The legal aspects of data protection (jhh/secsem/2012/wisman.pdf)


The legal aspects of data protection

17 February 2012, Radboud University of Nijmegen

Nynke Wisman, Attorney-at-law at NWLS

PlayStation Network security breach will cost Sony much more than money

Zappos security breach: Your data hacked?

Have you seen the headlines?

Privacy: doing the right thing?

When you register for our online newsletter, we may use your data to send you marketing information. This is a) allowed or b) not allowed?

When you visit our website, we place cookies on your computer to improve the website performance and to show ads that may be of interest to you. This is a) allowed or b) not allowed?

After the huge data breach incident with PlayStation, Sony was criticised mostly for: a) not having informed the relevant persons in a timely manner, or b) not having adequate security measures in place?

Privacy: doing the right thing?

What was the biggest downside of the Sony PS security incident according to hackers?

a) tighter security measures were being implemented b) the price of stolen credit cards would decrease from approx $5-10 to $1-2.

What was the outcome of the Google Streetview case: a) Google must refrain from collecting information re WiFi routers, or b) Google must provide an opt-out to users of WiFi routers?

Today’s topics

“Data Protection”: protecting personal data from a legal perspective

An introduction to the legal requirements on 'data protection':

- What is it: the basics of data protection, the Privacy Principles

- What you should and should not do with personal data

- When and where does it apply

Some specific topics: 'the cloud', the Patriot Act, spam, cookies, data leakage, geolocation data, Google, smart meters …

The future of ‘data protection’

What do you consider ‘personal’?

Name?

Phone number?

Websites you visit?

Credit card number?

Passport number?

Your nationality?

Medical information?

Photos? Number plates? IP addresses? Cookies?

Etc.?

European Commission: 'brave new data world'

Attitudes towards data protection:

- 60% of Europeans who use the internet (40% of all EU citizens) shop or sell things online and use social networking sites

- Over 75% consider financial information, medical information and national identity or passport numbers 'personal data'

- 'Only' 46% consider their name 'personal' and only 25% think the websites they visited are 'personal'

- 70% are concerned about the use of their data and the control they have over the data

Source: Special Eurobarometer 359, Attitudes on Data Protection and Electronic Identity in the European Union, June 2011

Data Protection – the basics

Terms used:

Personal Data: any data relating to an identifiable individual (natural person)

Data Subject: consumers, clients, vendors, website visitors, 'friends', contact persons, one-man businesses, employees, job applicants, prospects → all individuals

Data Controller: the responsible party that determines the means and purposes of the processing of personal data

Data Processor: a party that processes personal data on behalf of the data controller

Privacy Principles

1. Collect data only for specified and explicit purposes

- e.g. client data for assessing and accepting clients, delivering services, and for preventing, tracing and defending against fraud

- e.g. employee data for performance of the employment contract (salary payment, appraisals etc.) and for providing authorisation and maintaining security within the company

2. You need a ground for processing:

- consent

- performance of a contract

- compliance with a legal obligation

- your legitimate interests

3. Further processing is allowed only for purposes 'not incompatible' with the initial purposes

Privacy Principles (Cont’d)

4. Only process relevant data, keep the data up-to-date and accurate, and retain it only as long as needed

- do not collect more data than needed

- review the accuracy regularly

- have retention policies in place

5. Give access only on a need-to-know principle

- authorise users individually for systems or files holding personal data

- limit to those persons that have a valid reason for accessing the data

Privacy Principles (Cont’d)

6. Take appropriate technical and organisational security measures to prevent unlawful/unauthorised access

- PET (privacy-enhancing technologies), access control + monitoring

- must be state of the art

- taking into account the nature of the data

7. Do not process sensitive data unless permitted by law

- medical data, biometric data, data re race or ethnic origin, sexual orientation etc.

Privacy Principles (Cont’d)

8. Be transparent to individuals about processing of their data and provide opportunity to view and correct data

- use privacy statements

- notify the processing to the Data Protection Authority

9. The accountability principle

- responsibility for appropriate measures for the privacy principles to be effective in practice

- to make sure these are complied with

International data transfers

Privacy and ‘the cloud’

Personal data in the cloud (private/ public /community/ hybrid or ‘Rijkscloud’)

Where is your data?

Is your data secure; how do you know?

Privacy and ‘the cloud’

US research shows:

- cloud providers do not view security as a competitive advantage

- security is the customer's responsibility

- main drivers for customers: 'lower costs' and 'faster deployment'

- cloud providers think improved security/compliance are unlikely reasons for choosing cloud services

Privacy in 'the cloud'

Obligation to retain records, versus typical cloud terms:

- "you are responsible for backing up the data that you store on the service"

- "we have no obligation to return data to you after the service is suspended or cancelled"

Personal data transfers:

- "As part of providing the Services, Supplier may transfer, store and process customer data in … any other country in which supplier or its agents maintain facilities"

Privacy and ‘the cloud’

US Patriot Act: "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism"

Dropbox, T&C's:

- "We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to … comply with a law, regulation or compulsory legal request. … We will remove Dropbox's encryption from the files before providing them to law enforcement"

Note what the last sentence implies: the provider holds the keys, so provider-side encryption protects the data against neither the provider itself nor a legal request served on it.

Protecting your personal data: the practical approach

'Defending Privacy at the US Border. A Guide for Travellers Carrying Digital Devices' (Dec 2011)

If you do not carry personal data with you, 'they' cannot get it

Smart Meters

What do the meters say about an individual?

Electricity consumption, but also:

- when he comes home

- which machines he uses and when

- how long he showers …

Or worse….

‘Mijn E”
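The inferences the slide lists (when someone comes home, which appliances run, how long a shower takes) follow directly from interval readings. The following is an added example, not part of the lecture: the readings are constructed quarter-hour values for one invented household and the thresholds (2x standby load for "someone is active", 600 Wh per interval for a heavy appliance) are illustrative assumptions, not a standard. It contrasts the single daily total a bill discloses with what the same day's interval data gives away.

```python
"""What quarter-hour smart-meter readings reveal about a household.

Added example, not part of the lecture. The readings below are constructed
(Wh consumed per 15-minute interval for one day); the thresholds are
illustrative assumptions, not a standard.
"""

INTERVAL_MIN = 15


def constructed_day():
    """Invented day for one household: night baseline, morning routine,
    empty house during office hours, evening with a shower and laundry."""
    wh = [25] * 96                      # fridge + standby, all day
    for i in range(26, 32):             # 06:30-08:00 lights, coffee, radio
        wh[i] = 120
    wh[27] = 480                        # 06:45 kettle and toaster
    for i in range(72, 92):             # 18:00-23:00 cooking, TV, lights
        wh[i] = 150
    wh[75] = wh[76] = 650               # 18:45-19:15 electric shower boiler
    wh[80] = 900                        # 20:00 washing-machine heating cycle
    return wh


def interval_label(i):
    """Index of a 15-minute interval -> HH:MM of its start."""
    minutes = i * INTERVAL_MIN
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def daily_kwh(readings):
    """The only figure a monthly bill discloses."""
    return round(sum(readings) / 1000, 2)


def baseline_wh(readings):
    """Standby load: the 10th percentile of all intervals."""
    return sorted(readings)[len(readings) // 10]


def occupancy_periods(readings, factor=2.0):
    """Contiguous periods where load exceeds `factor` x baseline, i.e. when
    someone is home and active. Returns [(start, end), ...] as HH:MM labels."""
    base = baseline_wh(readings)
    periods, start = [], None
    for i, wh in enumerate(readings + [0]):      # sentinel closes the last run
        active = wh > factor * base
        if active and start is None:
            start = i
        elif not active and start is not None:
            periods.append((interval_label(start), interval_label(i)))
            start = None
    return periods


def high_load_runs(readings, min_wh=600):
    """Runs of very high load (shower boiler, washing machine, oven):
    [(start, duration_minutes, total_wh), ...]."""
    runs, i = [], 0
    while i < len(readings):
        if readings[i] < min_wh:
            i += 1
            continue
        j = i
        while j < len(readings) and readings[j] >= min_wh:
            j += 1
        runs.append((interval_label(i), (j - i) * INTERVAL_MIN, sum(readings[i:j])))
        i = j
    return runs


if __name__ == "__main__":
    day = constructed_day()
    print("bill shows:", daily_kwh(day), "kWh")
    print("home and active:", occupancy_periods(day))
    print("heavy appliances:", high_load_runs(day))
```

For the constructed day the bill shows 7.58 kWh, while the interval data shows the household up at 06:30, out between 08:00 and 18:00, a 30-minute boiler run at 18:45 and a washing-machine cycle at 20:00. Coarser intervals (hourly or daily totals) remove most of this, which is why the retention period and the granularity that the grid operator collects by default are the data protection questions to ask.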

Marketing …

(Offline) Marketing: opt-out

E-marketing: opt-in / opt-out

Online Behavioural Advertising: opt-in

Marketing off-line and E-marketing

Sending direct marketing messages requires the use of personal data (unsolicited commercial communication)

Off-line marketing (ordinary, old-fashioned off-line letters, brochures etc.): allowed with an opt-out (Data Protection Act)

E-marketing (online, Telecommunications Act):

- if you are already a client, this is allowed with an opt-out (but should be for similar products/services)

- if not: opt-in (prior consent)

- also for corporate/business email addresses

For telephone marketing: obligation to offer registration in, and check, the "Bel-me-niet register"!

E-Marketing: the big book of Sinterklaas

E-marketing

Register your name in ‘het Grote Boek van Sinterklaas’ (the Big Book of Sinterklaas)!!! And let us know if you want Sinterklaas to contact you about ‘Pakjesavond’ by giving us your email address…

a) allowed?

b) not allowed?

Online Behavioural Advertising

Online behavioural advertising

‘OBA’: through cookies

‘Our website behaviour discloses who we are’

Detailed data/profiling, often without website visitor noticing

Enables specific targeting of visitors

Current law: opt-out

New law: ‘informed consent’

Online behavioural advertising

Consequences of the new law:

- user must be informed before a cookie is placed

- cookie statement via pop-up, not via browser settings (insufficient), but one-time-only

- do not hide the information: it must be available via 1 click (2 is too many)

Facebook

Data breaches

Draft amendment to the Data Protection Act introduces an obligation to:

- notify data subjects

- without undue delay

- of security breaches where there is a considerable risk of negative consequences for the private life and personal data of individuals

Unless appropriate technical measures have been taken as a result of which the personal data have been encrypted or otherwise made illegible (which presupposes that the keys were not exposed in the same incident)

Obligation to also inform the authorities

(Geo) Location Data

Unique MAC address + calculated location of a WiFi access point = personal data

Parties involved:

1) infrastructure controller

2) provider of geolocation applications/services

3) OS developers of smart mobile devices

Often without the individual being aware
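The following added example (not part of the lecture) shows why the slide's equation holds and how the three parties fit together. A street-level survey records each access point's MAC address (BSSID) together with the surveying car's position and signal strength; aggregating those observations per BSSID yields the position of the access point, i.e. of the household that owns it (the infrastructure controller). A phone's OS then reports the BSSIDs it can see to a geolocation service, which resolves them against that database to locate the user. All survey records and the device scan are constructed for this example; the RSSI-weighted centroid is a deliberately simple estimator, and the `_nomap` SSID suffix is the opt-out convention Google announced in late 2011, mentioned here as an illustration of the opt-out the Streetview case refers to, not as something the slides state.

```python
"""Why a WiFi BSSID plus a measured position is personal data.

Added example, not from the lecture. Builds the kind of access-point
location database a street-level WiFi survey produces, then resolves a
device's scan against it. All scan records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str      # MAC address of the access point; unique per device
    ssid: str       # network name as broadcast
    lat: float      # position of the surveying car when the beacon was heard
    lon: float
    rssi_dbm: int   # received signal strength


# Constructed survey: a car drives north along one street and hears three APs.
SURVEY = [
    Observation("00:11:22:33:44:55", "Home-WiFi", 52.1000, 5.1000, -80),
    Observation("00:11:22:33:44:55", "Home-WiFi", 52.1002, 5.1000, -60),
    Observation("00:11:22:33:44:55", "Home-WiFi", 52.1004, 5.1000, -80),
    Observation("AA:BB:CC:DD:EE:FF", "Neighbour", 52.1010, 5.1010, -70),
    Observation("AA:BB:CC:DD:EE:FF", "Neighbour", 52.1012, 5.1012, -70),
    Observation("66:77:88:99:AA:BB", "Cafe_nomap", 52.1020, 5.1020, -65),
]

# SSID suffix used as the router-owner opt-out (Google's 2011 convention).
OPT_OUT_SUFFIX = "_nomap"


def _weight(rssi_dbm):
    """dBm -> linear power, so that strong readings dominate the centroid."""
    return 10 ** (rssi_dbm / 10)


def weighted_centroid(points):
    """points: iterable of (lat, lon, rssi_dbm) -> (lat, lon)."""
    points = list(points)
    total = sum(_weight(r) for _, _, r in points)
    lat = sum(la * _weight(r) for la, _, r in points) / total
    lon = sum(lo * _weight(r) for _, lo, r in points) / total
    return lat, lon


def build_ap_database(observations, honour_opt_out=True):
    """Map BSSID -> estimated access-point position.

    Opted-out networks are dropped before anything is stored, not merely
    hidden from lookups: the record itself is the personal data."""
    by_bssid = defaultdict(list)
    for o in observations:
        if honour_opt_out and o.ssid.endswith(OPT_OUT_SUFFIX):
            continue
        by_bssid[o.bssid].append((o.lat, o.lon, o.rssi_dbm))
    return {b: weighted_centroid(p) for b, p in by_bssid.items()}


def locate_device(scan, db):
    """scan: {bssid: rssi_dbm} as a phone OS reports it to the service.

    Returns (lat, lon), or None when no scanned BSSID is in the database."""
    known = [(db[b][0], db[b][1], r) for b, r in scan.items() if b in db]
    return weighted_centroid(known) if known else None


if __name__ == "__main__":
    db = build_ap_database(SURVEY)
    for bssid, (lat, lon) in db.items():
        print(f"{bssid} -> {lat:.4f}, {lon:.4f}")
    # Constructed scan from a phone standing in the Home-WiFi living room.
    scan = {"00:11:22:33:44:55": -55, "AA:BB:CC:DD:EE:FF": -75,
            "66:77:88:99:AA:BB": -50}
    print("device fix:", locate_device(scan, db))
```

Three survey passes put the `Home-WiFi` access point at 52.1002, 5.1000, and the phone that sees it at -55 dBm is placed within a few metres of that point, which is a house, not a street. The opted-out café never enters the database, so it cannot contribute to a fix either; that is the difference between an opt-out applied at collection and one applied only at query time.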

The Google Streetview case

(Geo) Location data

Data protection issues:

- consent often inadequate, by lack of clear information

- limit scope/term of consent (reminders required)

- by default, location services must be switched off

- device must continuously warn that geolocation is 'on'

- limited retention period for location data

Privacy at the workplace

Privacy ‘at work’

Employees are entitled to some respect of their ‘privacy’ at work (the occasional personal phone call / private email etc.)

US: no privacy at work, all data generated through office devices is company owned

Privacy ‘at work’: BYOD

Bring Your Own Device: employees using their own devices to access company data

- pro: increased flexibility to work from anywhere, increased productivity

- con: loss of control over security, access etc.

Solutions: mix of technical and legal measures, training and desktop virtualisation

The future of data protection: finally being taken seriously? (1)

On 25 January 2012 a draft proposal for a new EU Regulation on data protection was issued (replacing the current EU Directive)

This proposal introduces a number of additional requirements for data controllers, e.g.

- appointment of DPOs for companies with over 250 employees

- introduces the principle of 'accountability': a company must be able to demonstrate its compliance with data protection requirements + adequate verification by independent auditors

- assigning proper responsibility for data protection, appropriate training of staff

The future of data protection (2)

- 'privacy by design' and 'privacy by default': data protection must be built into processes/systems + mandatory PIAs

- huge administrative sanctions of up to 2% of the annual worldwide turnover of a company (e.g. for illegal transfers)

- introduces 'the right to be forgotten' and 'the right to data portability'