Right to be Forgotten &EU GDPR
Data Security Day London
EU GDPR: IMPORTANT MOMENTS & DECISIONS
[Timeline figure: 2010, May '14, Jun '15, Dec '15]
Europe's top court supports the 'right to be forgotten' in the Google privacy case.
The EU Court ruled on a number of areas related to data protection. These include the territoriality of EU rules, the applicability of EU data protection rules to a search engine and the "right to be forgotten."
The European Commission, the European Parliament and the European Council all met to negotiate the requirements of the proposed EU General Data Protection Regulation.
Final version of GDPR expected.
EU COURT RULES ON THREE KEY AREAS
The Territoriality of EU Rules
The Applicability of EU Data Protection Rules to a Search Engine
The "Right to be Forgotten"
THE TERRITORIALITY OF EU RULES
Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State which promotes the selling of advertising space offered by the search engine.
THE APPLICABILITY OF EU DATA PROTECTION RULES TO A SEARCH ENGINE
Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten.
THE RIGHT TO BE FORGOTTEN
Individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing. At the same time, the Court explicitly clarified that the "right to be forgotten" is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media. A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual's private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant.
EU GDPR: KEY REQUIREMENTS
The GDPR's jurisdiction will reach outside the EU, with extraterritorial jurisdiction tied to the offering of goods or services to, or the monitoring of, data subjects in the EU. Non-EU controllers that satisfy this jurisdictional nexus will need to appoint an EU representative "unless the processing is occasional and unlikely to result in a risk for the rights and freedoms of individuals."
The draft mandates breach notification to Supervisory Authorities and affected individuals; specifically, Supervisory Authorities and affected individuals must be notified of breaches that are likely to result in a high risk for the rights and freedoms of individuals, with notice to Supervisory Authorities due within 72 hours and notices to affected individuals due "without undue delay."
The information that must be provided to data subjects regarding the processing of their personal data remains extensive, including specifying the legitimate interests pursued by the controller or the statutory or contractual requirements that are being relied on to justify processing (if this is the case); data subjects must also receive an explanation of the various rights they have in relation to the data (but none of the Parliament's icons that signpost data use has been included).
The maximum administrative fines proposed on a tiered system are up to 2-5% of annual worldwide turnover, or €100m, depending on which amount is higher.
EU GDPR: IMPORTANT TERMS & DEFINITIONS
DATA BREACH
An incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.*
* Tech Target
DATA PROCESSING
Operations performed on a given set of data to extract the required information in an appropriate form.*
* Business Dictionary
BIG DATA
An all-encompassing term for any collection of data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications.*
* Wikipedia
DATA PROTECTION IMPACT ASSESSMENT
A tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.*
* ICO