The GDPR is here. So do you know what the courts are saying?

THE GDPR IS THERE
DO YOU KNOW WHAT THE
COURTS ARE SAYING?
Aurélie Pols for Superweek January 28th 2019
Views from the Privacy Engineering trenches,
free of disclaimers aka just my views and not any of my clients
European at heart, recovering dataholic
1@aureliepols aurelie@mindyourprivacy.com

@aureliepols aurelie@mindyourprivacy.com
Data Governance & Privacy Engineer
Data is the New infrastructure – Privacy is the New Green – Trust is the New Currency
Dutch nationality, French mother tongue, works in English, lives in Spain
AURELIE POLS,
DATA GOVERNANCE
& PRIVACY ENGINEER
• DPO for mParticle (Customer Data platform) – contractor (USA, New York)
• Chief Visionary Officer – Competing on Privacy; Founder – Aurélie Pols and Associates
• Professor of Ethics & Privacy in Big Data & Business Analytics Master – Instituto de Empresa (IE), Madrid (ES);
guest professor DPO certification courses Maastricht University, faculty of law (NL) & Solvay Business School Brussels (B)
• Board Member European Center On Privacy and Security, Maastricht University (NL)
• Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS) Towards a digital ethics
• Former Vice-chair P7002 – Data Privacy Process – IEEE
• Speaker/writer/consiglieri: Mobile World Congress, SWSX, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry
associations, AdTech & MarTech vendors, …
2003:
OX2 Co-founder
Webanalytics.be
2008:
Sold to Digitas LBi
(Publicis)
2

Got worried
about
privacy in
2007
3
Source: https://www.ftc.gov/sites/default/files/documents/public_statements/statement-matter-google/doubleclick/071220harbour_0.pdf

2016 2017
1. Define yourself
2. Define data flows
3. Align liabilities
4. Purpose & consent
5. Risk based approach
i. Data
Security &
breach
notification
ii. Codes of
Conduct &
Certifications
iii. Data
Pseudony-
mization
iv. Data subject
consent &
purpose of
processing
v. Profiling
& the Right
to Object
vi. Cross
border data
transfers
vii. Erasure /
Rectification
Rights
viii. Data
Portability
ix. Duties &
responsibilities
x.
Procedures
& Fines
Privacy
engineering
1. Incentives beyond
accountability?
2. Data ownership? never!
3. Blurring lines of personal
data ( ≠ PII !!! despite NIST)
4. Standards
4

Autonomy, beyond Dignity
5
Charter of Fundamental Rights of the European Union
Article 1: “Human dignity is inviolable. It must be respected and protected”.
Charter articles Charter text
GDPR Art. 8: Protection
of personal data
1. Everyone has the right to the protection of
personal data concerning him or her.
2. Such data must be processed fairly for
specified purposes and on the basis of the
consent of the person concerned or some
other legitimate basis laid down by law.
Everyone has the right of access to data which
has been collected concerning him or her, and
the right to have it rectified.
3. Compliance with these rules shall be
subject to control by an independent
authority.
ePrivacy Art. 7: Respect
for private and
family life
Everyone has the right to respect for his or her
private and family life, home and
communications.

Gentle reminder about ePrivacy
Consent is a horizontal
obligation in the GDPR,
independent on how
ePrivacy will pan out!
https://www.youtube.com/
watch?v=gLW_y_cucUQ
6

@aureliepols aurelie@mindyourprivacy.com 7

https://techcrunch.com/2
018/11/20/how-a-small-
french-privacy-ruling-
could-remake-adtech-for-
good/
And then,
• NOYB
• Privacy International
• Brave..
8

Because ladies and
gentlemen
It gets worse!

Back to the GDPR

Obligations under the GDPR data ecosystem
12
Source: https://www.rizikon.oi/gdpr-compliance
Appointing a DPO –
Data Protection
Officer – or not?
Described in section
4 of the GDPR, art.
37: Designation of a
data protection
officer.
Following articles
talk of position and
tasks.
The choice remains
to appoint one even
if not directly
required: moving
beyond
compliance!

