Update on General Data Protection Regulation and Law Enforcement Directive
Seamus Carroll, Civil Law Reform Division, Department of Justice and Reform
Timelines
- Political deal on data protection reform package in mid-December 2015
- Publication of GDPR in May 2016; applies from May 2018 to both public and private sectors; contains some specific rules and limitations for the public sector
- Separate Directive dealing with law enforcement requires transposition into national law by May 2018
- Data Protection Bill, which will give ‘further effect’ to GDPR and transpose the Directive, approved by Government for drafting; it will also equip the Data Protection Commissioner with procedural and due process safeguards
- Publication in Autumn 2017; enactment in Spring 2018
Objective of Regulation (GDPR)
“Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those [in the public and private sectors] who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States” (Recital 11).
Need for higher data protection standards?
- The Lisbon Treaty introduced a new legal basis for higher data protection standards in the EU (Article 16); the right to data protection is also in the Charter of Fundamental Rights (Article 8)
- The data protection standards set out in the 1995 Data Protection Directive – on which current data protection law is based – need to be updated to take account of technological advances (Internet; social networking; Big Data) and new business models (cloud computing), i.e. the digital economy
- Rapidly developing case law of the EU Court of Justice on data protection
- Need for more consistent application of data protection law in the single digital market pointed towards a Regulation to replace the 1995 Directive; increased activity in the law enforcement area pointed towards a new Directive
Digital economy – v – human rights
- Technological advances and innovative business models in the digital economy present opportunities for innovation, job creation and economic growth both in Member States and across the Union
- Data protection is about the rights and freedoms of individuals: their rights to control the uses to which their personal data are put and their freedom not to be subjected to unnecessary monitoring or observation
- Data protection rights and safeguards must keep pace with the emerging technologies and new business models; otherwise there will be insufficient consumer trust and confidence in the digital economy to ensure that its jobs and growth potential are fully realised
Benefits for customers and clients
- More onerous obligations on data controllers to provide information to data subjects in a transparent and speedy manner, and without charge
- Strengthened rights of data subjects:
  - to obtain information about the processing of their personal data, whether collected directly or obtained from another source
  - to obtain copies of personal data undergoing processing
  - to rectification of incorrect or incomplete data
  - to erasure (“right to be forgotten”) and to restriction of processing
  - to data portability (new)
  - to object to processing
  - limitation on automated decision-making, including profiling
What’s new for data controllers?
- More emphasis on transparency
  - Personal data must be processed lawfully, fairly and in a transparent manner: Article 5.1(a)
  - Provide information “in an intelligible and accessible form, using clear and plain language”: Article 12
- More emphasis on accountability
  - The controller shall be responsible for and be able to demonstrate compliance with the Regulation: Article 5.2
- More emphasis on security
  - Personal data must be processed in a way that ensures appropriate security of the personal data: Article 5
  - Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk: Article 32
Risk-based approach to controller obligations
The controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is in compliance with the Regulation, taking into account:
- the nature, scope, context and purposes of the processing, and
- the risks of varying likelihood and severity for the rights and freedoms of individuals
(Articles 24 and 32 of Regulation)
Mitigation of risk
- Data protection impact assessments (Article 35 of Regulation)
- Mandatory prior consultation of DPA in cases of identified risks and intended legislation (Article 36 of Regulation)
- Designation of data protection officer; mandatory for certain data controllers, including public authorities and bodies (Article 37 of Regulation)
- Codes of conduct (Articles 40 and 41 of Regulation)
- Certification mechanisms and data protection seals and marks (Articles 43 and 44 of Regulation)
Mandatory reporting of data breaches
- Mandatory reporting of personal data breaches to DPA unless a breach is unlikely to result in a risk for the rights and freedoms of individuals: without undue delay and, where feasible, not later than 72 hours after becoming aware of it
- Report must identify the likely consequences of the breach and the measures taken, or to be taken, to mitigate possible adverse effects for individuals
- Facts surrounding the breach, its effects and remedial action taken must be documented to verify compliance
- DPA may require notification of individuals where a breach is likely to result in high risk for their rights and freedoms
Liability and right to compensation
- A person who has suffered material or non-material damage as a result of an infringement shall have the right to receive compensation from the controller
- Any controller involved in the processing shall be liable for the damage caused by processing which is not in compliance with the Regulation; a processor shall be liable for damage only where it has not complied with obligations specifically directed to processors or has acted outside the lawful instructions of the controller
