Wilson Sonsini Goodrich & Rosati, LLP
European Data Protection Briefing
Cédric Burton
www.wsgr.com
Meeting at Google Russia
Moscow, March 20, 2013
Outline
I. Overview of EU privacy and data protection legal framework
II. EU privacy regulatory approach
III. The future of data protection in the EU – draft data protection regulation
IV. EU privacy & data protection compliance in practice
V. Focus on a few selected issues
– Secrecy of electronic communications
– Approach to user protection and user identification
– Security requirements
Overview of EU Privacy & Data Protection Legal Framework
• Article 8 European Convention of Human Rights
• Article 16 Treaty on the Functioning of the European Union
• EU Data Protection Directive (95/46/EC)
– General principles
– Applies to all sectors
• E-Privacy Directive (2002/58/EC as amended by 2009/136/EC)
– Rules for telecoms
– Cookies and spamming regulation
• Data Retention Directive (2006/24/EC)
• Various national privacy and data protection laws implementing these Directives
• Additional national law requirements such as secrecy of electronic communications
• The EU Data Protection Directive is currently being reviewed (draft Data Protection Regulation)
EU Privacy Regulatory Approach
• Privacy & Data Protection is a Fundamental Human Right
• Omnibus legislation (transversal approach) – Applies to all entities in all sectors
– Technological neutrality
• Informational Self-Determination – Individuals at the center of the regulation. Put individuals in control!
• Very broad scope of application
• Different roles and responsibilities for various players
• 10 general principles with some flexibility
1. Legal basis
2. Proportionality
3. Sensitive data
4. Notice
5. Individuals’ rights
6. Data transfers
7. Data processing
8. Security
9. Data retention
10. Registration with DPAs
EU Privacy Regulatory Approach
• Authorities oversight
– Independent supervisory data protection authorities
Independent from government (German case, Belgium); Legislative branch
– Roles
– Subject to fair trial rules
• Regulation / Co-regulation / Self-regulation
– Incentives for codes of conduct in the EU legal framework
– A few selected success stories:
Marketing & OBA (FEDMA, IAB Europe)
ICO has been very active (consultation & codes of conduct)
Privacy seals
Incentives for codes of conduct and certification in the new draft legal framework
• Power of investigation and fines
• Right to seize the public prosecutors
• Consultative role
• Ex-post control & little prior checking
EU Privacy Regulatory Approach – Learning from EU Privacy Rules
Advantages
• Omnibus legislation
• Users at the center of the legislation
• Some level of harmonization
• Some flexibility regarding main data protection principles including legal basis, data transfer mechanisms and security measures
• Technological neutrality
Disadvantages
• Lack of full harmonization – differences under national laws
• Too prescriptive and little effectiveness
• Too bureaucratic (e.g., registration)
• Lack of real incentives for self-regulation
• Focus is sometimes more on documentation than on actual compliance
The Future of Data Protection in the EU – Draft Data Protection Regulation
• Complex and raises many political issues
• Impacts all sectors, in particular the online business worldwide
• Large impact on non-EU companies
– Potential to affect core businesses of non-EU companies
– Applies to non-EU companies offering goods/services to or monitoring behavior of EU citizens
• Intended to replace national data protection laws, but will likely include numerous exemptions for national law (e.g., employee data)
• Imposes new obligations on companies
– Extensive documentation
– Data minimization
– Accountability
– Privacy by design and by default
– Breach notification
– DPO requirements
• Amends the rules on international data transfers
• Enhances cooperation among regulators and enforcement
• Fines can be levied up to 2% of a company’s worldwide turnover
The Future of Data Protection in the EU – Draft Data Protection Regulation
Pros
• No registration with DPAs & one lead authority
• More legal certainty (more harmonization)
• Promotes self-regulation and industry initiatives
• Introduction of data minimization principle, pseudonyms and anonymous data
• Focus is more on internal compliance than completing forms
Cons
• Still too prescriptive
• Role of consent is too central
• Issues related to procedural rules and competence of DPAs
• More was expected regarding data transfer issues
• Very broad and sometimes unclear scope of application
The Future of Data Protection in the EU – Draft Data Protection Regulation
• Latest trends:
– Increasing focus on data minimization: the less data the better!
– Pseudonymous data (personal data, pseudonyms, anonymous data): incentives (less strict rules) to avoid identification of individuals!
