THE NEW EUROPEAN PRIVACY LAW THE MAKING OF THE GENERAL DATA PROTECTION REGULATION & NEXT STEPS. Helsinki, Finland 14 April 2016

Transcription

1 THE NEW EUROPEAN PRIVACY LAW THE MAKING OF THE GENERAL DATA PROTECTION REGULATION & NEXT STEPS Helsinki, Finland 14 April 2016

2 ABOUT IAB EUROPE HQ: Focuses: Members: Brussels Policy; European business practices; research; training National IABs, companies

3 ABOUT ME MATTHIAS MATTHIESEN Public Policy Manager, IAB Europe

4 OVERVIEW 1. CONTEXT OF THE GDPR 2. EU LAW MAKING 101: OFFICIAL & UNOFFICIAL PROCEDURES 3. IMPACT OF THE GDPR ON OBA 4. WRAP UP AND NEXT STEPS

5 GENERAL DATA PROTECTION REGULATION AN OVERVIEW

6 CONTEXT The General Data Protection Regulation (GDPR) was designedto: Strengthen privacy Boost the EU s digital economy Adapt to technological progress and how data is used Tackle legal fragmentation in the EU28

7 CONTEXT At best: Getting rid of national fragmentation. Level the playing field. At worst: Much more onerous obligations for the processing of personal data, which make it harder for all and impossible for some to keep working their business model.

8 TECHNOLOGICAL PROGRESS HAS CHANGED THE WAY DATA IS USED EU Data Protection Directive EU Cookie Directive Revised EU Cookie Directive EU GDPR Proposal

9 EUROPEAN UNION LAW MAKING 101 PROCEDURES

10 LEGISLATIVE PROCEDURE CHANGES CONCILIATION INFORMAL AGREEMENT

11 TRILOGUE PROCEDURE (FOR THE GDPR) 82% of laws adopted were agreed in trilogue 96% of laws adopted in 2014 were agreed in trilogue Only 2% of laws negotiated in trilogue fail * TRILOGUES FORMAL PROPOSAL OF INFORMALLY AGREED CHANGES INSTITUTIONS NEGOTIATE INFORMALLY INFORMAL AGREEMENT * Source: EBD

12 TRILOGUES DECISION MAKERS

13 WHO DO WE TALK TO? WHY DO THEY TALK TO US? Expertise back in the Member State, about own system Lacks scientific service or expert advisors Academic experts, with little knowledge of real world Presidency PermReps MEPs Advisors Commissioners Civil service

14 WHO DO WE TALK TO? WHY DO THEY TALK TO US? Expertise Best practices back from in the Member other Member State, about States own EU system context Lacks Provide scientific missing service expert or expert knowledge. advisors Academic experts, Provide real world with little knowledge business insights. of real world Presidency PermReps MEPs Advisors Commissioners Civil service

15 WHAT DO WE GIVE TO THEM? Position papers Informing of impact of proposed rules Proposing better, alternative solutions Providing arguments to be used to justify changes Legal amendments Proposing actual changes in the text, which give effect to proposed solutions In trilogues: make as little changes as possible as we have to work within boundaries of the three positions

16 WHAT DO WE GIVE TO THEM? Position papers Informing of impact of proposed rules Proposing better, alternative solutions Providing arguments to be used to justify changes Legal amendments Proposing actual changes in the text, which give effect to proposed solutions In trilogues: make as little changes as possible as we have to work within boundaries of the three positions

17 POWER STRUGGLES ON OWNERSHIP ( ) VS Neelie Kroes Commissioner for Digital (DG CNECT) Viviane Reding Commissioner for Justice (DG JUST) European Parliament Committee for Industry, Research and Energy vs European Parliament Committee for the Internal Market and Consumer Protection vs European Parliament Committee for Civil Liberties, Justice and Home Affairs Ministries of Justice vs Ministries of Home Affairs vs Ministries for the Economy

