These slides explore significant issues arising under data protection for both users and platforms as a result of the publication of third party personal data on such sites. Although the GDPR’s new wording of the household exemption could potentially exclude non-intrusive processing (e.g. sharing innocuous pictures taken in public), the Court of Justice of the EU (CJEU) is increasingly insistent that users acquire responsibilities when they publish such data to an indeterminate number of people. In principle, most EU Data Protection Authorities (DPAs) accept this, although others including the UK and Irish have been very resistant. Many users could therefore have weighty data protection obligations here, although if contributing to a collective public debate they may be covered by the journalistic/special expression derogation, and in any case there is a need for a balance with freedom of expression. CJEU ‘joint controller’ case law also points to social networking sites having their own duties here, a proposition which has been backed by the Working Party, the UK DPA and the UK courts. Whilst the e-Commerce ‘host’ shield should significantly limit ex ante responsibility here, this must be tempered by the ‘duty of care’ which is inherent in being a ‘controller’ under data protection. In sum, data protection in principle remains central to the regulation of ‘online harms’ here, although ensuring effective and well-balanced regulation in practice remains a formidable challenge.
See further:
“Intermediary Publishers and European data protection: Delimiting the ambit of responsibility for third-party rights through a synthetic interpretation of the EU acquis”, International Journal of Law and Information Technology (Vol. 26(3), pp. 189-225) (2018) - https://academic.oup.com/ijlit/article/26/3/189/5033541
“Beyond ʻHaving a Domesticʼ? Regulatory Interpretation of European Data Protection Law and Individual Publication”, Computer Law and Security Review (Vol. 33 (3), pp. 275-297) (2017) - Pre-print https://www.repository.cam.ac.uk/handle/1810/263883
Data Protection and Journalism: The Changing Landscape - David Erdos
These slides provide an overview of the changing landscape for data protection and journalism in the decade or so since the Leveson Inquiry. As well as detailing the core public interest and incompatibility tests, they look at developments in case law, at the ICO and under the GDPR and DPA 2018. They are intended to provide background to the ICO consultation on a data protection and journalism code of practice, which runs until 10 January 2022.
The UK and EU Personal Data Regime After Brexit: Another Switzerland? - David Erdos
These slides provide an overview of the personal data relationship between the UK and EU after Brexit. Under the Trade and Cooperation Agreement, the UK will have the closest connection with the EU here outside the European Economic Area and Switzerland. This is especially clear in the area of justice and security, where there is very extensive provision for data exchange based on common standards. However, in the general area of data protection the framework only points to mutual adequacy. Even with the evolving formulation of this as “essential equivalence”, significant flexibility is retained, and this may ultimately result in more substantive divergence than EU-Switzerland given the UK’s more distinct data protection approach. Common bona fide implementation of the Council of Europe’s Data Protection Convention 108+ may provide a good lodestar in the medium term, and I very tentatively map out what this could mean for default standards in the UK related to sensitive data and integrity, and also for specific substantive restrictions to ensure a more graduated approach and reconciliation with other competing rights.
If the UK leaves the EU and EEA, will it be "adequate" for data transfers from the EU? Evidence suggests not, especially following the passing of the IP Act and the Tele2/Watson CJEU decision.
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain - David Erdos
*** N.B. For full working paper see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3505921 ***
This paper argues that Google’s essentially blanket and unsafeguarded dissemination to webmasters of URLs deindexed under the Google Spain judgment involves the disclosure of the claimant’s personal data, cannot be justified either on the purported basis of their consent or on the basis that this is legally required, and instead seriously infringes European data protection standards. Disclosure of this data would only be compatible with the contextually sensitive circumstances of its initial collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) subject to effective safeguards that prevented any unauthorised repurposing or other use. Strict necessity thresholds would need to apply where disclosure involved special category data or was subject to reasoned objection by a data subject, and international transfers would require appropriate safeguards as provided by the European Commission’s standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject’s rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of whether a data subject claims rights in data protection, defamation or civil privacy. The public’s legitimate interests in receiving information on personal data removals should be secured through safeguarded scientific research that the search engines should facilitate and promote.
Data Protection and "Intermediary" Responsibility: An Historical Perspective - David Erdos
These slides look historically at the tension between being in "control" of personal data and benefiting from certain freedom of expression shields when acting as an “intermediary” between an original content producer and an end user. It is shown that these tensions emerged as early as the 1980s in European data protection, with both the French and certain Scandinavian Data Protection Authorities (DPAs) adopting a strict construction of the law vis-à-vis providers of interactive services on the Minitel and various news archive and other public databases respectively. By the late 1990s, when the e-Commerce Directive 2000/31/EC was being negotiated, a similar tension re-emerged in the form of the data protection “exemption” (art. 1(5)(b)) and the more general ambiguity as to whether “active” as opposed to “passive” services could benefit from the “host” shield (art. 14) in any case. A partial solution to the latter question was found in the reasonable “duties of care” preamble inserted in the instrument as recital 48. These early debates cast a new perspective on more contemporary developments in EU data protection and e-Commerce case law, including C-131/12 Google Spain, C-507/17 Google v CNIL and C-18/18 Glawischnig-Piesczek.
Brexit Data Protection Update: The EU, US and UK Perspective - TrustArc
On 31 January 2020, the United Kingdom left the European Union. For the first time since its creation, a member state has decided to leave the common market, and for now, it is uncertain what the future holds for current privacy legislation. The new relationship between the UK and the EU will be negotiated in the course of this year, with the agreed transition period ending on 31 December. During this period, GDPR will apply as if nothing has changed. But what will happen after?
This webinar will discuss the following topics:
- What does Brexit mean from a data protection perspective?
- What does it mean for the UK itself and for the position of the Information Commissioner’s Office?
- What will be the impact of Brexit for data flows to and from the remaining 27 EU Member States and the countries of the European Economic Area?
- And will there be any impact on the UK-US data flows?
These slides explore the reforms to the UK General Data Protection Regulation (GDPR) proposed by the UK Government in Data: A New Direction. It is argued that they are both significant and unbalanced against the data subject but (aside potentially from the e-privacy rules) not generally radical. The great bulk of the proposed substantive changes to data protection could plausibly be justified under the derogation clauses available to EU Member States within the GDPR itself. Reforms to the integrity duties of controllers and others are more far-reaching. Nevertheless, their broad structure remains compatible with even the revised version of the Council of Europe framework, Data Protection Convention 108+, to which both the EU and UK remain strongly committed. Finally, the proposals to shift ICO supervision de jure away from a priority focus on individual data subject rights and complaints are difficult to square even with Convention 108+. Nevertheless, de facto the ICO is far from acting as a legal champion for the data subject today. Indeed, despite receiving over 36,000 complaints from individuals during 2020-21, it issued just three fines under the GDPR (all concerning data security breaches) and just one injunctive enforcement notice.
GDPR: A Threat or Opportunity? www.normanbroadbent. - Steven Salter
With General Data Protection Regulation (GDPR) a legal requirement for all UK companies from May 2018, there have been numerous articles written either demonstrating the confusion surrounding the new regulations, or detailing the downsides of the legislation.
Comparing EU and Council of Europe Data Protection Standards in the Context o... - David Erdos
In the event of Brexit, the UK will leave the EU Charter, the GDPR and related EU instruments. It will, however, remain committed not only to achieving the EU ‘adequacy’ standard but to doing this within the framework of the Council of Europe’s Data Protection Convention 108+. These slides therefore explore the commonalities and contrasts between EU DP and Convention 108+. Both have a similar scope and common principles. However, Convention 108+'s transparency and sensitive data rules are considerably less stringent and there are many fewer compulsory controller discipline provisions. Whilst only modest change should be expected initially, as the UK will essentially replicate the GDPR in the short term, this less prescriptive and more flexible approach is likely to exert an influence on UK data protection should Brexit happen.
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope - David Erdos
How is, and how should, the future of data protection regulation of the journalistic media develop under the GDPR? State law in this area remains highly divergent, but the great majority do recognise that qualified data protection requirements and partial regulatory supervision should apply here. This points to a continuing, albeit sensitive, role for DPAs. But these authorities have many other demands and remain highly resource constrained. It is argued that a co-regulatory synergy between self- and statutory regulation provides the best mechanism to elucidate the necessary detailed balanced standards and to monitor these. DPAs should develop a strategic approach, including through according greater deference to self-regulatory bodies which take data protection standards and this balancing task seriously. The codes of conduct and monitoring provisions in articles 40 and 41 of the GDPR may be deployed directly here, or at least provide a guide for a sui generis approach, with the new European Data Protection Board playing a facilitative rather than a controlling role.
N.B. These slides are based on a talk I gave at a joint HEC Paris Law Department and Science Po Law School seminar on 30 November 2018. I am grateful for the feedback I received there.
N.N.B. Please note that the chart in Slide Six unfortunately failed to display that as of Autumn 2018 approximately 40% of statutory data protection laws enacted by EEA jurisdictions still subject journalism to full DPA supervision.
Data Protection and Academic Research: The New GDPR Framework - David Erdos
These slides provide an overview of the new data protection framework for academic research under the GDPR, situating this within the broader context of ethical review. After outlining the broad scope and default duties of the GDPR, the slides look at the critical issue of distinguishing processing for “academic purposes” (common in the humanities and social studies) from processing only for “research” (common in the biomedical and other “hard” sciences). Whilst the former is subject to wide and liberal derogations akin to journalism, the latter is subject to mandatory safeguards and limited (and often further safeguarded) derogations. The implications of all this for ensuring lawful processing are outlined, focusing on purpose specification, transparency, legal vires, data export and discipline duties as regards processors and co-controllers. It is finally noted that article 23 of the GDPR could permit further flexibility in future through secondary legislation.
Data Protection Reform: What Businesses Need to know About GDPR and its Impac... - MediaPost
General Data Protection Regulation (“GDPR”) kicks in next year, and brands will be expected to comply with these consumer privacy rules. In this session, Claire Stockill, Solicitor at Irwin Mitchell LLP will explain what these rules mean for B2C email marketers. The presentation will explore the effects GDPR will have on consent, the need for increased transparency, fines associated with non-compliance and a look at the results of a recent YouGov survey on GDPR readiness.
Reconciling Humanities and Social Science Research With Data Protection - David Erdos
Humanities and social science research contributes enormously to collective public knowledge and discussion. Such activity will almost invariably involve the processing of personal information and will, therefore, trigger the application of EU data protection law, including the forthcoming General Data Protection Regulation (GDPR). This presentation argues that the GDPR’s default provisions (especially as regards the presumption of consent for sensitive data, data subject notification rules and strict discipline provisions) pose an acute threat to such activity. Moreover, whilst the research derogations (Art. 89) ameliorate a few of the issues, they are principally designed for work based on a highly structured, predetermined and largely fiduciary model such as is common in bio-medicine. As recognised by a wide variety of research organizations during debate on the GDPR (including the Wellcome Trust and UK Economic and Social Research Council), given that social/humanities scholarship is intrinsically linked to public knowledge and discussion, it should in fact benefit not just from these research derogations but also from the more permissive (but not absolute) derogations for free speech. The GDPR now recognises this by granting free speech protection for “academic expression” alongside that of journalism, literature and art (Art. 85 (2)). (N.B. These slides are based on a talk given at the University of Hong Kong “Positioning Privacy and Transparency in Data-intensive Research and Data-drive Regulation” on 8 November 2016).
General Data Protection Regulation: what do you need to do to get prepared? -... - IISPEastMids
At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Helena Wootton looks at the things you need to do to get prepared for the new data protection regulation.
http://qonex.com/east-midlands-cyber-security-forum/
Data Privacy Trends in 2021: Compliance with New Regulations - PECB
The pandemic has changed the way the world works, shops, and interacts; the consequences of this have included an increased reliance on technology for all of these activities and a corresponding increase in the sharing of personal information through technological mediums. Even before the pandemic, a global push was on to strengthen the protection of personal and health information, and the result of these various influences has been an enhancement of privacy legislation globally. Compliance with global security laws is now also a larger concern for organizations everywhere.
The webinar will cover:
Global trends in privacy legislation
Some commonalities between privacy laws
Compliance requirements which can affect your organization
Recorded webinar > https://www.youtube.com/watch?v=BKWf6GTlgAM&feature=youtu.be
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001...
https://pecb.com/en/education-and-cer...
