SlideShare una empresa de Scribd logo

Draft data protection regn 2012

Descargar como PPTX, PDF
L
lilianedwards

Discussion of the main elements of the draft Data Protection Regulation: what difference will it make to industry practice and user rights to control their data?

TecnologíaEmpresariales
1 de 18
First they came for cookies, then they came for Facebook? Potential Pitfalls of Upcoming EU Data Protection Reform Lilian Edwards Professor of E-Governance, Strathclyde Law School SSCL, MARCH 2012 Lilian.edwards@strath.ac.uk Pangloss: http://blogscript.blogspot.com @lilianedwards
Hard times for the data industries? • Revision of art 5(3) of the Privacy and Electronic Communications Directive 2002 to require “informed opt- in”? • “Please kill this cookie monster to save EU’s websites” • UK ICO “year of grace” since May 2011 – or of confusion? • US: FTC settlement with Google, Oct 2011 (Google Buzz); FB over “deceptive practices”, November 2011.
Why? .. Breaking news!!.. C4, May 2010
22 May 2011
Difficult priorities & conflicts for DP regulation.. • “..That's why I say that data is the new oil for the digital age. How many other ways could stimulate a market worth 70 billion euros a year, without spending big budgets? Not many, I'd say.” N Kroes, March 2012 • “Isn’t it sexy to be a data protection officer now? The staggering revelations at HMRC have propelled DP out of the shadowy domain of geeks and anoraks and into the bright sunlight of public debate.” OUT-Law, 2007 • “Rapid technological developments have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities…Building trust in the online environment is key to economic development. Personal data protection therefore plays a central role in the Digital Agenda for Europe..” Draft DPR introduction, Jan 2012
EC citizen attitudes towards data privacy – EuroBarometer 2011 Attitudes towards data protection • 60% of Europeans who use the internet (40% of all EU citizens) shop or sell things online and use social networking sites. • People disclose personal data, including biographical information (almost 90%), social information (almost 50%) and sensitive information (almost 10%) on these sites. • 70% said they were concerned about how companies use this data and they think that they have only partial, if any, control of their own data. • 74% want to give their specific consent before their data is collected and processed on the Internet.
Reform of the DPD? Nov 2010 consultation -> Jan 2012 draft Regulation • Main issues • Combine rules on DP police & LEAs sector with existing rules for “civilian” data controllers? (in fact kept separate) • Address globalisation better – data flows out of EU • Improve harmonisation within EU (binding interpretation by Art 29 WP?) • Strengthen Data Subject’s rights/ enhancing control over PD eg, online subject access, clarifying definitions of consent • Reduce red tape for Data Controllers – multinationals only to be regulated by 1 EC DPA - saving 2.3 billion Euros for EU industry - quid pro quo? • -> Make DCs more accountable, eg, must have a CPO; audit trails of processing; “privacy by design” (?) • Clarify rules on jurisdiction, applicable law and DP (eg Facebook? Google?)
New Regulation? – 1- definitions – personal data • New Art 2: • 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; • 'personal data' means any information relating to a data subject; • Will the UK definition remain compatible? “) • cf “Personal Data” is data which relates to a living individual who can be identified from that data, or with other data likely to be held by data controller • Cf Durant • FTC/Danish idea of “singling out” – widening existing EU definition? • Will anonymised profiles become “personal data”? User rights of access, rectification, deletion? Security, retention?
New Regulation – 2; definitions - data processors • Considerable redistribution of responsibilities between data controllers and data processors. Why? the cloud. • Art 29 WP on SWIFT case – Opinion 10/2006 • Held : SWIFT not just agent of Belgian banks (processor) but itself controller • Art 29 WP Report 169, Feb 2010, definition of processor vs controller – distinction based on “the possibility of pluralistic control (“which alone or jointly with others”), and.. the essential elements to distinguish the controller from other actors (“determines the purposes and the means of the processing of personal data”). Factual, not a legal choice made by DC etc.
The cloud, accountability and controller/processor • New art 26 Article 26 expands on old art 17(2) adding new elements, including that a processor who processes data beyond the controller's instructions is to be considered as a joint controller • Industry fearful of need to renegotiate all delegation contracts to cloud providers. • New art 28 introduces obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, replacing general notification duty (see later)
