
CIPP E Summary

This document summarizes key concepts and definitions from the EU General Data Protection Regulation (GDPR), including: 1) It defines personal data, controllers, processors, and the fundamental data protection principles of fair and lawful processing, purpose limitation, and data quality. 2) It outlines the criteria for legitimate processing of personal data and the additional restrictions around sensitive personal data. 3) It discusses international data transfers and the mechanisms like Safe Harbor and Binding Corporate Rules to legally transfer data outside the EU. It also covers the role and powers of data protection regulators and the Article 29 Working Party.


Richard C. Hsu
Shearman & Sterling
CIPP/E Privacy Summary* [email protected]

Personal Data
• “Any Information”
• “Relating to”
  • Content: if about an individual
  • Purpose: processed to affect individual
  • Results: impact on individual
• “Identified or Identifiable”
  • Directly: possible to identify using all means likely to be used
  • Indirectly: eg using pseudonymous data
• “Natural Person”
  • May extend to deceased persons

Data Protection Concepts

Sensitive Personal Data
• Special Categories
  • Racial or ethnic origin
  • Political Opinions
  • Religious Beliefs
  • Philosophical Beliefs
  • Trade Union Memberships
  • Health or Sex Life
• Directive has general prohibition, subject to exceptions
• Some member states have created “mid-categories”

Processor
• “Natural or legal person (other than EE of controller)”
• Separate legal entity from Controller
• “Processes personal data on behalf of controller”
• Does not have authority to allocate rights to process data

Controller
• “Natural or legal person, public authority or agency”
• Should be corporate entity, not individual
• “Alone or jointly with others”
  • Does not have to be same time or equal in proportion
• “Determines the purposes and means of processing data”
  • Ability to decide how personal data is being processed

Data Subject

Legitimate Processing Criteria

Personal Data
• Article 7
• Can process Personal Data if satisfies 1 of the following criteria:
  1. Unambiguous Consent
     • Freely given
     • Specific
     • Informed
  2. Contractual Necessity
  3. Compliance with Law
  4. Protection of Vital Interests
  5. Public Interest/Official Authority
  6. Legitimate Interests of Controller

Sensitive Personal Data
• Article 8
• Processing is generally prohibited unless:
  • Explicit Consent
    • Like Article 7 consent but must be clear affirmative act
  • Employment Law
  • Protection of Vital Interests
  • Non-Profit Memberships
  • Made public by individual
  • Defense of Legal Claims

Fundamental Data Protection Principles

Fair and Lawful
• Article 6(1)(a)
• “Fair” -- must disclose:
  • Identity of controller
  • Purpose of data
  • Right to access and rectify data
• “Lawful” -- Must satisfy data protection laws and cannot be in breach of:
  • Enforceable Contract
  • Duty of Confidence
  • Human right to privacy

Purpose Limitation
• Article 6(1)(b)
• Attempts to set boundaries on use and purpose
• Exception for research purposes
• Principle of Finality (only collected purpose)
• A29WP says ok to use for other purposes if data is anonymized

Proportionality
• Article 6(1)(c)
• Use of data cannot be excessive or irrelevant
• “You must not use a steam hammer to crack a nut, if a nutcracker will do”

Data Quality
• Accuracy
  • Must be accurate when collected and remain accurate
• Retention
  • Article 6(1)(e)
  • Requires controllers to (a) delete irrelevant data after no longer needed or (b) anonymize

Application of the Law

EU Directive
• Article 4(1)(b)
• Law of a member state applies when data processing is carried out “in the context of the activities” of an “establishment” of Controller
• Article applies only if (a) entity is involved in actual processing and (b) does so as a Controller

Equipment
• Article 4(1)(c)
• Applies to physical computer network located in the EU and operated remotely (but could apply to the entire Internet!)

Establishment in the EU
• Article 4(1)(c)
• More controversial than any other provision in the Directive
• National data protection law applies to a Controller that makes use of Equipment in that member state, unless that Equipment is used for “transit”

Transit
• Article 4(1)(c)
• No authoritative guidance on definition of “transit”
• If Equipment used in processing merely receives and automatically transmits data (solely as a conduit), it is exempt

*Adapted from IAPP CIPP/E Privacy Certification



International Data Transfer

Derogations
• Article 26(1) provides for general prohibition of data transfer with 6 Exceptions:
  1. Consent
  2. Contract Performance
  3. Substantial Public Interest
  4. Legal Claims
  5. Vital Interests
  6. Public Registers

Safe Jurisdictions
• Switzerland; Hungary (part of EEA); Canada; Argentina; Guernsey; Isle of Man; Jersey; Faroe Islands; Andorra; Israel

Safe Harbor
• US Dept of Comm and EU developed 7 requirements that satisfied Directive which must be publicly declared:
  1. Notice
  2. Choice
  3. Onward Transfer
  4. Security
  5. Data Integrity
  6. Access
  7. Enforcement
• Safe Harbor is no longer in effect as of 2016

Binding Corporate Rules (BCR)
• A29WP Advisory Documents
• Self-audits
• Individual complaints must be addressed
• Clear duties of cooperation with DPA
• Must have provisions on liability and jurisdiction

Model Contracts
• Article 26(2): requires adequate safeguards for transfer
• Article 26(4): can use standard contractual clauses (ICC and BCI)

Supervision and Enforcement

Regulators Core Powers
• Article 28(3)
• Investigative Powers
• Powers of Intervention by Regulators
• Power to engage in legal proceedings
• Receiving and dealing with complaints
• Annual Reports
• International Cooperation

Compensation and Sanctions
• Article 23:
  • Pursue damages claims
• Article 24
  • Member states can create administrative sanctions

Article 29 Working Party
• Not a regulatory body, but role is incredibly broad
• Principal Outputs
  • Opinions
  • Working Documents
  • Annual Reports
• Spots divergences

European Data Protection Supervisor (EDPS)
• EDPS is the data protection regulator for the EU as an entity
• Article 46: EDPS’s duties
• Article 47: EDPS’s powers
• Regulation 45/2001 mirrors the Directive

Notification Requirements

Notifying DPA
• Article 18(1)
• Member states must ensure that Data Controller notify relevant DPA before any processing of Personal Data
• Notification must be immediate and could have criminal penalties

Purpose of Notifying DPAs
• Foster transparency
• Assist DPA in regulatory functions
• Provide DPA source of funds

Content of Notification
• Article 19 stipulates content of notification

In Practice
• “Per System”
  • Hardware or software a company uses to carry out particular function or activity
• “Per Use or Purpose”
  • Notification for each data processing purpose (eg HR or marketing)

Prior Checking / Authorization
• Article 20
• May require processor to perform “prior checking” and approval from DPA (eg Sensitive Personal Data)
• “Prior checking” is carried out by DPA following request or notification from Data Controller

Confidentiality and Security

Appropriate Technical and Organizational Measures to Protect Personal Data
• Article 17
• Provides risk based approach for determining appropriate controls
• Consider nature of data, threat vector and harm from security breach
• Risk Assessment also includes “state of the art” test and cost requirement

Layered Privacy Notices

Human Factors
• Board level issue
• Culture for security

Physical Environment
• Entry control systems, CCTV, lock and key

Info Tech and Comm
• Encryption, privacy-enhancing technologies, 2 factor authentication, etc.

Data Processors

Engaging Processors
• Maintain quality control
• Checklist for DD and contract provisions


Regulators

European Parliament
• Members directly elected

Council of the EU
• Main decision-making body of the EU
• One minister from each member state

European Council
• Heads of Member States + Pres of EC
• Sets political direction

European Commission
• Executive body of the EU
• Resp. for Member State implementation and “Adequacy Findings”

EU Court of Human Rights (ECHR)
• No powers of enforcement

European Court of Justice
• Judicial body of the EU (Luxembourg)

Legislative Framework

108 Convention (1981)

The “Directive”
• EU Data Protection Directive (95/46/EC)
• Gen’l principles for member states to implement

Data Retention Directive
• Addresses retention of data
• Does not cover actual content; only applies to traffic and location data

E-Privacy Directive
• Concerns processing personal data over the Internet and public networks

Amendment to e-Privacy Directive
• Mandatory data breach notifications
• Use of cookies and storage of information on terminal equipment requires user consent

Information Provision Obligations

Notice
• Article 10
• Must provide Data Subject at least the following info:
  • “Identity of Controller”
  • “Purposes of processing” and
  • “Further information” such as:
    • “Recipients of subject data”
    • “Right of access”
    • “Right to rectify data”

Exemptions to Providing Data Subject Notice
• Data Controller does not have to provide Data Subject information under Article 10 if:
  • Data Subject already has the information
  • Personal Data used for statistical purposes or for historical or scientific research; and
  • The provision of information would either be “impossible” or have “disproportionate effect”
  • Recording or disclosure of Personal Data is required by law

Layered Privacy Notices
• Layer 1: the short notice, which includes the requirements of Article 10
• Layer 2: the condensed notice, which includes point of contact for questions
• Layer 3: the full notice

Data Subject Rights

Right of Access
• Article 12(a)
• Provides right of access “without constraint at reasonable intervals and without excessive delay or consent”
• Reasonable interval is generally interpreted as once a year

Right to Rectification
• Article 12
• Data must be “accurate and, where necessary, kept up to date”
• With or w/out specific request, Data Controller must remedy inaccurate data on his own accord

Right to Object to Marketing
• Drafted favorably toward controller
• Default is that Controller can send marketing messages until recipient “opts out”

Right to Object to Processing
• Article 14
• Allows individuals to assert their right to “informational self-determination”

Right not to be subject to fully automated decisions
• Article 15
• Right is cast narrowly, entitling individuals to prevent the automated decision from being made, not automated processing itself


Employment

Processing Employee Data
• Legal Basis:
  1. Consent from EE
  2. Necessary to fulfill employment contract
  3. Necessary to meet legal obligation
  4. Legitimate interest
• Explicit consent required for processing Sensitive Personal Data
• Must provide EE with notice about use and purpose of data
• Storage of data is permissible while employed

Whistle Blowing Policies
• Limit reporting individuals (vs individuals incriminated)
• Anonymous reporting should not be encouraged
• Limit scope of reports
• Establish strict data retention policy
• Policies should be provided to EE
• Reports must be secure

3 Types of Comms Data
• Content (conversation; email)
• Traffic Data (metadata of content)
• Location Data (could be traffic data)

Communications
• Article 5(1)
• Prohibits surveillance without user consent, except when legally authorized under Article 15(1)
• Does not include technical storage or recording of comms to evidence a business transaction
• Article 15(1) enables member states to make exceptions for national security or public safety, etc

Surveillance

Closed Circuit TV (CCTV)
• If video surveillance falls under Directive, must comply with its requirements
• Compliance requires:
  • Prior Checking
  • Lawful
  • Proportionality
  • Rights of Individual

Workplace Monitoring
• EE has right to privacy; but must be balanced with ER’s right to protect business from harm
• Monitoring must be in compliance with data protection principles:
  • Necessity
  • Legitimacy
  • Proportionality
  • Transparency

Biometric Data
• Ex: DNA or fingerprints
• Used for ID purposes
• Constitutes personal data, could be sensitive personal data
• Processing of Biometric Data may require “Prior Checking”
• Use must be proportional to need

Marketing

Direct Marketing
• Direct Marketing is marketing to an individual
• Direct Marketing is broadly defined by A29WP; but Directive only applies to marketing which uses personal data (including charities and non-profits)
• Postal marketing which uses personal data must comply with Directive, but not e-Privacy Directive

Telemarketing
• Telemarketing is form of digital marketing and subject to Directive
• No prior consent required; but Article 13(3) requires right to “opt-out”
• Most member states have national opt-out register
• Prior “opt-in” consent req’d for automated calling

Direct email Marketing
• Generally requires prior “opt-in” consent before email marketing by providing “fair processing notice” at the time of data collection
• “Soft Opt-In Rule”: email marketing ok w/out consent “in the context of the sale of a product or service”
  • Must be similar product or services
  • Must provide free and easy opt-out availability

Internet

Web Cookie Issues
• ID non-essential cookies
• Assess level of intrusion
• Provide enhanced notice
• Consider options to provide choices

Cloud Computing
• EU-based controllers must comply w/Directive in member state which they operate
• Controller based outside EU but has equipment located in EU must comply
• Controller is responsible for data protection rules
• Cloud service providers must ensure that suppliers:
  • Process personal data in accordance with customer’s instruction
  • Process only as necessary for provision of services
  • Implement appropriate tech and org measures
• International data transfer rules apply
• Can rely on Article 26 Derogations or model contracts

IP Addresses
• Some member states consider personal data

Outsourcing
• Ensure suppliers put into place data protection and appropriate security measures