– More self-regulation and co-regulation
– Risk-based approach
– Less documentation requirements
• Status and next steps:
– Discussions in EU Parliament and Council of the EU
– May/June 2013: Final vote in the EU Parliament plenary
– Mid 2013: Start of negotiations between EU Parliament and Council of the EU
– Timing: Political agreement by end of 2013? Second reading?
– Into force two years after its adoption (at the earliest in 2016)
EU Privacy & Data Protection Compliance in Practice
• Difficult to comply with all requirements from various data protection laws
– Risk assessment is central
– Applicable law issue is crucial – Comply with the strictest requirements as a rule?
• Some flexibility on how to apply the main data protection principles
– Legal basis, proportionality, data transfers, security measures
– Necessary since there are many grey areas
• A good privacy notice is key
– Difficult to provide clear information about complex data processing activities
– Layered approach
– Best practices come from industry (regulators even call on the industry to work together and find practical solutions – see Article 29 WP Opinion on mobile apps):
Facebook: http://www.google.co.uk/intl/en/policies/
Google: http://www.google.co.uk/intl/en/policies/
Microsoft: http://www.microsoft.com/privacystatement/en-gb/core/default.aspx
Yahoo!: http://info.yahoo.com/privacy/uk/yahoo/
EU Privacy & Data Protection Compliance in Practice
• Consent as a legal basis has some limits:
– Difficult to implement in practice
Specific requirements for consent to be valid (freely given, specific, informed)
Many different types of consent (e.g., implied, explicit, opt-in, opt-out, prior consent)
Multiple consents may be required
Little effectiveness of consent
– In practice, general consent to the terms of use and privacy policy, except in certain limited situations (e.g., location data, cookies)
• Focus on Internet companies:
– From trade-off between innovation and data protection to data protection as an asset
– Improved cooperation between regulators and Internet companies
– Education and awareness raising: individuals & regulators
– Exoneration of responsibilities for Internet intermediaries (e.g., hosting provider, cache provider, mere conduit) except in case of actual knowledge
Focus on a few selected issues
• Secrecy of electronic communications
– Differences depending on applicable national data protection law and context (e.g., HR context, Internet companies)
– General trends:
Rationale: protecting against wiretapping
Old legislation not aimed at applying to the electronic world
Scope (in most EU countries):
– Only during the transmission of a communication
– Once e-mail is on a company server the protection stops
Consent as a basis for allowing access to content of e-mails
– There is no violation of secrecy of electronic communications if users consent to the access
– In the commercial context, consent is usually obtained through terms of service
– In the HR context, specific consent is often required because of labor law requirements
– Difficult to apply in practice
Focus on a few selected issues
• Approach to user protection and user identification
– Individuals’ informational self-determination – Put users in control!
– Companies are free to require identification or not, but usually no identification for IT services. To the contrary, clear trend towards less or no identification!
Data minimization principle
Individuals have the right to request deletion of personal data
Use of pseudonyms
Freedom of expression
– Facebook German case
– Massive case law related to IPR enforcement and conflict with privacy/data protection – little success of graduated response schemes
– Example of industry best practices: Google Incognito mode
Focus on a few selected issues
• Security
– Broad and general obligations
– Data controllers are responsible for protecting the data with appropriate security measures and are accountable in case of a breach
– Level of protection is determined by the state of the art and the specific risks
– Industry is best placed to assess the level of protection and adapt to new and fast-moving technologies (little DPA guidance on this issue)
– As a result, best practices come from the industry:
Facebook: Family Safety Center – http://www.facebook.com/safety
Google: Good to know – http://www.google.co.uk/intl/en/goodtoknow/
Microsoft: Safety & Security Center – http://www.microsoft.com/security/default.aspx
Yahoo!: Security at Yahoo! – http://info.yahoo.com/privacy/uk/yahoo/security/
Conclusions
1. Detailed prescriptive requirements are not workable and not efficient to protect individuals' privacy & security
2. Focus should be more on practical internal compliance
3. A few key core principles with flexibility in implementation is best
4. Industry is better placed to protect individuals' privacy & security, and companies have a strong interest in doing so
5. Clear trends towards data minimization, online anonymity, right to deletion and pseudonymous data in Europe
6. Less or no identification protects individuals' privacy & limits the security risks
Questions?
Thank you!
Cédric Burton
Associate
WSGR EU Data Protection Regulation Observatory, http://www.wsgr.com/eudataregulation