Legitimate Interests: A Legal Basis to Process
Maintaining Protection While Facilitating ICT Growth
• The primary mechanism for data protection governance is purpose specification notices and consent
• This is particularly true in Latin America
• However, data-driven innovation is hard to explain, involves the creation of new data and challenges the effectiveness of notice and consent
• Data stewardship models (accountability) may provide an effective answer
Legitimate Processing Beyond Consent
• The global data protection community increasingly recognizes that consent does not protect individuals effectively
  – Data increasingly leads to the creation of new data
  – Compatible purposes are not anticipated by either controllers or individuals
  – Notices do not drive awareness
• The EU Directive has always had the concept of legitimate business interests
  – Always required a balancing
• New “draft” guidance gives direction
  – Greater recognition by authorities
Legitimate Interest Guidance
• Legitimate interest should be used if appropriate
  – Do not use consent where it is not effective
• Must balance the legitimate interests of the controller against all issues of individuals
• Balancing processes must be describable to enforcement agencies and interested individuals
This Session
• Will place European law into comparative context
• Provide examples of the balancing process
• Discuss legitimate interests as it relates to marketing analytics
Data Privacy v. Data Protection
• U.S. privacy laws protect ‘reasonable expectations of privacy’
• EU data protection laws prohibit processing of personal data – unless a statutorily accepted justification applies
Big Data Defined
• Data
• Personal data and the myth of anonymity
• Big?
• New purposes, e.g., statistics, traffic, health, security, marketing
Data Privacy and Legitimate Interest
• What is legitimate?
• How to balance privacy interests v. data usage interests?
• Who decides on legitimacy and balancing?
Data Privacy and Consent
• When is consent really informed, voluntary, specific, express and in writing?
• Can it be – with respect to big data?
• Should it be?
Four-Party Model: Merchant, Acquiring Bank, Issuing Bank, Cardholder
Merchant
• Contracts with an Acquiring Bank to process payments and settle funds
• Accepts MC card as a form of payment
Cardholder
• Agrees to payment terms of the Issuing Bank
• Transacts with Merchants who accept MC card
Acquiring Bank
• Processes payment transaction with MC
• Settles funds with MC on behalf of their Merchant
Issuing Bank
• Has financial relationship with Cardholder
• Extends credit/issues MC card
Overview of MasterCard’s Transaction Processing Business
MC authorizes, clears and settles payment transactions between merchants, processors and banks
(Diagram: MC Transaction Routing → MC Data Center → MC Transaction Routing)
Data Collected
• No Contact Information
• Account Number
• Transaction Amount
• Transaction Date
• Merchant-Reported Fraud
Legitimate Interest Analysis
Legitimate Interests
• Anti-fraud
• Internet Security
• Anti-Money Laundering
• Misuse
• Legal claims (dispute resolution)
Parties in Interest
• Issuers
• Acquirers
• Merchants
• Cardholders (data subjects)
• Fraudsters/Criminals
Balancing Test
• Controllers’ Legitimate Interests
• Impact to Data Subjects
  – Assess the impact
  – Types of data
  – The way the data is processed
  – Reasonable expectations of the data subject
  – Safeguards
    • De-identification, aggregation and data minimization
    • Transparency
    • Right to Object
Current Framework. Legitimate Interests in Directive 95/46/EC
CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
Article 7
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
PRINCIPLES RELATING TO THE LEGITIMACY OF DATA PROCESSING (Spanish-language text of the Directive, translated)
Article 7
Member States shall provide that personal data may be processed only if:
a) the data subject has given his consent unambiguously, or
b) it is necessary for the performance of a contract to which the data subject is party or for the application of pre-contractual measures taken at the request of the data subject, or
c) it is necessary for compliance with a legal obligation to which the controller is subject, or
d) it is necessary to protect the vital interest of the data subject, or
e) it is necessary for the performance of a task in the public interest or inherent in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or
f) it is necessary to satisfy the legitimate interest pursued by the controller or by the third party or parties to whom the data are disclosed, provided that the interest or the fundamental rights and freedoms of the data subject which require protection under Article 1(1) of this Directive do not prevail.
Future Framework. Legitimate Interests in the Proposed GDPR
EUROPEAN COMMISSION’S PROPOSAL
(http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf)
Very similar to the 95 Directive, except:
- Call out for the protection of minors
- Carve out for processing carried out by authorities in the performance of their task
- Delegated acts
LIBE COMMITTEE’S REPORT
(http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf)
- Last resort (when the other bases do not apply)
- Explicit & separate information to the data subject
- Publishing of the reasons
- Prepopulated list of scenarios
A29 WP Opinion 6/2014. Past, Present & Future
(http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf)
• Historical lack of harmonized interpretation
• As valid as any other ground
  – Not a last resort (when everything else fails)
  – But not the ‘weakest link’ either
• What is considered a legitimate interest?
  – Lawful, clearly stated, real & present
  – From trivial to compelling
  – Necessity test
• What about the data subject interest or fundamental rights?
  – Broad interpretation
  – Legitimacy not required
• The complexity of the balancing test
  – Nature of the interest & nature of the impact
  – Nature of the data & the processing
  – Data subject’s expectations
  – Provisional balance
  – Role of additional safeguards & opt outs
• Recommendations for GDPR
  – Recitals on factors & documentation
  – Substantive provision on explanation by controllers
Legitimate Interests Absent in Latin America
Argentina (Ley 25.326 - 2000)
http://www.jus.gob.ar/media/33481/ley_25326.pdf
- General rule: free, express and informed consent (“consentimiento libre, expreso e informado”)
Mexico (LFPDPPP – 2010)
http://inicio.ifai.org.mx/LFPDPPP/LFPDPPP.pdf
- General rule: implicit consent (“consentimiento tácito”)
- Sensitive data: express consent (“consentimiento expreso”)
- Exception for de-identified data (“datos disociados”)
Perú (Ley nº 29733 – 2011)
http://www.educacionenred.pe/noticia/?portada=8167
- General rule: prior, informed, express and unambiguous consent (“previo, informado, expreso e inequívoco”)
- Sensitive data: in writing
- Exception for de-identified data (“datos disociados”)
Costa Rica (Ley nº 89698 – 2011)
http://www.archivonacional.go.cr/pdf/ley_8968_proteccion_datos_personales.pdf
- References to both express and informed consent
Nicaragua (Ley nº 787 – 2012)
http://legislacion.asamblea.gob.ni/normaweb.nsf/9e314815a08d4a6206257265005d21f9/e5d37e9b4827fc06062579ed0076ce1d
- Consent is the general rule, through written or electronic means
- Exception for de-identified data (“datos disociados”)
Colombia (Ley 1581 de 2012)
http://www.sic.gov.co/documents/10157/0/Ley_1581_2012.pdf/
- Prior & informed authorization (“autorización previa e informada”)
Brazil (Marco Civil – 2014)
http://www.planalto.gov.br/CCIVIL_03/_Ato2011-2014/2014/Lei/L12965.htm
- Express consent (“consentimento expresso”)
- Data Protection Bill still to be released