Bracing up for GDPR

With the new EU General Data Protection Regulation ante portas, companies handling personal customer data throughout the EU are set to face a considerable operational challenge. In fact, the GDPR extends compliance requirements to both data controllers and processors and is oriented towards establishing a modern and uniform data protection framework across the EU, reinforcing individuals’ rights and introducing a number of “data governance” concepts, especially in the area of data security.

Companies eager to move proactively and prepare well ahead of May 2018 need to proceed with a series of steps, such as mapping their data, conducting a due diligence review and implementing a robust response plan in case of a data breach. Most importantly, they should redraft their privacy policies and nurture an inclusive personal data corporate culture, since conformity to the GDPR is expected to be an ongoing obligation, demanding constant adjustments and a more hands-on approach.

A controller’s responsibilities summarily comprise:

  • Carrying out data protection impact assessments (PIAs) when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
  • Assuring the effective protection of individuals’ rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities.
  • Duties towards the competent regulatory authority, such as consultation prior to processing and data breach notification. To this end, the appointment of a Data Protection Officer, who would mediate as a contact point – or a breakwater – between the company and the authority, could play a vital role in ensuring maximum compliance.

Finally, a processor of personal data is not exempt from the regulatory ambit of the GDPR and is therefore burdened with a number of responsibilities, including:

  • the pseudonymisation and encryption of the personal data processed on behalf of the controller,
  • the ability to ensure ongoing confidentiality, integrity and resilience of its processing systems and services,
  • the ability to restore access to personal data in a timely manner in the event of a malicious attack, or a physical incident, and
  • a process for regularly testing, assessing and evaluating the effectiveness of its technical and organizational systems, thus demonstrating that it puts every reasonable effort into safeguarding the security of processing.

Personal Data Protection in the Employment Context

The Article 29 Working Party has recently adopted Opinion 2/2017 on data processing at work. By elaborating nine hypothetical scenarios, the Opinion builds on Opinion 8/2001 and its 2002 Working Document on the surveillance of electronic communications in the workplace, and attempts to address other types of monitoring technologies such as cloud services, vehicle tracking, smart devices etc.

Over the last couple of years, these technologies, available at only a fraction of the former cost, have posed significant new challenges to privacy and data protection. As a result, Opinion 2/2017 now attempts to strike a new balance between the legitimate interests of employers and the reasonable privacy expectations of employees.

This balance is struck in light of the Data Protection Directive and the General Data Protection Regulation. The golden rules confirmed therein are the following:

  • employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
  • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
  • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
  • performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
  • employees should receive effective information about the monitoring that takes place; and
  • any international transfer of employee data should take place only where an adequate level of protection is ensured.

In its concluding remarks, Opinion 2/2017 stresses that data processing at work must be a proportionate response to the risks faced by an employer. Internet misuse, for example, can be detected without the necessity of analysing website content. If misuse can be prevented (e.g., by using web filters), the employer has no general right to monitor.

Furthermore, a blanket ban on communication for personal reasons is impractical, and enforcement may require a level of monitoring that may be disproportionate. Prevention should therefore be given much more weight than detection – the interests of the employer are better served by preventing internet misuse through technical means than by expending resources on detecting misuse.

With regard to data minimization, it is emphasized that the information registered from ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible. Employees, for example, should have the possibility to temporarily shut off location tracking, if justified by the circumstances. Employers, in turn, are required to take the principle of data minimization by design into account when deciding on the deployment of new technologies. The information should be stored for the minimum amount of time needed, with a retention period specified, and whenever it is no longer needed it should be deleted.

Hellenic Data Protection Authority rules on the “right to be forgotten”

Ulysses and His Companions in the Land of the Lotus-Eaters, etching and engraving by Theodoor van Thulden.

Following the path of Google v. Spain, whereby the European Court of Justice ruled that European citizens can request commercial search firms to remove links to information deemed “inaccurate, inadequate, irrelevant or excessive” for the purposes of data processing, the Hellenic Data Protection Authority issued Decision 83/2016, dealing with a similar case of Greek interest.

The Decision came after a licensed obstetrician complained to the Greek data protection watchdog about Google’s refusal to remove a link concerning a criminal conviction against him for child adoption fraud.

In its reply to the contested removal request, Google considered: (a) the relevance and truthfulness of the data, (b) the fact that the applicant was practicing a regulated profession as a physician, and (c) the severity of the crime for which he was sentenced and its relevance to his profession (proxy attempt at illegal adoption of a minor at gainful employment). The company’s reply read as follows:

“In this case it appears that the URL in question relates to matters of substantial interest to the public regarding your professional life. For example, this URL may be of interest to potential or current consumers, users, or participants of your services. Information about recent professions or businesses you were involved with may also be of interest to potential or current users, or participants of your services. Accordingly, the reference to this document in our search results for your name is justified by the interest of the general public in having access to it.”

Following the complaint, the Hellenic Data Protection Authority examined whether Google’s negative response had met the de-listing criteria provided by the Article 29 Working Party. Opining that the company had failed to do so, it ordered Google to remove the contested link on the ground that the data it linked to was inaccurate. The inaccuracy lay in the fact that the criminal conviction had been replaced – though not entirely overruled – by a milder sentence handed down by the court of appeal at a later time.

Decision 83/2016 may open the door to complaints of a similar nature before the Hellenic Data Protection Authority and heralds the liability of search engines in Greece, with regard to privacy, for the content they link to. Forthcoming jurisprudence by Greek courts is eagerly anticipated, as a balance should now be struck between a novel “right to be forgotten” and other fundamental rights, such as the freedom of expression and the freedom of the press.

Law in the Age of Big Data

The following opening paragraphs could be from any contemporary data privacy journal:

“The creation of advanced computer technology has resulted in jurists having to face a range of new and awkward problems. Through interlinking, copying and other automated data processing, modern technology has made it possible to collect, compare, and combine enormous amounts of data about every person. Also data that in and of itself is not secret can, through its currency, quantity and internal correlation, place the individual under the magnifying glass and expose much of his private life …”

What makes the quote unique, though, is that it was written back in 1978, well before the internet started impacting culture and commerce, by Professor Michael Bogdan of Lund University, and published in the Swedish law journal “Svensk Juristtidning”.

The article addresses the world’s first national data privacy law, that of Sweden, elaborating private international law issues stemming from the complexities surrounding dataflykt (‘data drain’ or ‘data flight’).

Since 1978, technological advancements in the field of data processing have been breathtaking, creating challenges that were previously contemplated only by sci-fi novelists. The legal discourse, however, has not managed to keep pace. The continued relevance of the article referred to above highlights, above all, that the law will never manage to keep up with the pace of technological developments. How far behind, however, should we accept it to be?

In the end, perhaps, it would be more meaningful if we distinguished between “legal thinking and knowledge” on the one hand, and “legal principles” on the other. Professor Bogdan’s 1978 article shows that academic commentary on the relevant legal issues was already at an advanced stage back then. Looking, however, at modern technological applications such as facial recognition or the Internet of Things, it is striking in how much detail the legal issues arising therefrom are analyzed by academia and the international legal community. Realizing this, we may arguably assume that legal thinking and knowledge, as such, is not necessarily always the tortoise while technology is the hare disappearing into the horizon.

The question here, as posed by Dr Christopher Kuner, Editor-in-Chief of the journal International Data Privacy Law, in an editorial note he published back in 2014, is how we can speed up this conversion of legal thinking and knowledge into appropriate legal principles and rules. This key challenge remains to be addressed.

Privacy Shield: stronger protection for transatlantic data flows

In the aftermath of the CJEU judgment in the Maximillian Schrems v Data Protection Commissioner case (Case C-362/14), and following the invalidation of the Safe Harbor in October 2015, the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic data transfers on Tuesday, 2 February 2016: the EU-U.S. Privacy Shield (IP/16/216).

The adoption procedure for the decision texts was finalized by the European Commission on 12 July 2016, after the relevant opinion of the Article 29 Working Party (national data protection authorities) and the European Parliament resolution of 26 May.

This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States and offers legal clarity for businesses relying on transatlantic data transfers. The Shield has been drafted, among other things, to further clarify the rules on bulk collection of data, strengthen the Ombudsperson mechanism, and set more explicit obligations on companies as regards limits on retention and onward transfers.

The EU-U.S. Privacy Shield summarily touches upon the following points:

  • Strong obligations on companies handling data: under the new arrangement, U.S. companies wishing to abide by the EU-U.S. Privacy Shield will be obliged to register in the Privacy Shield register and re-certify annually. Moreover, their privacy policies will have to be updated, so as to appropriately inform data subjects of their current access rights and the available recourse mechanisms. Especially for onward transfers to third-party service providers, companies will remain fully liable and will ensure that data processed by third parties enjoys the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: the U.S. has given the EU assurances that access by public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms. Notably, the U.S. Government has ruled out indiscriminate mass surveillance of personal data transferred to the U.S. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State. It is notable that on 24 February 2016 the Judicial Redress Act was signed. The Act permits EU data subjects to seek remedies for violations of their personal data against U.S. agencies in U.S. courts.
  • Effective redress mechanisms: any citizen who considers that their data has been misused shall benefit from several dispute resolution mechanisms. Ideally, the complaint shall be resolved by the company itself, or by an Alternative Dispute Resolution (ADR) process, the costs of which shall not be borne by the individual concerned. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibilities in the area of national security for EU citizens will be handled by an Ombudsperson independent from the U.S. intelligence services.

For further information, you can have a look at the EU-U.S. Privacy Shield fact-sheet, published by the European Commission in July 2016 [link], as well as the European Commission’s practical guide to the EU-U.S. Privacy Shield [link].