18 EUROPEAN COMMISSION Lead Responsible GDPR Commissioner Věra Jourová Vice President Andrus Ansip Commissioner Günther Oettinger Justice, Consumers and Gender Equality Digital Single Market Digital Economy & Society Renate Nikolay Head of Cabinet Juhan Lepassaar Head of Cabinet Michael Hager Head of Cabinet Kevin O Connel Data Protection Laure Chapuis Data Protection Bodo Lehmann Data Protection DG JUST Paul Nemitz Director NO DGs but Veto Power DG CNECT

19 EUROPEAN PARLIAMENT Rapporteur Jan Philipp Albrecht (Greens) Axel Voss (EPP) Marju Lauristin (S&D) Sophie in't Veld (ALDE) Timothy Kirkhope (ECR) Cornelia Ernst (GUE/NGL) Sean Kelly (EPP) Lara Comi (EPP) MEP Personal Assistants Political Group Advisors

20 COUNCIL OF THE EU Luxembourg Council Presidency 28 members of the Council Working Group on Data Protection and Information Exchange (DAPIX) Laure Wagener

21 PROBLEMS OF THE TRILOGUE Triloguessidestep the formal democratic process with little chance for the public to intervene. Time between decisions can be as little as a couple of days. Bloody Brussels bureaucrats making rules behind closed doors.

22 PROBLEMS OF THE TRILOGUE Trilogues sidestep the formal democratic process with little chance for the public to intervene. Time between decisions can be as little as a couple of days. Bloody Brussels bureaucrats making rules behind closed doors.

23 IMPACT OF THE GDPR 1. SCOPE: DEFINITION OF PERSONAL DATA 2. LEGAL PROCESSING: CONSENT AND LEGITIMATE INTERESTS 3. PROFILING

24 LEGAL FRAGMENTATION IN EU28 EU law based on a Directive 28 similar laws across EU Austrian law Austrian court EU law based on a Regulation 1 law across the EU EU Directive CJEU Member State law Member State court Content of the Directive is implemented into Member State law Member state law is interpreted by national court When the implementing law s compatibility with the Directive is unclear, CJEU interprets the Directive EU Directive CJEU Belgian law Bulgarian law Croatian law Cypriot law Czech law Danish law Estonian law Finnish law French law German law Greek law Hungarian law Irish law Italian law Latvian law Lithuanian law Luxembourgish law Maltese law Dutch law Polish law Romanian law Slovakian law Slovenian law Belgian court Bulgarian court Croatian court Cypriot court Czech court Danish court Estonian court Finnish court French court German court Greek court Hungarian c ourt Irish court Italian court Latvian court Lithuanian court Luxembourgish court Maltese c ourt Dutch court Polish court Romanian court Slovakian court Slovenian court EU Regulation CJEU Content of the Regulation is directly applicable in the Member States Competing Member State law is set aside CJEU interprets the Regulation. Spanish law Spanish court Swedish law Swedish court UK UK court

25 GEOGRAPHICAL SCOPE OF THE REGULATION: WORLDWIDE You are in Europe: The GDPR applies to you. You process European s data: The GDPR applies to you.

26 MATERIAL SCOPE OF THE REGULATION: MORE THAN PII Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Anonymous Data Identifiable Data Unregulated Regulated Identified Data

27 MATERIAL SCOPE OF THE REGULATION To determine if a person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by any other person, to identify the individual directly or indirectly while considering the costs and time involved as well as the available technology. Anonymous Data Identifiable Data Unregulated Regulated Binary definition of personal data. No granularity within that definition. Explicit addition of online identifiers Singling out is now clearly a form of identification. Identified Data

28 MATERIAL SCOPE OF THE REGULATION To determine if a person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by any other person, to identify the individual directly or indirectly while considering the costs and time involved as well as the available technology. Anonymous Data Identifiable Data Identifiable Data Unregulated Regulated Binary definition of personal data. No granularity within that definition. Explicit addition of online identifiers Singling out is now clearly a form of identification. Identified Data Identified Data Sensitive Data

29 EVERYTHING IS PERSONAL DATA MAKE NO MISTAKE, YOU ARE IN SCOPE.* DON T BE A FOOL AND PREPARE! * very likely

30 LEGAL PROCESSING If data falls within the definition of personal data the processing of such data is prohibited UNLESS

31 LEGAL PROCESSING Personal Data Non-personal data Sensitive Personal Data Certain types of processing Ordinary Personal Data Whatever Explicit consent of the data subject Unambiguous consent of the data subject Pursuing the legitimate interests of the controller

32 LEGAL PROCESSING Personal Data Non-personal data Sensitive Personal Data Ordinary Personal Data Whatever Explicit consent of the data subject Unambiguous consent of the data subject Pursuing the legitimate interests of the controller

33 LEGAL PROCESSING: CONSENT Direct relationship Obtain consent Process Data No direct relationship Contract with 1 st party 1 st party obtains consent on 3 rd party s behalf Process Data Controllers need to be able to demonstrate that they have obtained consent for the data processing Data subjects must be afforded the opportunity to withdraw consent

34 LEGAL PROCESSING: CONSENT (UNAMBIGUOUS) Unambiguous consent with safeguards 1. Freely given Presumption that it has not been freely given where: - imbalance between data subject and controller (consumer vs company) - access to service is conditional on consent (take it or leave it) 2. Specific - Consent for one thing does not mean consent for another (change of purpose) 3. Informed - Consent is not valid unless the data subject knows what consent is given for (transparency) 4. Unambiguous - It is clear a clear affirmative action that there is no doubt that the data subject has given consent (opt-in)

35 LEGAL PROCESSING: CONSENT (EXPLICIT) Explicit consent Not defined in EU law. But has been understood to be a stricter mode of consent based on an affirmative action (opt-in). Needed for processing sensitive personal data; or Some automated decision making, including profiling.

36 EXAMPLES

37 LEGAL PROCESSING Personal Data Non-personal data Sensitive Personal Data Certain types of processing Ordinary Personal Data Whatever Explicit consent of the data subject Unambiguous consent of the data subject Pursuing the legitimate interests of the controller

38 LEGAL PROCESSING Personal Data Non-personal data Sensitive Personal Data Ordinary Personal Data Whatever Explicit consent of the data subject Unambiguous consent of the data subject Pursuing the legitimate interests of the controller

39 LEGAL PROCESSING: THE LEGITIMATE INTERESTS OF THE CONTROLLER Meeting reasonable expectations Respecting privacy Transparency The data subject needs to be informed about the processing. Direct relationship & No direct relationship Legitimate interest of the controller or a third party Fundamental rights and interests of the data subject Balancing test Process Data Network Security Fraud Prevention Direct Marketing Controller Data subject Objection! The data subject needs to be given the opportunity to object to the processing. Advertising? Probably.

40 LEGAL PROCESSING: THE LEGITIMATE INTERESTS OF THE CONTROLLER Meeting reasonable expectations Respecting privacy Transparency The data subject needs to be informed about the processing. Direct relationship & No direct relationship Legitimate interest of the controller or a third party Fundamental rights and interests of the data subject Balancing test Process Data Network Security Fraud Prevention Direct Marketing Controller Data subject Objection! The data subject needs to be given the opportunity to object to the processing. Advertising? Probably.

41 LEGAL PROCESSING: THE LEGITIMATE INTERESTS OF THE CONTROLLER Meeting reasonable expectations Respecting privacy Transparency The data subject needs to be informed about the processing. Direct relationship & No direct relationship Legitimate interest of the controller or a third party Fundamental rights and interests of the data subject Balancing test Process Data Network Security Fraud Prevention Direct Marketing Controller Running a business Data subject Doesn't expect processing Objection! The data subject needs to be given the opportunity to object to the processing. Advertising? Probably. Advertising a product or service Privacy

42 PROFILING Profiling is automated processing analyzing or predicting a person s preferences,interests,behavior,etc. Profiling that produces legal effects or similarlysignificantly affects data subjects is regulated profiling. It can only be justified through (i) Contract (ii) EU or MS law (iii) The explicit consent of the data subject.

