The document summarizes key aspects of the proposed EU Privacy Regulation update. It discusses the original goals of updating existing regulations to account for technological changes and increase citizen and data protection authority rights. However, heavy lobbying from US tech companies and governments has watered down some proposals. Key features of the updated regulation include strengthened definitions, data protection by design, breach notification requirements, data portability and access rights, the right to erasure, and an expanded international scope. Sensitive health and biometric data have additional protections, and research has new consent standards. Penalties for non-compliance were increased, with fines of up to 100 million euros.
2. Who’s talking..
• LL.M., Ph.D. (Technology law)
• At TKK (Aalto) since 2001
• At Helsinki University since 2009
• Partner, Turre Legal
• Founder, Electronic Frontier Finland
- Currently Vice Chairman
• Blogger - “Lex Oksanen”
18 March 2014
4. Original goal
• To update the existing regulation to meet
the change in technologies
• To give more rights to both citizens and
also data protection authorities
5. However..
• “Regulatory capture” in action
• Heavy lobbying from e.g.
• U.S Government
• Facebook, Google etc.
• To water down the proposal
10. Key features
• “Clarified” definitions
• Data protection by Design
• Accountability + Notification of breaches
• Portability + Right to Access (for free)
• Right to Erasure
• International regulatory scope?
11. Sensitive data (Article 9)
• ...revealing race or ethnic origin, political opinions,
religion or philosophical beliefs, sexual orientation or
gender identity, trade-union membership and activities,
and the processing of genetic or biometric
data or data concerning health or sex life,
administrative sanctions, judgments, criminal or suspected
offences, convictions or related security measures
• (h) processing of data concerning health is necessary for
health purposes and subject to the conditions and safeguards
referred to in Article 81; or
• (i) processing is necessary for historical, statistical or scientific
research purposes subject to the conditions and safeguards
referred to in Article 83; or
12. Right to access and to obtain data
2a. Where the data subject has provided the personal
data where the personal data are processed by electronic
means, the data subject shall have the right to obtain from
the controller a copy of the provided personal data in an
electronic and interoperable format which is
commonly used and allows for further use by
the data subject without hindrance from the
controller from whom the personal data are
withdrawn. Where technically feasible and available, the
data shall be transferred directly from controller to
controller at the request of the data subject.
13. Profiling
• Highly visible notification about right to object
• Definition: “'profiling' means any form of automated
processing of personal data intended to evaluate
certain personal aspects relating to a natural person
or to analyse or predict in particular that natural
person’s performance at work, economic situation,
location, health, personal preferences, reliability or
behaviour;”
14. Data protection by Design
Article 23: “...Data protection by design shall have
particular regard to the entire lifecycle
management of personal data from collection to
processing to deletion, systematically focusing on
comprehensive procedural safeguards regarding
the accuracy, confidentiality, integrity, physical
security and deletion of personal data.”
15. Right to Erasure
• Most controversial feature
• Many open questions
• Practical (backups? Who pays the costs?)
• Content-specific (photographs?
Discussions?)
• Application to data given to 3rd parties?
16. Respect to Risk
• “The controller .. shall carry out a risk analysis of
the potential impact of the intended data
processing on the rights and freedoms of the data
subjects, assessing whether its processing
operations are likely to present specific risks.”
• “(d) processing of personal data for the
provision of health care,
epidemiological researches, or
surveys of mental or infectious
diseases, where the data are processed for
taking measures or decisions regarding specific
individuals on a large scale;”
17. Designation of the data protection officer
• 1. The controller and the processor shall
designate a data protection officer in any case
where:
• ..d) the core activities of the controller or
the processor consist of processing special
categories of data pursuant to Article
9(1), location data or data on children or
employees in large scale filing systems.
22. Penalties
• “At least”
• “a warning in writing in cases of first
and non-intentional non-compliance;
• regular periodic data protection
audits;
• a fine up to 100 000 000 EUR or up
to 5% of the annual worldwide
turnover in case of an enterprise,
whichever is higher.
23. Article 80a: Access to documents
• National law
• “Reconciles the right to the protection of
personal data with the principle of public
access to official documents.”
• Notification to the Commission
24. Processing of personal data concerning health
• Based on law (EU or national)
• “consistent, and specific measures to
safeguard the data subject's interests and
fundamental rights, to the extent that
these are necessary and proportionate,
and of which the effects shall be
foreseeable by the data subject”
25. 3 categories of data
• “preventive or occupational medicine, medical
diagnosis, the provision of care or treatment or the
management of health-care services”
• “reasons of public interest in the area of public health,
such as protecting against serious cross-border threats
to health or ensuring high standards of quality and
safety
• “other reasons of public interest in areas such as social
protection, especially in order to ensure the quality and
cost-effectiveness of the procedures used for settling
claims for benefits and services in the health insurance
system”
26. Research exceptions
• Consent required
• “Where the data subject's consent is required for the
processing of medical data exclusively for public health
purposes of scientific research, the consent may be given
for one or more specific and similar researches.”
• Anonymisation or pseudonymisation under the highest
technical standards
27. Article 83
Processing for historical, statistical and scientific research
purposes
1. In accordance with the rules set out in this Regulation, personal
data may be processed for historical, statistical or scientific research
purposes only if:
(a) these purposes cannot be otherwise fulfilled by processing data
which does not permit or not any longer permit the identification of
the data subject;
(b) data enabling the attribution of information to an identified or
identifiable data subject is kept separately from the other
information under the highest technical standards, and all necessary
measures are taken to prevent unwarranted re-identification of the
data subjects.