Presentation is loading. Please wait.

Presentation is loading. Please wait.

General Data Protection Regulation – analysis of impacts

Published byEvan Norris Modified over 7 years ago

Similar presentations

Presentation on theme: "General Data Protection Regulation – analysis of impacts"— Presentation transcript:

1 General Data Protection Regulation – analysis of impacts
Breffni Martin Regintel ltd

2 Historical background
Data protection = right to privacy Census data use in WWII Ethnic and religious data 1960s: - computational power 1960s – 1983: development of concepts 1968: international discussion on a data protection law - United Nations International Conference on Human Rights Subsequently Article 8 of the ECHR right to "private and family life, his home and his correspondence," Broad interpretation by the ECJ

3 Contents Data protection background Data protection directive
Interpretation and implementation Key-coding, pseudo-anonymisation and personal data Cloud computing General Data Protection Regulation Timetable Process Key-coded data issues Analysis of possible impacts on cloud computing Conclusion

4 Directive Enacted 1995 Promulgated/integrated 1998
Pre-existing national legislation

5 Principles Notice—data subjects should be given notice when their data is being collected Purpose—data should only be used for the purpose stated and not for any other purposes Consent—data should not be disclosed without the data subject’s consent Security—collected data should be kept secure from any potential abuses Disclosure—data subjects should be informed as to who is collecting their data Access—data subjects should be allowed to access their data and make corrections to any inaccurate data Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

6 Implementation Different for each member state
Underpinning pre-existing privacy legislation DPAs – supervisory authorities Other regulatory agencies (eg CNAM)

7

8 GDPR Main provisions Harmonisation: single set of and single DPA (location of DC?) Extends scope EU data protection to all foreign companies processing EU residents data Data Protection Officer (DPO) needed Notice requirements: retention time for personal data and contact information for data controller and data protection officer Privacy by design Default setting most conservative Data Protection Impact Assessments Valid consent must be explicit for data collected and purposes data used Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn Breaches: notify the DPA without undue delay and subject if adverse impact Sanctions increased – audits Right to erasure Portability of date – usable format

9 Personal Data in the EU Definition
“'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” (Art. 2(a) of the Directive) Encoding, anaoymising, pseudoanonymising etc???

10 Where Encoded = Personal
The laws in most of the Member States which have implemented the Directive define the concept of “personal data” substantially in accordance with the (basic) definition in the Directive, set out above: Belgium, Denmark, Finland, Germany, Greece, the Netherlands, Portugal, Spain, Sweden and the UK (Ireland). Sound and image data: Portugal, Luxembourg and France + Denmark Legal persons: Austria, Italy and Luxembourg Detailed rules on fully-identifiable-, encoded- (pseudonymised-) and fully-anonymised data: Belgium Encoded or pseudonymised data are to be regarded as “personal” with regard to a person who has access to both the data and the key: Austria, Germany, Greece, the Netherlands and the UK make clear that, in those countries,

11 ​Possible agreement on the draft Regulation.
Timeline January 2012 ​ EC Vice-President, Commissioner Viviane Reding, published proposals to reform European data protection rules. This included a draft revised Data Protection Regulation.​ May 2012 European Parliament committees began an exchange of views on the draft revised Data Protection Regulation. July 2012 The first European Parliament working document was produced by lead rapporteur - MEP Jan Philipp Albrecht of the LIBE committee. October-November 2012 The European Parliament led an inter-parliamentary hearing with national parliaments. January 2013 A draft report and mark-up of the proposed regulation, based on earlier working documents, was released by Jan Philipp Albrecht. March 2013 Opinions on Albrecht's report and revised draft due from all other European Parliament advisory committees. Autumn 2013 Informal negotiations between the European Parliament and the Council of the European Union. In October the LIBE Committee voted on a compromise text. March 2014 The EU Parliament ran a plenary vote in first reading of the draft Regulation. and adopted the LIBE Committee's compromise text. May 2014 The Council met and produced a report. They reached a partial general approach on specific articles of the GDPR and held an orientation debate on the "one stop shop" mechanism. October 2014 The Council reached a partial general approach on Chapter IV of the GDPR 2014/ Spring 2015​ The Council will continue to work at a technical level. Negotiation on the proposed text between the Council and the European Parliament will start when the Council is ready. ​Early 2016 ​Possible agreement on the draft Regulation. ​2018 ​Revised Data Protection Framework is expected to come into force.

12 Current Status European Parliament has adopted the draft legislation, following its first reading Vote does not mean that the GDPR has finally passed the European Parliament. Before it is finally approved the text will need to be agreed through tripartite discussions between the European Parliament's representatives, the Commission and the Council

13 GDPR questions How are key-coded, pseudo-anonymised and anonymised data defined? Is key-coded or pseudo-anonymised data treated as personal data? If so what are the implications for cloud computing? Who is regulated, where and how? How will EU residents non-EU data be protected and regulated?

14 GDPR Preamble 23 The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

15 Key-coding/pseudo-anonymisation
The EU Parliament IMCO Committee has adopted an appropriate definition of pseudonymous data in its final Opinion (Amendments 59 and 61) – also tabled by the EPP Group in LIBE Committee – which reads as follows: “Pseudonymous data means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organizational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort.”

16 Cloud Impacts Key coded data likely to be defined as personal
Increased controls DPO Procedures Impacts sutdies Regulatory burden Transfer / export of data Ex-jurisdiction data New treaties?

17 European Privacy Advisory Group (EPAG)
Suggestions: The right of access, right to rectification, right to be forgotten and right to data portability should not be applicable where solely key-coded data are processed, as they would require the controller to re-identify the individual from which the data was originally derived, and thus themselves lead to data protection risks; The obligation to communicate a personal data breach to the data subject should not apply where the data have been key-coded and where the risk of re-identification is low; The processing of personal data to render it pseudonymous or key-coded should be considered as a legitimate interest of the data controller; Where consent is required to process personal data and these data have been key-coded, there should be more flexibility regarding the legal basis for their processing; The documentation obligations for controllers and processors should be adjusted where products and services are offered mainly on the basis of key-coded data and the organization abides by self-regulatory standards; and The use of key-coded data should be promoted as an element of privacy-by-design.

18 References Linklaters Privireal/ethics web
Data Protection Directive and Medical Research across Europe – Ashgate 2004 European Privacy Advisory Group

Download ppt "General Data Protection Regulation – analysis of impacts"

Similar presentations

DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
The European Data Protection Regulation and research Graham Love Chief Executive Health Research Board 1.

The European Data Protection Regulation and research Graham Love Chief Executive Health Research Board 1.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
An introduction to the EU and its legislation. Member States currently 15 –Austria- Ireland –Belgium- Luxembourg –Denmark- Netherlands –Finland- Portugal.

An introduction to the EU and its legislation. Member States currently 15 –Austria- Ireland –Belgium- Luxembourg –Denmark- Netherlands –Finland- Portugal.
Data Protection Overview

Data Protection Overview
EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.

EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.
Data Protection Act AS Module 1 10.8 Heathcote Ch. 12.

Data Protection Act AS Module Heathcote Ch. 12.
IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.

IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.
September 2002 1 Lobbying for health in the EU Andrew Hayes UICC/ECL EU Liaison Office Brussels.

September Lobbying for health in the EU Andrew Hayes UICC/ECL EU Liaison Office Brussels.
©2012 Morrison & Foerster (UK) LLP | All Rights Reserved | mofo.com Data Protection Masterclass: The New Draft EU Data Protection Regulation 19 September.

©2012 Morrison & Foerster (UK) LLP | All Rights Reserved | mofo.com Data Protection Masterclass: The New Draft EU Data Protection Regulation 19 September.
The EU Directive on Services in the internal market, COM(2004) 2 final/3 Agnese Knabe Project coordinator European Public Health Alliance Civic Alliance.

The EU Directive on "Services in the internal market", COM(2004) 2 final/3 Agnese Knabe Project coordinator European Public Health Alliance Civic Alliance.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
František Nonnemann Skopje, 10th October 2012 JHA 48785 Data protection and re-use of PSI as a tool for public control–CZ approach.

František Nonnemann Skopje, 10th October 2012 JHA Data protection and re-use of PSI as a tool for public control–CZ approach.
Brussels Privacy Symposium on Identifiability

Brussels Privacy Symposium on Identifiability
General Data Protection Regulations: The Key Changes

General Data Protection Regulations: The Key Changes
Brussels Privacy Symposium on Identifiability

Brussels Privacy Symposium on Identifiability
The Citizen in the centre in EU, Bratislava November,2005

The Citizen in the centre in EU, Bratislava November,2005
GDPR (General Data Protection Regulation)

GDPR (General Data Protection Regulation)

Similar presentations

Ads by Google