New Regulation? – 3- DS Rights + the Right to Forget • Right to forget – new art 17, rec 45-46 • Right to “obtain from the DC the erasure of *their+ personal data” but also to have no further “dissemination” of it - especially re data exposed when a child • Would a host have to go track down everywhere on the web the data was held or linked to and delete it? Responsibilities of search engines? Google cache? See new art 17(2) • Balance with freedom of expression? With proof? • Can you be a “data controller” for these purposes and yet not a “publisher” (Tamiz v Google Inc [2012] EWHC 449 (QB)) re Google Blogger) • What about exemptions from liability for hosting providers and mere conduits under EC E-Commerce Directive 2000? Currently DP not included. • Balance with “historical, statistical and scientific research”? (cf Wikipedia on criminal convictions) • Restricting access to data rather than deleting may be interim solution if dispute
“Foggy thinking about the right to oblivion” • Peter Fleischer, Google, March 9 2011 • “More and more, privacy is being used to justify censorship. In a sense, privacy depends on keeping some things private, in other words, hidden, restricted, or deleted. And in a world where ever more content is coming online, and where ever more content is find- able and share-able, it's also natural that the privacy counter- movement is gathering strength. Privacy is the new black in censorship fashions. It used to be that people would invoke libel or defamation to justify censorship about things that hurt their reputations. But invoking libel or defamation requires that the speech not be true. Privacy is far more elastic, because privacy claims can be made on speech that is true.” • OTOH - The “PR” society and super injunctions.. • OTOtherH - Cf to Rehabilitation of Offenders? In practice how French/Spanish laws have been used • Should main concern not be mundane profile data – not big historical issues?
More new DS rights.. • Right to access your data electronically if it is held electronically – ie “online subject access” (new art 10) • Right to data portability, ie, get a copy of the data to take elsewhere (new art 16) - “in an electronic format which is commonly used” ? • Right to object not just to use of data for direct marketing but to decision solely based on automated profiling (new art 20) • Insurance? Employment? Working with kids? “Location, health, personal preferences, reliability or behaviour”. The new “credit checking”. • Note this right does NOT apply to police/LEA profiling – separate Directive re LEA use of data/profiles – may not pass. • However (both art 20, Draft Reg; 9, Draft Dir) - DS cannot be automatically evaluated by profile (with or without consent) by police solely on basis of sensitive personal data – expanded to include genetic and biometric data
New Regulation? – 4- enforcement • Big headline figures - Penalties of up to €1 million or up to 2% of the global annual turnover of a company. • Why not disqualification of directors, as per company fraud? Jail? • Cf UK - DPA s55A (but not negligent breaches) – now max £500,000 fine, jail sentences still not implemented. In 2011, 7 cos fined – average £77K. • Cf USA – no immediate fine but FTC would fine FB/Google $16,000/day per violation of agreed privacy settlements • Will EC DPAs have the resources to go after these big enforcement actions? • Will multinationals arrange to have a “compliant” DPA as their sole regulator – UK/Ireland – race to the bottom or “corporation tax” opportunity? • Absence of technological knowledge by regulators?
Security breach notification • Mandatory security breach notification proposed (new arts 30-32). • Already introduced for telcos/ISPs in PEC Dir art 17(1) • Aim is naming and shaming; also notice to public enables them to get remedies, take protective steps • Details are controversial: what triggers; how long to fix before notifying; how long to advise (24 hours?!) ; to whom? – police/Inf Commr; data subjects affected. • No notification if data was encrypted (?) • Not to “public as whole” • Breach ennui? US experience not that helpful • But Sony didn’t notify breach of 10 m people for a week.. • What of collective action rights by hacked DS victims? Depends on other EU initiatives currently mired in doubt.
Conclusion? • “We have a tough regulation here – because there ARE big problems. • How do you comply with regulation? • This is where the real problem seemed to come for me. All the businesses want to know how to comply with regulations – but they don’t seem to understand the real point. These kinds of regulations aren’t really supposed to be about ticking boxes, or finding the right words to describe your activities in order to comply with the technical details of the relevant laws. Nigel Parker from Allen and Overy gave a very revealing and detailed picture of how he had to navigate some of his multi-national clients through the complexities of the different international regulations concerning data protection – but he seemed not to want to offer one particular piece of advice. He didn’t seem to want to tell his clients that they might well have to change what they do – or perhaps even decide not to do it. The purpose of the very existence of these regulations are to make businesses (and governments) change what they do, or at least how they do it.” • Paul Bernal’s blog, March 8 2012. (paulbernal.wordpress.com) • ?