- A controller shall be exempted from liability if it proves that it is not in any way responsible for the event
- Where more than one controller or processor, or a controller and a processor, are involved in the same processing and are responsible for any damage caused by the processing, each controller or processor shall be held liable for the entire damage, in order to ensure effective compensation of the data subject; a controller shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage
Contract between controller and processor
- Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject
- The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes
- Applies in simple cases (shredding company; off-site storage) and complex cases (provider of cloud services)
Administrative fines
- Each DPA shall ensure that the imposition of administrative fines in respect of infringements of this Regulation shall in each individual case be effective, proportionate and dissuasive
- Infringements shall be subject to administrative fines up to €10,000,000 or €20,000,000 (or, in the case of an undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year)
- Member States may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies
- The exercise by DPAs of the power to impose fines shall be subject to appropriate procedural safeguards in conformity with Union and national law, including effective judicial remedy and due process
Specific provisions for the public sector
- Lawful processing
  - consent not a reliable ground (“… where the controller is a public authority … it is unlikely that consent was freely given …”) (Recital 43)
  - legitimate interest ground shall not apply to processing carried out by public authorities (Article 6.1)
- Restrictions on processing of special categories of personal data (sensitive personal data, including data concerning health)
  - processing permitted in certain cases subject to specific measures to safeguard the rights and interests of data subjects
  - specific provisions in relation to the health sector (Article 9.1(h)) and public health (Article 9.1(i))
  - Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health (Article 9.4)
Further provisions
- Restrictions on the exercise of data subject rights permitted to safeguard important objectives of general public interest, subject to conditions (Article 23):
  - must be in the form of a legislative measure
  - essence of the fundamental rights and freedoms must be respected
  - must be a necessary and proportionate measure in a democratic society
- Mandatory designation of data protection officer by public authorities and bodies:
  - a single data protection officer may be designated for several public authorities or bodies, taking account of their organisational structure and size
  - designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice
  - shall directly report to the highest management level
Application of both GDPR and Directive by some agencies
- GDPR will generally apply to payroll, HR, licensing activity, regulatory oversight etc.
- New Data Protection Act (Part 4) will apply to processing of personal data by a ‘competent authority’ for the purposes of prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties
- Definition of ‘competent authority’; some examples:
  - Private Security Authority: section 48 offences
  - Property Services Regulatory Authority: section 94 offences
- Agencies need to identify whether they act as a ‘competent authority’ and in respect of what activity
Big Data and Data Protection
Ensuring personal data protection becomes more challenging as information is multiplied and shared ever more widely around the world. Information regarding individuals’ health, location, electricity use, online activity and so forth can be publicised, raising concerns about profiling, discrimination, exclusion and loss of control.
Big Data analytics does not always involve personal data. But, when it does, it should comply with the rules and principles of data protection: the EU’s Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet. Big Data is no different.
http://ec.europa.eu/justice/data-protection/files/data-protection-big-data_factsheet_web_en.pdf
Archiving; statistics; research
- Purpose limitation: “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89.1, not be considered incompatible with the initial purposes” (Article 5.1(b))
- Storage limitation: “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89.1 subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of data subjects” (Article 5.1(e))
- Obligation in Article 14 to provide information to individuals where personal data have not been obtained directly from them does not apply where provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89.1
Appropriate safeguards for archiving, scientific or historical research purposes or statistical purposes (Article 89)
“Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.”
Next steps
- Department of Justice and Equality has prepared a draft Bill to give further effect to the Regulation, transpose the law enforcement Directive and confer powers on the Data Protection Commissioner
- All Departments vetting existing legislation in order to identify necessary amendments; should also commence preparation of regulations, e.g. restrictions on data subject rights under Article 23
- Oversight by Interdepartmental Committee on Data Issues (chaired by Minister of State Murphy); will now meet on a monthly basis
- Agencies should ensure that compliance is included in their strategic and business plans, and non-compliance in their risk registers