The New and Expanded Privacy Rights: How Businesses Are Operationalizing Compliance September 27, 2016

Roadmap to the GDPR - Data Privacy Rights


Follow us: @AlstonPrivacy www.AlstonPrivacy.com

Speakers

Peter Swire, Senior Counsel, Atlanta, Alston & Bird

Jan Dhont, Partner, Brussels, Alston & Bird

David Keating, Partner, Atlanta, Alston & Bird

Cultural Underpinning Expanded Rights

Right to data protection is constitutionalized

Doctrine of “Informational self-determination” (1983, German Federal Constitutional Court)

Data protection is protected by EU Charter

Purpose limitation, fair processing, access and rectification are specifically recognized in the EU Charter

Right to data protection is inalienable

GDPR Increases Individuals’ Control

“Natural persons should have control over their own data” (Recital 7 GDPR)

Increase protections in face of (1) technological changes and (2) member states’ inconsistent applications of the Directive (Recitals 6 and 11 GDPR)

Rights Management and Accountability

GDPR requires tracking of:

Actions taken further to individuals’ requests concerning administration of their rights/reasons for refusing rights

Consent and capability to demonstrate validity of consent

Refusal of access for reasons of inability to identify an individual

Refusal to stop processing further to objection

Controller has burden of proof (Art. 12 (5) GDPR)

Ensure that rights are reflected in policies and procedures

PIA process should consider rights management

Required capability to (i) accommodate rights from an IT/systems perspective and (ii) track and record adequate administration of rights

Role of Controller/Processor

Controller is primarily required to implement rights

Data processing agreement should set forth a cooperation duty for processor with respect to rights administration/management (Art. 28(3)(e) GDPR)

Adequate data processing language

Cooperation protocols to ensure effective operationalization of rights

Market opportunities for thoughtful processors

Joint controllers should be thoughtful about rights management (Art. 26 GDPR)

Privacy Rights and the EU Project

The European Court of Justice (ECJ) opinions have direct effect since 2009

Scholars and court watchers have seen court decisions on fundamental rights as part of the “EU Project” – how to bring consistency across growing number of Member States

Not just “privacy rights” -- it is an expansion of the role of Europe-wide institutions

Even more important to have ways to strengthen Europe when facing Brexit and other threats to the EU

Burden of Proof and Derogations

In US law, a rule and its exceptions are legally (mostly) the same

Can have “broad” and “narrow” exceptions

Can have “the exception swallow the rule”

In EU law, the rule is considered paramount

Derogations (exceptions) permitted only when “necessary”

Similar to US insurance law, where contract is interpreted against the insurance company that drafted it

A related doctrine: burden of proof

First, the data subject has the right and the exception is narrow

Second, the burden of proof for the exception is on the controller

In any particular case, therefore, the first part of the analysis heavily favors the individual asserting the right

Necessity and Proportionality

The scope of exceptions, in EU law, governed by the principles of “necessity” and “proportionality”

As applied to privacy:

“Necessity” means no good way to avoid violating the right: does the controller need the data?

“Proportionality” means that there are important limits on the quantity and types of data processing even where necessity exists

Example: Digital Rights Ireland case, where ECJ struck down the Data Retention Directive, which required retention of telecom records

Even if “necessary,” the length of time held to be too long and so not proportionate

Prominent ECJ Examples

The ECJ asserts its role to protect EU fundamental rights:

Digital Rights Ireland: data retention; over-ruled the EU Commission

Google Spain: in Right to be Forgotten case, ECJ announced new right not in the text of the Directive

Schrems v. Facebook: overruled the Commission decision that US practices were “adequate”

Highly relevant to our discussion of individual rights under the GDPR

Jurisprudential principles re-affirm individual rights: read derogations narrowly; burden of proof on the controller; necessity principle for an exception; proportionality principle for an exception

Apparent willingness of the EU courts to re-shape major industries and national crime initiatives

Compliance – don’t count too much on the exceptions to rights

Enforcement Risk Increases

Enforcement risk increases with GDPR

Potential Class Action in the EU

Max Schrems is attempting to certify an EU-wide consumer class action against Facebook Ireland in Austrian courts, claiming € 500 per consumer

Unusual procedural posture: no Austrian Rule 23 – claimants must assign claims to Schrems – Schrems appears as sole plaintiff in proceedings – Schrems is actively soliciting consumer claims online

Austrian Supreme Court has referred questions to European Court of Justice:

Is Schrems a “consumer” for purposes of EU jurisdiction regulations?

If yes, can he assert claims belonging to consumers from other EU states in Austrian courts?

GDPR’s Expansion of the Right to Erasure

The GDPR incorporates Google Spain v. AEPD into a new provision governing the right to erasure.

“the right to obtain from the controller the erasure of personal data concerning him or her without undue delay” if:

“the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”;

“the data subject withdraws consent on which the processing is based . . . ”;

“the data subject objects to the processing” by invoking the “Right to object” provision;

“the personal data have been unlawfully processed”;

“the personal data have to be erased for compliance with a legal obligation in Union or Member State law”; or

“the personal data have been collected in relation to the offer of information society services” to a child.

Art. 17, § 1.

Erasure Under the GDPR

Limits on the Right to Erasure

- Right does not apply to the extent processing is necessary

“for exercising the right of freedom of expression and information”;

“for compliance with a legal obligation . . . [or] for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;

“for reasons of public interest in the area of public health . . .”;

“for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”; or

“for the establishment, exercise or defence of legal claims.”

Art. 17, § 3.

Erasure: Tips For Complying

Develop a process for deciding how to respond to a request to erase. For example, post an online form for erasure requests. Note Microsoft’s form* on its search engine Bing for “right to be forgotten” requests.

Develop a process for technically enabling compliance with a request to erase.

It’s not easy to “erase” a computer file completely.

One main goal is to stop displaying or disseminating data once you have agreed to erase it.

Develop a system for submitting the notices required following a request to erase.

*https://www.bing.com/webmaster/tools/eu-privacy-request

Right to Data Portability

“The data subject shall have the right to receive the personal data concerning him or her . . . in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance” where the processing is “based on consent . . . or on a contract” or “carried out by automated means.”

Art. 20, § 1.

May sound like common sense

If the data subject has the right of access, then should be able to receive the personal data in a commonly used and machine-readable format, e.g., all of your records from a social network.

If your data is on one platform, then users understandably don’t want to be locked in if a new service comes along, so they should have a way to move the data to a different platform, e.g., contacts on your phone.

Data Portability Concerns

A new right, with no real precedents in EU, U.S., or elsewhere – uncertainty on interpretation

Swire & Lagos: “Why The Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique,” 72 Maryland Law Review 335 (2013), http://ssrn.com/abstract=2159157

Final GDPR provision very similar to the 2012 proposal analyzed there

Some concerns:

Scope not limited to social networks, also cloud computing, web services, smartphone apps, other data processing.

“Lock-in” concern sounds like monopoly power, but right to portability applies to companies of all sizes, even start-ups.

Little attention to the cybersecurity problems – instant, easy exfiltration of data is a security risk. We suggest the right to security means the right to portability should be read more narrowly.

Mysterious what it means to enable transfer of user data “without hindrance” to another service – what kind of software writing do you have to do?

Data Portability Compliance

Somewhat early to give detailed compliance advice, due to uncertainty of a new legal regime

One comfort – right to portability applies only to “commonly used and machine-readable formats”

Where the format is non-standard, then you are less likely to be required to provide portability

Consider building capability for individuals to download the personal information themselves

Consider capability to prevent disclosure of sensitive business information/IP rights

Consider secure communication channels for data portability requests

IT Engagement

New rights require specific capabilities from IT perspective to ensure effective implementation

Involvement of IT from the very beginning is essential:

To identify information systems/processes that will be impacted

To understand and address system limitations and build solutions (e.g., turn off analytics, restrict processing, ensure secured communication in context of access/portability right, etc.)

To automate rights management where possible

To ensure effective auditing and tracking of rights management (accountability)

To obtain appropriate feedback to upgrade policies adequately and provide for effective procedures

Consent and Right to Object

Codification of Working Party Opinion (WP187) on Consent

Consent to become a more prominent basis for processing (?)

