
Slide 1: The EU Data Protection Directive revised: New challenges and perspectives
Maria Giannakaki, Attorney at Law – D.E.A.
4th International Conference on Information Law, 20-21 May 2011, Thessaloniki

Slide 2: Outline
- Challenges
  - Cloud computing
  - Web 2.0
- Perspectives for amendment
  - Applicable law
  - Cross-border issues
  - Right to be forgotten
  - Quasi-legal measures

Slide 3: Cloud computing
- Cloud computing allows users to access and store information, and to use software functionality, on remote servers hosted in data centres worldwide
- Delivery models
  - IaaS (Windows Live SkyDrive, Rackspace Cloud)
  - PaaS (Google App Engine)
  - SaaS (Zoho.com, Google Docs)

Slide 4: Which law applies in the cloud?
- "Place of establishment" and "use of means" are no longer suitable determinative factors for the applicable law
  - Data centres are located in several jurisdictions
  - Data is transferred, processed and duplicated in a variety of locations, with no predictable geography
- The cloud requires a different approach, based on
  - the place where the processing takes place, or
  - the individuals targeted by the service

Slide 5: Who is responsible for data protection compliance?
- Data controller vs. data processor
  - Data controller: the party who determines the purposes and means of the processing
  - Data processor: the party who processes data on the controller's behalf
- Issues when these concepts are applied in a cloud computing context
  - Multiple service offerings, targeting different kinds of clients
  - Difficult to determine who acts as data controller
  - Customers may end up being solely responsible for data protection compliance
  - Sub-contracting concerns (chains of sub-processors)

Slide 6: Which legal basis for cross-border data transfers?
- Transfers to countries without an adequate level of protection
  - US Safe Harbor
  - Model contracts (standard contractual clauses)
  - Binding Corporate Rules
  - Onward transfers

Slide 7: Web 2.0 – Characteristics
- Social computing / the Web as a platform
- Web 2.0 characteristics
  - Ubiquitous character of information
  - Different types of information are aggregated and made available in a single view
  - Information is used in a different context from the one in which it was originally published
  - No oblivion on the Internet: the "Hotel California effect"

Slide 8: Web 2.0 – Data privacy challenges
- Ignorance of the danger of exposure
  - Privacy is no longer a social norm
  - Illusion of intimacy on the Web
  - Users publish much more information than they realise
- Information which would otherwise be forgotten or forgiven can easily be retrieved
- Data subjects are losing control over their data

Slide 9: Perspectives for amendment
- European Commission Communication "A comprehensive approach on personal data protection in the European Union"
- Council Conclusions on the Communication
- WP29, "The Future of Privacy"
- European Commission DG JLS study "New Challenges to Data Protection"
- Summary of replies to the public consultation

Slide 10: Applicable law
- Current provisions
  - "Context of the activities" principle (controller established in a Member State)
  - "Use of equipment" situated in a Member State, unless such equipment is used only for purposes of transit
- Suggestions for improving the Directive
  - Shift back to the "country of origin" principle
  - Concept of "targeted individuals" or a "service-oriented approach", cf.
    - Children's Online Privacy Protection Act (COPPA, US)
    - Rome I Regulation

Slide 11: Cross-border issues
- Harmonisation within the EEA countries
  - Amendment of the Directive, or a Regulation
  - Best practices and suggested interpretations by the WP29
- Simplification of international data transfers
  - Improvement of the current procedures for international data transfers
  - International standards on the protection of privacy

Slide 12: Right to be forgotten
- Right to be forgotten
  - The right of individuals to have their data no longer processed, and deleted, when the data are no longer needed for legitimate purposes
  - The right of individuals not to be held accountable for their conduct after a certain amount of time and beyond a given framework of relationships
- The right is innovative, but it is not new
  - It is implicitly established in the Directive through the retention limitation principle and the existing duty to keep data no longer than necessary
  - It also forms part of the right to informational self-determination (right to oblivion – droit à l'oubli)

Slide 13: Right to be forgotten
- Questions about its content and its achievability in practice
  - What kinds of information/records?
  - Who will be entitled to such a right?
  - How can it be exercised when the information appears on different platforms across the Internet (search engines, Internet archives, mash-ups, social network aggregators)?

Slide 14: Right to be forgotten
- Criticism
  - Conflicting rights (freedom of speech, freedom of the press, the freedom of society to record its history)
  - Fears that it can be used as a tool for censorship or the suppression of civil liberties, or be exercised by data subjects in circumstances where negative information about them is processed for lawful purposes
  - Different approaches (US)
- "Google case" – Spanish Data Protection Authority

Slide 15: Recommendations
- Raise data subjects' awareness of the implications of sharing their personal data
- Increase users' control over their profile data: "the easiest personal data to forget are those which have never been collected"
- Reinforce data subjects' rights to access, rectify or delete data
- Impose privacy-friendly default settings on social network service (SNS) providers
- Regulate third parties' access to data subjects' data

Slide 16: Quasi-legal measures
- Principle of accountability
  - Data controllers are required to
    - put in place proactive measures ensuring compliance, and
    - retain adequate evidence to prove compliance and the effectiveness of the measures adopted
  - WP29 Opinion 3/2010 on the principle of accountability

Slide 17: Quasi-legal measures
- Personal data breach notification
  - e-Privacy Directive: notification requirements for providers of publicly available electronic communications services
  - Amended Directive 95/46/EC: extension of the breach notification requirements beyond this single sector
  - WP29 Opinion 13/2011
    - Data breach notification procedures
    - Standard EU data breach notification form
    - Modalities for informing the individuals concerned
    - Technological protection measures (e.g. rendering the data unintelligible) as grounds for exemption from notifying individuals
    - Guidance on the information to be retained by providers

Slide 18: Quasi-legal measures
- Assessment of the effectiveness of technical and organisational measures
  - Privacy Impact Assessments (PIAs)
    - WP29 Opinion 9/2011 on the PIA framework for RFID applications
  - EU certification schemes
    - European Privacy Seal, European codes of conduct, BCRs
- Empowerment of data subjects' control over their data
  - "Privacy by Design" principle
  - Privacy-friendly default settings
  - Privacy Enhancing Technologies (PETs)
    - Cookie cutters, opt-out mechanisms

Slide 19: Conclusions
- The Commission is expected to unveil legislative proposals to update the EU data protection framework this summer.
- However, it will be several years before the revised Directive is agreed and implemented in the EU Member States.
- Until then:
  - Data controllers are encouraged to implement quasi-legal measures
  - Data subjects' awareness of the impact of publishing their personal data on the Internet should be raised

Slide 20: The EU Data Protection Directive revised: New challenges and perspectives
Thank you for your attention
Maria Giannakaki, Attorney at Law – D.E.A.
