Data Protection – Future EU Law and the Compliance Function Billy Hawkes Data Protection Commissioner ACOI Dublin, 17 April 2012
Presentation Outline Present Law Commission Proposals Some Issues ePrivacy Regulations: Update
EU Data Protection Legislation Data Protection Directive 95/46/EC Internal Market legal basis Electronic Privacy Directive 2002/58/EC (as amended) EUROPOL, EURODAC, EUROJUST, SCHENGEN etc Decisions/Regulations Police & Justice Decision 2008/977/JHA Intra-EU only
EU & Irish Legislation Data Protection Directive 95/46/EC Being updated Electronic Privacy Directive 2002/58/EC (as amended) EUROPOL etc Police & Justice Decision 2008/977/JHA Data Protection Acts 1988 & 2003 EC Electronic Privacy Regulations 2011 (SI 336/2011) Corresponding Acts (To be transposed)
Presentation Outline Present Law Commission Proposals Some Issues ePrivacy Regulations: Update
Lisbon Treaty Article 16 Treaty on the Functioning of the Union 1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. …..
EU Charter of Fundamental Rights: Article 8 Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
EU DP Law Changes: Timetable 2009/2010 Public and Sectoral Consultation “Communication” from EU Commission November 2010 Draft Laws published 25 January 2012 Negotiation in Council and Parliament – 2012/13? Implementation – by ?
Future EU Law: Structure Directly-applicable Regulation Separate Directive for Law Enforcement Area Separate Decision for Foreign Affairs (CFSP) Area Not yet presented
Philosophy The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.
General Principles (1) Protecting Fundamental Right to Data Protection and Free Movement of Personal Data Particular focus on children Applies to Organisations processing personal data either established in the EU or offering goods and services to, or monitoring the behaviour of, EU residents Does not apply to natural person without any gainful interest in the course of its own exclusively personal or household activity
General Principles (2) Data Minimisation “limited to the minimum necessary” Transparency More prescriptive information requirements Strengthened Right of Access More Information No Charge (except “manifestly excessive”) Normally within one month
General Principles (3) Accountability of Data Controller (Joint Controller) “ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation” Documentation Data Protection Officer
General Principles (4) Privacy by Design Privacy Impact Assessment “Seal” systems Data Portability “Right to be Forgotten” Requirement for retention policy On request, delete unless clash with other rights (freedom of expression etc) Strengthened Data Security Data Breach Notification
Lawfulness of Processing Stricter definition of “consent” Burden of proof on data controller Can’t be “buried” in another document Not valid where “significant imbalance” Parental consent for child under 13 “Legal Obligation”, “Public Interest” and “Exercise of Official Authority” must be laid down in law which meets proportionality test “Legitimate Interests” of data controller does not apply to a public organisation
Direct Marketing Strengthened Right to Refuse “right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information” Relationship to ePrivacy Directive
International Transfers: Principle (1) Where the Commission has taken no decision on the adequate level of data protection a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred
International Transfers (2) “Adequacy” Decisions by Commission Standard Clauses Adopted by Commission or Prescribed by DPA and “declared generally valid” by Commission Approved by DPA (subject to Consistency Mechanism) Binding Corporate Rules
International Transfers (3) Informed Consent, Contractual Requirement etc “Legitimate Interests” of data controller or processor and “not frequent, massive or structural” and must inform DPA
Data Protection Officer (1) Must be appointed by Controller or Processor if: Public body OR 250+ employees OR Core activities involve “regular and systematic monitoring of data subjects” Joint appointment possible Publicly named
Data Protection Officer (2) “expert knowledge of data protection law” “ability to fulfil the (designated)tasks” Any other professional duties “compatible” and “do not result in a conflict of interests”
Data Protection Officer (3) Must perform tasks independently Minimum 2-year appointment Protection against dismissal Necessary Resources “involved in all issues which relate to the protection of personal data” Direct report to Management
Data Protection Officer (4) Advise on data protection policy and monitor practice Assignment of internal responsibilities; Training; Privacy Impact Assessments; Privacy by Design; Information to data subjects; Data Security; Documentation Main contact with supervisory authority Main contact with public
Data Protection Authorities (DPAs) (1) Independence Appointment, financial resources, staff Strengthened Powers Conduct investigations on own initiative Investigate complaints “to the extent appropriate” Must be consulted on relevant legislation “One-stop-Shop” for data controllers Location of “main establishment”
DPAs (2) European Cooperation “Consistency Mechanism” Joint Enforcement, Binding Consultation etc Strengthened European Data Protection Board Commission regulatory powers Sanctions
DPA Obligation to impose Administrative Sanctions where data protection law breached “intentionally or negligently” up to €1M or 2% of annual worldwide turnover, depending on breach Separate Penalties for infringements Individual right to a Judicial Remedy Including compensation for damage suffered
Law Enforcement Directive Applies to “any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties” General data protection principles apply, including Access (with restrictions), Data Minimisation, “Privacy by Design”, Security Data Protection Officer (DPO) Maintain Records Need to distinguish different categories of data subjects (suspects, convicted, victims etc)
Presentation Outline Present Law Commission Proposals Some Issues ePrivacy Regulations: Update
Presentation Outline Present EU Law Commission Proposals Some Issues
Some Issues (1) Burden on Data Controllers Fewer Notifications BUT increased responsibility/accountability and Sanctions Restrictions on use of Consent Jurisdiction One-Stop-Shop for Multinationals Politically acceptable? Direct Marketing ePrivacy Directive?
Some Issues (2) International Transfers BCRs Should data controllers be given more discretion on the basis of Accountability? Supervision Will “consistency mechanism” work? Financing of DPAs
Some Issues (3) Data Protection Officer (DPO) New in Irish Law Location in Organisation? Relationship to Board? Qualifications?
Some Issues (4) Ireland’s Position Department of Justice & Equality lead department Public Consultation (closed 31 March) Interests of Domestic and Multinational Companies Impact on DPC Resources
Presentation Outline Present Law Commission Proposals Some Issues ePrivacy Regulations: Update
Regulation 13 – Direct Marketing Requirements for consent clarified : Confirmed that consent needed for voice calls to all mobile phones (“opt-out” assumed unless NDD “opt-in”) Explicit requirement to identify caller/sender No “silent calls” (automated calling machines) No “tagged on” marketing to non-marketing SMS natural person” excludes and SMS sent to a business phone or address where content relates solely to the individual’s business Confirmed existing customer = within 12 months Selective prosecutions being pursued
Regulation 5(3) – “Cookies” Necessary “Session” Cookies normally OK. Full information as to such use should still be available to the website user. Other “Cookies” - “third party” or “tracking” cookies – require consent Current browser settings unlikely to meet “consent” requirement “Wait and See” approach to date to see if Industry (browser providers, ad networks etc) can come up with workable solutions Current initiatives (IAB etc) helpful but insufficient Individual Organisations expected to be working on solutions
Thank You Office of the Data Protection Commissioner Canal House Station Road Portarlington Co Laois Phone: LoCall Fax: Website: