The legal aspects of data protection
17 February 2012, Radboud University of Nijmegen
Nynke Wisman, Attorney-at-law at NWLS
Have you seen the headlines?
- PlayStation Network security breach will cost Sony much more than money
- Zappos security breach: your data hacked?
Privacy: doing the right thing?
1. When you register for our online newsletter, we may use your data to send you marketing information. This is a) allowed or b) not allowed?
2. When you visit our website, we place cookies on your computer to improve the website performance and to show ads that may be of interest to you. This is a) allowed or b) not allowed?
3. After the huge data breach incident with PlayStation, Sony was criticized mostly for: a) not having informed the relevant persons timely or b) not having adequate security measures in place?
Privacy: doing the right thing?
4. What was the biggest downside of the Sony PS security incident according to hackers? a) tighter security measures were being implemented or b) the price of stolen credit cards would decrease from approx. $5-10 to $1-2?
5. What was the outcome of the Google Streetview case: a) Google must refrain from collecting information re WiFi routers or b) Google must provide an opt-out to users of WiFi routers?
Today’s topics
“Data Protection”: protecting personal data from a legal perspective
An introduction into the legal requirements on ‘data protection’:
- What is it: the basics of data protection, the Privacy Principles
- What you should and should not do with personal data
- When and where does it apply
Some specific topics: ‘the cloud’, the Patriot Act, spam, cookies, data leakage, geolocation data, Google, smart meters …
The future of ‘data protection’
What do you consider ‘personal’?
Name?
Phone number?
Websites you visit?
Credit card number?
Passport number?
Your nationality?
Medical information?
Photos? Number plates? IP addresses? Cookies?
Etc.?
European Commission: ‘brave new data world’
Attitudes towards data protection:
- 60% of Europeans who use the internet (40% of all EU citizens) shop or sell things online and use social networking sites.
- Over 75% consider financial information, medical information and national identity or passport numbers ‘personal data’.
- ‘Only’ 46% consider their name ‘personal’ and only 25% think the websites they visited are ‘personal’.
- 70% are concerned about the use of their data and the control they have over the data.
Source: Special Eurobarometer 359, Attitudes on Data Protection and Electronic Identity in the European Union, June 2011
Data Protection – the basics
Terms used:
- Personal Data: any data relating to an identifiable individual (natural person)
- Data Subject: consumers, clients, vendors, website visitors, ‘friends’, contact persons, one-man businesses, employees, job applicants, prospects → all individuals
- Data Controller: responsible party that determines the means and purposes of processing of personal data
- Data Processor: processes personal data on behalf of the data controller
Privacy Principles
1. Collect data only for specified and explicit purposes
- e.g. client data for assessing and accepting clients, delivering services, and for preventing, tracing and defending against fraud
- e.g. employee data for performance of the employment contract (salary payment, appraisals etc.) and for providing authorisation and maintaining security within the company
2. You need a ground for processing:
- with consent
- for performance of a contract
- compliance with a legal obligation
- if in your legitimate interests
3. Further processing is allowed only for purposes ‘not incompatible’ with the initial purposes
Privacy Principles (Cont’d)
4. Only process relevant data, keep the data up-to-date, accurate and retain only as long as needed
- do not collect more data than needed
- review the accuracy regularly
- have retention policies in place
5. Give access only on a need-to-know principle
- authorise users individually for systems or files holding personal data
- limit to those persons that have a valid reason for accessing the data
Privacy Principles (Cont’d)
6. Take appropriate technical and organisational security measures to prevent unlawful/unauthorized access
- PET, access control + monitoring
- must be state of the art
- taking into account the nature of the data
7. Do not process sensitive data, unless permitted by law
- medical data, biometric data, data re race or ethnic origin, sexual orientation etc.
Privacy Principles (Cont’d)
8. Be transparent to individuals about processing of their data and provide opportunity to view and correct data
- use privacy statements
- notify DPAs
9. The accountability principle
- responsibility for appropriate measures for the privacy principles to be effective in practice
- to make sure these are complied with
International data transfers
Privacy and ‘the cloud’
Personal data in the cloud (private / public / community / hybrid or ‘Rijkscloud’)
Where is your data?
Is your data secure; how do you know?
Privacy and ‘the cloud’
US research shows:
- cloud providers do not view security as a competitive advantage
- security is the customer’s responsibility
- main drivers for customers: ‘lower costs’ and ‘faster deployment’
- cloud providers think improved security/compliance are unlikely reasons for choosing cloud services
Privacy in ‘the cloud’
Obligation to retain records:
- “you are responsible for backing up the data that you store on the service”
- “we have no obligation to return data to you after the services is suspended or cancelled”
Personal data transfers:
- “As part of providing the Services, Supplier may transfer, store and process customer data in … any other country in which supplier or its agents maintain facilities”
Privacy and ‘the cloud’
US Patriot Act: “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism”
Dropbox, T&C’s:
- “We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have good faith belief that disclosure is reasonably necessary to .. Comply with a law, regulation or compulsory legal request. … We will remove Dropbox’s encryption from the files before providing them to law enforcement”
Protecting your personal data: the practical approach
‘Defending Privacy at the US Border. A Guide for Travellers Carrying Digital Devices’ (Dec 2011)
If you do not carry personal data with you, ‘they’ can not get it
Smart Meters
What do the meters say about an individual?
The electricity consumption, but also:
- when he comes home / which machines he uses and when / how long he showers ..
Or worse….
‘Mijn E’
Marketing …
(Offline) Marketing: opt-out
E-marketing: opt-in / opt-out
Online Behavioural Advertising: opt-in
Marketing off-line and E-marketing
Sending direct marketing messages (unsolicited commercial communication) requires the use of personal data.
Off-line marketing: ordinary, old-fashioned off-line letters, brochures etc.: this is allowed with an opt-out (DPA)
E-marketing (online, Telecommunications Act):
- if you are already a client, this is allowed with an opt-out (but should be for similar products/services)
- if not: opt-in (prior consent)
- also for corporates / business email addresses
For telephone marketing: obligation to offer/register customers in the “Bel-me-niet register”!
E-marketing
Register your name in ‘het Grote Boek van Sinterklaas’ (the Big Book of Sinterklaas)!!! And let us know if you want Sinterklaas to contact you about ‘Pakjesavond’ by giving us your email address…
a) allowed?
b) not allowed?
Online Behavioural Advertising
Online behavioural advertising
‘OBA’: through cookies
‘Our website behaviour discloses who we are’
Detailed data/profiling, often without website visitor noticing
Enables specific targeting of visitors
Current law: opt-out
New law: ‘informed consent’
Online behavioural advertising
Consequences of the new law:
- user must be informed before the cookie is placed
- cookie statement via pop-up, not via browser settings (insufficient), but one-time-only
- do not hide the information: available via 1 click (2 is too many)
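As an added example, not part of the original slides: a small JavaScript consent gate that implements the three consequences listed above. It assumes a constructed classification of cookie names into ‘necessary’, ‘analytics’ and ‘advertising’ categories, and uses an in-memory cookie jar in place of document.cookie so that the logic runs outside a browser.

```javascript
// Added example (not from the slides): consent gate for cookie placement.
// A page would back the jar with document.cookie; here it is an in-memory Map
// so the decision logic can be exercised stand-alone. All cookie names and
// category assignments are constructed for illustration.

const CATEGORIES = {
  // Strictly necessary cookies need no consent (assumption: these three are
  // genuinely required for the site to function).
  session_id: "necessary",
  csrf_token: "necessary",
  consent_record: "necessary",
  // Cookies used for profiling / behavioural advertising need prior opt-in.
  analytics_id: "analytics",
  ad_profile: "advertising",
};

function createCookieJar() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    get: (name) => jar.get(name),
    names: () => [...jar.keys()],
  };
}

// The decision is stored once, in a necessary cookie, so the pop-up is shown
// only on the first visit ("one-time-only") and the choice survives reloads.
function recordConsent(jar, choices) {
  const record = {
    version: 1,
    ts: Date.now(),
    choices: {
      analytics: choices.analytics === true,
      advertising: choices.advertising === true,
    },
  };
  jar.set("consent_record", JSON.stringify(record));
  return record;
}

function readConsent(jar) {
  const raw = jar.get("consent_record");
  if (!raw) return null; // no record: the user has not decided yet
  try {
    return JSON.parse(raw);
  } catch (e) {
    return null; // a corrupt record is treated as "no decision"
  }
}

// Show the consent pop-up only while no decision has been recorded.
function needsConsentBanner(jar) {
  return readConsent(jar) === null;
}

// Central gate: every cookie write goes through here, so a tracker cannot be
// placed before the user has been informed and has opted in.
function setCookie(jar, name, value) {
  const category = CATEGORIES[name];
  if (category === undefined) {
    // Unknown cookie: refuse, so a new tracker cannot slip in unclassified.
    return { placed: false, reason: "unclassified" };
  }
  if (category === "necessary") {
    jar.set(name, value);
    return { placed: true, reason: "necessary" };
  }
  const consent = readConsent(jar);
  // A missing record means "no", never implied consent (relying on a browser
  // default is exactly what the slide calls insufficient).
  if (!consent || consent.choices[category] !== true) {
    return { placed: false, reason: `no consent for ${category}` };
  }
  jar.set(name, value);
  return { placed: true, reason: `consented to ${category}` };
}

// Walk-through: first visit, a partial opt-in, then a return visit.
function demo() {
  const jar = createCookieJar();
  const beforeBanner = setCookie(jar, "ad_profile", "p1").placed; // false
  recordConsent(jar, { analytics: true, advertising: false });
  const analytics = setCookie(jar, "analytics_id", "u1").placed; // true
  const ads = setCookie(jar, "ad_profile", "p1").placed; // false
  return { beforeBanner, analytics, ads, bannerAgain: needsConsentBanner(jar) };
}
```

The design point is that the gate is the only code path that writes cookies: a tracking script that bypasses it would fail review, and an unclassified cookie name is refused rather than silently allowed.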
Data breaches
Draft amendment to the Data Protection Act introduces an obligation to:
- notify data subjects, without undue delay, of security breaches where there is a considerable risk of negative consequences for the private life and personal data of individuals
- unless appropriate technical measures have been taken as a result of which the personal data have been encrypted or otherwise been made illegible
- also inform the authorities
(Geo) Location Data
Unique MAC address + calculated location of a WiFi access point = personal data
Parties involved:
1) infrastructure controller
2) provider of geolocation applications/services
3) OS developers of smart mobile devices
Often without the individual being aware
The Google Streetview case
(Geo) Location Data
Data protection issues:
- consent often inadequate, by lack of clear information
- limit scope/term of consent (reminders required)
- by default, location services must be switched off
- device must continuously warn that geolocation is ‘on’
- limited retention period for location data
Privacy at the workplace
Privacy ‘at work’
Employees are entitled to some respect of their ‘privacy’ at work (the occasional personal phone call / private email etc.)
US: no privacy at work, all data generated through office devices is company owned
Privacy ‘at work’: BYOD
Bring Your Own Device: employees using their own devices to access company data
- pro: increase flexibility to work from anywhere, increase productivity
- con: loss of control over security, access etc.
Solutions: mix of technical and legal measures, training and desktop virtualisation
The future of data protection: finally being taken seriously? (1)
On 25 January 2012 a draft proposal for a new EU Regulation on data protection has been issued (replacing the current EU Directive)
This proposal introduces a number of additional requirements for data controllers, e.g.
- appointment of DPOs for companies with over 250 employees
- introduces the principle of ‘accountability’: a company must be able to demonstrate its compliance with data protection requirements + adequate verification by independent auditors
- assigning proper responsibility for data protection, appropriate training of staff
The future of data protection (2)
- ‘privacy by design’ and ‘privacy by default’: data protection must be built into processes/systems + mandatory PIAs
- huge administrative sanctions of up to 2% of the annual worldwide turnover of a company (e.g. for illegal transfers)
- introduces ‘the right to be forgotten’ and ‘the right to data portability’