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternat...
Slideshare: http://www.slideshare.net/PECBCERTIFI...
Legal & General Surveying Services have published an article in their magazine Perspective on The General Data Protection Regulation (GDPR), due April of next year, which will govern how businesses process individuals’ data across all EU member countries, eventually replacing the UK’s Data Protection Act.
European Data Protection, the Right to be Forgotten and Search Engines - David Erdos
Provides background and explores the interpretation and enforcement of search engines' obligations under European data protection almost four years on from Google Spain (2014) and on the cusp of the new GDPR era. Focuses on four ongoing controversies: (i) the scope of such responsibilities under DP, (ii) the regulation of sensitive personal data, (iii) the legitimacy of webmaster notification and (iv) the geographical scope of action required.
Be careful what you wish for: the great Data Protection law reform - Lilian E... - IISPEastMids
At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Lilian Edwards looked at the basics on what you need to know about the new regulation.
http://qonex.com/east-midlands-cyber-security-forum/
Privacy Practice Fundamentals: Understanding Compliance Regimes and Requirements - Anitafin
This is the presentation from the class I taught at the University of Toronto Faculty of Information Sciences graduate school - a major challenge to capture the concepts in less than 3 hours!
Do You Have a Roadmap for EU GDPR Compliance? - Ulf Mattsson
Description: The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles data, even if it's not based in the European Union.
Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR compliance?
Webcast URL: https://www.brighttalk.com/webcast/14723/259741
"The EU General Data Protection Regulation: GDPR" - workshop held by Beatrice Masserini (Studio Cassinis, Italy) at the TRA Annual Meeting 2018 in Athens
Discussion of the main elements of the draft Data Protection Regulation: what difference will it make to industry practice and user rights to control their data?
European Data Protection, the Right to be Forgotten and Search EnginesDavid Erdos
Provides background and explores the interpretation and enforcement of search engines' obligations under European data protection almost four years on from Google Spain (2014) and on the cusp of the new GDPR era. Focuses on four ongoing controversies: (i) the scope of such responsibilities under DP, (ii) the regulation of sensitive persona data, (iii) the legitimacy of webmaster notification and (iv) the geographical scope of action required.
Be careful what you wish for: the great Data Protection law reform - Lilian E...IISPEastMids
At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Lilian Edwards looked at the basics on what you need to know about the new regulation.
http://qonex.com/east-midlands-cyber-security-forum/
Privacy Practice Fundamentals: Understanding Compliance Regimes and RequirementsAnitafin
This is the presentation from the class I taught at the University of Toronto Faculty of Information Sciences graduate school - a major challenge to capture the concepts in less than 3 hours!
Do You Have a Roadmap for EU GDPR Compliance?Ulf Mattsson
Do You Have a Roadmap for EU GDPR Compliance?
Description : The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles data, even if it's not based in the European Union.
Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR compliance?
Webcast URL : https://www.brighttalk.com/webcast/14723/259741
"The EU General Data Protection Regulation: GDPR" - workshop held by Beatrice Masserini (Studio Cassinis, Italy) at the TRA Annual Meeting 2018 in Athens
Discussion of the main elements of the draft Data Protection Regulation: what difference will it make to industry practice and user rights to control their data?
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation is designed to update the current legislation which was drafted in a time that was in technology terms, prehistoric.
The Data Protection Directive, drafted back in 1995, harks back to a time when data processing was more about filing
cabinets than data rack enclosures. It’s time to evolve.
Be careful what you wish for! How the GDPR even now it has been finalised may not solve the key problems of rthe tech community of what is personal data and what is anonymised/pseudonymous.
This week, Europe's data protection rules will undergo their largest reform in several decades. The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive, effective as of May 25, 2018.
The power point presentation of the lecture held by Professor Giovanni Maria Riccio on "Social Networks and Civil Liability" at the International Summer School on Cyber Law which took place in Moscow June 30 - July 4, 2014.