Spot the difference: controller vs. processor
• Controller decides:
• Purpose
• Means of processing
• Processor
acts/processes data
upon instructions of the
data controller
Increasingly a question of
data flows, not contracts!
15

Interlocking liabilities & obligations
People
Company
(Telco,
Bank,
Insurance..)
Company
(Agency,
consultancy,
vendor, ...)
Cloud
provider• Aligning contract obligations
• (+ enforcement?)
• Providing
• Security
• Privacy features
• Privacy engineering
B2C
B2B
B2B
Privacy
policies
Consent
MSA
SOW
T&C
16

As a processor, can I engage a controller?
• Yes if you have the necessary permission / instructions from the initial
controller
• Processor may need to amend contract with initial controller
Data Subject
Data
Controller
(first / initial)
Data
Processor
Data
Controller
(receiving)?
17

Data subject’s consent questions
Do I have to get a DS’s consent to share data with another controller?
As the receiving controller, should I insist that the 1st controller has
sought consent?
• General rule = no
ü Data controller needs to have a legal basis for sharing; needs to provide
notice, and all the other things controllers need to do (art. 24)
• Exceptions so BUT if data and purposes for which the receiving
Controller plans to use the data are:
ü E-Marketing?
ü “Special categories of data”
18

Gentle reminder: lawful basis examples
19

How can you
be confident
about
Legitimate
Interests?
20
Source: https://fpf.org/2017/12/11/unfairness-by-algorithm-distilling-the-harms-of-automated-decision-making/

Data Subject
Data
Controller
(first / initial)
Data
Processor
Data
Controller
(receiving)
Consent?
Notice obligations for (behind the scenes)
service provider
How to provide notice?
21

That’s for the lawyers who like
contracts and to scare them,
while engineering teams smile
What about the courts?

The CJEU
cares about
data
protection
Working from country references
and supervisory authorities
23

Fact: not a lot
of litigation
with respect to
data protection
• Most notorious? RTBF: the Right to be Forgotten
• Data protection inferred from EU primary law: level
of constitution
• Not the case in ECHR (4/11/1950): mentions only
privacy
• Yet a step forward to the US Constitution for
eg.(200 years older) Griswald vs. Connecticut
1965 where Right to Privacy belongs to
penumbras of the Constitution: a right without
which the remainder of the other rights
wouldn’t make any sense
• EU less complicated: it’s in the texts in
• the Charter of Fundamental Rights (art. 7 & 8)
• Art. 16 TFEU: horizontal provision (consent)
24

Autonomy, beyond Dignity
26
Charter of Fundamental Rights of the European Union
Article 1: “Human dignity is inviolable. It must be respected and protected”.
Charter articles Charter text
GDPR Art. 8: Protection
of personal data
1. Everyone has the right to the protection of
personal data concerning him or her.
2. Such data must be processed fairly for
specified purposes and on the basis of the
consent of the person concerned or some
other legitimate basis laid down by law.
Everyone has the right of access to data which
has been collected concerning him or her, and
the right to have it rectified.
3. Compliance with these rules shall be
subject to control by an independent
authority.
ePrivacy Art. 7: Respect
for private and
family life
Everyone has the right to respect for his or her
private and family life, home and
communications.

Treaty of Functioning of the European Union
(TFEU)
27

Typically 2 types of cases at the ECJ
1. Public interest vs. individual interest
• Law Enforcement Directive 2016/680
• Data Retention Directive of 2006 invalidated in 2014 in Digital Rights vs.
Seitlinger case, Tele2 Sverige & Watson, … mainly telcos and profiling, serious
crime
• Schrems vs. Facebook invalidated Safeharbour in October 2015 (adequacy,
following Snowden. Also PNR in Canada, sensitive data)
2. Interpretation of EU secondary law to foster accountability of
individuals
28

Threats of private persons to the protection of personal data
Pending cases which came under the Directive, are now under the GDPR
• Accountability & balancing of rights:
• “Right to be Forgotten” (2014), Costeja González with AEPD (Google actually
complained in front of audiencia nacional)
• Joint responsibility?
• Wirtschaftsakademie vs. Facebook (June 2018) about fan pages and FB =
controller & a fan page administrator is jointly responsible (key is profiling + also
those who are not on FB!)
• Derogations? Not everything is digital!
• Jehovah Witness from Finland
• Planet 49: pre-ticked boxes & consent
29

