Historic Victory or False Dawn? Analysing the EU Data Protection Regulation Dr. David Erdos Trinity Hall University of Cambridge


Outline of Talk
Very much a first-look overview of the GDPR.

It will build towards two claims about the GDPR:
- It will enhance the EU's reputation for comprehensive safeguarding in the digital age.
- It will augment and entrench key problems:
  - over-breadth,
  - over-prescription,
  - poor balance with other rights,
  - gap with digital realities, etc.


Prescription vs. the Risk-Based Approach?
One discourse during GDPR drafting focused on a risk-based approach, and risk is referenced repeatedly.

However, these references almost invariably either:
- offer interpretations of already open-textured aspects, or
- are integrated into new duties within the GDPR.

Moreover, the GDPR also includes many new duties which take no account of divergent risks.


Data Protection Structure under GDPR
- Purposive & Material Scope
- Principles & Legitimation
- Sensitive Data Rules
- Transparency & Control Rules
- Discipline & Supervision
All subject to applicable exemptions and derogations.

GDPR and the Scope of Data Protection
Purposive Scope (A. 1)
Dual human rights & free movement objective, with:
- Greater emphasis on protective human rights.
- Replaces "in particular privacy" with "data protection".

General Material Scope (A. 2 & A. 5 (1))
- Breadth of the personal data definition is underscored (by reference to location data and online identifiers).
- Exemptions largely the same (e.g. only excluding purely personal or household activity).
N.B. The new DP Directive on Police & Justice is outside the scope of this seminar.


Principles (A. 5)
Generally the same but broadened and tightened:
- Removal of the reference to "data quality" in the title of the article.
- Addition of the integrity and confidentiality principle.
- Explicit reference to transparency in the first principle.
- "Non-excessiveness" replaced by a necessity criterion in the third principle.
- All the principles given short titles (e.g. "data minimization" for the principle that includes a reference to adequacy of data!).


Legitimation (A. 6)
Also similar but tightened:
- Legitimate interest ground not available to public authorities in the performance of their tasks.
- Legal obligations and public interest tasks explicitly require a proportionality analysis.
- Consent threshold raised, including reference inter alia to:
  - clear affirmative action (A. 4 (11)),
  - withdrawability (A. 7 (3)),
  - demonstrability (A. 7 (1)),
  - clearness and distinguishability if written (A. 7 (2)).


Sensitive Data (A. 9 & 10)
Definition is somewhat broadened:
- "Sex life" changed to "sex life and sexual orientation".
- Addition of genetic data, and of biometric data "in order to uniquely identify a person".
Vires remain about the same overall:
- States may introduce further limitations regarding genetic data, biometric data or health data, but lose the ability to do so re: administrative sanctions and civil judgments.
- Threshold for explicit consent vires clearly raised.
- Steer towards making a limited derogation compulsory re: archiving (in the public interest), research and statistics.


Transparency & Control Provisions
Area of much more dramatic change.

Can be linked to the emphasis on putting individuals "in control" of their data by key actors in the GDPR process.

- Shift to a much more prescriptive approach, especially as regards proactive transparency (aka privacy notices).
- Some significant changes also regarding control rights.
- Less change apparent as regards retrospective transparency (aka subject access).


Proactive Direct Transparency (A. 13)


Proactive Indirect Transparency (A. 14)


Proactive Specifications & Exemptions
Specifications:
- When to provide if direct: at the time of collection.
- When to provide if indirect: within a reasonable period / 1 month / when communicating with the subject / when disclosing to another recipient.
- Change of purpose: must give a new notification of this.

Limitations:
- Direct: if the subject already has the information.
- Indirect: as above, plus where provision is impossible or would involve disproportionate effort, but only if appropriate [protection] measures are taken, including making the information publicly available.


Control Rights (& Controller Duties)

Controller duty to notify recipients? Applies, with caveats, alongside the rectification, erasure/RtbF and restriction rights.


Retroactive Transparency (A. 15)
Much of the law remains unaltered here.

However, there is a new duty to provide information on:
- the criteria for the storage period,
- control rights,
- the right to complain to the DPA,
- appropriate safeguards re: data exports.

New duty to provide a copy of the data, in electronic form if the request was electronic, but stated that this "shall not adversely affect the rights and freedoms of others".


GDPR Discipline Provisions
- Security and Integrity Duties
- Registration Duties
- Transborder Data Flow Duties


Security and Integrity: Overview
"[A]ppropriate technical and organizational measures" re: data security repackaged in the new law (A. 32).

Added to this, relatively open-textured new duties:
- Measures to ensure & demonstrate compliance (A. 24)
- Requirement for DP by design and by default (A. 25)

In addition, much more prescriptive new duties, incl.:
- Data breach documentation & notification (A. 33-4)
- Arrangements to discipline data processors (esp. A. 28 (3))


Personal Data Breach Rules (A. 33-4)
- Communication to the data subject required if likely high risk (or an equally effective communication if disproportionate effort).
- Notification to the DPA unless unlikely to result in a risk.
- Requirement to document any personal data breaches [incl. facts, effects & remedial action] (must enable the DPA to verify compliance with the DPA notification requirement).

"Personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (A. 4 (12)) (see also Art. 6 (f) re: appropriate security principle).


Processor Written Act Requirements (A. 28 (3))


Processor: New Direct Duties
- Must communicate a personal data breach without undue delay to the controller (A. 33 (2)).
- Must cooperate on request with the DPA (A. 31).
- Unless exempt, must establish a DP Officer (A. 37-9).
- Must register processing (A. 30 (2)).


Controller Registration Duties (A. 30)


Registration Duties: Further Details
Accessibility (A. 30 (4)): to the DPA on request.

Exemptions: any enterprise/organization with fewer than 250 employees, unless:
- there is a likely risk to the rights and freedoms of data subjects, or
- the processing is not occasional, or
- the processing includes sensitive data.

Additionally, requirements in some cases for:
- establishment of a Data Protection Officer, and
- an impact assessment (and even consultation with the DPA).


DP Impact Assessments (A. 35-6)
Required for any likely high-risk activity, including:
- Automated, systematic and extensive evaluation of personal aspects which significantly affects the individual, e.g. by producing legal effects.
- Large-scale processing of sensitive data.
- Large-scale systematic monitoring of a publicly accessible area.
DPA to create a list of such activities (and may have a list where n/a), subject to the consistency mechanism.
Prior DPA consultation: when high risk is present in the absence of measures taken by the controller to mitigate it.

Transborder Data Flow Rules (Ch. V)


DPA Supervision: 20M/4% & 10M/2%
Personal Data Processing:
- DP Principles: fair, lawful, transparent; purpose quality & limits; information quality & limits; integrity & confidentiality.
- Legitimation: legitimating criteria; sensitive data; criminal data; other data.
- Transparency & Control: proactive direct; proactive indirect; retroactive; control rights.
- Discipline: demonstrate compliance; security; DP by design & default; joint controllers; personal data breaches; processor engagement; record keeping; DP Officer; impact assessment; export control.

DPA Cooperation and Consistency
Lead DPA where Main Establishment (A. 56): essentially the place of central administration of the controller, or where binding decisions are taken if elsewhere (A. 4 (16)).

Concerned DPAs: wide nexus for this, such that most could qualify if there is a cross-border element (A. 4 (22)).

Complex interactions (A. 60-62; 65):
- Mutual assistance & conduct of joint operations.
- Consultation on decisions.
- Ultimately the European Data Protection Board may issue an Opinion and even a binding Decision.

National Derogations: Expression (A. 85)

Article 85 (1): "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information".
"For the processing of personal data carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations ... if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information."
Article 85 (3) requires notification to the Commission to be provided (& updates).
Recital 153: "necessary for the purpose of balancing these fundamental rights".

General Derogations Scope: Art. 9 (g), 10 & 23


General Derogations: Standard Tests (A. 23)
- Must be necessary and proportionate.
- Must respect the essence of the rights restricted.
- Must be a legislative measure.
- Measure must be for a specified purpose.
- Must contain specific provisions on a range of matters (in so far as relevant).


Standard Gen. Derogs: Specific Provisions


Conclusions: GDPR and Continuity
The GDPR has a strong family resemblance with the existing Directive, leading to similar strengths and weaknesses:

Positives:
- Theoretically strong safeguarding of subject rights.
- Theoretically near-comprehensive protection.
- Raises awareness of the need for some control regarding new technology.
- (Theoretically) harmonized across the EU.

Negatives:
- Unclear goals.
- Poor fit with liberal freedoms.
- Red tape and unbalanced stipulations.
- Huge gap with practical realities.
- Inconsistent approach between EU countries.


Conclusions: GDPR and Change
- Change under the GDPR will be considerable.
- This may enhance the positives in the European data protection approach.
- However, it seems likely to mean that the pathologies here will reach new heights.
- The constructive agenda must be to mitigate and even reverse this by developing a contextual interpretation & implementation of the GDPR.
- Even further ahead, one could seek to develop a contextual legal model as an alternative to the GDPR model.