Be careful what you wish for! How the GDPR, even now it has been finalised, may not solve the key problems for the tech community of what is personal data and what is anonymised/pseudonymous.
The GDPR for Techies
1. Be Careful What You Wish For!
The Great Data Protection Law Reform Saga of 2012-6
Lilian Edwards
Professor of E-Governance
University of Strathclyde
Lilian.edwards@strath.ac.uk
@lilianedwards
2. A. Europe: from the DPD to the GDPR
• Directive 95/46/EC of the EU on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the DPD). Human rights based: much case law now draws on the Charter of Fundamental Rights and the ECtHR as well as the Court of Justice of the EU.
• Transposition deadline 1998: intended to address computerisation/databases but NOT the Internet
• DPD extended to deal with technology challenges, eg spam and cookies, by the Privacy and Electronic Communications Directive 2002/58/EC (PECD, the "cookie" or E-Privacy Directive), revised Oct 2009, in force May 2011
• Proposed reform as a Regulation (GDPR), plus a Directive on policing, plus more: draft published 25 Jan 2012
• Final compromise, Jan 2016; text adopted April 2016
• 2 yrs implementation (applies from 25 May 2018), then DIRECT EFFECT: no national transposition needed
3. Technological challenges to privacy/DP law
• 1995
• Volume of personal data processed, and number of data controllers, enormous
• Data flows globally, but there is no global harmonisation of DP laws
• Lack of public consumer awareness about privacy regulation
• Lack of compliant major actors in web 1.0 (SMEs, spammers, scams etc)
• -> huge enforcement problems
• 2000 on
• "Consent" as the perceived primary protection no longer works well in the web 2.0 click-wrap world (standard terms, privacy policies)
• Post-9/11 politics and low tech costs favour default surveillance, data retention and mining: if you can do it, why not do it? ->
• Snowden revelations, June 2013, of mass extra-legal surveillance by public/private entities; Safe Harbor and the Data Retention Directive subsequently struck down by the CJEU
• New innovative tech nearly always involves networking and data collection, eg robots, online music services, social media, e-voting
• The Cloud signifies loss of control and visibility as to how/where data are processed
=> Public loss of confidence in privacy law
4. Attitudes to privacy protection - EU
• June 2011 Eurobarometer
• Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control [of their PD]
• Less than one-third trust phone companies, mobile phone companies and Internet service providers (32%); and just over one-fifth trust Internet companies such as search engines, social networking sites and e-mail services (22%)
• 70% of Europeans are concerned that their personal data held by companies may be used for a purpose other than that for which it was collected.
• Only one-third of Europeans are aware of the existence of a national public authority responsible for protecting their rights regarding their personal data (33%).
5. Reform of the DPD? Nov 2010 consultation
• Main aims:
– Strengthen Data Subjects' (DS) rights/trust, eg by enhancing control over PD ("right to be forgotten")
– Reduce red tape for Data Controllers (DC) -> dump notification; "one stop shop" national DP regulator
– BUT make DCs more accountable, eg must have a DPO (data protection officer)
– Give DP more teeth: higher penalties, security breach notification
– Address global flows of data better, eg to US cloud providers
– Improve harmonisation within the EU (binding interpretation across EU DPAs via the EU DP Board; a Regulation, not a Directive)
6. 1. Personal data – scope of GDPR
• DPD art 2(a): personal data is "information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" + see recital 26 [italics added]
Q. What of IP addresses, cookies, profiled data as collected by FB, Google, police, insurers? Are they PD?
• Increasing problem in the era of Big Data: the possibility of re-identification grows with every dataset that can be joined (the "mosaic" effect) and with persistent identifiers like photo icons; tech driven by marketing and surveillance needs
• When is "anonymisation" sufficient to make sure data are NOT PD?
7. Personal data definition problems
• GDPR art 4(1) – almost identical to DPD – adds “by
reference to ... location data, an online identifier ...”
• But GDPR recital 26: “to determine whether a natural person is
identifiable, account should be taken of all the means
reasonably likely to be used, such as singling out, either
by the controller or by another person to identify the
natural person” [italics added]
• NB recital 30: “traces” left by IP addresses, cookie identifiers and
RFID tags, “in particular when combined with unique identifiers”,
may be used to create profiles of natural persons and identify
them
• Contextual tests – outcome may depend on which DPA gets to
decide (though harmonisation will prevail)
• NB special rules for consent to cookies exist in the PECD because in
2002 cookies were not clearly regarded as personal data AND it was felt
consent was required, with no alternatives.
8. 2. Anonymisation and pseudonymisation
Much “profile data” used to finance the Web – targeted ads – is presented
as “anonymous”, and therefore can be used and reused without DP constraint.
• Arguments over “effective” anonymisation
– Privacy fundamentalist – everything can be re-identified with enough
data and time
– High degree of diligence – EU Art 29 WP (Opinion 05/2014 on anonymisation techniques)
– “Risk assessment” – UK approach – ICO Anonymisation Code
• Which won in GDPR?
– No definition of anonymous data, but pseudonymous data is encouraged
(GDPR art 4(5) and recitals 23-23a of the compromise text; recitals 26, 28 and 29
in the final numbering)
– “Pseudonymisation” means processing such that the data can no
longer be attributed to a specific data subject without the use of
additional information, so long as such information is “kept separately” and
held securely to ensure this
– Still personal data – but relaxed rules: eg no need to communicate a breach to
data subjects where the data were rendered unintelligible to unauthorised persons
(art 34(3)(a)), though the DPA must still be told under art 33; POSSIBLY easier to
re-use for “compatible” purposes (art 6(4)(e)); and a plus for “privacy by design”
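The art 4(5) distinction is easier to see in code. The following is an added example, not from the slides: it pseudonymises client IP addresses (the recital 30 “trace”) with an HMAC whose key is the “additional information” to be kept separately, shows that the key holder can still re-attribute a token (so the data remain personal data), and contrasts this with the common practice of hashing the IP with no secret, which anyone can reverse by enumerating the address space and so is not anonymisation at all. The log records, the 203.0.113.0/24 range and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Iterable, Optional

# Constructed sample data (not from the slides): web-server log entries keyed by
# client IP, the kind of "trace" recital 30 has in mind. 203.0.113.0/24 is the
# RFC 5737 documentation range, so these are not real visitors.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.17", "path": "/login", "status": 200},
    {"ip": "203.0.113.17", "path": "/account", "status": 200},
    {"ip": "203.0.113.42", "path": "/search?q=insulin", "status": 200},
]


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' of art 4(5). Generate once, keep it in a
    separate system (secrets store / HSM) with its own access control, never in
    the same database as the pseudonymised records."""
    return secrets.token_bytes(32)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the raw identifier. Same IP -> same
    token, so events can still be linked per visitor, but without the key the
    token cannot be attributed back to the IP."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list, key: bytes) -> list:
    """Replace the IP column with its pseudonym; other fields are untouched."""
    return [{**r, "ip": pseudonymise_ip(r["ip"], key)} for r in records]


def reidentify_ip(token: str, key: bytes, candidates: Iterable) -> Optional[str]:
    """Whoever holds the key can re-attribute a token by recomputing the HMAC
    over a candidate space. This is why pseudonymised data is still personal
    data: the controller (or anyone who steals the key) can reverse it."""
    for ip in candidates:
        if hmac.compare_digest(pseudonymise_ip(str(ip), key), token):
            return str(ip)
    return None


def unkeyed_hash_ip(ip: str) -> str:
    """The common mistake: a plain hash with no secret, sold as 'anonymisation'."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def reverse_unkeyed_hash(token: str, network: str) -> Optional[str]:
    """Anyone can enumerate the input space and recover the 'anonymised' IP:
    a /24 is 256 guesses, all of IPv4 is 2**32 hashes (minutes on a laptop).
    Cheap, so it is a 'means reasonably likely to be used' by 'another person'
    (recital 26), and the data were never anonymous."""
    for ip in ipaddress.ip_network(network):
        if unkeyed_hash_ip(str(ip)) == token:
            return str(ip)
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    pseudo = pseudonymise_records(SAMPLE_RECORDS, key)
    print("pseudonymised:", pseudo)
    print("re-identified with key:",
          reidentify_ip(pseudo[2]["ip"], key, ipaddress.ip_network("203.0.113.0/24")))
    print("unkeyed hash reversed without any key:",
          reverse_unkeyed_hash(unkeyed_hash_ip("203.0.113.42"), "203.0.113.0/24"))
```

The same property is what decides the breach question on the enforcement slide: a stolen table of HMAC tokens is unintelligible to the thief only while the key stays in its separate store, whereas a stolen table of unkeyed hashes is, for practical purposes, a table of IP addresses.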
9. 3. Consent
DPD art 2(h): “any freely given specific and informed indication of
his wishes by which the data subject signifies his agreement to
personal data relating to him being processed.”
GDPR art 4(11) adds “unambiguous”,
revocability as a key aspect of valid consent (GDPR art 7(3)),
and “a clear affirmative action”, ie silence is not acceptance.
Arguably new(er) requirements in GDPR (art 7(2) and (4)):
– written consent to processing should not be “bundled”, ie one
consent to everything at once
– consent not free if tied to providing a service but the processing is
not necessary for that service (cf FB etc)
BUT
NOT required that all consent be “explicit” – sensitive PD only
NOT explicit in the articles that consent is void if there is a “significant imbalance
of power” (recital 43 mentions a “clear imbalance”, art 7 does not)
Children’s consent – 13 lowest, 16 highest, depending on EU state (art 8) – is
messy
Privacy icons NOT required for policies but are encouraged
10. 4. New user rights – the “Right to Be
Forgotten”
• Right to be forgotten (RTBF) – GDPR art 17. Right of DS to “obtain from the
controller the erasure of personal data” if
– data no longer necessary for original purpose
– DS withdraws consent
– DS objects to their PD being used for profiling/direct marketing (art 21)
– they have been “unlawfully processed”
• Aimed at hosts/publishers, esp social networks. Intended to protect children
from their own folly (recital 65)! NOT JUST SEARCH ENGINES – cf Google Spain v Costeja
(CJEU C-131/12).
• DC also has further duties where it has made the data public: “shall
take reasonable steps, including technical measures, to inform controllers which are
processing the personal data that the data subject has requested the erasure” (GDPR
art 17(2))
• Implications for cloud service providers?? Not always controllers.
• Exceptions – see art 17(3):
– freedom of expression
– archives, historical, statistical and scientific research? (cf Wikipedia on criminal convictions)
– for proof in legal claims
11. Right to data portability
• Right to data portability, ie for the DS to get a copy of their data to
take elsewhere (GDPR art 20) – “in a structured, commonly used
and machine-readable format”
• Also right to have such data transmitted directly from controller A to B
“where technically feasible”
– Aimed at breaking “lock-in” to sites like Facebook – network
effects
– But some see it as an additional burden for service providers OR as a
new market opportunity for infomediaries
– UK midata initiative has already kicked off – mainly re energy cos,
also banks, mobile phone cos – see Enterprise & Regulatory Reform
Act 2013 – powers in reserve, not yet implemented
– Not a right to interoperability
12. 5. Increased enforcement - 1
• Mandatory security breach notification (GDPR arts 33-34).
• Already introduced for telcos/ISPs in PECD art 4(3) (as amended 2009)
• Aim is naming and shaming to prevent breaches; also notice
to the public enables them to get remedies and take protective steps
• Devil in the details:
– what triggers it (all PD breaches “unless the personal data breach is unlikely
to result in a risk to the rights and freedoms of natural persons” – what if data
encrypted or pseudonymised?)
– tell DPA – for UK, the ICO
– communication to individual DSs only if “high risk” to those rights and freedoms (art 34)
– public announcement only necessary if too hard to notify individuals in high-risk
cases
– how long before notifying: DPA “without undue delay and, where feasible, not later
than 72 hours” after becoming aware (art 33(1)); any delay must be justified
– parallel notification under the EU Network and Information Security Directive (NIS)
likely (covers non-PD incidents as well)
• How effective? US and Japanese experience found SBN not that
helpful. Lack of US-style class action rules.
• In UK Vidal-Hall v Google [2015] EWCA Civ 311 may help DSs in collective claims by
allowing action for DP breach even where harm is not economic
13. Heavier penalties
• Commission’s 2012 draft GDPR suggested penalties of up to €1 million or
up to 2% of the global annual turnover of a company. EU
Parliament suggested 5% of turnover, up to €100 million.
• Final GDPR – two tiers (art 83)
– up to €10 million or 2% of annual global turnover
– up to €20 million or 4% of global turnover for more severe
infringements
• Cf USA – big privacy breach cases, FTC large fines – 2012,
Google fined $22.5m (but < 1 day’s profit); FB, 2012, no
fine but up to $16,000/day per violation of agreed privacy
settlement & 20 years of audits
• Smaller, more effective remedies? Disqualification from
company directorship??
• Competition remedies to break up info-monopolies??
14. Preventing breaches?
• More guidance on the security obligation, art 32, inc using
pseudonymisation and encryption, restoring availability and access in a timely
fashion, regular testing of the measures, adhering to codes of conduct or
certifications/seals
• “Privacy by design and default”
• Mandatory! “the controller shall ... taking into account the state of the
art, the cost of implementation” (art 25)
– implement “technical and organisational” measures to implement DP
principles
– pseudonymisation and data minimisation specially mentioned
– “privacy by default” – only collect the data necessary for each specific purpose
– art 35: DP impact assessments – if “high risk” processing, esp using “new
technologies”, DPIA to be carried out before processing
– esp likely for automated profiling systems, or “systematic monitoring of
a publicly accessible area on a large scale”
– UK ICO has much guidance on PIAs but little use in private sector
– lists of likely systems needing DPIAs to be issued by DPAs (art 35(4))
Editor's Notes
Move from mainframes to client/server technology, + Web 2.0, => millions of “data controllers” – private as well as state/big commerce; mice not elephants
Sheer amount of data processed + traffic data, profiling, data mining – the “database nation”
Internet/digitisation allows global rapid spread of data
But – lack of harmonisation in transnational cyberspace/outside EU (also lack of harmonisation WITHIN EC – see definitions)
=> DP does not fit corporate data-sharing models and globalisation/outsourcing
Lack of public pressure/knowledge of rights – dullness! => lack of enforcement resources
Review by European Commission overdue.
“identification numbers, location data, online identifiers or other specific factors as such should as a rule be considered personal data” (draft GDPR, recital 24), removed in final compromise