AND THE GENERAL DATA PROTECTION REGULATION Administrative Law and Economic Regulation Tess de Gregorio Nov 11th, 2015

DATA PROTECTION

© Tess de Gregorio

INTRODUCTION

1.  THE INTERNET NOWADAYS

2. CURRENT LEGAL FRAMEWORK → Directive on Personal Data 1995

3. NEW PROPOSED LEGAL FRAMEWORK → General Data Protection Regulation

4. CONCLUSIONS © Tess de Gregorio

THE INTERNET TODAY

© Tess de Gregorio

THE INTERNET TODAY

More data volume within the network

More collaboration

among Internet participants:

different companies,

companies and governements…

More complexity within the

systems that integrate the

Internet: cloud computing, Big

Data…

More personal data provided by

individuals: addresses, credit

card numbers, political

opinions…

© Tess de Gregorio

During the past five years, data protection and its legal framework has been one of the main concerns of the

European Union

AshelyMadisonDataBreach

NEED FOR A NEW LEGAL REFORM

THE INTERNET TODAY

© Tess de Gregorio

CURRENT LEGAL FRAMEWORK

© Tess de Gregorio

CURRENT LEGAL FRAMEWORK

ARTICLE 8 OF THE EUROPEAN

CONVENTION OF HUMAN RIGHTS

(ECHR) establishes the right to respect for

private life and family. ARTICLE 16 OF THE

TREATY OF THE FUNCTIONING OF THE EUROPEAN

UNION ascertains the right

to privacy. DIRECTIVE 95/46/EC on the protection of

individuals with regard to the processing of personal data

and on the movement of such a data, enacted in 1995 © Tess de Gregorio

DIRECTIVE 95/56 EC With the vast technological changes in the World Wide Web since the adoption of the Directive in 1995. Form of the legislative act is a Directive, which makes the legal framework more complex → Art 289 TFEU enterprises are required to comply with 28 different jurisdictions Implies uncertainty, costs increases and high administrative burdens.

© Tess de Gregorio

27 DIFFERENT JURISDICTIONS DIRECTIVE 95/56 EC

© Tess de Gregorio

RIGHT TO BE FORGOTTEN Case-131/12

AEPD, Mario Costeja González May 2014 v. Google Spain SL, Google Inc

SAFE HARBOUR EU-US INVALID Case -62/14 Maximillian Schrems v Data

Protection Commissioner, Oct 2015

DIRECTIVE 95/56 EC

© Tess de Gregorio

DIRECTIVE 95/56 EC Considering this litigious framework and the incessant Internet innovations, it is clear that there is an urgent need for a new legal framework. The Europe 2020 Strategy included in its Digital Agenda the necessity to reconstruct the data protection legislation. In 2012 the Commission adopted a new Proposal for a General Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data. At this time, the Commission, together with the Parliament and Council is working on the final adoption of the Regulation, which will probably enter into force in 2017.