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...Cédric Laurant
Cédric Laurant: Presentation at the SecureWorld Web Conference: "Incident Response: Clean Up on Aisle Nine" (29 Nov. 2012)
Presentation can be downloaded at http://cedriclaurant.com/about/presentations/, http://blog.cedriclaurant.org and http://security-breaches.com.
EU GDPR Lesson 1 - What is the GDPR? Why do we need it?
EU GDPR Lesson 2 - Data Protection by Design and by Default
EU GDPR Lesson 3 - The Right To Be Forgotten
EU GDPR Lesson 4 - Who Does the EU GDPR Apply?
EU GDPR Lesson 5 - What Happens if I Don’t Comply with the EU GDPR?
EU GDPR Lesson 6 - Next Steps - How to Get There?
Over the past few years of monitoring the development of the EU General Data Protection Regulation (GDPR) and its effects on technology, we’ve distilled the parts of the regulation that most affect your business into this practical guide.
EU General Data Protection Regulation - Update 2017Cliff Ashcroft
This free Lasa webinar looks at why data protection is important in a digital world, and what practical things charities and civil society organisations can do to prepare for when the EU General Data Protection Regulations come into force in May 2018.
It is vital charities use the next 12 months to understand their new responsibilities and put the required processes in place.
Our webinar gives you the opportunity to ensure you are prepared for what’s to come by putting your #GDPR questions to our data protection expert and published author, Paul Ticher.
Lasa does lots more charity tech help and advice - find out more at: Twitter: @lasaict
Acknowledgements:
Lasa actively promotes and supports the Way Ahead – Civil Society at the Heart of London. See www.citybridgetrust.org.uk/publications/way-ahead/
This webinar is supported by the City of London Corporation's charity, City Bridge Trust. www.citybridgetrust.org.uk
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Statement of Michelle Richardson, Director, Privacy & Data
Center for Democracy & Technology
before the
United States Senate Committee on the Judiciary
GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation
March 12, 2019
On behalf of the Center for Democracy & Technology (CDT), thank you for the
opportunity to testify about the importance of crafting a federal consumer privacy law that
provides meaningful protections for Americans and clarity for entities of all sizes and sectors.
CDT is a nonpartisan, nonprofit 501(c)(3) charitable organization dedicated to advancing the
rights of the individual in the digital world. CDT is committed to protecting privacy as a
fundamental human and civil right and as a necessity for securing other rights such as access to
justice, equal protection, and freedom of expression. CDT has offices in Washington, D.C., and
Brussels, and has a diverse funding portfolio from foundation grants, corporate donations, and
individual donations.1
The United States should be leading the way in protecting digital civil rights. This hearing
is an opportunity to learn how Congress can improve upon the privacy frameworks offered in
the European Union via the General Data Protection Regulation (GDPR) and the California
Consumer Privacy Act (CCPA) to craft a comprehensive privacy law that works for the U.S. Our
digital future should be one in which technology supports human rights and human dignity. This
future cannot be realized if people are forced to choose between protecting their personal
information and using the technologies and services that enhance our lives. This future depends
on clear and meaningful rules governing data processing; rules that do not simply provide
1 All donations over $1,000 are disclosed in our annual report and are available online at:
https://cdt.org/financials/.
2
people with notices and check boxes but actually protect them from privacy and security
abuses and data-driven discrimination; protections that cannot be signed away.
Congress should resist the narratives that innovative technologies and strong privacy
protections are fundamentally at odds, and that a privacy law would necessarily cement the
market dominance of a few large companies. Clear and focused privacy rules can help
companies of all sizes gain certainty with respect to appropriate and inappropriate uses of data.
Clear rules will also empower engineers and product managers to design for privacy on the
front end, rather than having to wait for a public privacy scandal to force the rollback of a
product or data practice.
We understand that drafting comprehensive privacy legislation is a complex endeavor.
Over the past year we have worked with partners in civil societ.
6 Lesson GDPR Booklet from Varonis to help stay get compliant and stay compliant.
-Locate your sensitive data
-Prevent data breaches
-Rapidly alert to suspicious behavior
-Build long-term data Security
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
Right to Privacy and its Legal Framework, The Concept of Privacy, National Legal
Framework for Protecting Privacy, International Legal Framework for Protecting Privacy, Privacy Related Wrongs and Remedies, Data Security, The Concept of Security in Cyberspace, Technological Vulnerabilities, Legal Response to Technological
Vulnerabilities, Security Audit (VA/PT), Data Protection, Data Protection Position in
India, Privacy Policy, Emerging Issues in Data Protection and Privacy, BPOs and
Legal Regime in India, Protect Kids' Privacy Online, Evolving Trends in Data Protection and Information Security
These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful.
The presentation was to help charities understand the most pressing implications of GDPR as well from an operational and marketing standpoint.
You can find out more about our organisations here:
https://tech-trust.org/
https://www.lightful.com/
https://www.meetup.com/netsquaredlondon/
2. Outline
Social Networking Sites (SNS) and SNS Content
Potential DP concerns arising from SNS Content
Potential DP responsibilities of SNS Users
Potential DP responsibilities of SNS Providers
Conclusions
3. Background: Social Networking Sites
According to the A29 WP, SNS are: “online communication platforms which enable individuals to join or create networks of like-minded users.” (p. 4)
Private messaging and a homepage are almost always provided.
The centrality of the network per se may also differ.
Given this, it might be better to think about SNS within a broader category of “online forums” (ICO, 2013).
The rise of ubiquitous and profitable SNS is a reality of Web 2.0.
Nevertheless, platforms for social communication go back to the early days of online technology (even before the Web).
4. SNS and ʻContentʼ Personal Information
SNS results in the processing of vast amounts of personal information.
Very broadly, information use may be divided into:
ʻBackgroundʼ information used to manage essential site services, personalize content, target adverts and sell as a commodity.
ʻContentʼ information including of third parties (3Ps) published by SNS users and/or providers on the site.
Clearly there is an overlap between these two classes & to an extent we may need to look at SNS roles as a whole.
However, we focus only on “content information”.
5. SNS ʻContentʼ Personal Info. and DP
Use of personal information as SNS content has resulted in a wide range of concerns potentially related to DP.
Many concerns focus on 3P dissemination including:
Invasion of privacy,
Unwarranted denigration (incl. linked to discrimination),
Spreading of inaccuracies,
Loss of information control,
Dissemination of information which is excessive, irrelevant etc. (or which becomes so over time).
We will look at the potential responsibilities of two key actors here: (a) SNS Users and (b) SNS Providers.
6. SNS Users as Controllers? Introduction
SNS User activity generally falls within the general material scope of data protection (DP).
However, is the household exemption engaged?
SNS Users are generally natural persons.
Processing is ʻon behalf ofʼ if not strictly ʻbyʼ them.
What SNS activity is “purely personal or household”?
Generally agreed it can’t cover professional/commercial activity.
Many Data Protection Authorities would confine it to small-scale dissemination, perhaps limited to friends and family or consent.
However, other DPAs are concerned about such an interpretation.
7. Common WP29 Position: Opinion 5/2009
“In most cases, users are considered to be data subjects”
“[I]f a user takes an informed decision to extend access beyond self-selected “friends” data controller responsibilities come into force.”
“A high number of contacts could be an indication that the household exemption does not apply and therefore that the user would be considered a data controller.”
“The application of the household exemption is also constrained by the need to guarantee the rights of third parties, particularly with regard to sensitive data.”
8. ICO Position: SNS & Online Forum Guide (c. 2013)
“42. The ICO will not consider complaints made against individuals who have posted personal data whilst acting in a personal capacity, no matter how unfair, derogatory or distressing the posts may be. This is because where an individual is posting for the purposes of their personal, family[,] household or recreational purposes the section 36 exemption will apply.
43. The ICO will consider complaints about posts made by businesses, organisations, or individuals acting for non-domestic purposes in the normal way, using a proportionate approach.”
9. Irish DPA Position in Facebook Audit (2011)
“Under Irish law where an individual uses Facebook for purely social and personal purposes to interact with friends etc they are considered to be doing so in a private capacity with no consequent individual data controller responsibility. This so-called domestic exemption means for instance that there are no fair processing obligations that arise for an individual user when posting information about other individuals on their Facebook page. The Article 29 Working Party Opinion 5/2009 on online social networking also recognised this distinction.” (p. 24)
10. CJEU: Core ruling in C-101/01 Lindqvist
• Articulated a categorical rule that indeterminate publication is outside the household exception.
• The CJEU also suggested that a narrow concept of “private and family life” should apply to the exception as a whole.
The household exception must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.” (at [47])
11. CJEU: Related ruling in C-212/13 Rynes
Facts: A householder’s CCTV overlooking the public area outside the house. Disclosure only to the police. Did the exemption apply?
Ruling: No.
Reasoning:
“the exception provided for … must be narrowly construed.” (at [29])
“the processing of personal data comes within the exception … only where it is carried out in the purely personal or household setting of the person processing the data.” (at [31])
12. ICO: Response to Rynes (outside CCTV)
• Guidance on drones altered, but no change otherwise.
• But practical, philosophical etc. obstacles to full acceptance by the ICO of the thrust of CJEU case law here remain formidable.
“Clearly this is a significant judgment. We’ve previously considered the domestic exemption to be quite broad, but the judgment suggests a more narrower interpretation, which could have an effect beyond surveillance cameras.
There’s work for us to do now. We are talking to the Ministry of Justice about the effects on our UK law. We’ll be studying the judgment in detail before deciding what steps we need to take … Once we’ve done that, we’ll provide another update.”
13. CJEU: Further ruling in C-345/17 Buivids
• The fact that the recording was of public officials performing public duties did not change this (at [44]).
• Stressed again that exceptions must be “interpreted strictly” (at [41]).
“[S]ince Mr Buivids published the video in question on a video website [YouTube] on which users can send, watch and share videos, without restricting access to that video, thereby permitting access to personal data to an indefinite number of people, the processing of personal data at issue … does not come within the context of purely personal or household activities.” (at [43])
14. Household Exemption under GDPR
Article 2(2):
“This Regulation does not apply to the processing of personal data:
….
(c) by a natural person in the course of a purely personal or household activity”
Recital 18:
“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”
15. SNS Users’ DP Responsibilities
SNS users publishing 3P personal data could have a duty to:
• Register with the ICO
• Provide notice to individuals (at least re: direct collection)
• Gain consent re: many forms of ʻsensitiveʼ data
• Answer subject access requests
• Take steps to ensure accuracy, non-excessiveness etc.
But as regards some/all of this, it could be argued that such users:
• If non-intrusive, may fall within the GDPR household exemption
• May fall within the special purposes (cf. art. 85(2) GDPR), or may
• Require other explicit rights balancing (cf. art. 85(1))
16. Lindqvist & Buivids on Rights Balance
C-101/01 Lindqvist (2003):
“Mrs Lindqvist’s freedom of expression in her work preparing people for Communion and her freedom to carry out activities contributing to religious life have to be weighed against the protection of the private life of the individuals about whom Mrs Lindqvist has placed data on her internet site” (at [86])
C-345/17 Buivids (2019):
“ʻ[J]ournalistic activitiesʼ are those which have as their purpose the disclosure to the public of information, opinions or ideas” (at [53])
“[I]f [that] should transpire … it is for the referring court to determine whether the exemptions or derogations provided for … are necessary in order to reconcile the right to privacy with the rules governing freedom of expression, and whether those exemptions and derogations are applied only in so far as is strictly necessary.” (at [68])
17. SNS Providers as Controllers: Introduction
• Clearly controllers re: ʻbackgroundʼ personal information.
• A bit more complex re: ʻcontentʼ personal information:
  • Are SNS Providers only processors of personal information?
  • If they exercise control, is this only partial?
  • If so, does this limit their duties as data controllers?
“controller” = anyone who “alone or jointly with others determines the purposes and means of the processing of personal data”
18. Irish DPA: Position in Facebook Audit (2011)
“Complaint 18 – Obligations as Processor from “Europe-v-Facebook” contended that Facebook’s operation as a processor is at variance with both Irish Data Protection legislation and Directive 95/46/EC. The complaint states that Facebook and its users can only process data legally if Facebook clearly defines, in relation to each piece of data held, who is the data controller and who is the data processor. This issue is dealt with in the introduction to this Report by reference to what is termed the household or domestic exemption and the responsibilities of a business for instance when using the site.” (pp. 38-39)
19. Common WP29 Position in Opinion 5/2009
“SNS providers are data controllers … They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts).” (p. 5)
• SNS providers should establish a clearly visible complaints handling office for DP & privacy issues/complaints for members & non-members. (p. 11)
• Recommends as regards the upload of information that SNS providers:
  • Provide adequate warnings about privacy risks and the fact that uploads may impinge on the privacy and DP rights of others.
