Current Trends in Data Protection Law, Berlin, 5th December 2013 (PowerPoint presentation)



SLIDE 1

Current Trends in Data Protection Law

Berlin, 5th December 2013

Dr. Annette Demmel
Matei Ujica, LL.M.

37 Offices in 18 Countries
39 Offices in 19 Countries

SLIDE 2

Who we are…

Dr. Annette Demmel
Matei Ujica, LL.M.

SLIDE 3

… and where we are

We are sitting here … and have a view of one of the largest construction sites in Berlin: Unter den Linden, subway line U55.

SLIDE 4

Planned EU Data Protection Reform

  • Original draft of the Commission dated 25 January 2012, amended by Parliament on 21 October 2013
  • EU Basic Regulation shall be directly applicable in all Member States
  • Date of entry into force still unknown, prospectively in 2014
  • Objective: Adjustment of EU data protection law to the Internet age
  • Affected: All citizens and companies as well as public authorities

Source: European Commission, Eurobarometer 74.3, Results for Germany, Attitude towards data privacy and electronic identity in the European Union

Survey question: How important is it for you that your personal information is protected in the same way regardless of which EU country this information is collected and processed in?

SLIDE 5

Scope of Application

  • Content:
    – All automated processing of personal data is covered
    – Saving in filing systems
  • Personal:
    – Applicable for those individuals responsible for the processing (whoever makes decisions concerning the purposes, conditions and means of processing)
    – Applicable for commissioned data processors (whoever processes data on behalf of the responsible individual)
  • Territorial:
    – Responsible bodies within the EU, regardless of whether the data is processed within the EU
    – Responsible bodies outside of the EU, provided that the concerned individual is based in the EU and the processing serves the purpose of
      · Offering such individual goods and services in the EU, or
      · Observing the individual’s behavior.

SLIDE 6

Complete Harmonization?

Specific exemptions intended for:

  • Health data
  • Employment relationship
  • Processing by public authorities
  • Other reasons of public interest

SLIDE 7

Permissible Data Processing

The processing of personal data is permissible to the extent required for

  • Fulfilling a contract with the concerned individual;
  • Fulfilling a statutory obligation;
  • Protecting vital interests of the concerned individual;
  • Performing a public task;
  • Safeguarding legitimate interests of the responsible individual, provided such interests are not outweighed by the interests or basic rights of the concerned individual.

Processing of special personal data is principally impermissible. Exceptions:

  • Employment relationship
  • Execution of a contract with the concerned individual

Consent? …

SLIDE 8

Consent

Source: European Commission, Eurobarometer 74.3, Results for Germany, Attitude towards data privacy and electronic identity in the European Union

Survey question: Would you prefer that your explicit consent is obtained before personal information is collected and processed?

SLIDE 9

Consent

  • Data processing can in principle be based on consent
  • Exceptions:
    – Consent within the context of an employment relationship is only valid if voluntary
    – Other EU or national regulations can exclude such consent
  • Responsible body has burden of proof
  • If consent is given in writing, it must be clearly separate from the remaining text

Illustration on the slide:

Text: blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla

Consent: I consent to my personal data …..

SLIDE 10

Duties

  • Privacy by design: Technical procedures are to be used which offer the concerned individual the greatest amount of protection (e.g. privacy by default settings for social networks)
  • Documentation!
    – Replaces the general reporting obligations concerning data processing to the authorities;
    – Does not apply for companies which do not process the data of more than 5,000 concerned individuals per year
  • Children
  • Observance of data protection standards
  • Notification of public authorities and the concerned individual of data protection violations
  • Data protection risk analysis of certain activities
  • Appointment of a company data protection officer, if the data of more than 5,000 concerned individuals is processed within one year

SLIDE 11

Rights of the Concerned Individual

Source: European Commission, Eurobarometer 74.3, Results for Germany, Attitude towards data privacy and electronic identity in the European Union

Survey question: If you decide to change your internet service provider or terminate the relationship, how important is it for you that your personal information from this service can be transferred to another service?

SLIDE 12

Rights of the Concerned Individual

Right to “be forgotten”
  • Concerned individual can demand the deletion of his data and omission of any further processing

Right to data portability
  • Right to demand a copy of the processed data in a common format

Right to object

SLIDE 13

Sanctions

  • Original requirement: Monetary fine of up to EUR 1 million or 2 % of the annual worldwide turnover for severe breaches
  • New draft provides for higher fines of up to EUR 100 million and 5 % of the annual turnover worldwide

SLIDE 14

PRISM & Co.

According to an article in The Washington Post, the US National Security Agency has supposedly broken data protection rules or overstepped its authority thousands of times each year since 2008. The newspaper reported this with reference to an internal investigation of the NSA and other strictly confidential documents, which it received during the summer from the former NSA employee Edward Snowden.

Source: Spiegel Online

SLIDE 15

PRISM & Co.

Press release of the German data protection authorities dated 24 July 2013:

  • For the time being, no new authorizations for data transfers to the USA, particularly for certain cloud services
  • Investigation announced whether all transfers on the basis of Safe Harbor and EU standard contractual clauses are faulty (completion expected by the end of 2013)

Excursus: How does the US transfer function under German law? Workarounds?

SLIDE 16

Excursus: How does the data transfer function in other countries?

Two-step assessment:

Step 1: Data transfer from one company to another
  • Must be justified by particular interests
  • Interest in the transfer must be greater than the right of the concerned individual to exclusion of the transfer

Step 2: Reasonable level of protection in the recipient country
  a) Exists in the EU and the EEA (Norway, Liechtenstein, Iceland)
  b) Exists in Canada, Switzerland, Argentina, Israel, Guernsey, Andorra, Faroe Islands, Australia, Isle of Man, Jersey, Uruguay, New Zealand
  c) Exists for Safe Harbor certification in the USA, plus diverse and regular confirmations
  d) Exists for the stipulation of EU standard contractual clauses
  e) Exists in the case of agreement of binding corporate rules (for intra-group transfers)

Transfers according to a) - d) are principally not subject to authorization
  – if a company data protection officer has been appointed and
  – has assessed the data processing in advance and endorsed it

SLIDE 17

Excursus: Safe Harbor from a German Perspective

  • Data protection authorities have already been demanding the regular review of the guarantees of US importers by German companies since 2010
  • PRISM has further increased the skepticism of the authorities
  • Politicians are demanding the renegotiation of the Safe Harbor Agreement
  • EU Commission is currently assessing a suspension of the agreement

SLIDE 18

Cloud: Requirements of the German Authorities in 2011

  • Resolution of the 82nd conference on 28/29 September 2011: Data protection compliant design and use of Cloud computing services
  • Requirements for the use:
    – The duties of the responsible bodies must continue to be fulfilled,
    – The implementation of the data protection and IT security requirements has to have been reviewed
  • Which data protection and IT security requirements are to be reviewed?
    – Confidentiality
    – Integrity
    – Availability
    – Checkability
    – Transparency
    – Ability to influence the data processing.
  • Requirement in the resolution: The management of the body processing the data must continue to be able to bear responsibility for its own data processing.

SLIDE 19

Cloud: Implementation of the Requirements from 2011

Cloud users should demand

  • Provision of straightforward, transparent and detailed information on the
    – Technical and organizational measures including security concepts, and
    – Legal framework conditions.
  • Conclusion of transparent, detailed and clear contractual regulations, in particular concerning the
    – Location of the data processing,
    – Notification of any change of location,
    – Portability,
    – Interoperability,
    – Implementation of the agreed IT security and data protection measures

=> Current and persuasive proof (e.g. certificates of recognized and independent audit organizations)

SLIDE 20

Cloud: Help with Implementation

Paper: Guidance – Cloud Computing, of the Technology and Media Task Force of the Conference of Data Protection Officers of the Federal and State Government, Version 1.0, effective date: 26 September 2011, http://www.datenschutz-bayern.de/technik/orient/oh_cloud.pdf

SLIDE 21

Cloud: Permitted, Tolerated or Undesired?

In principle permitted if

  • Anonymized data is not made re-identifiable by the Cloud because various participants have additional knowledge,
  • The use of additional service providers is clearly regulated contractually, and
  • Cloud users
    – Can fulfill their obligations as the responsible body at all times,
    – In particular, can fulfill their obligations to delete, block and make corrections,
    – Can fulfill the claims for information of the concerned individuals
  • Additionally: Legal basis for the transfer to third countries
  • Unclear: Is processing of sensitive data in the cloud permitted in third countries?

SLIDE 22

Cloud: Permitted, Tolerated or Undesired?

Excerpt from the Microsoft Data Protection Policy for Office 365:

Amendments of these data protection provisions: We will update this data protection declaration from time to time in order to take into account changes to the services […]. […] In the case of fundamental changes to […] the way that Microsoft uses your information, we shall notify you of […] We recommend that you review these data protection provisions at regular intervals in order to always remain informed of the protection of your information by Microsoft.

Source: http://www.microsoft.com/online/legal/v2/?docid=43&langid=de-de (Effective date: 12 November 2013)

SLIDE 23

Cloud: Permitted, Tolerated or Undesired?

Excerpt from the Oracle Agreement for SaaS:

Section 6.1: […] You are liable for all activities, which are carried out using your user name, password or user account […].

Section 9.3: Oracle can temporarily block your password, your account and your access to the services if you or your users breach any of the provisions designated under sections […] 6 (‘Use of Services’) […] of this contract or if Oracle using equitable discretion believes that the services or other associated components are exposed to direct security risks or a risk to the operational reliability. […]

Source: SaaS Online Cloud Services Agreement, http://www.oracle.com/us/corporate/contracts/saas-online-csa-de-1978862.pdf (Effective date: 12 November 2013)

SLIDE 24

Thank you!

Unter den Linden, Construction Site U55