Consent

- Controller has burden of proof that individual consented

- Genuine free choice

- Clear affirmative act

- Consent language must be presented in a manner which is clearly distinguishable from other matters

- Possibility to withdraw anytime “without detriment”

- Provision of a service must not be made conditional on consenting to collection of data that is not required for service (Art. 4 (11) in conjunction with Art. 7 GDPR)

Right to Object

A. Any processing based on legitimate interests

- Individuals no longer need “compelling” grounds to object

- Obligation to document “compelling” legitimate interests that override privacy concerns

B. Direct Marketing

- Must stop processing as soon as consumer objects to it

- A successful objection requires you to delete the user’s data (Art. 21 GDPR)

Consent and Right to Object

Situations where the GDPR recognizes companies’ overriding interests and where processing may continue:

The establishment, exercise or defense of legal claims

The individual is a client or in the service of the controller

Fraud prevention

Transfer of employee data within a group of companies for internal administrative purposes

Network and information security

Overriding interests cannot be invoked by direct marketing objection

Required to assess in each specific case and document decision!

Consent and Right to Object

Mapping/Scoping

Map out:

- What processing is subject to consent/objection

- Where systems data is located

Policies, Procedures, and Records

- Ensure policies reflect interests that will override user objections

- Draft procedures for receiving, evaluating, and responding to user objections

- Build back-end fulfillment procedures

- Institute recordkeeping to record objections as well as grant/denial

- Draft template denial-of-objection for customer

Technology Builds

- Ensure systems accommodate opt-in/opt-out requirements

- Ensure capability to shut off processing (e.g. analytics) without affecting other systems

Profiling and Automated Decision-Making

Profiling

- Processing to “evaluate personal aspects” and predictive analytics

- Individuals have a right to object. The right is absolute in case of marketing-related profiling.

Practical Impact

Analytics for legal compliance arguably do not require consent or opt-out.

Analytics for marketing are permissible, but must offer right to object as default.

Analytics that have legal or other significant effects require consent or legal basis (data-intensive analytics, refusal of online credit application, e-recruiting).

Regime has potential operational impact. Consent and opt-out strategy must be supported by system infrastructure.

Automated Decision-Making

- Profiling/analytics paired with automated decision creating legal or other significant effects

- Not permitted unless:

  - Consent

  - Authorized by EU/Member State law

  - Necessary for entering into or performance of a contract

Right to Restrict Processing

Requirement

- Stop regular processing operations, but allowed to keep the data

- Individuals must request application of right

- Must be granted in case of:

  - Contestation of data accuracy

  - Unlawful processing, instead of deletion

  - Required for the individual to prepare for/in case of litigation

  - The exercise of the right of objection (Art. 18 GDPR).

- Must notify data recipients about restriction (Art. 19 GDPR)

Practical Impact

- Temporarily move data to another system (or “isolate”)/Make data unavailable to users/Temporarily remove published data from a website (Recital 67 GDPR)

- Prevent information from being subject to further processing

- Track disclosures of data to third parties (controllers and processors)

Modalities for All Rights

Duty to “facilitate” exercise of rights (Art. 12 (2) GDPR)

Duty to inform individuals on action taken (Art. 12 (3) GDPR)

Duty to inform individuals if rights are not granted and of possibility to file a complaint with the Supervisory Authority (Art. 12 (4) GDPR)

Individual rights must be provided free of charge (Art. 12 (5) GDPR), unless requests are “unfounded or excessive” (e.g., if repetitive)

A fee can be charged which reflects effective cost for administration of the request

Request can be refused

Not required to act if the individual cannot be identified. If there are reasonable doubts, controller may ask for information to confirm identity (Art. 12(2) in conjunction with Art. 12 (6) GDPR).

Conclusions

Put rights management high on the priority list

Identify and involve stakeholders, certainly IT, but also marketing, HR, legal, etc. to understand impact on business

Anticipate required investment at system level (building capability to support rights from IT perspective)

Anticipate required capability to adequately administer and record decisions

Anticipate increased consumer and regulator activism

About Alston & Bird’s Privacy and Data Security Practice:

Cybersecurity Preparedness & Response Team

Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in both preventing and responding to security incidents and data breaches, including all varieties of network intrusion and data loss events.

www.alstonsecurity.com

Privacy & Data Security Team

Our team helps clients at every step of the information life cycle, from developing and implementing corporate policies and procedures to representation on transactional matters, public policy and legislative issues, and litigation.

www.alston.com/privacy

Questions