  • “SNS user should be advised by SNS that if they wish to upload pictures or information about other individuals, this should be done with the individual’s consent.” (p. 7)
20. ICO Position: SNS & Online Forum Guide (c. 2013)
“26. The first issue a person or organisation that runs a social networking site or other online forum needs to consider is the extent to which they are a data controller. …
…
31. … If the site only allows posts subject to terms and conditions which cover acceptable content, and if it can remove posts which breach its policies on such matters, then it will still, to some extent, be determining the purposes and manner in which personal data is processed. It will therefore be a data controller.”
21. ICO Position Continued
The focus on policies and ex post control can be seen as reflecting (i) the idea of a granular “controller” and/or (ii) the need for a balance with other fundamental rights.
“40. We would expect a person or organisation running a social networking site or online forum to have policies in place that are sufficient to deal with:
• Complaints from people who believe that their personal data may have been processed unfairly or unlawfully because they have been the subject of derogatory, threatening or abusive online postings by third parties;
• Disputes between individuals about the factual accuracy of posts”
22. e-Commerce Directive (ECD) Host Shield
• Definition (art. 14): Storing information at the request of a recipient of the service, where the recipient is not acting under the provider’s authority or control.
• General liability shield (art. 14(1)): Exemption if:
  • No actual knowledge of illegality (or, re: damages, awareness of facts or circumstances from which illegality is apparent).
  • Upon obtaining knowledge/awareness, the provider acts expeditiously to remove/disable access.
• Injunction possibility remains (art. 14(3)): May be an administrative &/or court injunction, terminating or preventative.
• General monitoring prohibition (art. 15): No general obligation to monitor for illegality (but specified monitoring may be required).
23. ECD: Special Aspects Relevant to DP?
Duty of care possibility (recital 48):
“This Directive does not affect the possibility for Member States of requiring service providers, who host information provided by recipients of their service, to apply duties of care, which can reasonably be expected from them and which are specified by national law, in order to detect and prevent certain types of illegal activity.”
Data protection clause (art. 1(5)):
Excludes “questions relating to information society services covered by” the EU data protection framework.
The GDPR text maintains this but adds that it is “without prejudice” to Directive 2000/31 and the intermediary shields (GDPR, art. 2(4)).
24. CG v Facebook Ireland (2016) (NICA)
Facts: Various postings related to a convicted sex offender (CG), including information on his home address.
Held: Facebook liable, but only for failure to promptly take down material specifically flagged up to it.
Reasoning: Facebook was a controller of this data. But it was also a “host” within ECD 2000/31 (art. 14); the data protection clause (art. 1(5)(b)) is not a true exemption, and the “no general obligation to monitor” rule (art. 15) was interpreted broadly.
25. AY v Facebook Ireland (2016) (NIHC)
Facts: Repeated publication of naked photos of the plaintiff taken when aged 14, including on a “shame page”.
Held: Facebook might be liable for failing to filter via PhotoDNA.
Reasoning: Even if the ECD host shield applied, “the trial judge might conclude, having regard to existing technology, that blocking could be achieved without impermissible monitoring”. (But blocking the “shame page” would require general monitoring.)
N.B.: The ICO looked likely to intervene; Facebook then settled.
26. Conclusions
• SNS Content can raise significant DP/privacy concerns, whilst also engaging freedom of expression.
• SNS Users: some may benefit from the domestic exemption, but many are full controllers and outside special expression. This implies wide-ranging DP responsibilities, but some DPAs, including the ICO, are unwilling to accept this.
• SNS Providers also exert some control over SNS Content. Many DPAs increasingly hold that this results in at least ex post DP responsibilities. Courts seem to be moving in a similar direction, but see the e-Commerce Directive as limiting the scope of duties here.