© Tess de Gregorio

To establish trust among Internet users

This enhances economic growth

Building trust will eliminate the association: Internet=risks

Guarantee a unified Digital Market for the European Union

Less administrative burdens and less costs→ not 27 jurisidctions

LEGAL REFORM NEEDED

© Tess de Gregorio

PROPOSAL FOR A GENERAL DATA PROTECTION REGULATION

© Tess de Gregorio

PROPOSAL FOR A GENERAL DATA PROTECTION REGULATION

INDIVIDUAL PRIVACY

WELL-BEING OF THE ECONOMY

They have not been properly balanced © Tess de Gregorio

CHAPTER VIII REMEDIES, LIABILITY, SANCTIONS

ARTICLE 73

Any individual or enterprise or organization

•  Threats the creation of a an environment of excessive litigation

•  Increase company's legal

spending, without clear evidence for the Internet users

© Tess de Gregorio

CONTROLLER Uses the cloud service

to store its data

DATA SUBJECTS PROCESSOR

Cloud/ data server provider

THE CLOUD Where the data is stored

CHAPTER VIII REMEDIES, LIABILITY, SANCTIONS

© Tess de Gregorio

ARTICLE 77 Severally and jointly liable, unless they prove that the

have no responsibility

This blurs the lines of responsibility among the chain

of contracting and subcontracting

EU Digital Agenda for 2020 BOOSTING THE CLOUD COMPUTING INDUSTRY

CHAPTER VIII REMEDIES, LIABILITY, SANCTIONS

© Tess de Gregorio

SANCTIONS

250.000€ 1.000.000€

or 0,5% to 2%

of the Annual Worldwide

Turnover

EU Parliament is supporting 5% of annual worldwide turnover

COSTS According to the ICO in the

UK

£500.000 Right to be forgotten (Article 17)

£100.000 Right to data portability (Article 18)

SMEs and startups account for 99% of the EU´s economy, such large fines and costly

requirements may deter the creation of future online enterprises.

ARTICLE 79

Sanctions amounts will be calculated by the Member State's national authorities → NO HARMONIZATION → UNPREDICTABILITY

CHAPTER VIII REMEDIES, LIABILITY, SANCTIONS

© Tess de Gregorio

ARTICLE 3 TERRITORIAL SCOPE

ThosewithanestablishmentintheEUwhoprocessdata

ThosewithoutanestablishmentintheEUbutwhooffergoodsorservicestoEU

ci5zensormonitortheirbehavior

NEARLY ALL COMPANIES that

can be accessed online through

Europe that process data

will have to comply with the Regulation

•  Eminent EFFORT AND COST to these companies. •  How important for the economy is the the proliferation of SMESs •  The question would be, whether foreign SMEs –who may not have enough financial

resources– will block their access to European citizens, as many of their websites´ system tracks all users that access → To avoid having to comply with severe legal requirements for data protection and where not complied, being obliged to pay extremely high sanctions

© Tess de Gregorio

ARTICLE 3 TERRITORIAL SCOPE

The ICO´s report in the UK said:

Costs of complying → £5 million Cost to maintain £1 million

→ a minority stated that its compliance would have no costs. In one way or another, this may again, deter foreign SMEs to provide access to European citizens.

In the case this situation is reached +

ARTICLE 17 (right to be forgotten)

Excessive protection of data is justified To limit freedom of expression and media and if it would be comparable with censorship.

CENSORSHIP?

© Tess de Gregorio

R30 and ARTICLE 5

State that data cannot be stored unlimitedly unless it will be processed for historical, statistical or scientific purposes, according

to ARTICLE 83

SOCIAL NETWORKS

CONTEMPORARY MARKETING

Big data is the cornerstone of

contemporary marketing

According to the Direct Marketing Association,

this data erasing will cost companies whose main business is marketing → 50% annual turnover

Only in the UK→ for the Digital Advertising Sector → £500 million © Tess de Gregorio

CONCLUSIONS

© Tess de Gregorio

CONCLUSIONS

What should be promoted is a regulation that guarantees a unified application throughout the whole territory of the EU. in terms of •  Legal Provisions, •  Interpretation •  Sanctions Impositions

Legal Provisions should be as certain, predictable and harmonized as possible.

They should guarantee that DATA IS PROTECTED but should also carefully

balance the NEED TO IMPULSE AND

PROMOTE ECONOMIC AND INNOVATIVE GROWTH

The EU institutions should u n d e r t a k e A D E E P E R I M P A C T A S S E S S M E N T regarding the regulation.

As Butarelli, the European Data Protection Supervisor said: “This reform will shape data processing for a generation which has no memory of living without the Internet.

The EU must therefore fully understand the implications of this act for individuals, and its sustainability in the face of technological development.”

© Tess de Gregorio

CONCLUSIONS

The coming generation will have to understand that the future of the digital economy is BIG DATA, and that government will have more and more

MASS SURVEILLANCE powers –which they already have, both in the US and the EU-.

By 2025

IT WILL BE FOR INDIVIDUALS TO DECIDE WHETHER THEY OPT FOR CONVENIENCE OR

FOR MORE PRIVACY. THIS IMPLYING NOT PARTICIPATING IN THE ONLINE WORLD

© Tess de Gregorio