Recomendados

IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestLilian Edwards
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
Cyber Banking Conference
Cyber Banking Conference Cyber Banking Conference
Cyber Banking Conference Endcode_org
 
Social Media & Legal Risk
Social Media & Legal Risk Social Media & Legal Risk
Social Media & Legal Risk Endcode_org
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management Endcode_org
 
Sarah Jamieson_corrections
Sarah Jamieson_correctionsSarah Jamieson_corrections
Sarah Jamieson_correctionsSarah Jamieson
 
Website and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesWebsite and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesPageFreezer
 

Recomendados

IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestLilian Edwards
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
Cyber Banking Conference
Cyber Banking Conference Cyber Banking Conference
Cyber Banking Conference Endcode_org
 
Social Media & Legal Risk
Social Media & Legal Risk Social Media & Legal Risk
Social Media & Legal Risk Endcode_org
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management Endcode_org
 
Sarah Jamieson_corrections
Sarah Jamieson_correctionsSarah Jamieson_corrections
Sarah Jamieson_correctionsSarah Jamieson
 
Website and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesWebsite and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesPageFreezer
 
Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...anthonywong
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookPlr-Printables
 
Big Data and Privacy
Big Data and PrivacyBig Data and Privacy
Big Data and Privacymjsale781
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016Saira Nayak, JD, CIPP/US/E
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...BCC - Solutions for IBM Collaboration Software
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data PrivacyWilmerHale
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Faidepro
 
E-Commerce 10
E-Commerce 10E-Commerce 10
E-Commerce 10Zarrar Siddiqui
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsThe Economist Media Businesses
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information SecurityCharles Mok
 
Freedom in the Days of the Internet
Freedom in the Days of the InternetFreedom in the Days of the Internet
Freedom in the Days of the Internetthinkingeurope2011
 
Apresentação de Jeanette Hofmann
Apresentação de Jeanette HofmannApresentação de Jeanette Hofmann
Apresentação de Jeanette HofmannFórum da Internet no Brasil
 
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...Timothy Holborn
 
How to Protect Your Data
How to Protect Your DataHow to Protect Your Data
How to Protect Your DataNeopost Mailing Solutions, Digital Communications and Shipping Services
 
Smart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationSmart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationcaniceconsulting
 
Obama moves forward with internet id plan by batteryfast
Obama moves forward with internet id plan by batteryfastObama moves forward with internet id plan by batteryfast
Obama moves forward with internet id plan by batteryfastbattery-fast. com
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
Anti social networking v 2
Anti social networking v 2Anti social networking v 2
Anti social networking v 2lilianedwards
 
Robbie the robot goes (w)rong!
Robbie the robot goes (w)rong!Robbie the robot goes (w)rong!
Robbie the robot goes (w)rong!lilianedwards
 

Más contenido relacionado

La actualidad más candente

Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...anthonywong
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookPlr-Printables
 
Big Data and Privacy
Big Data and PrivacyBig Data and Privacy
Big Data and Privacymjsale781
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data PrivacyWilmerHale
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Faidepro
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsThe Economist Media Businesses
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information SecurityCharles Mok
 
