The legal aspects of data protection (transcript of slides, jhh/secsem/2012/wisman.pdf)

Page 1
The legal aspects of data protection
17 February 2012, Radboud University of Nijmegen
Nynke Wisman, Attorney-at-law at NWLS
Page 2
Have you seen the headlines?
“PlayStation Network security breach will cost Sony much more than money”
“Zappos security breach: your data hacked?”
Page 3
Privacy: doing the right thing?
When you register for our online newsletter, we may use your data to send you marketing information. This is a) allowed or b) not allowed?
When you visit our website, we place cookies on your computer to improve the website performance and to show ads that may be of interest to you. This is a) allowed or b) not allowed?
After the huge data breach incident with PlayStation, Sony was criticized mostly for: a) not having informed the relevant persons in a timely manner, or b) not having adequate security measures in place?
Page 4
Privacy: doing the right thing?
What was the biggest downside of the Sony PS security incident according to hackers?
a) tighter security measures were being implemented, or
b) the price of stolen credit cards would decrease from approx. $5-10 to $1-2?
What was the outcome of the Google Streetview case:
a) Google must refrain from collecting information re Wifi routers, or
b) Google must provide an opt-out to users of Wifi routers?
Page 5
Today’s topics
“Data Protection”: protecting personal data from a legal perspective
An introduction to the legal requirements on ‘data protection’:
- What is it: the basics of data protection, the Privacy Principles
- What you should and should not do with personal data
- When and where does it apply
Some specific topics: ‘the cloud’, the Patriot Act, spam, cookies, data leakage, geolocation data, Google, smart meters …
The future of ‘data protection’
Page 6
What do you consider ‘personal’?
Name?
Phone number?
Websites you visit?
Credit card number?
Passport number?
Your nationality?
Medical information?
Photos? Number plates? IP addresses? Cookies?
Etc.?
Page 7
European Commission: ‘brave new data world’
Attitudes towards data protection:
- 60% of Europeans who use the internet (40% of all EU citizens) shop or sell things online and use social networking sites.
- Over 75% consider financial information, medical information and national identity or passport numbers ‘personal data’.
- ‘Only’ 46% consider their name ‘personal’, and only 25% think the websites they visited are ‘personal’.
- 70% are concerned about the use of their data and the control they have over the data.
Source: Special Eurobarometer 359, Attitudes on Data Protection and Electronic Identity in the European Union, June 2011
Page 8
Data Protection – the basics
Terms used:
- Personal Data: any data relating to an identifiable individual (natural person)
- Data Subject: consumers, clients, vendors, website visitors, ‘friends’, contact persons, one-man businesses, employees, job applicants, prospects → all individuals
- Data Controller: the responsible party that determines the means and purposes of the processing of personal data
- Data Processor: a party processing personal data on behalf of the data controller
Page 9
Privacy Principles
1. Collect data only for specified and explicit purposes
- e.g. client data for assessing and accepting clients, delivering services, and for defending, preventing and tracing fraud
- e.g. employee data for performance of the employment contract (salary payment, appraisals etc.) and for providing authorisation and maintaining security within the company
2. You need a ground for processing:
- consent
- performance of a contract
- compliance with a legal obligation
- your legitimate interests
3. Further processing is allowed only for purposes ‘not incompatible’ with the initial purposes
Page 10
Privacy Principles (Cont’d)
4. Only process relevant data; keep the data accurate and up to date, and retain it only as long as needed
- do not collect more data than needed
- review the accuracy regularly
- have retention policies in place
5. Give access only on a need-to-know basis
- authorise users individually for systems or files holding personal data
- limit access to those persons who have a valid reason for accessing the data
Page 11
Privacy Principles (Cont’d)
6. Take appropriate technical and organisational security measures to prevent unlawful/unauthorised access
- PET (privacy-enhancing technologies), access control + monitoring
- must be state of the art
- taking into account the nature of the data
7. Do not process sensitive data, unless permitted by law
- medical data, biometric data, data re race or ethnic origin, sexual orientation etc.
Page 12
Privacy Principles (Cont’d)
8. Be transparent to individuals about the processing of their data and provide the opportunity to view and correct data
- use privacy statements
- notify the DPA (data protection authority)
9. The accountability principle
- responsibility for appropriate measures so that the privacy principles are effective in practice
- make sure these are complied with
Page 13
International data transfers
Page 14
Privacy and ‘the cloud’
Personal data in the cloud (private / public / community / hybrid or ‘Rijkscloud’)
Where is your data?
Is your data secure; how do you know?
Page 15
Privacy and ‘the cloud’
US research shows:
- cloud providers do not view security as a competitive advantage
- security is the customer’s responsibility
- main drivers for customers: ‘lower costs’ and ‘faster deployment’
- cloud providers think improved security/compliance are unlikely reasons for choosing cloud services
Page 16
Privacy in ‘the cloud’
Obligation to retain records:
- “you are responsible for backing up the data that you store on the service”
- “we have no obligation to return data to you after the service is suspended or cancelled”
Personal data transfers:
- “As part of providing the Services, Supplier may transfer, store and process customer data in … any other country in which supplier or its agents maintain facilities”
Page 17
Privacy and ‘the cloud’
US Patriot Act: “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism”
Dropbox, T&C’s:
- “We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to … comply with a law, regulation or compulsory legal request. … We will remove Dropbox’s encryption from the files before providing them to law enforcement”
Page 18
Protecting your personal data: the practical approach
‘Defending Privacy at the US Border. A Guide for Travellers Carrying Digital Devices’ (Dec 2011)
If you do not carry personal data with you, ‘they’ cannot get it
Page 19
Smart Meters
What do the meters say about an individual?
The electricity spent, but also…
- when he comes home / which machines he uses and when / how long he showers …
Or worse…
‘Mijn E’
Page 20
Marketing …
(Offline) Marketing: opt-out
E-marketing: opt-in / opt-out
Online Behavioural Advertising: opt-in
Page 21
Marketing off-line and E-marketing
Sending direct marketing messages (unsolicited commercial communication) requires the use of personal data.
Off-line marketing: ordinary, old-fashioned off-line letters, brochures etc.: this is allowed with an opt-out (DPA)
E-marketing (online, Telecommunications Act):
- if you are already a client, this is allowed with an opt-out (but should be for similar products/services)
- if not: opt-in (prior consent)
- also for corporates / business email addresses
For telephone marketing: obligation to offer/register customers in the “Bel-me-niet register”!
Page 23
E-marketing
Register your name in ‘het Grote Boek van Sinterklaas’ (the Big Book of Sinterklaas)!!! And let us know if you want Sinterklaas to contact you about ‘Pakjesavond’ by giving us your email address…
a) allowed?
b) not allowed?
Page 24
Online Behavioural Advertising
Page 25
Online behavioural advertising
‘OBA’: through cookies
‘Our website behaviour discloses who we are’
Detailed data/profiling, often without the website visitor noticing
Enables specific targeting of visitors
Current law: opt-out
New law: ‘informed consent’
Page 26
Online behavioural advertising
Consequences of the new law:
- user must be informed before a cookie is placed
- cookie statement via pop-up, not via browser settings (insufficient), but one-time-only
- do not hide the information: available via 1 click (2 is too many)
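As an added example (not from the slides), the consent gate a website needs in order to meet the rules above, in JavaScript: functional cookies are written immediately, tracking (OBA) cookies are held back until the visitor has seen the notice and agreed, and the decision is stored once so the notice is shown only one time. The cookie names and categories are assumptions, and the cookie jar is a plain object standing in for document.cookie so the code runs outside a browser.

```javascript
// Added example, not from the slides: consent-gated cookie handling.
// Cookie names and categories are assumptions; the jar is a plain object
// standing in for document.cookie so this runs in Node without a browser.
const CONSENT_COOKIE = "cookie_consent"; // stores the visitor's one-time decision
const FUNCTIONAL = "functional";         // strictly necessary, no consent needed
const TRACKING = "tracking";             // profiling / OBA, consent required first

class ConsentGatedCookieJar {
  constructor() {
    this.cookies = {};  // name -> value
    this.deferred = []; // tracking cookies requested before any decision
  }

  // The notice is shown only while no decision has been recorded (one-time-only).
  needsNotice() {
    return !(CONSENT_COOKIE in this.cookies);
  }

  hasTrackingConsent() {
    return this.cookies[CONSENT_COOKIE] === "accepted";
  }

  // Write a cookie, or hold it back if it needs consent the visitor has not given.
  // Returns true only if the cookie was actually placed.
  setCookie(name, value, category) {
    if (category !== FUNCTIONAL && category !== TRACKING) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category === FUNCTIONAL || this.hasTrackingConsent()) {
      this.cookies[name] = value;
      return true;
    }
    // No decision yet: queue the request for after acceptance; refused: drop it.
    if (this.needsNotice()) this.deferred.push({ name, value });
    return false;
  }

  // Record the visitor's decision once; flush queued tracking cookies on acceptance,
  // discard them on refusal. Returns how many queued cookies were affected.
  recordDecision(accepted) {
    this.cookies[CONSENT_COOKIE] = accepted ? "accepted" : "refused";
    const pending = this.deferred;
    this.deferred = [];
    if (accepted) for (const { name, value } of pending) this.cookies[name] = value;
    return pending.length;
  }
}

// A first visit: the session cookie is placed at once, the profiling cookie waits
// for the notice, and after the decision the notice is not needed again.
function demoFirstVisit(accept) {
  const jar = new ConsentGatedCookieJar();
  jar.setCookie("session", "abc123", FUNCTIONAL);
  jar.setCookie("oba_profile", "seg-42", TRACKING);
  const noticeShown = jar.needsNotice();
  jar.recordDecision(accept);
  return { noticeShown, noticeAgain: jar.needsNotice(), cookies: { ...jar.cookies } };
}

console.log(demoFirstVisit(true));
```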
Page 27
Data breaches
Draft amendment to the Data Protection Act introduces an obligation to:
- notify data subjects
- without undue delay
- of security breaches where there is a considerable risk of negative consequences for the private life and personal data of individuals
Unless appropriate technical measures have been taken as a result of which the personal data have been encrypted or otherwise made illegible
Obligation to also inform the authorities
Page 28
(Geo) Location Data
Unique MAC address + calculated location of a WiFi access point = personal data
1) infrastructure controller
2) provider of geolocation applications/services
3) OS developers of smart mobile devices
Often without the individual being aware
The Google Streetview case
Page 29
(Geo) Location Data
Page 30
(Geo) Location data
Page 31
(Geo) Location Data
Data protection issues:
- consent often inadequate, due to lack of clear information;
- limit scope/term of consent (reminders required);
- by default, location services must be switched off;
- device must continuously warn that geolocation is ‘on’;
- limited retention period for location data.
Page 32
Privacy at the workplace
Page 33
Privacy ‘at work’
Employees are entitled to some respect of their ‘privacy’ at work (the occasional personal phone call / private email etc.)
US: no privacy at work, all data generated through office devices is company owned
Page 34
Privacy ‘at work’: BYOD
Bring Your Own Device: employees using their own devices to access company data
- pro: increased flexibility to work from anywhere, increased productivity
- con: loss of control over security, access etc.
Solutions: a mix of technical and legal measures, training and desktop virtualisation
Page 35
The future of data protection: finally being taken seriously? (1)
On 25 January 2012 a draft proposal for a new EU Regulation on data protection was issued (replacing the current EU Directive)
This proposal introduces a number of additional requirements for data controllers, e.g.
- appointment of DPOs for companies with over 250 employees
- the principle of ‘accountability’: a company must be able to demonstrate its compliance with data protection requirements + adequate verification by independent auditors
- assigning proper responsibility for data protection, appropriate training of staff
Page 36
The future of data protection (2)
- ‘privacy by design’ and ‘privacy by default’: data protection must be built into processes/systems + mandatory PIAs
- huge administrative sanctions of up to 2% of the annual worldwide turnover of a company (e.g. for illegal transfers)
- introduces ‘the right to be forgotten’ and ‘the right to data portability’