GDPR Webinar 9: Automated Processing & Profiling


1 Webinar 9: Automated Processing & Profiling T-Minus 210 Days (October 26, 2017) Presenter: Peter Blenkinsop

2 Agenda for Today
- Brief update on status of guidance and implementation
- Deep dive examination of Art. 29 Working Party guidance on automated decision-making and profiling
- Q&A
- Closer look at new guidance; update on related developments
Drinker Biddle Reath LLP

3 Article 29 Working Party New Guidance
- Final Guidance on DPIAs
- Draft Guidance on Breach Notification (available for public comment through 28 November)
- Draft Guidance on Profiling and Automated Decision-making (available for public comment through 28 November)
- Guidance on the Application and Setting of Administrative Fines

4 Article 29 Working Party Expected Guidance
For adoption between November 2017 and February 2018:
- Consent
- Transparency
- Update of data transfer tools
For adoption in February 2018:
- Certification

5 National Laws
Adopted: Austria, Germany
Partial implementation: France (Digital Republic Bill adopted prior to final adoption of the GDPR)
In draft form:
- EU: Belgium, Czech Republic, Finland, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Romania, Slovakia, Slovenia, Spain, Sweden, UK
- EFTA: Norway
- Other: Switzerland, Serbia

6 Automated Decision-Making

7 Automated Decision-Making (Art. 22)
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

8 Prohibition on Automated Decision-Making That Significantly Impacts Data Subject: The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

9 Automated Decision-Making: Based Solely on Automated Processing
There is no human involvement in the decision-making process. If a human being reviews and takes account of other factors in making the final decision, that decision would not be based solely on automated processing. But the human involvement must be meaningful, not just a token gesture.

10 Automated Decision-Making: Including Profiling
Profiling is defined in Art. 4(4): Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

11 Automated Decision-Making: Produces Legal Effects
Legal effect: An impact on a person's legal rights (statutory or contractual) or legal status. Examples:
- entitled to or denied a particular social benefit granted by law, such as child or housing benefit;
- refused entry at the border;
- subjected to increased security measures or surveillance by the competent authorities; or
- automatically disconnected from some service for breach of contract.

12 Automated Decision-Making: Similarly Significantly Affects (I)
An effect that is equivalent or similarly significant in its impact as a legal effect. WP29 says that for a decision to similarly significantly affect an individual, it must have the potential to significantly influence the circumstances, behavior, or choices of the individuals concerned. At its most extreme, the decision may lead to the exclusion or discrimination of individuals.

13 Automated Decision-Making: Similarly Significantly Affects (II)
WP29 points to prior guidance for examples. Processing that:
- causes, or is likely to cause, damage, loss or distress to individuals;
- has, or is likely to have, an actual effect in terms of limiting rights or denying an opportunity;
- affects, or is likely to affect, individuals' health, well-being or peace of mind;
- affects, or is likely to affect, individuals' financial or economic status or circumstances;
- leaves individuals open to discrimination or unfair treatment;
- involves the analysis of the special categories of personal data or other intrusive data, particularly the personal data of children;
- causes, or is likely to cause, individuals to change their behaviour in a significant way;
- has unlikely, unanticipated or unwanted consequences for individuals; or
- creates embarrassment or other negative outcomes, including reputational damage.

14 Automated Decision-Making: Impact on Targeted Advertising?
WP29: "In many typical cases targeted advertising does not have a significant effect on individuals... However it is possible that it may do, depending upon the particular characteristics of the case," including:
- the intrusiveness of the profiling process;
- the expectations and wishes of the individuals concerned;
- the way the advert is delivered; or
- the particular vulnerabilities of the data subjects targeted.
Processing that might have little impact on individuals generally may in fact have a significant effect on certain groups of society, such as minority groups or vulnerable adults. For example, someone in financial difficulties who is regularly shown adverts for on-line gambling may sign up for these offers and potentially incur further debt.
Note that the e-Privacy Regulation is currently in the legislative process.

15 Automated Decision-Making: Exceptions from Prohibition
The decision is:
- necessary for the performance of, or entering into, a contract;
- authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- based on the data subject's explicit consent.

16 Automated Decision-Making: Necessary for Performance of Contract or Entering Into Contract
Necessity Test: If other, less intrusive means to achieve the same goal exist, then the profiling would not be necessary.

17 Automated Decision-Making: Authorised by Union or Member State Law
EU or Member State law must authorize the use of automated decision-making. Recital 71 indicates this could include its use for monitoring and preventing fraud and tax evasion, or to ensure the security and reliability of a service provided by the controller.

18 Automated Decision-Making: Explicit Consent
Consent that is specifically confirmed by an express statement rather than some other affirmative action.

19 Automated Decision-Making: Data Subject Rights
Notice: The data controller must:
- tell the data subject that it is engaging in this type of activity;
- provide meaningful information about the logic involved, i.e., information on the rationale behind, or the criteria relied on, in reaching the decision; and
- explain the significance and envisaged consequences of the processing.
Right to Human Intervention: The right to have a review carried out by someone who has the appropriate authority and capability to change the decision.

20 Profiling

21 Profiling: Right to Object
Under Article 21(1), data subjects can object, on grounds relating to their particular situation, to processing that is based on the controller's (or a third party's) legitimate interests, or on a task carried out in the public interest or in the exercise of official authority (Art. 6(1)(e) and (f)), including profiling based on those provisions. The controller must stop the processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights and freedoms, or that the processing is needed for legal claims.
Under Article 21(2), data subjects have an unconditional right to object to processing of their personal data for direct marketing purposes, including profiling to the extent it relates to direct marketing.

22 Profiling: Definition
Art. 4(4): Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Profiling is a form of automated processing, but WP29 says that it is not limited to fully or solely automated processing. Human involvement does not take an activity out of the definition of profiling.

23 Profiling: Legal Basis for Processing (I)
Consent: Data subjects must be provided with enough relevant information about the envisaged use and consequences of the processing to ensure that any consent represents an informed choice. In situations where consent to profiling is a precondition of accessing the controller's services, or where there is an imbalance of power such as in an employer/employee relationship, consent is not an appropriate basis for the processing.

24 Profiling: Legal Basis for Processing (II)
Legitimate Interests: The controller must carry out a balancing exercise to assess whether its legitimate interests are overridden by the data subject's interests. WP29 points to the following factors as particularly relevant to the balancing exercise:
- the level of detail/granularity of the profile;
- the comprehensiveness of the profile;
- the impact of the profiling on the data subject; and
- the safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process.
Where sensitive personal data is derived or inferred from profiling activity, the rules regarding processing of sensitive personal data apply.

25 Profiling: Other Requirements
Notice: The controller must provide data subjects with concise, transparent, intelligible and easily accessible information about the processing of their personal data for profiling.
Compatibility of Purpose: Use of personal data for profiling must be compatible with the original purposes for which the data were collected. Relevant factors:
- the relationship between the purposes for which the data have been collected and the purposes of further processing;
- the context in which the data were collected and the reasonable expectations of the data subjects as to their further use;
- the nature of the data and the impact of the further processing on the data subjects; and
- the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Accuracy: The controller must consider accuracy when analyzing data, when building a profile for an individual, and when applying a profile to make a decision affecting the individual.
Storage Limitation: Storing personal data for a long time may be too intrusive when balanced against the individual's right to privacy (proportionality).
DPIA: The DPIA requirement is triggered whenever there is a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.

26 Q&A

27 WP29 Final Guidance on DPIAs
The final version is very similar to the draft version published in April. Differences:
- Deletion of the statement in the draft version suggesting that DPIAs should be published in full or in part. The guidance now indicates that publication of DPIAs is not obligatory but is encouraged to foster trust.
- Deletion of the statement indicating that DPIAs must be re-assessed every three years, replaced with a generic statement that DPIAs must be continuously reviewed and regularly re-assessed.
- Addition of a paragraph indicating that DPIAs do not need to be conducted for processing operations that have undergone prior checking under Art. 20 of the Data Protection Directive, unless a significant change to the processing has occurred since the prior checking was performed.
- The change to the statement that DPIAs are not required for processing operations already in existence as of May 25, 2018 (unless significant changes to the processing are made after May 25) has been read in different ways.

28 WP29 Draft Guidance on Breach Notification
- The 72-hour period for notification to supervisory authorities begins when the controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. Time spent investigating an incident to determine whether personal data have been breached is not included in the 72-hour period, provided that the investigation is conducted promptly. Nevertheless, where it should have been clear from the outset that personal data were impacted by an incident, the 72-hour period begins immediately.
- The GDPR does not provide an explicit time limit within which the processor must alert the controller of a breach, but in principle the controller should be considered aware once the processor has become aware. Therefore, WP29 suggests that processors provide immediate notification of breaches to controllers.
- Where a breach affects personal data of individuals in more than one EU Member State and notification is required, the controller should notify either (i) each competent supervisory authority, or (ii) if the controller has a lead supervisory authority, that lead authority. Identification of the controller's lead supervisory authority (where applicable) should be included in the controller's breach response plan.

29 Report of Privacy Shield Annual Review
The Commission's report is largely favorable. Approximately 2,400 companies are Privacy Shield certified and approximately 20 new companies apply for certification each week. In the first year, the FTC received only 3 Privacy Shield-related complaints, none of which came from the EU. The US Department of Commerce and EU DPAs did not receive any complaints.
The Staff Report provides some interesting statistics concerning which independent recourse mechanism companies are choosing under Privacy Shield: BBB (702 organizations), TRUSTe (521 organizations), and JAMS (458 organizations). 223 companies use EU DPAs as their independent recourse mechanism for both HR and non-HR data; 232 companies use DPAs for non-HR data only.

30 Schrems II Referral to CJEU On 3 October, Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to CJEU. Commissioner questioned whether there is an effective remedy under U.S. law compatible with Art. 47 of EU Charter of Fundamental Rights for EU citizen whose data is transferred to U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. Article 47 guarantees an effective remedy before an independent tribunal if rights or freedoms are violated, including rights under Articles 7 and 8 to respect for private and family life and protection of personal data.

31 eprivacy Regulation - Status European Parliament s LIBE Committee voted on 19 October to approve an amended draft of e-privacy Regulation. Plenary vote in Parliament expected soon. Council Presidency released an amended draft on 8 September for further discussion within the Council. EDPS published recommendations on 5 October. WP29 issued recommendations in April.

32 Schedule (11:00 a.m. to 12:30 p.m. U.S. Eastern Time), through January 2018
- November 30: Data Breach Notification: What are the triggers for when notification is required to supervisory authorities and data subjects? How can we implement effective incident response plans?
- January 4, 2018: International Data Transfers: What has changed in comparison to the Directive? What changes to model clauses, BCRs, Privacy Shield, and other adequacy decisions are likely?