Freedom in the Days of the Internet
Freedom in the Days of the InternetFreedom in the Days of the Internet
Freedom in the Days of the Internetthinkingeurope2011
 
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...Timothy Holborn
 
Smart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationSmart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationcaniceconsulting
 
Obama moves forward with internet id plan by batteryfast
Obama moves forward with internet id plan by batteryfastObama moves forward with internet id plan by batteryfast
Obama moves forward with internet id plan by batteryfastbattery-fast. com
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 

La actualidad más candente (20)

Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protection
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e book
 
Big Data and Privacy
Big Data and PrivacyBig Data and Privacy
Big Data and Privacy
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data Privacy
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)
 
E-Commerce 10
E-Commerce 10E-Commerce 10
E-Commerce 10
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information Security
 
Freedom in the Days of the Internet
Freedom in the Days of the InternetFreedom in the Days of the Internet
Freedom in the Days of the Internet
 
Apresentação de Jeanette Hofmann
Apresentação de Jeanette HofmannApresentação de Jeanette Hofmann
Apresentação de Jeanette Hofmann
 
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
 
How to Protect Your Data
How to Protect Your DataHow to Protect Your Data
How to Protect Your Data
 
Smart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationSmart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislation
 
Obama moves forward with internet id plan by batteryfast
Obama moves forward with internet id plan by batteryfastObama moves forward with internet id plan by batteryfast
Obama moves forward with internet id plan by batteryfast
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and Avoidance
 

Destacado

Anti social networking v 2
Anti social networking v 2Anti social networking v 2
Anti social networking v 2lilianedwards
 
Robbie the robot goes (w)rong!
Robbie the robot goes (w)rong!Robbie the robot goes (w)rong!
Robbie the robot goes (w)rong!lilianedwards
 
Owl butterfly1
Owl butterfly1Owl butterfly1
Owl butterfly1Eliise
 
Owl butterfly1
Owl butterfly1Owl butterfly1
Owl butterfly1Eliise
 
Location, Location, Location? Legal and Privacy Issues around Processing of P...
Location, Location, Location? Legal and Privacy Issues around Processing of P...Location, Location, Location? Legal and Privacy Issues around Processing of P...
Location, Location, Location? Legal and Privacy Issues around Processing of P...lilianedwards
 
Privacy and care robots
Privacy and care robotsPrivacy and care robots
Privacy and care robotslilianedwards
 

Destacado (6)

Anti social networking v 2
Anti social networking v 2Anti social networking v 2
Anti social networking v 2
 
Robbie the robot goes (w)rong!
Robbie the robot goes (w)rong!Robbie the robot goes (w)rong!
Robbie the robot goes (w)rong!
 
Owl butterfly1
Owl butterfly1Owl butterfly1
Owl butterfly1
 
Owl butterfly1
Owl butterfly1Owl butterfly1
Owl butterfly1
 
Location, Location, Location? Legal and Privacy Issues around Processing of P...
Location, Location, Location? Legal and Privacy Issues around Processing of P...Location, Location, Location? Legal and Privacy Issues around Processing of P...
Location, Location, Location? Legal and Privacy Issues around Processing of P...
 
Privacy and care robots
Privacy and care robotsPrivacy and care robots
Privacy and care robots
 

Similar a Draft data protection regn 2012

Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...IISPEastMids
 
The death of data protection
The death of data protection The death of data protection
The death of data protection Lilian Edwards
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obamaLilian Edwards
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyLilian Edwards
 
Your Big Data Opportunity
Your Big Data OpportunityYour Big Data Opportunity
Your Big Data OpportunityiCrossing
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Presentatie Giorgos Rossides, Europese Commissie
Presentatie Giorgos Rossides, Europese CommissiePresentatie Giorgos Rossides, Europese Commissie
Presentatie Giorgos Rossides, Europese CommissieEuropadialoog
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Lumension
 
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsMalcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsIrish Future Internet Forum
 
DMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 OctoberDMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 OctoberRachel Aldighieri
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-finalData protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-finalDr. Donald Macfarlane
 
DMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 decemberDMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 decemberRachel Aldighieri
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRCase IQ
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
DAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptDAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptGmvViju1
 
Everything you need to know about the GDPR
Everything you need to know about the GDPREverything you need to know about the GDPR
Everything you need to know about the GDPRSpoon London
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social NetworkingDavid Erdos
 
[SLIDES] Internet of Things presentation at AEI (Sept 2014)
[SLIDES] Internet of Things presentation at AEI (Sept 2014)[SLIDES] Internet of Things presentation at AEI (Sept 2014)
[SLIDES] Internet of Things presentation at AEI (Sept 2014)Adam Thierer
 

Similar a Draft data protection regn 2012 (20)

The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...
 
The death of data protection
The death of data protection The death of data protection
The death of data protection
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obama
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacy
 
Your Big Data Opportunity
Your Big Data OpportunityYour Big Data Opportunity
Your Big Data Opportunity
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
Presentatie Giorgos Rossides, Europese Commissie
Presentatie Giorgos Rossides, Europese CommissiePresentatie Giorgos Rossides, Europese Commissie
Presentatie Giorgos Rossides, Europese Commissie
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?
 
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsMalcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
 
DMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 OctoberDMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 October
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-finalData protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
DMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 decemberDMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 december
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
DAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptDAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.ppt
 
Everything you need to know about the GDPR
Everything you need to know about the GDPREverything you need to know about the GDPR
Everything you need to know about the GDPR
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
 
[SLIDES] Internet of Things presentation at AEI (Sept 2014)
[SLIDES] Internet of Things presentation at AEI (Sept 2014)[SLIDES] Internet of Things presentation at AEI (Sept 2014)
[SLIDES] Internet of Things presentation at AEI (Sept 2014)
 

Más de lilianedwards

Social media, surveillance and censorship
Social media, surveillance and censorshipSocial media, surveillance and censorship
Social media, surveillance and censorshiplilianedwards
 
Digital Lives Full Vn
Digital Lives Full VnDigital Lives Full Vn
Digital Lives Full Vnlilianedwards
 
Deb Act Talk April 2010
Deb Act Talk April 2010Deb Act Talk April 2010
Deb Act Talk April 2010lilianedwards
 

Más de lilianedwards (9)

Social media, surveillance and censorship
Social media, surveillance and censorshipSocial media, surveillance and censorship
Social media, surveillance and censorship
 
Wipo 2011
Wipo 2011Wipo 2011
Wipo 2011
 
Igf oecd
Igf oecdIgf oecd
Igf oecd
 
Igf oecd
Igf oecdIgf oecd
Igf oecd
 
Digital Lives Full Vn
Digital Lives Full VnDigital Lives Full Vn
Digital Lives Full Vn
 
Deb Act Talk April 2010
Deb Act Talk April 2010Deb Act Talk April 2010
Deb Act Talk April 2010
 
Ratemylegalrisknew
RatemylegalrisknewRatemylegalrisknew
Ratemylegalrisknew
 
Sible 09
Sible 09Sible 09
Sible 09
 
Death And The Web
Death And The WebDeath And The Web
Death And The Web
 

Último

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Último (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Draft data protection regn 2012

  • 1. First they came for cookies, then they came for Facebook? Potential Pitfalls of Upcoming EU Data Protection Reform Lilian Edwards Professor of E-Governance, Strathclyde Law School SSCL, MARCH 2012 Lilian.edwards@strath.ac.uk Pangloss: http://blogscript.blogspot.com @lilianedwards
  • 2. Hard times for the data industries? • Revision of art 5(3) of the Privacy and Electronic Communications Directive 2002 to require “informed opt- in”? • “Please kill this cookie monster to save EU’s websites” • UK ICO “year of grace” since May 2011 – or of confusion? • US: FTC settlement with Google, Oct 2011 (Google Buzz); FB over “deceptive practices”, November 2011.
  • 3. Why? .. Breaking news!!.. C4, May 2010
  • 5.
  • 6. Difficult priorities & conflicts for DP regulation.. • “..That's why I say that data is the new oil for the digital age. How many other ways could stimulate a market worth 70 billion euros a year, without spending big budgets? Not many, I'd say.” N Kroes, March 2012 • “Isn’t it sexy to be a data protection officer now? The staggering revelations at HMRC have propelled DP out of the shadowy domain of geeks and anoraks and into the bright sunlight of public debate.” OUT-Law, 2007 • “Rapid technological developments have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities…Building trust in the online environment is key to economic development. Personal data protection therefore plays a central role in the Digital Agenda for Europe..” Draft DPR introduction, Jan 2012
  • 7. EC citizen attitudes towards data privacy – EuroBarometer 2011 Attitudes towards data protection • 60% of Europeans who use the internet (40% of all EU citizens) shop or sell things online and use social networking sites. • People disclose personal data, including biographical information (almost 90%), social information (almost 50%) and sensitive information (almost 10%) on these sites. • 70% said they were concerned about how companies use this data and they think that they have only partial, if any, control of their own data. • 74% want to give their specific consent before their data is collected and processed on the Internet.
  • 8. Reform of the DPD? Nov 2010 consultation -> Jan 2012 draft Regulation • Main issues • Combine rules on DP police & LEAs sector with existing rules for “civilian” data controllers? (in fact kept separate) • Address globalisation better – data flows out of EU • Improve harmonisation within EU (binding interpretation by Art 29 WP?) • Strengthen Data Subject’s rights/ enhancing control over PD eg, online subject access, clarifying definitions of consent • Reduce red tape for Data Controllers – multinationals only to be regulated by 1 EC DPA - saving 2.3 billion Euros for EU industry - quid pro quo? • -> Make DCs more accountable, eg, must have a CPO; audit trails of processing; “privacy by design” (?) • Clarify rules on jurisdiction, applicable law and DP (eg Facebook? Google?)
  • 9. New Regulation? – 1- definitions – personal data • New Art 2: • 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; • 'personal data' means any information relating to a data subject; • Will the UK definition remain compatible? “) • cf “Personal Data” is data which relates to a living individual who can be identified from that data, or with other data likely to be held by data controller • Cf Durant • FTC/Danish idea of “singling out” – widening existing EU definition? • Will anonymised profiles become “personal data”? User rights of access, rectification, deletion? Security, retention?
  • 10. New Regulation – 2; definitions - data processors • Considerable redistribution of responsibilities between data controllers and data processors. Why? the cloud. • Art 29 WP on SWIFT case – Opinion 10/2006 • Held : SWIFT not just agent of Belgian banks (processor) but itself controller • Art 29 WP Report 169, Feb 2010, definition of processor vs controller – distinction based on “the possibility of pluralistic control (“which alone or jointly with others”), and.. the essential elements to distinguish the controller from other actors (“determines the purposes and the means of the processing of personal data”). Factual, not a legal choice made by DC etc.
  • 11.
  • 12. The cloud, accountability and controller/processor • New art 26 Article 26 expands on old art 17(2) adding new elements, including that a processor who processes data beyond the controller's instructions is to be considered as a joint controller • Industry fearful of need to renegotiate all delegation contracts to cloud providers. • New art 28 introduces obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, replacing general notification duty (see later)
