Data Protection Presentation 3
DATA PROTECTION AND THE GENERAL DATA PROTECTION REGULATION
Administrative Law and Economic Regulation
Tess de Gregorio
Nov 11th, 2015
© Tess de Gregorio
INTRODUCTION
1. THE INTERNET NOWADAYS
2. CURRENT LEGAL FRAMEWORK → Directive on Personal Data 1995
3. NEW PROPOSED LEGAL FRAMEWORK → General Data Protection Regulation
4. CONCLUSIONS
THE INTERNET TODAY
More data volume within the network
More collaboration among Internet participants: different companies, companies and governments…
More complexity within the systems that integrate the Internet: cloud computing, Big Data…
More personal data provided by individuals: addresses, credit card numbers, political opinions…
During the past five years, data protection and its legal framework have been one of the main concerns of the European Union
Ashley Madison Data Breach
NEED FOR A NEW LEGAL REFORM
CURRENT LEGAL FRAMEWORK
ARTICLE 8 OF THE EUROPEAN CONVENTION OF HUMAN RIGHTS (ECHR) establishes the right to respect for private life and family.
ARTICLE 16 OF THE TREATY OF THE FUNCTIONING OF THE EUROPEAN UNION ascertains the right to privacy.
DIRECTIVE 95/46/EC on the protection of individuals with regard to the processing of personal data and on the movement of such data, enacted in 1995
DIRECTIVE 95/46/EC
With the vast technological changes in the World Wide Web since the adoption of the Directive in 1995.
Form of the legislative act is a Directive, which makes the legal framework more complex → Art 289 TFEU
Enterprises are required to comply with 28 different jurisdictions
Implies uncertainty, cost increases and high administrative burdens.
27 DIFFERENT JURISDICTIONS
RIGHT TO BE FORGOTTEN: Case-131/12, AEPD, Mario Costeja González v. Google Spain SL, Google Inc, May 2014
SAFE HARBOUR EU-US INVALID: Case -62/14, Maximillian Schrems v Data Protection Commissioner, Oct 2015
DIRECTIVE 95/46/EC
Considering this litigious framework and the incessant Internet innovations, it is clear that there is an urgent need for a new legal framework. The Europe 2020 Strategy included in its Digital Agenda the necessity to reconstruct the data protection legislation. In 2012 the Commission adopted a new Proposal for a General Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data. At this time, the Commission, together with the Parliament and Council, is working on the final adoption of the Regulation, which will probably enter into force in 2017.
LEGAL REFORM NEEDED
To establish trust among Internet users
This enhances economic growth
Building trust will eliminate the association: Internet = risks
Guarantee a unified Digital Market for the European Union
Fewer administrative burdens and lower costs → not 27 jurisdictions
PROPOSAL FOR A GENERAL DATA PROTECTION REGULATION
INDIVIDUAL PRIVACY
WELL-BEING OF THE ECONOMY
They have not been properly balanced
CHAPTER VIII REMEDIES, LIABILITY, SANCTIONS
ARTICLE 73
Any individual or enterprise or organization
• Threatens the creation of an environment of excessive litigation
• Increases companies' legal spending, without clear evidence for the Internet users
CONTROLLER: Uses the cloud service to store its data
DATA SUBJECTS
PROCESSOR: Cloud/data server provider
THE CLOUD: Where the data is stored
ARTICLE 77
Severally and jointly liable, unless they prove that they have no responsibility
This blurs the lines of responsibility among the chain of contracting and subcontracting
EU Digital Agenda for 2020 BOOSTING THE CLOUD COMPUTING INDUSTRY
SANCTIONS
250.000€ to 1.000.000€, or 0,5% to 2% of the Annual Worldwide Turnover
EU Parliament is supporting 5% of annual worldwide turnover
COSTS
According to the ICO in the UK:
£500.000 Right to be forgotten (Article 17)
£100.000 Right to data portability (Article 18)
SMEs and startups account for 99% of the EU's economy; such large fines and costly requirements may deter the creation of future online enterprises.
ARTICLE 79
Sanction amounts will be calculated by the Member States' national authorities → NO HARMONIZATION → UNPREDICTABILITY
ARTICLE 3 TERRITORIAL SCOPE
Those with an establishment in the EU who process data
Those without an establishment in the EU but who offer goods or services to EU citizens or monitor their behavior
NEARLY ALL COMPANIES that can be accessed online through Europe that process data will have to comply with the Regulation
• Eminent EFFORT AND COST to these companies.
• How important for the economy is the proliferation of SMEs
• The question would be whether foreign SMEs, who may not have enough financial resources, will block their access to European citizens, as many of their websites' systems track all users that access them → To avoid having to comply with severe legal requirements for data protection and, where not complied with, being obliged to pay extremely high sanctions
The ICO's report in the UK said:
Cost of complying → £5 million
Cost to maintain → £1 million
→ a minority stated that its compliance would have no costs.
In one way or another, this may, again, deter foreign SMEs from providing access to European citizens.
In the case this situation is reached + ARTICLE 17 (right to be forgotten)
Excessive protection of data is justified to limit freedom of expression and media and if it would be comparable with censorship.
CENSORSHIP?
R30 and ARTICLE 5
State that data cannot be stored indefinitely unless it will be processed for historical, statistical or scientific purposes, according to ARTICLE 83
SOCIAL NETWORKS
CONTEMPORARY MARKETING
Big data is the cornerstone of contemporary marketing
According to the Direct Marketing Association, this data erasing will cost companies whose main business is marketing → 50% annual turnover
Only in the UK → for the Digital Advertising Sector → £500 million
CONCLUSIONS
What should be promoted is a regulation that guarantees a unified application throughout the whole territory of the EU, in terms of:
• Legal Provisions
• Interpretation
• Sanctions Impositions
Legal Provisions should be as certain, predictable and harmonized as possible.
They should guarantee that DATA IS PROTECTED but should also carefully balance the NEED TO BOOST AND PROMOTE ECONOMIC AND INNOVATIVE GROWTH
The EU institutions should undertake A DEEPER IMPACT ASSESSMENT regarding the regulation.
As Buttarelli, the European Data Protection Supervisor, said: “This reform will shape data processing for a generation which has no memory of living without the Internet. The EU must therefore fully understand the implications of this act for individuals, and its sustainability in the face of technological development.”
The coming generation will have to understand that the future of the digital economy is BIG DATA, and that governments will have more and more MASS SURVEILLANCE powers (which they already have, both in the US and the EU).
By 2025, IT WILL BE FOR INDIVIDUALS TO DECIDE WHETHER THEY OPT FOR CONVENIENCE OR FOR MORE PRIVACY, THIS IMPLYING NOT PARTICIPATING IN THE ONLINE WORLD