The EU Data Protection Directive revised: New challenges and perspectives Maria Giannakaki Attorney at Law – D.E.A. 4th International Conference on Information.

Presentation transcript:

The EU Data Protection Directive revised: New challenges and perspectives
Maria Giannakaki, Attorney at Law – D.E.A.
4th International Conference on Information Law, May 2011, Thessaloniki

The EU Data Protection Directive revised: New challenges and perspectives
- Challenges
  - Cloud computing
  - Web 2.0
- Perspectives for amendment
  - Applicable law
  - Cross-border issues
  - Right to be forgotten
  - Quasi-legal measures

Cloud computing
- Cloud computing allows users
  - to access and store information and
  - use software functionality on remote servers hosted in data servers worldwide
- Delivery models
  - IaaS (Windows Live SkyDrive, Rackspace Cloud)
  - PaaS (Google App Engine)
  - SaaS (Zoho.com, Google Docs)

Which law applies in the cloud?
- 'Place of establishment' and 'use of means' - no longer suitable determinative factors for applicable law
  - Data centers located in several jurisdictions
  - Data transferred randomly, processed and duplicated in a variety of locations
- The cloud requires a different approach based on
  - the place where the processing takes place
  - targeted individuals

Who is responsible for data protection compliance?
- Data Controller vs processor:
  - Data Controller: the party who determines the purpose and means of processing
  - Data processor: the party who acts on the data controller's behalf
- Issues when applied in cloud computing context:
  - Multiple offers and different clients targeted
  - Difficult to determine who acts as data controller
  - Customers may end up being solely responsible for data protection compliance
  - Sub-contracting concerns

Which legal basis for cross border data transfers?
- Countries with non-adequate level of protection
  - US Safe Harbor
  - Model contracts
  - Binding Corporate Rules
- Onward transfers

WEB Characteristics
- Social Computing/Web as a Platform
- Web 2.0 Characteristics
  - Ubiquitous character of information
  - Different types of information are aggregated and made available in a single view
  - Information used in a different context than the one in which it was originally published
  - No oblivion on the Internet
  - the "Hotel California effect"

WEB Data Privacy Challenges
- Ignorance of the danger of exposure:
  - Privacy is no longer a social norm
  - Illusion of intimacy on the Web
  - Publication of much more information than they think
- Information which would otherwise be forgotten or forgiven can be easily retrieved
- Data subjects are losing control over their data

Perspectives for amendment
- European Commission Communication "A comprehensive approach on personal data protection in the EU"
- Council's Conclusions on the Communication
- WP29 "The future of privacy"
- European Commission DG JFS Study "New Challenges to Data Protection"
- Summary of replies to the Public Consultation

Applicable law
- Current provisions
  - "context of the activities" principle
  - "use of equipment" unless such equipment is used for purposes of transit
- Suggestions for improving the Directive
  - Shift back to the "country of origin" principle
  - Concept of "targeted individuals" or "service oriented approach"
  - Children's Online Privacy Protection Act
  - Rome I

Cross-border issues
- Harmonization within the EEA countries
  - Amendment of the Directive or Regulation
  - Best practices and suggested interpretations by the WP29
- Simplification of International Data Transfers
  - Improvement of the current procedures for international data transfers
  - International Standards on the Protection of Privacy

Right to be forgotten
- Right to be forgotten
  - The right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes
  - The right of individuals not to be accountable for their conduct after a certain amount of time and beyond a given framework of relationships
- The right is innovative but it is not new
  - It is implicitly established in the EU Directive with the principle of data retention and the existing duty to keep data no longer than necessary
  - It also forms part of the right to informational self-determination (right to oblivion – droit à l'oubli)

Right to be forgotten
- Questions about its content and achievability in practice
  - What kind of information/records?
  - Who will be entitled to such right?
  - How can it be exercised when information appears in different platforms through the Internet (search engines, internet archive, mash-ups, social network aggregators)?

Right to be forgotten
- Criticism
  - Conflicting rights (freedom of speech, freedom of press, freedom of society to record history)
  - Fears that it can be used as a tool for censorship or suppression of civil liberties or exercised by data subjects in circumstances where negative information about them is processed for lawful purposes
- Different approaches (US)
- "Google case" - Spanish Data Protection Authority

Recommendations
- Raise data subjects' awareness of the implications of sharing their personal data
- Increase users' control over their profile data - "easiest personal data to forget are those which have never been collected"
- Reinforce data subjects' rights to access, rectify or delete data
- Impose privacy-friendly default settings on SNS providers
- Regulate third parties' access to data subjects' data

Quasi-legal measures
- Principle of Accountability
  - Data controllers are requested to:
    - put in place proactive measures ensuring compliance and
    - retain adequate evidence to prove compliance and effectiveness of measures adopted
  - Opinion 3/2010 WP29

Quasi-legal measures
- Personal Data Breach Notification
  - E-Privacy Directive: Notification requirements to providers of publicly available services
  - Amended Directive 95/46/EC: Sector specific data breach notification requirements
- Opinion 13/2011 WP29
  - Data Breach Notification Procedures
  - Standard EU Data Breach Notification Form
  - Modalities for implicated individuals' information
  - Technological protection measures for notification exemption
  - Guidance on information to be retained by providers

Quasi-legal measures
- Assessment of the effectiveness of technical and organizational measures:
  - Privacy Impact Assessments (PIAs)
    - Opinion 9/2011 WP29 on RFID
  - EU Certification Schemes
    - European Privacy Seal, European Codes of Conduct, BCRs
- Empowerment of data subjects' control over their data:
  - "Privacy by Design" Principle
  - Privacy-Friendly Default Settings
  - Privacy Enhancing Technologies (PETs)
    - Cookie cutters, out of tag mechanisms

Conclusions
- The Commission is expected to unveil legislative proposals to update the EU data protection framework this summer.
- However, it is going to be several years before the revised Directive is agreed and implemented in the EU Member States.
- Until then:
  - Data controllers are encouraged to implement Quasi-Legal Measures
  - Data subjects' awareness of the impact of publication of their personal data on the Internet should be raised

The EU Data Protection Directive revised: New challenges and perspectives Thank you for your attention Maria Giannakaki Attorney at law – D.E.A.