Data Protection – Future EU Law and the Compliance Function
Billy Hawkes, Data Protection Commissioner
ACOI, Dublin, 17 April 2012

Presentation Outline
- Present Law
- Commission Proposals
- Some Issues
- ePrivacy Regulations: Update

EU Data Protection Legislation
- Data Protection Directive 95/46/EC
  - Internal Market legal basis
- Electronic Privacy Directive 2002/58/EC (as amended)
- EUROPOL, EURODAC, EUROJUST, SCHENGEN etc. Decisions/Regulations
- Police & Justice Decision 2008/977/JHA
  - Intra-EU only

EU & Irish Legislation
- EU: Data Protection Directive 95/46/EC (being updated); Ireland: Data Protection Acts 1988 & 2003
- EU: Electronic Privacy Directive 2002/58/EC (as amended); Ireland: EC Electronic Privacy Regulations 2011 (SI 336/2011)
- EU: EUROPOL etc.; Ireland: corresponding Acts
- EU: Police & Justice Decision 2008/977/JHA; Ireland: to be transposed

Presentation Outline
- Present Law
- Commission Proposals
- Some Issues
- ePrivacy Regulations: Update

Lisbon Treaty: Article 16, Treaty on the Functioning of the Union
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. …

EU Charter of Fundamental Rights: Article 8, Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

EU DP Law Changes: Timetable
- 2009/2010: Public and Sectoral Consultation
- November 2010: “Communication” from EU Commission
- 25 January 2012: Draft Laws published
- 2012/13?: Negotiation in Council and Parliament
- Implementation: by ?

Future EU Law: Structure
- Directly-applicable Regulation
- Separate Directive for Law Enforcement Area
- Separate Decision for Foreign Affairs (CFSP) Area
  - Not yet presented

Philosophy
“The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.”

General Principles (1)
- Protecting the Fundamental Right to Data Protection and the Free Movement of Personal Data
  - Particular focus on children
- Applies to organisations processing personal data that are either established in the EU or offering goods and services to, or monitoring the behaviour of, EU residents
- Does not apply to a natural person without any gainful interest in the course of its own exclusively personal or household activity

General Principles (2)
- Data Minimisation
  - “limited to the minimum necessary”
- Transparency
  - More prescriptive information requirements
- Strengthened Right of Access
  - More information
  - No charge (except where “manifestly excessive”)
  - Normally within one month

General Principles (3)
- Accountability of Data Controller (Joint Controller)
  - “ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”
  - Documentation
  - Data Protection Officer

General Principles (4)
- Privacy by Design
  - Privacy Impact Assessment
  - “Seal” systems
- Data Portability
- “Right to be Forgotten”
  - Requirement for a retention policy
  - On request, delete unless this clashes with other rights (freedom of expression etc.)
- Strengthened Data Security
  - Data Breach Notification

Lawfulness of Processing
- Stricter definition of “consent”
  - Burden of proof on data controller
  - Can’t be “buried” in another document
  - Not valid where there is a “significant imbalance”
  - Parental consent for a child under 13
- “Legal Obligation”, “Public Interest” and “Exercise of Official Authority” must be laid down in law which meets a proportionality test
- “Legitimate Interests” of the data controller does not apply to a public organisation

Direct Marketing
- Strengthened Right to Refuse
  - “right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information”
- Relationship to ePrivacy Directive

International Transfers: Principle (1)
“Where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.”

International Transfers (2)
- “Adequacy” Decisions by Commission
- Standard Clauses
  - Adopted by Commission, or prescribed by DPA and “declared generally valid” by Commission
  - Approved by DPA (subject to Consistency Mechanism)
- Binding Corporate Rules

International Transfers (3)
- Informed Consent, Contractual Requirement etc.
- “Legitimate Interests” of data controller or processor, provided the transfer is “not frequent, massive or structural”, and the DPA must be informed

Data Protection Officer (1)
- Must be appointed by Controller or Processor if:
  - Public body, OR
  - 250+ employees, OR
  - Core activities involve “regular and systematic monitoring of data subjects”
- Joint appointment possible
- Publicly named

