The New and Expanded Privacy Rights: How Businesses Are Operationalizing Compliance
September 27, 2016
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2
Speakers
Peter Swire, Senior Counsel, Atlanta, Alston & Bird
Jan Dhont, Partner, Brussels, Alston & Bird
David Keating, Partner, Atlanta, Alston & Bird
Cultural Underpinning of Expanded Rights
Right to data protection is constitutionalized
Doctrine of “informational self-determination” (1983, German Federal Constitutional Court)
Data protection is protected by the EU Charter (Art. 8 EU Charter)
Purpose limitation, fair processing, access and rectification are specifically recognized in the EU Charter
Right to data protection is inalienable
GDPR Increases Individuals’ Control
“Natural persons should have control of their own personal data” (Recital 7 GDPR)
Increase protections in the face of (1) technological changes and (2) Member States’ inconsistent applications of the Directive (Recitals 6 and 11 GDPR)
Rights Management and Accountability
GDPR requires tracking of:
Actions taken further to individuals’ requests concerning administration of their rights, and reasons for refusing rights
Consent and capability to demonstrate validity of consent
Refusal of access for reasons of inability to identify an individual
Refusal to stop processing further to objection
Controller has burden of proof (Art. 12(5) GDPR)
Ensure that rights are reflected in policies and procedures
PIA process should consider rights management
Required capability to (i) accommodate rights from an IT/systems perspective and (ii) track and record adequate administration of rights
Role of Controller/Processor
Controller is primarily responsible for implementing rights
Data processing agreement should set forth a cooperation duty for the processor with respect to rights administration/management (Art. 28(3)(e) GDPR)
Adequate data processing language
Cooperation protocols to ensure effective operationalization of rights
Market opportunities for thoughtful processors
Joint controllers should be thoughtful about rights management (Art. 26 GDPR)
Privacy Rights and the EU Project
Since the Lisbon Treaty entered into force in 2009, the EU Charter of Fundamental Rights has been legally binding and is enforced by the European Court of Justice (ECJ)
Scholars and court watchers have seen court decisions on fundamental rights as part of the “EU Project” – how to bring consistency across a growing number of Member States
Not just “privacy rights” -- this is an expansion of the role of Europe-wide institutions
Even more important to have ways to strengthen Europe in the face of Brexit and other threats to the EU
Burden of Proof and Derogations
In US law, a rule and its exceptions are legally (mostly) the same
Can have “broad” and “narrow” exceptions
Can have “the exception swallow the rule”
In EU law, the rule is considered paramount
Derogations (exceptions) permitted only when “necessary”
Similar to US insurance law, where contract is interpreted against the insurance company that drafted it
A related doctrine: burden of proof
First, the data subject has the right and the exception is narrow
Second, the burden of proof for the exception is on the controller
In any particular case, therefore, the first part of the analysis heavily favors the individual asserting the right
Necessity and Proportionality
The scope of exceptions, in EU law, governed by the principles of “necessity” and “proportionality”
As applied to privacy:
“Necessity” means no good way to avoid violating the right: does the controller need the data?
“Proportionality” means that there are important limits on the quantity and types of data processing even where necessity exists
Example: Digital Rights Ireland case, where the ECJ struck down the Data Retention Directive, which required retention of telecommunications records
Even if “necessary,” the length of time the records were held was found to be too long and so not proportionate
Prominent ECJ Examples
The ECJ asserts its role to protect EU fundamental rights:
Digital Rights Ireland: data retention; invalidated the Data Retention Directive adopted by the EU legislature
Google Spain: in the Right to be Forgotten case, the ECJ announced a new right not in the text of the Directive
Schrems v. Data Protection Commissioner: invalidated the Commission’s Safe Harbor decision that US practices were “adequate”
Highly relevant to our discussion of individual rights under the GDPR
Jurisprudential principles re-affirm individual rights: read derogations narrowly; burden of proof on the controller; necessity principle for an exception; proportionality principle for an exception
Apparent willingness of the EU courts to re-shape major industries and national crime initiatives
Compliance – don’t count too much on the exceptions to rights
Enforcement Risk Increases
Enforcement risk increases with GDPR
Potential Class Action in the EU
Max Schrems is attempting to bring an EU-wide consumer class action against Facebook Ireland in the Austrian courts, claiming €500 per consumer
Unusual procedural posture: Austria has no equivalent of U.S. Federal Rule of Civil Procedure 23 – claimants must assign their claims to Schrems – Schrems appears as the sole plaintiff in the proceedings – Schrems is actively soliciting consumer claims online
Austrian Supreme Court has referred questions to European Court of Justice:
Is Schrems a “consumer” for purposes of EU jurisdiction regulations?
If yes, can he assert claims belonging to consumers from other EU states in Austrian courts?
GDPR’s Expansion of the Right to Erasure
The GDPR incorporates Google Spain v. AEPD into a new provision governing the right to erasure.
“the right to obtain from the controller the erasure of personal data concerning him or her without undue delay” if:
“the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”;
“the data subject withdraws consent on which the processing is based . . . ”;
“the data subject objects to the processing” by invoking the “Right to object” provision;
“the personal data have been unlawfully processed”;
“the personal data have to be erased for compliance with a legal obligation in Union or Member State law”; or
“the personal data have been collected in relation to the offer of information society services” to a child.
Art. 17, § 1.
Erasure Under the GDPR
Limits on the Right to Erasure
- Right does not apply to the extent processing is necessary
“for exercising the right of freedom of expression and information”;
“for compliance with a legal obligation . . . [or] for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;
“for reasons of public interest in the area of public health . . .”;
“for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”; or
“for the establishment, exercise or defence of legal claims.”
Art. 17, § 3.
Erasure: Tips For Complying
Develop a process for deciding how to respond to a request to erase. For example, post an online form for erasure requests. Note Microsoft’s form* on its search engine Bing for “right to be forgotten” requests.
Develop a process for technically enabling compliance with a request to erase.
It is not easy to “erase” a computer file completely: copies may survive in backups, replicas, caches, search indexes and logs.
One main goal is to stop displaying or disseminating data once you have agreed to erase it, and to track where copies reside so they can be purged on their own retention cycles.
Develop a system for submitting the notices required following a request to erase.
*https://www.bing.com/webmaster/tools/eu-privacy-request
Right to Data Portability
“The data subject shall have the right to receive the personal data concerning him or her . . . in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance” where the processing is “based on consent . . . or on a contract” or “carried out by automated means.”
Art. 20, § 1.
May sound like common sense:
If the data subject has the right of access, then the data subject should be able to receive the personal data in a commonly used and machine-readable format, e.g., all of your records from a social network.
If your data is on one platform, users understandably do not want to be locked in if a new service comes along, so they should have a way to move the data to a different platform, e.g., contacts on your phone.
Data Portability Concerns
A new right, with no real precedents in EU, U.S., or elsewhere – uncertainty on interpretation
Swire & Lagos: “Why The Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique,” 72 Maryland Law Review 335 (2013), http://ssrn.com/abstract=2159157
Final GDPR provision very similar to the 2012 proposal analyzed there
Some concerns:
Scope not limited to social networks, also cloud computing, web services, smartphone apps, other data processing.
“Lock-in” concern sounds like monopoly power, but right to portability applies to companies of all sizes, even start-ups.
Little attention to the cybersecurity problems – instant, easy exfiltration of data is a security risk. We suggest the right to security means the right to portability should be read more narrowly.
Mysterious what it means to enable transfer of user data “without hindrance” to another service – what software must the controller write, and what interface must it expose?
Data Portability Compliance
Somewhat early to give detailed compliance advice, due to uncertainty of a new legal regime
One comfort – the right to portability applies only to “commonly used and machine-readable formats”
Where the format is non-standard, you are less likely to be required to provide portability
Consider building capability for individuals to download the personal information themselves
Consider capability to prevent disclosure of sensitive business information/IP rights
Consider secure communication channels for data portability requests
IT Engagement
New rights require specific capabilities from an IT perspective to ensure effective implementation
Involvement of IT from the very beginning is essential:
To identify information systems/processes that will be impacted
To understand and address system limitations and build solutions (e.g., turn off analytics, restrict processing, ensure secured communication in context of access/portability right, etc.)
To automate rights management where possible
To ensure effective auditing and tracking of rights management (accountability)
To obtain appropriate feedback to upgrade policies adequately and provide for effective procedures
Consent and Right to Object
Codification of Article 29 Working Party Opinion (WP187) on Consent
Consent to become a more prominent basis for processing (?)
Consent
- Controller has burden of proof that the individual consented
- Genuine free choice
- Clear affirmative act
- Consent language must be presented in a manner which is clearly distinguishable from other matters
- Possibility to withdraw at any time “without detriment”
- Provision of a service must not be made conditional on consenting to collection of data that is not required for the service (Art. 4(11) jo. Art. 7 GDPR)
Right to Object
A. Any processing based on legitimate interests
- Individuals no longer need “compelling” grounds to object
- Obligation to document “compelling” legitimate interests that override privacy concerns
B. Direct marketing
- Must stop processing as soon as the consumer objects
- A successful objection requires you to delete the user’s data (Art. 21 GDPR; see also Art. 17(1)(c) GDPR)
Consent and Right to Object
Situations where the GDPR recognizes companies’ overriding interests and where processing may continue:
The establishment, exercise or defense of legal claims
The individual is a client or in the service of the controller
Fraud prevention
Transfer of employee data within a group of companies for internal administrative purposes
Network and information security
Overriding interests cannot be invoked against a direct marketing objection
Required to assess in each specific case and document the decision!
Consent and Right to Object
Mapping/Scoping
- What processing is subject to consent/objection
- Where systems data is located
Policies, Procedures, and Records
- Ensure policies reflect interests that will override user objections
- Draft procedures for receiving, evaluating, and responding to user objections
- Build back-end fulfillment procedures
- Institute recordkeeping to record objections as well as grant/denial
- Draft template denial-of-objection letter for customers
Technology Builds
- Ensure systems accommodate opt-in/opt-out requirements
- Ensure capability to shut off processing (e.g., analytics) without affecting other systems
Profiling and Automated Decision-Making
Profiling
- Processing to “evaluate personal aspects” and predictive analytics
- Individuals have a right to object. The right is absolute in the case of marketing-related profiling.
Practical Impact
- Analytics for legal compliance arguably do not require consent or opt-out.
- Analytics for marketing are permissible, but must offer the right to object by default.
- Analytics that have legal or other significant effects require consent or another legal basis (data-intensive analytics, refusal of an online credit application, e-recruiting).
- Regime has potential operational impact. Consent and opt-out strategy must be supported by system infrastructure.
Automated Decision-Making
- Profiling/analytics paired with an automated decision creating legal or other significant effects
- Not permitted unless: consent; authorized by EU/Member State law; or necessary for entering into or performance of a contract (Art. 22 GDPR)
Right to Restrict Processing
Requirement
- Stop regular processing operations, but allowed to keep the data
- Individuals must request application of the right
- Must be granted in case of:
  - Contestation of data accuracy
  - Unlawful processing, where the individual prefers restriction instead of deletion
  - Data required by the individual to prepare for, or in the case of, litigation
  - The exercise of the right to object, pending verification of overriding grounds (Art. 18 GDPR)
- Must notify data recipients about the restriction (Art. 19 GDPR)
Practical Impact
- Temporarily move data to another system (or “isolate” it), make data unavailable to users, or temporarily remove published data from a website (Recital 67 GDPR)
- Ensure the information is not subject to further processing
- Track disclosures of data to third parties (controllers and processors)
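The three capabilities that recur across the restriction, erasure and accountability slides (a per-subject processing status that downstream systems must honour, a record of every recipient so that Art. 19 notices can be sent, and an audit trail of requests granted or refused with reasons) can be built as one small ledger. The following is an added example written for this page, not code from Alston & Bird or any product the deck mentions; the names RightsLedger, Status, ProcessingBlocked, handle_request and the sample subject data are assumptions for illustration. It goes slightly beyond the restriction slide by also covering the identity-verification refusal (Art. 12) and a JSON export in the spirit of Art. 20.

```python
"""Added example: a minimal rights-management ledger (not Alston & Bird's code).

Gates processing on a per-subject status, records disclosures so recipients
can be notified after restriction/erasure, and keeps an audit trail of every
request with the reason for any refusal. Names and sample data are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
import json


class Status(Enum):
    ACTIVE = "active"          # normal processing
    RESTRICTED = "restricted"  # Art. 18: may be stored, not otherwise processed
    ERASED = "erased"          # Art. 17: no longer displayed or disseminated


class ProcessingBlocked(Exception):
    """Raised when a pipeline tries to use data of a restricted/erased subject."""


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict
    status: Status = Status.ACTIVE
    recipients: set = field(default_factory=set)  # who received the data (Art. 19)


class RightsLedger:
    def __init__(self):
        self._records = {}
        self.audit = []  # accountability: every disclosure, grant, block and refusal

    def _log(self, subject_id, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "subject": subject_id, "event": event, **details})

    def register(self, subject_id, data):
        self._records[subject_id] = SubjectRecord(subject_id, dict(data))

    def disclose(self, subject_id, recipient, purpose):
        """Gate for any downstream use; remembers the recipient for later notices."""
        rec = self._records[subject_id]
        if rec.status is not Status.ACTIVE:
            self._log(subject_id, "processing_blocked", recipient=recipient,
                      purpose=purpose, status=rec.status.value)
            raise ProcessingBlocked(f"{subject_id} is {rec.status.value}")
        rec.recipients.add(recipient)
        self._log(subject_id, "disclosure", recipient=recipient, purpose=purpose)
        return dict(rec.data)

    def handle_request(self, subject_id, right, identity_verified, justification=None):
        """Apply a rights request; return the decision and the recipients to notify."""
        if not identity_verified:  # Art. 12(2)/(6): may decline to act, but record why
            self._log(subject_id, "refused", right=right, reason="identity not established")
            return {"granted": False, "reason": "identity not established", "notify": []}
        if subject_id not in self._records:
            self._log(subject_id, "refused", right=right, reason="no data held")
            return {"granted": False, "reason": "no data held", "notify": []}
        rec = self._records[subject_id]
        if right == "restrict":
            rec.status = Status.RESTRICTED
        elif right == "lift_restriction":  # Art. 18(3): subject is informed first
            rec.status = Status.ACTIVE
        elif right == "erase":
            rec.status = Status.ERASED
            rec.data = {}  # stops display/dissemination; backups need their own purge
        else:
            raise ValueError(f"unknown right: {right}")
        notify = sorted(rec.recipients) if right in ("restrict", "erase") else []
        self._log(subject_id, "granted", right=right,
                  justification=justification, notify=notify)
        return {"granted": True, "reason": None, "notify": notify}

    def export(self, subject_id):
        """Structured, commonly used, machine-readable export (JSON), Art. 20 style."""
        rec = self._records[subject_id]
        return json.dumps({"subject_id": subject_id, "status": rec.status.value,
                           "data": rec.data}, sort_keys=True)


def demo():
    """Walk through disclosure, restriction, a blocked pipeline, a refusal and erasure."""
    ledger = RightsLedger()
    ledger.register("s-1", {"email": "alice@example.test", "plan": "pro"})  # constructed
    ledger.disclose("s-1", "crm-vendor", "service delivery")
    ledger.disclose("s-1", "analytics-vendor", "marketing analytics")
    restrict = ledger.handle_request("s-1", "restrict", True, "accuracy contested")
    try:
        ledger.disclose("s-1", "analytics-vendor", "marketing analytics")
        blocked = False
    except ProcessingBlocked:
        blocked = True
    refused = ledger.handle_request("s-1", "erase", identity_verified=False)
    erase = ledger.handle_request("s-1", "erase", True, "consent withdrawn")
    return {"restrict": restrict, "blocked": blocked, "refused": refused,
            "erase": erase, "export": ledger.export("s-1"),
            "audit_events": [e["event"] for e in ledger.audit]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that every consumer of personal data goes through `disclose` (or an equivalent gate) rather than reading the store directly, so a restriction takes effect everywhere at once and the blocked attempt itself is logged; the recipient set is what makes the Art. 19 notice list computable instead of reconstructed by hand.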
Modalities for All Rights
Duty to “facilitate” exercise of rights (Art. 12 (2) GDPR)
Duty to inform individuals on action taken (Art. 12 (3) GDPR)
Duty to inform individuals if rights are not granted and of possibility to file a complaint with the Supervisory Authority (Art. 12 (4) GDPR)
Individual rights must be provided free of charge (Art. 12(5) GDPR), unless requests are “manifestly unfounded or excessive” (e.g., repetitive), in which case:
A reasonable fee can be charged which reflects the actual administrative cost of the request
The request can be refused
Not required to act if the individual cannot be identified. If there are reasonable doubts, the controller may request additional information to confirm identity (Art. 12(2) jo. Art. 12(6) GDPR).
Conclusions
Put rights management high on the priority list
Identify and involve stakeholders, certainly IT, but also marketing, HR, legal, etc. to understand impact on business
Anticipate required investment at system level (building capability to support rights from IT perspective)
Anticipate required capability to adequately administer and record decisions
Anticipate increased consumer and regulator activism
New York Webcast Participation
If you are requesting CLE credit in New York, please enter the following code on the Attorney Affirmation sheet. Refer to your webcast confirmation for a link to the sheet
[*]
About Alston & Bird’s Privacy and Data Security Practice:
Follow us: @AlstonPrivacy
www.AlstonPrivacy.com
Cybersecurity Preparedness & Response Team
Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in
both preventing and responding to security incidents and data breaches, including all
varieties of network intrusion and data loss events.
www.alstonsecurity.com
Privacy & Data Security Team
Our team helps clients at every step of the information life cycle, from developing and
implementing corporate policies and procedures to representation on transactional
matters, public policy and legislative issues, and litigation.
www.alston.com/privacy
Questions