Data Protection Law: An Update


Slide 1: Data Protection Law: An Update
Billy Hawkes, Data Protection Commissioner
Matheson, Dublin, 28 January 2014 (Data Protection Day)

Slide 2: EU & Irish Legislation
EU:
- Data Protection Directive 95/46/EC (being updated)
- Electronic Privacy Directive 2002/58/EC (as amended)
- EUROPOL etc.
Ireland:
- Data Protection Acts 1988 & 2003
- EC Electronic Privacy Regulations 2011 (SI 336/2011)
- Corresponding Acts (Good Friday Agreement)
- Disability Act 2005

Slide 3: Lisbon Treaty, Article 16 Treaty on the Functioning of the Union
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities...

Slide 4: EU Charter of Fundamental Rights, Article 8: Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

Slide 5: EU DP Law Changes: Timetable
- Draft laws published 25 January 2012: a Regulation on Data Protection and a Directive for law enforcement
- Negotiation in Council and Parliament
- Approval of revised text by Parliament LIBE Committee, 21 October 2013
- Council discussions continuing
- European Council Conclusions, October 2013: adoption by 2015
- Implementation by ?

Slide 6: General Principles (1)
- Protecting the fundamental right to data protection and the free movement of personal data
- Particular focus on children
- Applies to organisations processing personal data that are either established in the EU or offering goods and services to, or monitoring the behaviour of, EU residents
- Does not apply to a natural person without any gainful interest acting in the course of their own exclusively personal or household activity

Slide 7: General Principles (2)
- Data minimisation: limited to the minimum necessary
- Transparency: more prescriptive information requirements
- Strengthened right of access: more information; no charge (except where "manifestly excessive"); normally within one month

Slide 8: General Principles (3)
- Accountability of data controller (joint controller) and data processor: "ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation"
- Documentation
- Data Protection Officer: public bodies, those with 250+ employees and those engaged in regular and systematic monitoring of data subjects

Slide 9: General Principles (4)
- Privacy by Design
- Privacy Impact Assessment
- Seal systems
- Data portability
- Right to be forgotten: requirement for a retention policy; on request, delete unless this clashes with other rights (freedom of expression etc.)
- Strengthened data security
- Data breach notification

Slide 10: Lawfulness of Processing
- Stricter definition of consent: burden of proof on the data controller; can't be buried in another document; not valid where there is a significant imbalance; parental consent for a child under 13
- Legal obligation, public interest and exercise of official authority must be laid down in law which meets a proportionality test
- Legitimate interests of the data controller: does not apply to a public organisation

Slide 11: International Transfers (1)
- Adequacy decisions by the Commission
- Standard clauses: adopted by the Commission; or prescribed by a DPA and declared generally valid by the Commission; or approved by a DPA (subject to the consistency mechanism)
- Binding Corporate Rules

Slide 12: International Transfers (2)
- Informed consent, contractual requirement etc.
- Legitimate interests of the data controller or processor, provided the transfer is not frequent, massive or structural, and the DPA must be informed

Slide 13: Data Protection Authorities (DPAs) (1)
- Independence: appointment, financial resources, staff
- Strengthened powers: conduct investigations on own initiative; investigate complaints "to the extent appropriate"; must be consulted on relevant legislation
- One-stop-shop for data controllers: location of main establishment

Slide 14: DPAs (2)
- European cooperation: consistency mechanism; joint enforcement, binding consultation etc.
- Strengthened European Data Protection Board
- Commission regulatory powers
- Sanctions: up to €1M or 2% of global turnover

Slide 15: Proposed Changes: Parliament and Council (1)

Topic | Parliament | Council
Personal Data | Tweaks to definition; new pseudonymous data definition | Tweaks to definition; new pseudonymous data definition
Consent | Significant imbalance gone; informed, explicit consent emphasised, with full transparency | Significant imbalance gone; explicit gone

Slide 16: Proposed Changes: Parliament and Council (2)

Topic | Parliament | Council
Data Protection Officer | Compulsory if 5,000+ data subjects, monitoring, sensitive data | Incentivised, not compulsory
International Transfers | Sunset clauses for adequacy decisions; prohibition of transfer to 3rd-country official authorities (NSA etc.) without authorisation; elimination of the limited possibility of transfer at the data controller's discretion | No substantive changes

Slide 17: Proposed Changes: Parliament and Council (3)

Topic | Parliament | Council
Sanctions | Up to €100M or 5% of global turnover | "may" rather than "shall"; amounts left open
One Stop Shop | Closer coordination among DPAs; final decision-making power to the European Data Protection Board | Disagreement at political level

Slide 18: What Now?
- Negotiations continuing in Council
- Significant disagreement: Regulation/Directive, One Stop Shop
- Agreement by end-year?
- New Parliament, new Commission: priorities?
- When ready for trialogue?
- Approval 2015? Entry into force 2017?

Slide 19: And in the Meantime
- Successful IDA activities: more IT companies declaring for Irish data protection jurisdiction
- Pressure on the DPC: Facebook and LinkedIn audits, with more to follow
- More resources allocated: enough?

Slide 20: Thank You
Office of the Data Protection Commissioner
Canal House, Station Road, Portarlington, Co Laois
Phone:
LoCall:
Fax:
Website: