UNIVERSITE DE FRIBOURG INFORMATICS COLLOQUIUM - 31 January 2017 - sigma legal
DATA PROTECTION & PRIVACY
The Upcoming Framework Governing the Protection of Personal Data (GDPR)
Challenges and how to strike the right balance
UNIVERSITE DE FRIBOURG INFORMATICS COLLOQUIUM, 31 January 2017
Overview
1. Introduction
2. GDPR and impact for Tech ventures in CH
3. Specificities for Research Projects
4. Consent & Contract
5. Q&A and Conclusion
“Watching the legal system deal with the internet is like watching somebody trying to drive a car by looking only in the rear-view mirror” The Guardian – Oct. 6, 2013
1. Introduction: Context
2018: the year the EU GDPR takes effect. This will be the first significant update of data protection laws in Europe for more than 23 years (i.e. the current laws predate the internet, mobile phones, clouds, big data, AI, etc.).
1. Introduction: Context
- 20-year-old data protection regulation in the EU and in Switzerland.
- GDPR = EU Regulation 2016/679 (entry into force on May 25, 2018).
- P-DPA = Draft Data Protection Act of Sept. 15, 2017.
- Tech evolution: both are driven by the need to adapt to the technological evolution.
- Other regulations in the EU and Switzerland (e.g. Swiss Human Research Act of Sept. 30, 2011).
- Many developments in EU Member States/Courts potentially influencing EU and Swiss law (e.g. Germany).
- But keep in mind… Privacy Shield; California law (a dozen new laws every year to address various challenges, including a data security breach notification law in 2002, a requirement to publish website privacy policies in 2004 and rules for automated license plate scanning in 2016).
1. Introduction: Context
- GDPR as the regulatory reference.
- BEST PRACTICE: complying with GDPR as best practice.
- WORLDWIDE: no excuses for penalties, there was a 2-year advance warning! GDPR applies practically worldwide (e.g. to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects)…
- NO WAY TO ESCAPE: GDPR applies to every entity processing data (collection, recording, structuring, storage, adaptation, consultation, use, disclosure, making available, etc.), wholly or partly, by automated or non-automated processing, directly or for others.
- Almost everything is personal data (names, localization, online ID, cultural profiles, IP addresses, dynamic IP addresses, etc.).
- Empowerment of data protection authorities.
2. GDPR and impact for Tech Ventures in Switzerland
Examples of Rights of Data Subjects and Corresponding Obligations for Controllers

Right: Information. Right to know how your data is used (for what purposes, how long, if shared, if transferred outside the EU, etc.).
Obligation: Communication and Notification:
- Notification to the data subject when personal data is obtained indirectly, i.e. other than directly from the data subject.
- Notification to the data subject of his or her right to object to profiling and to processing for direct marketing purposes or automated decisions.
- Notification to authorities (and in case of high risk also the data subjects) in case of data breach.

Right: Right to object. Possibility to object at any time to processing of personal data.
Obligation: Consent. Obligation to get clear consent to process data.

Right: Right to Access. Request for confirmation as to whether or not personal data concerning him or her is being processed, where and for what purpose.
Right: Portability. Request for a copy of the personal data, free of charge, in an electronic format.
Obligation: Obligation to provide data to the Data Subject or to a new supplier chosen by the Data Subject in a commonly used and machine-readable format.

