General Data Protection Regulation – analysis of impacts

Presentation transcript:

General Data Protection Regulation – analysis of impacts
Breffni Martin, Regintel Ltd

Historical background
- Data protection = right to privacy
- Census data use in WWII: ethnic and religious data
- 1960s: computational power
- 1960s – 1983: development of concepts
- 1968: international discussion on a data protection law – United Nations International Conference on Human Rights
- Subsequently Article 8 of the ECHR: right to "private and family life, his home and his correspondence"
- Broad interpretation by the ECJ

Contents
- Data protection background
- Data protection directive
- Interpretation and implementation
- Key-coding, pseudo-anonymisation and personal data
- Cloud computing
- General Data Protection Regulation
- Timetable
- Process
- Key-coded data issues
- Analysis of possible impacts on cloud computing
- Conclusion

Directive
- Enacted 1995
- Promulgated/integrated 1998
- Pre-existing national legislation

Principles
- Notice: data subjects should be given notice when their data is being collected
- Purpose: data should only be used for the purpose stated and not for any other purposes
- Consent: data should not be disclosed without the data subject's consent
- Security: collected data should be kept secure from any potential abuses
- Disclosure: data subjects should be informed as to who is collecting their data
- Access: data subjects should be allowed to access their data and make corrections to any inaccurate data
- Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles

Implementation
- Different for each member state
- Underpinning pre-existing privacy legislation
- DPAs – supervisory authorities
- Other regulatory agencies (e.g. CNAM)

GDPR main provisions
- Harmonisation: single set of and single DPA (location of DC?)
- Extends the scope of EU data protection to all foreign companies processing EU residents' data
- Data Protection Officer (DPO) needed
- Notice requirements: retention time for personal data and contact information for the data controller and data protection officer
- Privacy by design
- Default setting most conservative
- Data Protection Impact Assessments
- Valid consent must be explicit for the data collected and the purposes for which the data are used
- Data controllers must be able to prove "consent" (opt-in), and consent may be withdrawn
- Breaches: notify the DPA without undue delay, and the data subject if there is an adverse impact
- Sanctions increased – audits
- Right to erasure
- Portability of data – usable format

Personal Data in the EU
Definition: "'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." (Art. 2(a) of the Directive)
Encoding, anonymising, pseudonymising etc.???

Where Encoded = Personal
The laws in most of the Member States which have implemented the Directive define the concept of "personal data" substantially in accordance with the (basic) definition in the Directive, set out above: Belgium, Denmark, Finland, Germany, Greece, the Netherlands, Portugal, Spain, Sweden and the UK (Ireland).
- Sound and image data: Portugal, Luxembourg and France + Denmark
- Legal persons: Austria, Italy and Luxembourg
- Detailed rules on fully-identifiable, encoded (pseudonymised) and fully-anonymised data: Belgium
- Encoded or pseudonymised data are to be regarded as "personal" with regard to a person who has access to both the data and the key: Austria, Germany, Greece, the Netherlands and the UK make clear that, in those countries,

Timeline
- January 2012: EC Vice-President, Commissioner Viviane Reding, published proposals to reform European data protection rules. This included a draft revised Data Protection Regulation.
- May 2012: European Parliament committees began an exchange of views on the draft revised Data Protection Regulation.
- July 2012: The first European Parliament working document was produced by lead rapporteur MEP Jan Philipp Albrecht of the LIBE committee.
- October-November 2012: The European Parliament led an inter-parliamentary hearing with national parliaments.
- January 2013: A draft report and mark-up of the proposed regulation, based on earlier working documents, was released by Jan Philipp Albrecht.
- March 2013: Opinions on Albrecht's report and revised draft due from all other European Parliament advisory committees.
- Autumn 2013: Informal negotiations between the European Parliament and the Council of the European Union. In October the LIBE Committee voted on a compromise text.
- March 2014: The EU Parliament held a plenary vote in first reading of the draft Regulation and adopted the LIBE Committee's compromise text.
- May 2014: The Council met and produced a report. It reached a partial general approach on specific articles of the GDPR and held an orientation debate on the "one stop shop" mechanism.
- October 2014: The Council reached a partial general approach on Chapter IV of the GDPR.
- 2014/Spring 2015: The Council will continue to work at a technical level. Negotiation on the proposed text between the Council and the European Parliament will start when the Council is ready.
- Early 2016: Possible agreement on the draft Regulation.
- 2018: Revised Data Protection Framework is expected to come into force.

Current Status
- European Parliament has adopted the draft legislation, following its first reading
- The vote does not mean that the GDPR has finally passed the European Parliament
- Before it is finally approved, the text will need to be agreed through tripartite discussions between the European Parliament's representatives, the Commission and the Council

GDPR questions
- How are key-coded, pseudo-anonymised and anonymised data defined?
- Is key-coded or pseudo-anonymised data treated as personal data? If so, what are the implications for cloud computing?
- Who is regulated, where and how?
- How will EU residents' non-EU data be protected and regulated?

GDPR Preamble 23
"The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable."

Key-coding/pseudo-anonymisation
The EU Parliament IMCO Committee has adopted an appropriate definition of pseudonymous data in its final Opinion (Amendments 59 and 61) – also tabled by the EPP Group in LIBE Committee – which reads as follows:
"Pseudonymous data means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organizational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort."

Cloud Impacts
- Key-coded data likely to be defined as personal
- Increased controls
- DPO
- Procedures
- Impact studies
- Regulatory burden
- Transfer / export of data
- Ex-jurisdiction data
- New treaties?

European Privacy Advisory Group (EPAG) Suggestions:
- The right of access, right to rectification, right to be forgotten and right to data portability should not be applicable where solely key-coded data are processed, as they would require the controller to re-identify the individual from which the data was originally derived, and thus themselves lead to data protection risks;
- The obligation to communicate a personal data breach to the data subject should not apply where the data have been key-coded and where the risk of re-identification is low;
- The processing of personal data to render it pseudonymous or key-coded should be considered as a legitimate interest of the data controller;
- Where consent is required to process personal data and these data have been key-coded, there should be more flexibility regarding the legal basis for their processing;
- The documentation obligations for controllers and processors should be adjusted where products and services are offered mainly on the basis of key-coded data and the organization abides by self-regulatory standards; and
- The use of key-coded data should be promoted as an element of privacy-by-design.
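The following is an added worked example, not code from the slides, the IMCO opinion or EPAG. It shows in code what the pseudonymous-data definition above and the EPAG points about re-identification mean in practice: direct identifiers are replaced by a code, the code-to-identity key table is the "additional data" that must be held under separate controls, and re-identification (or a breach of the key-coded set alone) cannot attribute a record to a person without that key. The field names, the constructed sample records and the HMAC-based coding scheme are assumptions made for the example.

```python
"""Key-coding (pseudonymisation) of a small record set, as an illustration.

Records are split into (a) key-coded data carrying no direct identifiers and
(b) a key table mapping code -> identifiers.  The key table and the MAC secret
are the 'additional data' that must sit under separate technical and
organisational controls.  Field names and records are constructed for the
example and do not describe any real data subject.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Assumed field names: which columns count as direct identifiers.
DIRECT_IDENTIFIERS = ("name", "email", "patient_id")

# Constructed sample input (two subjects, one of them with two records).
SAMPLE_RECORDS: List[dict] = [
    {"name": "Alice Example", "email": "alice@example.org", "patient_id": "P-0001",
     "diagnosis": "asthma", "year_of_birth": 1984},
    {"name": "Bob Example", "email": "bob@example.org", "patient_id": "P-0002",
     "diagnosis": "diabetes", "year_of_birth": 1971},
    {"name": "Alice Example", "email": "alice@example.org", "patient_id": "P-0001",
     "diagnosis": "eczema", "year_of_birth": 1984},
]


def make_code(secret: bytes, patient_id: str) -> str:
    """Pseudonym for one subject: keyed HMAC-SHA256 over the stable identifier.

    A keyed MAC rather than a plain hash is used because identifiers such as
    patient numbers have little entropy: a plain hash could be reversed by
    hashing every candidate number, so the secret is what keeps the coded
    set non-attributable on its own.  Truncated to 128 bits for readability.
    """
    return hmac.new(secret, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def key_code_dataset(records: List[dict], secret: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Return (key-coded records, key table).

    The coded records keep only indirect/attribute fields plus the code; the
    key table is the only place the identifiers survive.
    """
    coded: List[dict] = []
    key_table: Dict[str, dict] = {}
    for rec in records:
        code = make_code(secret, rec["patient_id"])
        key_table[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        attributes = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded.append({"code": code, **attributes})
    return coded, key_table


def contains_direct_identifiers(coded_records: List[dict], original_records: List[dict]) -> bool:
    """Leak check: does any original identifier value survive in the coded output?"""
    ident_values = {str(r[f]) for r in original_records for f in DIRECT_IDENTIFIERS}
    return any(str(v) in ident_values for rec in coded_records for v in rec.values())


def can_re_identify(coded_record: dict, key_table: Dict[str, dict]) -> bool:
    """Attribution to a person is possible only if the code is in the key table."""
    return coded_record["code"] in key_table


def re_identify(coded_record: dict, key_table: Dict[str, dict]) -> dict:
    """Rejoin identifiers to a coded record; raises LookupError without the key table entry."""
    if not can_re_identify(coded_record, key_table):
        raise LookupError("code not in key table: record cannot be attributed")
    attributes = {k: v for k, v in coded_record.items() if k != "code"}
    return {**key_table[coded_record["code"]], **attributes}


if __name__ == "__main__":
    # The secret is generated per project; a different secret yields different
    # codes, so two projects' coded sets cannot be linked without both secrets.
    project_secret = secrets.token_bytes(32)
    coded, key_table = key_code_dataset(SAMPLE_RECORDS, project_secret)
    for rec in coded:
        print(rec)
    print("identifier leak:", contains_direct_identifiers(coded, SAMPLE_RECORDS))
    print("re-identified with key:", re_identify(coded[0], key_table))
    print("re-identifiable without key:", can_re_identify(coded[0], {}))
```

Within one project the same subject always receives the same code, so the two Alice records remain linkable for analysis, while a coded set that reaches a processor (for example a cloud provider) without the key table and secret satisfies the "cannot be attributed ... without the use of additional data" test in the definition above.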

References
- Linklaters
- Privireal/ethics web
- Data Protection Directive and Medical Research across Europe, Ashgate 2004
- European Privacy Advisory Group