The Looming Privacy Rights Debacle: How EU Data Protection Law Will Shape Future Incident Response Team Activities Around The World
Thomas Daemen, FIRST Conference 2005

Overview
I. The EU Data Protection Regime
II. EU Data Protection Law and Security Investigations
III. Ramifications of EU Regulatory Control
IV. Conclusions

I. The EU Data Protection Regime

EU Data Protection Regime: Data Protection Directive
Framework Directive (Directive 95/46/EC) adopted in 1995
– Established the overall groundwork
– Transposed into national laws
– Supplemented by numerous additional laws and administrative rules
Primary functions
– Impose basic obligations on those controlling data, e.g. obligations of fair and lawful processing, purpose limitation, relevance, accuracy, retention and security
– Vest rights in data subjects, e.g. rights of access and modification

EU Data Protection Regime: Jurisdiction
Threshold question: does the regulation apply to the activity at issue?
The Framework Directive provides two possible answers
– Article 4.1(a): the law applies in the context of activities … on the territory
– Article 4.1(c): the law applies if someone make[s] use of equipment … on the territory
Note that Article 4.1(c) reaches controllers with no establishment in the EU at all: a response team based outside Europe can still fall within scope merely by using equipment located on a Member State's territory.
Case study: Hewlett-Packard ruling

EU Data Protection Regime: Enforcement
[Slide graphic: comparison of EU and US enforcement structures, national and sub-national]
National Data Protection Authorities (DPAs) can:
– Investigate
– Intervene
– Sanction
Private right of action
– Rarely exercised; seemingly limited to celebrity claimants
– Must demonstrate actual harm/damage

II. EU Data Protection Law and Security Investigations

Law and Investigations Overview: The Emerging Debate
Public sector arguments in favor of regulatory oversight
– Response team processing of personal data
– Response team processing of "judicial data"
The private sector response
– IP addresses are impersonal in nature
– Overly broad interpretations of "judicial data" are incorrect

Public Sector Arguments: Processing of Personal Data
Framework Directive language, Article 2
– [Personal data are] "any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number …"
Broad definition, broader interpretation
Article 29 Working Party
– Represents the DPAs of all 25 EU Member States (as of 2005)
– Opines on new technologies and developments

Public Sector Arguments: Processing of Personal Data
Nov. Working Document on Privacy on the Internet
– IP addresses may constitute personal data
May 2002 Opinion on IPv6
– IP addresses attributed to internet users are personal data and are protected by EU [privacy law]
Note: IP addresses qualify as personal data even if not immediately linked to specific individuals. For a response team this means that logs, packet captures and incident reports containing source IP addresses are treated as personal data from the moment they are collected, not only once a user is actually named.

Public Sector Arguments: Processing of "Judicial Data"
Framework Directive language, Article 8.5
– "Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority" (the article goes on to allow such processing where suitable specific safeguards are provided under national law)
Subject to considerable debate
Article 29 Working Party and national authorities uncertain about meaning/impact

Public Sector Arguments: Processing of "Judicial Data"
Example 1: Belgian DPA IFPI ruling (2001)
– IFPI collected IP addresses, notified police, advised ISPs and sought letter notification
– Note: IFPI did not identify the individuals behind the IP addresses
– Activities rejected under Belgian data protection/telecom law:
  IP addresses are personal data even without identification
  Processing of IP addresses for potential legal claims = judicial processing, limited to police authorities
  IFPI could only process pseudonyms and download date/hour

Public Sector Arguments: Processing of "Judicial Data"
Example 2: Article 29 Working Party Working Paper on On-Line Enforcement (2005)
– Article 8 requires special protections for judicial data
– Monitoring on-line activity/IP addresses for misconduct falls within the competence of judicial authorities

Private Sector Response: IP Addresses are Impersonal
Industry calls for a fundamental reassessment of the concept that IP addresses constitute protected personal data
No legal, public policy or technical rationale
– The Directive is silent on IP addresses
– Limiting response teams = bad public policy
– IP addresses are technologically neutral

Private Sector Response: Overly Broad Interpretations are Incorrect
Art. 8.5 refers only to criminal records
Text and legislative history are very specific: no basis for expansive interpretations
DPA interpretations are inconsistent: consider the Article 29 Working Party Guidelines for Terminated Merchants Databases (2005)
– Conditions for merchants' cross-border databases
– Working Party: not judicial data, but objective facts
– How to reconcile this with the enforcement paper?
Safeguards are adequate

III. Ramifications of EU Regulatory Control

Data Processing Limitations
The Directive includes broad processing limitations
Limitations depend on the nature of the data and the jurisdiction
General obligations
– Notify national privacy regulators
– Obtain processing approval
– Inform data subjects

Data Transfer Limitations
Article 25 limits transfers to countries with adequate protections
The EU regularly conducts adequacy determinations (status as of 2005)
– Adequate (examples): Switzerland, Argentina
– Not adequate: United States
Possible solutions
– EU/US Safe Harbor Agreement
– Unambiguous consent of the data subject
– Data transfer agreement (e.g. one based on the Commission's standard contractual clauses)

IV. Conclusions

Summary and Call to Action
1) Incident response teams do not operate in a regulatory or political vacuum
2) Policymakers have heeded the public's call for privacy; more, not less, regulatory intervention is expected
3) Response teams must do the same or face increased scrutiny
4) These are not academic debates
– Real and far-reaching consequences
– Reallocation of valuable time and resources
5) This is the time to be heard

Thank you