
No Man is an Island: The Battle for Data Privacy

10 | KROLL ONTRACK | Report

“May you live in interesting times” is reportedly the English translation of a Chinese curse. Uncertainty and upheaval are not always conducive to prosperity or productivity, and this sentiment is particularly applicable for in-house counsel and data protection officers working with data in 2016.

Planned changes

The evolution of data protection legislation is cyclical. Technology develops; legislation follows. This pattern is what led to the creation of the EU General Data Protection Regulation (GDPR) which will replace the incumbent European Data Protection Directive (95/46/EC). Introduced in 1996, the EU Data Protection Directive provided European Union citizens with protections designed to work with the explosion of computer use. However, with the advent of social media, greater internet use and growing public concern for data protection, the directive has reached the end of its natural lifespan.

Its successor, the EU GDPR (the directive), has been developed to offer better protection for citizens, to harmonise data protection regulation across the European Union and to simplify intra-EU working.

For those working with data, the GDPR has been anticipated for the past three years. However, the regulation was only finalised in 2016, giving companies just two years until it is enforced in May 2018.

The main points of interest are:

■ Increased fines for breaches of the GDPR (up to 4 percent of the annual global turnover).

■ A "privacy by design" provision requiring data protection to be designed into business services. Ensure that measures are taken to protect data from the start of a client or customer engagement.

■ Explicit consent must be obtained for the collection and processing of data. Contracts with clients or customers should include a section on consent.

■ Multinational companies working across the European Union will be required to appoint an independent Data Protection Officer. This will be a challenging role to fulfil given the breadth of knowledge required to manage both IT systems and be familiar with the legal aspects of the GDPR.

■ International companies based outside the European Union, but which hold data inside the European Union, will be subject to these regulations.

■ A “right to erasure”. A client or customer has the right to request the erasing of personal data.

■ Data will be prohibited from being transferred outside the European Union without approval from a supervisory body.[1]

The implications of GDPR will be widespread and in-house counsel and compliance officers will need to prioritise data protection, devoting more time, and in some cases money, to ensuring the conditions of the GDPR are being met. The penalties for non-compliance are high, elevating compliance with data protection law to a similar level of importance as compliance with anti-trust laws.

No port in a storm

In late 2015, the European Court of Justice declared in the case Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) that the “Safe Harbor Agreement” between the European Union and the United States was invalid.

Schrems, an Austrian citizen, had concerns about EU data being transferred from Facebook’s Irish subsidiary to servers located in the United States. He argued that the Safe Harbor agreement was no longer sufficient in protecting the privacy of European citizens, especially following Edward Snowden’s revelations about the surveillance activities of the United States Intelligence Community.

As the replacement legislation, the EU-U.S. Privacy Shield was only finalised in July 2016, following protracted discussions and a rejected draft agreement. This left the 4,400 companies reliant on the agreement in an uncertain legal position regarding transferring data, relying on standard contractual clauses or binding corporate rules for much of 2016.

EU-U.S. Privacy Shield

The finalised agreement shares some similarities with the Safe Harbor. It relies on a similar approach of self-certification but imposes significantly greater obligations on participating organisations. The basis for the agreement is centred on the following seven privacy principles:

Notice: Organisations must provide individuals with notice of the types of data collected, the purposes of collection, the third parties who will receive their data, their right of access to it and the safeguards limiting the use and disclosure of their personal data. The organisation must also describe recourse mechanisms.

Choice: Organisations must provide clear and readily available opt-out methods for disclosure of personal data to third parties for purposes other than the one for which it was originally collected. For sensitive information (such as health information), individuals must actively consent and opt in to their data being used.

Accountability for Onward Transfer: Privacy Shield certificate holders must ensure that third-party contracts include agreements that provide the same level of protection as the organisation itself. They must agree that data may only be processed for limited, specified purposes consistent with the data subject’s consent. The organisation will remain liable for a third party’s violations unless it can prove that it was not responsible.

Security: Participating organisations need to “take reasonable and appropriate measures to protect [data] from loss, misuse and unauthorised access, disclosure, alteration and destruction.” These measures must be appropriate to the “risks involved and the nature of the personal data.”

Data Integrity and Purpose Limitation: Data collected must be “relevant for the purposes of processing” and organisations must limit collection to only relevant data, and it must be accurate, complete, and current.

Access: Organisations must provide individuals with access to their personal data and the opportunity to correct, amend or delete information that is inaccurate or processed in violation of the principles outlined in Privacy Shield.

Recourse, Enforcement and Liability: The Privacy Shield agreement contains detailed mechanisms for recourse and dispute resolution, and those seeking self-certification will need to implement complaints procedures that meet these strict requirements.

In addition to these principles, the EU-U.S. Privacy Shield will also:

■ Introduce an Ombudsman to investigate any complaints regarding access to data by the United States Intelligence Community.

■ Conduct a joint annual review of the program by the European Union and the Department of Commerce.

Brexit wounds?

As the European Commission and the U.S. Department of Justice battled it out over a replacement for Safe Harbor, the United Kingdom sought to end a decades-old debate over whether or not the country should leave the European Union by holding a referendum on the issue. Defying predictions made by pollsters, pundits and politicians alike, the result – which saw 52 percent of the electorate opting to leave – shocked the world. For in-house counsel and compliance officers operating in the European Union and United Kingdom, the decision once again plunged proceedings into uncertainty regarding data protection laws.

Unlike the current Directive, the GDPR will be unilaterally adopted across EU member states, raising two key questions for the United Kingdom:

■ What legislation will replace GDPR?

■ How would Britain do business with European Union countries operating under GDPR?

The United Kingdom currently operates under the Data Protection Act, 1998, which was enacted to bring British law in line with the Directive. At the time of writing, Britain has yet to trigger Article 50 and formally start exit proceedings. Prime Minister Theresa May has stated she will not trigger Article 50 until at least the end of the year to allow time to prepare for negotiations. Once Article 50 is triggered, experts in European Union constitutional law predict that it will take two years for the exit to be finalised. During this transition period, it is likely that the Data Protection Act, 1998 will remain unchanged.

At first glance, no longer being subject to the stringent conditions of GDPR may seem like a positive consequence of Brexit. However, Brexit is not simply a case of “in” or “out” and much of the potential consequences of leaving depend on whether or not Britain becomes part of the European Economic Area (EEA) or completely severs ties.

If Britain does become part of the EEA, this would afford Britain the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR.

In business terms, this would make data transfers somewhat easier, assuming the European Union found the United Kingdom’s safeguards to be appropriate. Nevertheless, this would mean that the United Kingdom would still be subject to the Directive and from May 2018 the GDPR, when transferring data across borders to comply with legal obligations in other countries.

An EU-U.K. Privacy Shield?

If the United Kingdom does not become part of the EEA, it would probably have to negotiate an agreement similar to the EU-U.S. Privacy Shield in order for U.K. companies to continue to transfer data between the United Kingdom and countries in the European Union.

In this scenario, it is likely the Article 29 Working Party would suggest similar terms to those applicable to the United States:

■ An ombudsman to handle complaints from European Union citizens about the United Kingdom’s security services accessing their data.

■ UK security services / the Home Office to provide written commitments that Europeans’ personal data will not be subject to mass surveillance.

■ An annual review or audit to check the new system is working properly.

What do all these changes mean for ediscovery?

We predict that 2017 will see a rise in demand for mobile ediscovery solutions. The latest data protection legislation (GDPR and the EU-U.S. Privacy Shield) both impose greater obligations and greater fines for violations than their predecessors. Mobile solutions can assist with compliance in two ways: firstly, by processing data in-country, which removes the risks associated with transferring data across borders; secondly, mobile ediscovery technology, and predictive coding technology in particular, is adept at ensuring only relevant data is transferred and disclosed.

In terms of Brexit, until the United Kingdom finalises its data protection regime and comes to an agreement with the European Union, companies will need to think carefully about the risks of transferring data across European borders. Once again, mobile ediscovery solutions provide a neat solution that allows businesses to continue processing and transferring data in Europe in a compliant and cost-effective manner.

Additionally, it is likely there will be renewed focus on information governance in order to comply with the “privacy by design” and “right to be forgotten” components of the GDPR. Understanding where data is and the volumes involved will play a big role in ensuring compliance.

REFERENCES

[1] https://www.privacyshield.gov/EU-US-Framework