Processors refusing to be joint controllers
NISTIR 8062
An introduction to
privacy
engineering & Risk
Management in in
Federal Systems
(Jan 2017)
http://nvlpubs.nist
.gov/nistpubs/ir/2
017/NIST.IR.8062.p
df
31

Processor obligations (I)
32
Responsibility of the
data processor
Contract with
obligations and
indications
Standard
Contractual Clauses
Census data
processed
> 250 employees
Records of
processing activities
Security of
processing (art. 32)
Officer’s obligation
in confidentiality
Evaluation on risk
management
Right to
compensation and
liability (art. 82)
Responsibility for the
entire damage
Penalties (artt. 83 &
84)
PDCA on security
measures
Support data
controllers on
security
management
Security of
processing (art. 82)
Notification of a
personal data breach
to the supervisory
authority (art.33)
Communication of a
personal data breach
to the data subject
(art.34)
Cases provided by
Data Protection
Supervisor
Data protection
impact assessment
(art. 35)
Prior consultation
(art. 36)
Support data
controller’s
obligations (art. 28)
Facilitate inspections
Obligation to report
opposite indications
of the Regulation
Support data
controller on the
rights of data subject
Transparency (art.
12)
Right of access (art.
15)
Right to rectification
(art. 16)
Right to erasure (art.
17)
Right to restriction
of processing (art.
18)
Right to data
portability (art. 20)
Right to object (art.
21)
Information (artt. 13
& 14)
Personal data
collected from the
data subject (art. 13)
Personal data not
obtained from the
data subject (art. 14)

Processor obligations (II)
Responsibility of the data
processor
Education of data officers
(art. 29)
Public authority
DPO (art. 37)
Guidelines on DPOs (WP29
#243)
Monitoring on large scale
DPO (art. 37)
#243)
Sensitive data (art. 9) and
personal data relating to
criminal convictions (art. 10)
Records of processing
activities (art. 30)
Large scale
Data protection impact
assessment (art. 35)
DPO (art. 37)
#243)
Nominate other data
processor
Cautious choice
Data controller’s
authorisation (art. 28 c.2)
Contract
Transfer to a 3rd country
Statutory obligation
Data controller's
authorisation
Transfer on the basis of an
adequacy decision (art. 45)
PrivacyShield
Transfer subject to
appropriate safeguards (art.
46)
Binding corporate rules (art.
47)
Adherence to codes of
conduct
Certification (art. 42) (market
leverage)
A processor, who establishes
autonomous purposes and
means, is considered to be a
controller

Is every service provider a processor?
• How as the view changed since the Directive?
• GDPR changes:
• Direct obligations
• Audit rights
• Limits of sub-processing
• Article 28 limits
• Cannot improve product/service!
Roles a becoming less clear with data processing operations such as ML

Worlds are colliding!
Privacy by Design lady
7 principles:
1. Proactive not reactive, preventive not
remedial
2. Privacy as the default
3. Privacy embedded into Design
4. Full functionality – positive sum, no
zero sum
5. End-to-end security – Lifecycle
protection
6. Visibility and transparency
7. Respect for user privacy
37

Recommended reading?
https://iapp.org/news/a/if-privacy-principles-are-from-venus-then-engineering-rules-are-from-mars/
38

An algorithm walks into a bar
39

What I teach
my children
40

Thank you for coming to my presentation
History is important, it shapes our lives, entire generations!
• Today is
#dataprotectionday
• Yesterday was
#holocaustday
• The future doesn’t have
to be Black Mirror
41
Picture of
my
beautiful
daughter
My grandfather
Apparently I have uncles…

Thank you for
your attention
aurelie@mindyourprivacy.com
42

The GDPR is here. So do you know what the courts are saying?

Recommended

Recommended

More Related Content

What's hot

What's hot (8)

Similar to The GDPR is here. So do you know what the courts are saying?

Similar to The GDPR is here. So do you know what the courts are saying? (20)

More from Aurélie Pols

More from Aurélie Pols (13)

Recently uploaded

Recently uploaded (20)

The GDPR is here. So do you know what the courts are saying?