  • 13. New Regulation? – 3- DS Rights + the Right to Forget • Right to forget – new art 17, rec 45-46 • Right to “obtain from the DC the erasure of *their+ personal data” but also to have no further “dissemination” of it - especially re data exposed when a child • Would a host have to go track down everywhere on the web the data was held or linked to and delete it? Responsibilities of search engines? Google cache? See new art 17(2) • Balance with freedom of expression? With proof? • Can you be a “data controller” for these purposes and yet not a “publisher” (Tamiz v Google Inc [2012] EWHC 449 (QB)) re Google Blogger) • What about exemptions from liability for hosting providers and mere conduits under EC E-Commerce Directive 2000? Currently DP not included. • Balance with “historical, statistical and scientific research”? (cf Wikipedia on criminal convictions) • Restricting access to data rather than deleting may be interim solution if dispute
  • 14. “Foggy thinking about the right to oblivion” • Peter Fleischer, Google, March 9 2011 • “More and more, privacy is being used to justify censorship. In a sense, privacy depends on keeping some things private, in other words, hidden, restricted, or deleted. And in a world where ever more content is coming online, and where ever more content is find- able and share-able, it's also natural that the privacy counter- movement is gathering strength. Privacy is the new black in censorship fashions. It used to be that people would invoke libel or defamation to justify censorship about things that hurt their reputations. But invoking libel or defamation requires that the speech not be true. Privacy is far more elastic, because privacy claims can be made on speech that is true.” • OTOH - The “PR” society and super injunctions.. • OTOtherH - Cf to Rehabilitation of Offenders? In practice how French/Spanish laws have been used • Should main concern not be mundane profile data – not big historical issues?
  • 15. More new DS rights.. • Right to access your data electronically if it is held electronically – ie “online subject access” (new art 10) • Right to data portability, ie, get a copy of the data to take elsewhere (new art 16) - “in an electronic format which is commonly used” ? • Right to object not just to use of data for direct marketing but to decision solely based on automated profiling (new art 20) • Insurance? Employment? Working with kids? “Location, health, personal preferences, reliability or behaviour”. The new “credit checking”. • Note this right does NOT apply to police/LEA profiling – separate Directive re LEA use of data/profiles – may not pass. • However (both art 20, Draft Reg; 9, Draft Dir) - DS cannot be automatically evaluated by profile (with or without consent) by police solely on basis of sensitive personal data – expanded to include genetic and biometric data
  • 16. New Regulation? – 4- enforcement • Big headline figures - Penalties of up to €1 million or up to 2% of the global annual turnover of a company. • Why not disqualification of directors, as per company fraud? Jail? • Cf UK - DPA s55A (but not negligent breaches) – now max £500,000 fine, jail sentences still not implemented. In 2011, 7 cos fined – average £77K. • Cf USA – no immediate fine but FTC would fine FB/Google $16,000/day per violation of agreed privacy settlements • Will EC DPAs have the resources to go after these big enforcement actions? • Will multinationals arrange to have a “compliant” DPA as their sole regulator – UK/Ireland – race to the bottom or “corporation tax” opportunity? • Absence of technological knowledge by regulators?
  • 17. Security breach notification • Mandatory security breach notification proposed (new arts 30-32). • Already introduced for telcos/ISPs in PEC Dir art 17(1) • Aim is naming and shaming; also notice to public enables them to get remedies, take protective steps • Details are controversial: what triggers; how long to fix before notifying; how long to advise (24 hours?!) ; to whom? – police/Inf Commr; data subjects affected. • No notification if data was encrypted (?) • Not to “public as whole” • Breach ennui? US experience not that helpful • But Sony didn’t notify breach of 10 m people for a week.. • What of collective action rights by hacked DS victims? Depends on other EU initiatives currently mired in doubt.
  • 18. Conclusion? • “We have a tough regulation here – because there ARE big problems. • How do you comply with regulation? • This is where the real problem seemed to come for me. All the businesses want to know how to comply with regulations – but they don’t seem to understand the real point. These kinds of regulations aren’t really supposed to be about ticking boxes, or finding the right words to describe your activities in order to comply with the technical details of the relevant laws. Nigel Parker from Allen and Overy gave a very revealing and detailed picture of how he had to navigate some of his multi-national clients through the complexities of the different international regulations concerning data protection – but he seemed not to want to offer one particular piece of advice. He didn’t seem to want to tell his clients that they might well have to change what they do – or perhaps even decide not to do it. The purpose of the very existence of these regulations are to make businesses (and governments) change what they do, or at least how they do it.” • Paul Bernal’s blog, March 8 2012. (paulbernal.wordpress.com) • ?