Data Protection Officer (2)
- “expert knowledge of data protection law”
- “ability to fulfil the (designated) tasks”
- Any other professional duties must be “compatible” and “not result in a conflict of interests”

Data Protection Officer (3)
- Must perform tasks independently
  - Minimum 2-year appointment
- Protection against dismissal
  - Necessary resources
  - “involved in all issues which relate to the protection of personal data”
- Direct report to Management

Data Protection Officer (4)
- Advise on data protection policy and monitor practice
  - Assignment of internal responsibilities; Training; Privacy Impact Assessments; Privacy by Design; Information to data subjects; Data Security; Documentation
- Main contact with supervisory authority
- Main contact with public

Data Protection Authorities (DPAs) (1)
- Independence
  - Appointment, financial resources, staff
- Strengthened Powers
  - Conduct investigations on own initiative
  - Investigate complaints “to the extent appropriate”
  - Must be consulted on relevant legislation
- “One-stop-Shop” for data controllers
  - Location of “main establishment”

DPAs (2)
- European Cooperation
  - “Consistency Mechanism”: Joint Enforcement, Binding Consultation etc.
  - Strengthened European Data Protection Board
  - Commission regulatory powers
- Sanctions

- DPA obligation to impose Administrative Sanctions where data protection law is breached “intentionally or negligently”
  - Up to €1M or 2% of annual worldwide turnover, depending on the breach
- Separate penalties for infringements
- Individual right to a Judicial Remedy
  - Including compensation for damage suffered

Law Enforcement Directive
- Applies to “any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”
- General data protection principles apply, including Access (with restrictions), Data Minimisation, “Privacy by Design”, Security
- Data Protection Officer (DPO)
- Maintain Records
- Need to distinguish different categories of data subjects (suspects, convicted, victims etc.)

Presentation Outline
- Present Law
- Commission Proposals
- Some Issues
- ePrivacy Regulations: Update

Presentation Outline
- Present EU Law
- Commission Proposals
- Some Issues

Some Issues (1)
- Burden on Data Controllers
  - Fewer Notifications, BUT increased responsibility/accountability and Sanctions
  - Restrictions on use of Consent
- Jurisdiction
  - One-Stop-Shop for Multinationals: politically acceptable?
- Direct Marketing
  - ePrivacy Directive?

Some Issues (2)
- International Transfers
  - BCRs
  - Should data controllers be given more discretion on the basis of Accountability?
- Supervision
  - Will the “consistency mechanism” work?
  - Financing of DPAs

Some Issues (3)
- Data Protection Officer (DPO)
  - New in Irish Law
  - Location in Organisation?
  - Relationship to Board?
  - Qualifications?

Some Issues (4)
- Ireland’s Position
  - Department of Justice & Equality is the lead department
- Public Consultation (closed 31 March)
  - Interests of Domestic and Multinational Companies
  - Impact on DPC Resources

Presentation Outline
- Present Law
- Commission Proposals
- Some Issues
- ePrivacy Regulations: Update

Regulation 13 – Direct Marketing
- Requirements for consent clarified:
  - Confirmed that consent is needed for voice calls to all mobile phones (“opt-out” assumed unless NDD “opt-in”)
  - Explicit requirement to identify caller/sender
  - No “silent calls” (automated calling machines)
  - No “tagged on” marketing in non-marketing SMS
  - “natural person” excludes an SMS sent to a business phone or address where the content relates solely to the individual’s business
  - Confirmed existing customer = within 12 months
- Selective prosecutions being pursued

Regulation 5(3) – “Cookies”
- Necessary “session” cookies normally OK
  - Full information as to such use should still be available to the website user
- Other cookies (“third party” or “tracking” cookies) require consent
- Current browser settings unlikely to meet the “consent” requirement
- “Wait and See” approach to date, to see if industry (browser providers, ad networks etc.) can come up with workable solutions
  - Current initiatives (IAB etc.) helpful but insufficient
  - Individual organisations expected to be working on solutions

Thank You
Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co Laois
Phone: LoCall Fax: Website: