Data Protection

DATA PROTECTION
Georgios N. Yannopoulos
Associate Professor at the University of Athens
[email protected]

Data protection: Content

 “...the legal protection of individuals with regard to automatic processing of
personal information relating to them...”
 (Council of Europe Convention on Data protection)

 Threat to privacy by computerisation v free flow of information (Recital 7 of the Directive)

 Extent:
 legal persons?

 manual records?

 public or private sector?

[email protected] 2

Similar Terms
 DP and data security

 DP and ‘right to privacy’

 Data Protection: provides a framework for finding a balance

 Scandinavia: ‘Freedom of Information Laws’ - Personal identifiers

 Germany: ‘informational self determination’

 DP and freedom of information: Access right to public archives

 Council of Europe recommendations R(81)19, R(91)10 & R(2001)3

 Access to public sector information- Directive 2003/98

 Information Society: Directives 98/34, 98/84 & 2000/31

[email protected] 3

1
[email protected]
 Data Protection

International developments
 Arts.8 & 10 European Convention for Human Rights

 Convention for the Protection of Individuals with Regard to Automatic Processing

of Personal Data, Council of Europe, Strasbourg, 28 January 1981 (& recommendations)
 OECD: Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980

 UN: draft ‘guidelines for the regulation of computerised personal data files’ - Commission on
Human Rights
 Greek Constitution

 2§1, 5§1 – 5A, 9 & 9A

[email protected] 4

The 8 principles: 1 & 2

COLLECTION LIMITATION: OBTAINED AND PROCESSED fairly and lawfully

1 


the subject must not be misled: inform him/her about other uses
hang notice or print leaflet (not enough)
 consent needed if information for research will be disclosed to third parties
 Electronic concent ?

2 PURPOSE SPECIFICATION: HELD for one or more specified and lawful purposes
 special attention when information obtained from third parties (harvesting)

 e.g. NOT use personnel files for sales

[email protected] 5

The 8 principles: 3 & 4

USE LIMITATION: Must be adequate and relevant and not excessive in relation to the

3 registered purposes
 minimum information / not unlimited information
 THE PRINCIPLE OF ‘P U R P O S E ’
 subjects have the right to be informed
 NOT Irrelevant information / NOT accidentally or incidentally aquired data

DATA QUALITY: Must be accurate or amended to meet accuracy and where necessary
4 kept up to date
 correct as soon as possible, update whenever necessary
 inform third parties, indicate the source of third party information

[email protected] 6

2
[email protected]
 Data Protection

The 8 principles: 5 & 6

TIME LIMITATION: Shall not be kept for longer than is necessary for the specified

5 purpose
NOT EVERYTHING FOR EVERYONE FOREVER

TRANSPARENCY: The ‘data subject’ has the right of:

6 

INFORMATION: to know if data is held about him/her,
ACCESS: to access any such data held
 OBJECTION: where appropriate to have such data corrected or erased
 & OBLIVION / PORTABILITY / PROFILING / AUTOMATISATION
 Robinsons’ lists

[email protected] 7

The 8 principles: 7 & 8

SECURITY & CONFIDENTIALITY: Appropriate security measures must be taken in
7 order to avoid:
A. unauthorised access,
• fix the computer in a secure room and change
passwords regularly
• standard backup (at least daily)
B. unauthorised alteration,
• failure to keep backup = breach
C. unauthorised disclosure, • placement of screens - subject not to see others’ data
• maintenance and transfer of data - shred printouts
D. accidental loss
• inform subjects about computer staff

8
DATA TRANSFERS: Only to third countries with adequate level of protection
 Safe harbour / Privacy Shield
 Schremps

[email protected] 8

Directive 95/46: Structure

on the protection of individuals with regard to the processing of personal data and on the
free movement of such data
 Pieces from national legislation / Political compromise / Member States allowed to derogate

 General structure:

 obligations of the data controller

 rights of the data subject

 institutions (‘Authorities’ of supervision and cooperation)

 transnational data flows

 Art. 29 Working Party – Art. 31 Committee European DP Board [68/Reg] – Committee [93/Reg]

[email protected] 9

3
[email protected]
 Data Protection

Directive 95/46: Scope & terms

 Definitions (art.2)

 ‘PERSONAL DATA’: any information relating to an identified or identifiable natural person

 ‘THE CONTROLLER’ (art.2(d)) :determines the purposes and means of the processing of personal data

 ‘PROCESSOR’: processes personal data on behalf of the controller

 ‘PERSONAL DATA FILING SYSTEM’: structured set of personal data

 ‘DATA SUBJECT’S CONSENT’: freely given specific and informed indication

 Transparency
 Explicit

 Manual processing (in a filing system)

 Private and public sector

[email protected] 10

10

The Directive: Legitimate processing

 SIX (6) criteria for legitimate (lawful) processing (art.7):

(1) consent of the data subject  GDPR art. 6§1(a)

(2) performance of a contract  GDPR art. 6§1(b)
(3) legal obligation of the controller GDPR art. 6§1(c)
(4) vital interest of the data subject GDPR art. 6§1(d)
(5) public interest or exercise of official authority GDPR art. 6§1(e)
(6) ‘legitimate interests’ of the controller GDPR art. 6§1(f): pursued by the controller or by a
third party, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject which require
protection of personal data, in particular where the data subject is a child.
[email protected] 11

11

Special categories of data

“data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data concerning health or sex life”
Art 9 GDPR  & genetic data, biometric data for the purpose of uniquely
identifying a natural person, or sexual orientation & criminal convictions /
offences
 Additional controls for ‘special categories of data’ (art.8)

 Supervisory authority (art.28)

 Data users had to notify the supervisory authority (art.18) before any processing

GDPR processing only if one of the exceptions of art. 9 §2 (a) to (j)

[email protected] 12

12

4
[email protected]
 Data Protection

The Directive: The Rights

 Data subjects have the right:
 to be informed
 at the time of collection (art.10)

 when not obtained from the data subject (art.11)

 right of access (art.12)

 right to object certain categories of processing (art.14)

 general right not to be subject to ‘automated decisions’ (art.15)

[email protected] 13

13

Under the Directive the Data Controller had to observe:

 General material obligations
legitimacy (art.7)

data quality principles (art.6)

exemptions (e.g national security)

confidentiality and security (arts.16 & 17)

 Specific material obligations
 sensitive data (art.8(1)) (exemptions)
 data relating to criminal offences (art.8(5)): under control of Authority
 data for journalistic purposes (art.9): freedom of expression
 Procedural obligations
 Notification, Simplification

[email protected] 14

14

Transborder Data Flows

 Transfers to third countries:
 should ensure an ‘adequate level of protection’ (art.25) / adequacy to be determined
in art.25(2)
 exceptions (art.26)
 contractual terms
 Public interest / rights in front of courts
 Vital interest
GDPR  standard contractual clauses (SCCs) / binding corporate rules (BCRs)

[email protected] 15

15

5
[email protected]
 Data Protection

Directives for electronic communications

 E-privacy 2002/58: concerning the processing of personal data and the
protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications)
 SPAM MAIL
 Data Retention 2006/24: on the retention of data generated or processed
in connection with the provision of publicly available electronic
communications services or of public communications networks and amending
Directive 2002/58/EC
 !!! Cancelled by ECJ C-293/12 & C-594/12 Digital rights Ireland
 Cookies Directive 2009/136: amending 2002/58

[email protected] 16

16

Sanctions and case -law

 Sanctions: Administrative, Criminal, Civil (compensation)
 Case-law:
 C-101/2001, Bodil Lindqvist (DP & Internet)
 C-73/07, Satamedia (DP & traditional press)
 C-275/2006, Promusicae (reveal of PD for copyright)
 C-131/12, Google (Costeja González) (right to oblivion)
 C-230/14 Weltimmo (competence of different Authorities)
 C-362/14 Schrems
 WG29 Opinions:
 4/2007 (definition of personal data), 1/2008 (search engines), 5/2009 (online social networks)

[email protected] 17

17

23 years of Directive 95/46

 Directive:
 Tried to establish good computer practice
 To balance the right to informational self-determination with the need for
free flow of information
 To determine principles for data security
 Technological developments -Web 2.0
 Trend towards simplification
 Self-regulation - codes of conduct
 Very difficult to regulate transborder data flows

[email protected] 18

18

6
[email protected]
 Data Protection

The new “package”

1. Regulation (EU) 2016/679 (GDPR) [25 May 2018]

2. Directive (EU) 2016/680 (Police Directive) [6 May 2018]

3. Directive (EU) 2016/681 (Passenger Name Record – PNR) [25 May 2018]

 Special procedures for consent over the Internet

 The right to “Oblivion” (to be forgotten)

 Special provisions for social networks and web 2.0

 Liability:
 Each controller / processor: jointly and severally liable for the entire damage

 STRICT liability of the controller: Processing must be performed according to Regulation

[email protected] 19

19

GDPR: 25th MAY 2018

 Immediate effect
 Cancels national legislation
 99 articles, 173 preambles, 88 pages.
 FINES: 20 mil. € or 4% worldwide turnover
 NEW RIGHTS
 NEW OBLIGATIONS (I – IV)
 PROPOSED MEASURES (1‐4)

[email protected] 20

20

NEW RIGHTS
 Right to erasure (‘right to be forgotten’ / ‘oblivion’) [17]: may ask erasure if no longer
necessary in relation to the purposes
Exceptions: freedom of expression – information / legal obligation – public interest / public health / archiving-
scientific-historical-statistical / legal claims

 Right to restriction of processing [18]

 Data portability: to receive & transmit in machine readable format [20]

 Right to object profiling [21]

 Right to object automated individual decision-making [22]

 AT LEAST the right to obtain human intervention
 NOT to be based on special categories of personal data

[email protected] 21

21

7
[email protected]
 Data Protection

I. LIABILITY OF THE CONTROLLER

CONTROLLER: Must implement appropriate technical and organisational measures to ensure and
to be able to demonstrate that
PROCESSING IS PERFORMED IN ACCORDANCE WITH THE REGULATION [24§1]
ACCOUNTABILITY
 Liable for the damage caused by processing which infringes the Regulation [82§2]
PROCESSOR also Liable: …if not complied with GDPR obligations specifically directed to
processors or has acted outside or contrary to lawful instructions of the Controller
 & in third countries ! [28, 82§2]

[email protected] 22

22

II. ACCOUNTABILITY
 Clear & plain language regarding :
 processing of data [14]
 Duration of storage
 Contact details of CONTROLLER or DPO
 The right to lodge a complaint with a supervisory authority

 Notify DATA BREACH within 72 hrs !

 To the AUTHORITY [33§1]
 & the Data Subject [34§1]
 Maintain RECORDS (if > 250 employees or high risk) [30§5]

[email protected] 23

23

III. Privacy by design & by default

The Controller shall:
 both at the time of the determination of the means for processing and at the time of the
processing itself, implement Appropriate Technical and Organisational Measures
(ATOM), .. in order to meet the requirements of this Regulation [25§1]
 The Controller shall implement ATOM for ensuring that, by default,
ONLY PERSONAL DATA WHICH ARE NECESSARY FOR EACH SPECIFIC
PURPOSE OF THE PROCESSING ARE PROCESSED [25§2]
ATOM: pseudonymisation / data minimisation / integrate safeguards

[email protected] 24

24

8
[email protected]
 Data Protection

IV. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

 WHEN HIGH RISK to the rights and freedoms of natural persons: [35§1]
a) IF evaluation of personal aspects
b) IF processing on a large scale of special categories
c) IF systematic monitoring of a publicly accessible area
CONTAINS:
1) Description of processing & the legitimate interest of the controller;
2) Assessment of necessity and proportionality of the processing in relation to purpose;
3) Assessment of the risks to the rights and freedoms of data subjects
4) Measures envisaged to address risks and demonstrate compliance with Regulation BALANCING the rights
and legitimate interests of data subjects and other persons concerned.
• Cost ?

[email protected] 25

25

MEASURES (1-3)
1. Internal Data Protection POLICY
 ATOM [pr. 78, 24§2]
 Transparency & Information to data subjects
2. Codes of Conduct
 Sumbmission to Authority [40§5]
 General Validity [40§9]

3. Cerification Mechanisms
 Voluntary accredition [43§3]
 DO NOT EXEMPT FROM LIABILITY

[email protected] 26

26

DATA PROTECTION OFFICER (DPO) - (4)

OBLIGATORY for public authorities or bodies and for private entities WHEN:
 regular and systematic monitoring of data subjects on a large scale
 processing on a large scale of special categories of data
 personal data relating to criminal convictions and offences
 INDEPENDENT / NOT SUBJECT TO ORDERS FROM CONTROLLER
“…expert knowledge of data protection law and practices…” [37§5]
 Must keep confidentiality
 Fine:10 mil. € or 2% annual worldwide turnover

[email protected] 27

27

9
[email protected]
 Data Protection

Case-Law
 C-496/17 Deutsche Post (1st case under GDPR)
 C-210/16 Wirtschaftsakademie Schleswig-Holstein [FB is Controller]
 C-40/17 Fashion ID [«LIKE»(FB), Controller, consumer information, unions]
 C-136/17 GC et al. “…the operator must, … taking into account … the data subject’s fundamental
rights to privacy and protection of personal data… ascertain, having regard to the reasons of substantial
public interest … whether the inclusion of that link … is strictly necessary for protecting the freedom of
information of internet users…”
 C-507/17 Google [ Oblivion – only in EU]

[email protected] 28

28

10
[email protected]