics guru turned privacy geek: you bet that applies to us! (EACA seminar, December 2017, aka digital transformation)
  43. When to undergo a DPIA, e.g. digital analytics. Why? Criteria #6 to undergo a DPIA: “Matching or combining datasets, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject”
  44. What happens on the 29th of March 2019 at 11pm?
  45. Can you answer • When does the GDPR come into force? When does ePrivacy come into force? • What happens on the 29th of March 2019 at 11pm? • Is the GDPR, as a Regulation, going to be transposed into national legislation? • Are cookies personal data? • Are unique IDs personal data? • If I delink CRM data, is that enough? • How much time does a company have to report a data breach? • How much time does a company have to answer a subject access request? • Does the right to erasure always apply? • Does the right to restriction of processing always apply? • Does the right not to be subject to automated processing always apply? • Consent is one way to assure lawfulness of processing. How many methods are there in the GDPR?
  46. Thank you for your attention. aurelie@mindyourprivacy.com