Right: Erasure. Request for the deletion of personal data (+ Right to be forgotten).
Obligation: Delete information (from all servers, backups, etc.) and provide confirmation of deletion.
2. Do I need a DPO?
1. I am a Public Authority or Body. YES: DPO needed. NO: go to 2.
2. My core activities consist of processing on a large scale data relating to criminal convictions and offences (Art. 10 GDPR). YES: DPO needed. NO: go to 3.
3. My core activities consist of processing on a large scale data pursuant to Art. 9 (sensitive data). YES: DPO needed. NO: go to 4.
4. My core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. YES: DPO needed.
DPO needed (Art. 37 (1) (a) GDPR).
2. GDPR and impact for Tech Ventures in Switzerland - Examples
Example of Right to Access: You bought a fitness tracker and subscribed to a health app that monitors your activity. You can ask the app operator for all the information processed on you. This includes all subscription data (such as your name and contact details where relevant) and all information collected about you through the tracker (such as heart rate, performance, etc.).
Source: https://www.edoeb.admin.ch/edoeb/fr/home/documentation/bases-legales/Datenschutz%20-%20International/DSGVO.html
Example of compliance for a Data Controller: Thomson Reuters World-Check, https://risk.thomsonreuters.com/en/products/world-check-know-your-customer/am-i-on-world-check.html
Specificities for Research Projects
3. Data Protection and Research Projects
3.1 Right to Collect and Use for Research Purposes
Specific assessment in each case. Right based on…
- Consent:
  - Ordinary: GDPR 4(11): statement or clear affirmative action (not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
  - Qualified: GDPR (interpretation): explicit consent for sensitive data.
- Other lawful bases, including legitimate interest of the controller (except if overridden by the interest of the data subject) and public interest:
  - Interpretation of GDPR (in particular Recital 157): research purpose as public interest.
  - If carried out by a private organization or for commercial purposes: balancing test?
  - GDPR 89: safeguards to be put in place.
  - GDPR 40: codes of conduct.
3.2 Right to Reuse for Research Purposes
Specific assessment in each case. Right based on…
- Consent:
  - Ordinary: GDPR 4(11): statement or clear affirmative action (not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
  - Qualified: GDPR (interpretation): explicit consent for sensitive data.
- Other lawful bases, including legitimate interest of the controller and public interest:
  - GDPR 6(4): processing operations for another purpose compatible with the initial purpose (compatibility test).
  - GDPR 5(1)(b): further processing for research purposes shall not be considered to be incompatible with the initial purposes (purpose limitation).
  - GDPR 89: safeguards to be put in place.
3.3 Processing for Research Purposes: Safeguards
Specific assessment in each case. Safeguards:
- Principles, incl.: Protection by design; Protection by default (anonymisation, pseudonymisation, minimisation) (initial set-up); Accountability (records of processing); Data integrity and confidentiality.
- Processes, incl.: DPO; Data Protection Impact Assessment; Notification in case of breach.
- Obligation to inform data subjects / Transparency: Privacy policy; Exemption in case of disproportionate efforts relating to a research project.
3. Specificities for Research Projects Right to Collect and Use
Contracts and Policies
4. Consent & Contracts
Possible contractual relationships to consider for the tech venture:
- Tech Service Providers (Swisscom, Cloud Service, XaaS)
- Other Providers (Lawyers, accountants, consultants)
- Public Institutions
- Sister, mother and daughter entities (branch, subsidiaries)
- Tech Partners, Joint Ventures
- Investors
- Employees
- Board members
- Customers (of the venture and of each of the parties above)
4. Consent & Contracts
Specific assessment in each case. Right based on…
- Consent:
  - Ordinary: GDPR 4(11): statement or clear affirmative action (not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
  - Qualified: GDPR (interpretation): explicit consent for sensitive data.
- Other lawful bases, including legitimate interest of the controller (except if overridden by the interest of the data subject) and public interest:
  - Interpretation of GDPR (in particular Recital 157): research purpose as public interest.
  - If carried out by a private organization or for commercial purposes: balancing test?
  - GDPR 89: safeguards to be put in place.
  - GDPR 40: codes of conduct.
Consent forms: example (diagram of the data flows between Users and Advertisers)
http://www.dw.com/en/facebook-faces-german-cartel-office-probe-on-exploiting-user-data/a-42001928
5. Conclusion: Right Balance and Guidance?
- GDPR
- Specificities for research
- Consent & contract
Joëlle Becker ⋮ Partner ⋮ Attorney at law (Geneva Bar) ⋮ Ph.D. ⋮ joelle.becker@sigmalegal.ch
Adrien Alberini ⋮ Partner ⋮ Attorney at law (Geneva Bar) ⋮ Ph.D. ⋮ LL.M. (Stanford) ⋮ adrien.alberini@sigmalegal.ch
Vincent Pfammatter ⋮ Partner ⋮ Attorney at law (Geneva Bar) ⋮ LL.M. (Berkeley) ⋮ vincent.pfammatter@sigmalegal.ch

sigma legal is an innovative law firm, assisting companies at every step of their life. The partners of sigma legal have in common significant expertise in commercial, contractual and corporate law, as well as academic and professional experiences abroad (Berkeley, Stanford, Harvard). They specialize in innovation law, from technology to arts, covering fields such as Technologies & Brands, Data Protection & Privacy, Art, Media & Entertainment, Philanthropy, Non-Profit & Organizations and Competition. sigma legal addresses your legal challenges, at all stages, by providing legal advice, assisting you in the context of negotiations, drafting your legal documents, interacting with authorities on your behalf and carrying out due diligences in its fields of expertise. sigma legal further provides dispute resolution services, in the context of domestic and international litigation and arbitration.

sigma legal ⋮ Rue de Berne 10 ⋮ 1201 Geneva ⋮ T + 41 22 715 00 55 ⋮ F + 41 22 715 00 50 ⋮ www.sigmalegal.ch