43 REGULATED PROFILING EXAMPLES Automated review of credit applications, Automated recruitment practices, e.g. candidate selection through algorithm

44 REGULATED PROFILING EXAMPLES What about OBA? Probably does not produce legal effects or similarly significantly affects data subjects. Automated review of credit applications, Automated recruitment practices, e.g. candidate selection through algorithm

45 WRAPPING UP 1. SUMMARY GDPR 2. IMPLEMENTATION OVER THE NEXT 2 YEARS 3. REVIEW OF THE EPRIVACY DIRECTIVE

46 WRAP UP PT. 1 SUMMARY GDPR The GDPR is broader in its scope (both territorially, and materially): More activities will fall under it. The GDPR is more restrictive in its legal grounds for processing: Activities are harder to justify. The GDPR lacks legal clarity: Member States, DPAs and courts willneed to fillin the gaps (ifthey arepermitted). As a direct result of the above, the GDPR is a far cry from harmonization : Gaps will not be filled in the same way everywhere. It was an uphill battle from the beginning and while the outcome is not great. The most extreme ideas have not made it in.

47 TIMELINE April 14, 2016 Soon... Spring 2018 GDPR formal adoption GDPR publication in OJ 20 days + 24 months GDPR taking effect Erratum: During the presentation this slide incorrectly identified May 5, 2018 as the date for the GDPR taking effect. As time of publication in the Official Journal is not actually precisely known, the exact date cannot be pinpointed.

48 WRAP UP PT. 2 NEXT STEPS We have a two year transition period to ensure a beneficial interpretationof thegdpr. Socialize more positive interpretations of the GDPR with policy makers at EU and national level. Exploring the possibility of legally endorsed codes of conduct and other forms of self-regulation and co-regulation. Attempting to have the new European Data Protection Board consult industry before issuing guidance.

49 NEXT STEPS SELF REGULATION CODES OF CONDUCT Associations representing categories of controllers may prepare codes of conduct specifying (some of) the provisions of the GDPR: Approval through EDPB/DPAs and European Commission can be given and provide a high degree of legal certainty throughout the EU... Chance to clarify how third parties could use pseudonymisation and non-consent legal bases for the purposes of online advertising? The European Commission is open toworking withus on that...! Revisit the OBA Framework

50 REVIEW OF THE eprivacy DIRECTIVE

51 NEXT STEPS eprivacydirective The European Commission has announced a review of the eprivacy Directive, to bring it in line with the GDPR. Chanceto deregulatecookies? Some new exceptions Removing limitation to consent... Risk that cookies will be regulated more strictly? Consent could be made even stricter than underthe GDPR Risk that other limitations will be imposed on top of the GDPR? already some stakeholders are trying to achieve through the eprivacy review what they didn t get in the GDPR Timeline: Public consultation launched Monday April 11. Public consultation ends July 5, 2016 (12 weeks) Legislative proposal could come as early as Q4 2016

52 NEXT STEPS eprivacydirective

53 NEXT STEPS eprivacydirective Taking away publishers freedom to decide on their own business model Obligation to provide subscription based access to website content Forcing publishers to provide their service for free No right to turn a user away that does not agree to seeing advertising

54 NEXT STEPS eprivacydirective

55 NEXT STEPS eprivacydirective Forced default settings: No to everything Make (even stricter) rules about how users should be giving their consent Enforce Do-Not-Track Support self-regulation (e.g. OBA Framework )

56 THANK YOU FOR LISTENING! QUESTIONS? QUESTIONS