ISACA Privacy Forum, 17 October 2013, on Big Data and Facebook Privacy
DESCRIPTION
Discussion on big data and employee's privacy on Facebook
TRANSCRIPT
Open Forum PRIVACY
Thursday, 17th of October 2013
Brussels, 17 October 2013
Agenda
1. 18:30 Welcome
2. 18:45 Big Data & Privacy
3. 19:30 Break
4. 19:50
   1. Big Data & Privacy (continued)
   2. Facebook, Employment & Privacy
5. 20:30 Close
BIG DATA
JOHAN VANDENDRIESSCHE & MARC VAEL
What is Big Data?
• Exponential growth of data
• Availability
• Processing tools (‘automated use’)
• Evolution
• (Manual) Small scale profiling
• Data mining
• Big Data
• Numerous applications
• Detect general correlations and trends
• Create specific, individual profiles
What is profiling?
• Approach to profiling
• Tool?
• Purpose?
• Current vs. future framework for profiling
• Mixed approaches in legal documents
• Directive 95/46/EC vs. Draft Regulations
• Council of Europe
• Art. 29 WP
• Privacy Commission
Big Data general and privacy Issues?
• Scale of data collection, tracking and profiling
• Security of data
• Transparency
• Inaccuracy, discrimination, exclusion and economic imbalance
• Increased possibilities of government surveillance.
Data Protection?
• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Processing: “any operation or set of operations which is performed upon personal data […]”
Data protection principles
• The data processing must comply with specific principles
• Proportionality
• Purpose limitation
• Limited in time
• (Individual and collective) Transparency
• Data quality
• Data security
Data protection issues?
• Purpose Limitation
• Data collected for a specified, specific and legitimate purpose
• Re-use for a different purpose?
• Compatible or not?
• Criteria
• Nature of the purposes and their connections
• Circumstances surrounding data collection
• Privacy expectations of the data subjects
• Personal data involved and impact on the data subject
• Safeguards for fair processing
• Specific framework for statistical processing
Proportionality
• Processing must be limited to the personal data that is strictly necessary for the purpose
• Do I need this personal data?
• Big database containing a lot of information?
• Combination of databases?
Other issues
• Notice obligation
• Specific information to be provided to data subjects
• What is required in case of big data?
• Data quality
• Impact of profiling may be substantial: impact on data quality requirements?
• Data Security
• Big data = big impact of data breaches?
FACEBOOK, EMPLOYMENT & PRIVACY
JOHAN VANDENDRIESSCHE & MARC VAEL
Privacy on Facebook?
• Negative statements on Facebook = immediate dismissal?
• Court decision of the Labour Court of Leuven of 17 November 2011 (yes)
• Confirmed by Court decision of 3 September 2013 of the Labour Court of Appeal of Brussels
• What about privacy on Facebook?
What is privacy?
• Various sources
• European Convention on Human Rights
• Treaty on the Functioning of the European Union (TFEU)
• Charter of Fundamental Rights of the EU
• National (constitutional) legislation
• Various forms
Privacy on the workfloor?
• Privacy at work in the EU?
• Telephone calls
• E-mail / Use of Internet and online technology
• Principle of privacy at work has been confirmed by ECHR and Article 29 Working Party
• National laws implement privacy at work differently
What is data protection?
• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Processing: “any operation or set of operations which is performed upon personal data […]”
Some applications
• Pre-employment screening (CBA 38)
• Surveillance on the workfloor
• Internet & e-mail (CBA 81)
• Cameras (CBA 68)
• Theft (CBA 89)
• What about acts outside the work context?
• Criticism on Facebook?
• Freedom of speech?
• Privacy (and secrecy of communications)?
Analysis of the decisions
• Immediate dismissal based on negative statements on a public site of Facebook
• Two main legal issues
• Reason for immediate dismissal?
• Evidence?
• Admissibility of evidence
• Probative value of evidence
Analysis of the decision
• Reason for immediate dismissal?
• No uniform case law
• Particularities
• False statements
• Role/function of the person
• Nature and circumstances of the negative statements
Analysis of the decisions
• First instance
• Employer can consult public messages on Facebook
• No violation of privacy
• Appeal
• No violation of privacy
• Violation of privacy of communications
• “Antigoon theory” applied: admissible evidence
Contact details
Johan Vandendriessche
Partner
crosslaw CVBA
Mobile Phone +32 486 36 62 34
Website www.crosslaw.be
Marc Vael
International Vice President
ISACA
Mobile Phone +32 473 99 30 31
Website www.isaca.org
ISACA BELGIUM