EU Privacy Regulation Update, Dr. Ville Oksanen, 18.4.2014 (slide footer date: 18 March 14)

Osio workshop: Data Protection Regulation and Health Care


Description: A brief review of the current situation after the Parliament's plenary vote.

Page 1

EU Privacy Regulation Update

Dr. Ville Oksanen, 18.4.2014

Page 2

Who's talking...

• LL.M., Ph.D. (Technology law)

• At TKK (Aalto) since 2001

• At Helsinki University since 2009

• Partner, Turre Legal

• Founder, Electronic Frontier Finland; currently Vice Chairman

• Blogger: “Lex Oksanen”

Page 3

Privacy regulation update

Page 4

Original goal

• To update the existing regulation to meet the change in technologies

• To give more rights to both citizens and also data protection authorities

Page 5

However..

• “Regulatory capture” in action

• Heavy lobbying from e.g.

  • U.S. Government

  • Facebook, Google etc.

  ...to water down the proposal

Page 6

Current State?

Page 7

Case Snowden

Page 8

Page 9

(http://euobserver.com/justice/121817)

Page 10

Key features

• Clarified definitions

• Data protection by Design

• Accountability + Notification of breaches

• Portability + Right to Access (for free)

• Right to Erasure

• International regulatory scope?

Page 11

Sensitive data (Article 9)

• “...revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex life, administrative sanctions, judgments, criminal or suspected offences, convictions or related security measures”

• (h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

• (i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

Page 12

Right to access and to obtain data

“2a. Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.”

Page 13

Profiling

• Highly visible notification about right to object

• Definition: “'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour;”

Page 14

Data protection by Design

Article 23: “...Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data.”

Page 15

Right to Erasure

• Most controversial feature

• Many open questions

• Practical (backups? Who pays the costs?)

• Content specific (photographs? Discussions?)

• Application to data given to 3rd parties?

Page 16

Respect to Risk

• “The controller ... shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks.”

• “(d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;”

Page 17

Designation of the data protection officer

• “1. The controller and the processor shall designate a data protection officer in any case where:

• ...(d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems.”

Page 18

Penalties

• “At least”

• “a warning in writing in cases of first and non-intentional non-compliance;

• regular periodic data protection audits;

• a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher.”

Page 23

Article 80a: Access to documents

• National law

• “Reconciles the right to the protection of personal data with the principle of public access to official documents.”

• Notification to the Commission

Page 24

Processing of personal data concerning health

• Based on law (EU or national)

• “consistent, and specific measures to safeguard the data subject's interests and fundamental rights, to the extent that these are necessary and proportionate, and of which the effects shall be foreseeable by the data subject”

Page 25

3 categories of data

• “preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services”

• “reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety”

• “other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system”

Page 26

Research exceptions

• Consent required

• “Where the data subject's consent is required for the processing of medical data exclusively for public health purposes of scientific research, the consent may be given for one or more specific and similar researches.”

• Anonymisation or pseudonymisation under the highest technical standards

Page 27

Article 83: Processing for historical, statistical and scientific research purposes

1. In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.
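The separation that Article 83(b) requires, and the pseudonymisation mentioned under the research exceptions, as an added example that is not part of the slides: an identity custodian keeps a keyed pseudonym table apart from the research dataset, the research side holds only pseudonyms and non-identifying attributes, and a release check confirms no direct identifier slipped through. The custodian class, the record fields and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Direct identifiers never enter the research dataset; they stay with the custodian.
DIRECT_IDENTIFIERS = {"name", "national_id", "email"}

# Constructed sample records (not real people).
RECORDS = [
    {"name": "A. Example", "national_id": "010180-123A", "email": "a@example.invalid",
     "year_of_birth": 1980, "diagnosis_code": "E11"},
    {"name": "B. Example", "national_id": "150590-456B", "email": "b@example.invalid",
     "year_of_birth": 1990, "diagnosis_code": "J45"},
]

class IdentityCustodian:
    """Holds the pseudonym key and the pseudonym-to-identity table, apart from the research data."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.table = {}

    def pseudonym(self, national_id):
        # Keyed hash: without the custodian's key a pseudonym cannot be recomputed from a guessed ID.
        return hmac.new(self.key, national_id.encode(), hashlib.sha256).hexdigest()[:16]

    def register(self, record):
        p = self.pseudonym(record["national_id"])
        self.table[p] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return p

    def reidentify(self, pseudonym):
        # Only the custodian can map back; the research side never receives this table.
        return self.table.get(pseudonym)

def split_record(custodian, record):
    """Research-side view of one record: pseudonym plus non-identifying attributes only."""
    p = custodian.register(record)
    return {"pseudonym": p, **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}

def build_research_dataset(custodian, records):
    return [split_record(custodian, r) for r in records]

def leaks_direct_identifiers(dataset):
    """Release check: no direct identifier may remain in any research record."""
    return any(DIRECT_IDENTIFIERS & r.keys() for r in dataset)
```

Because the pseudonym is stable for a given key, repeated extracts for the same study can be linked without the research side ever holding a name or national ID.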

Page 28

Page 29

Questions? Comments?

[email protected] twitter: villoks
