Data Protection Essay PDF

Preview

Summary

GDPR...

Description

STUDENT ID: u1627043 WORD COUNT: 3212

Critically evaluate the difference that the new EU Data Protection Regulation will make in Europe. WHAT IS GDPR AND ITS AIMS The EU Data Protection Regulation (GDPR)1 was recently adopted to replace the Data Protection Directive (Directive) 2. It is designed to harmonise data privacy laws across Europe and give greater protection towards individuals. It also significantly streamlines the regulatory environment for businesses. The GDPR introduced new restrictions in light of the rapid advancement of technological changes, the evolvement of data and addressed data breaches, as we move towards an increasingly global networked environment.As we move towards an increasingly global networked environment with rapid technological changes, the evolvement of data has fundamentally changed the way data is collected, stored, and used. In light of this, the GDPR seeks to increase transparency to strengthen the rights of individuals in this digital age and grow the digital economy. In contrast with the previous Directive, the GDPR is directly applicable to all EU Member States which will allow legal certainty and remove potential obstacles facilitating thefor free flow of personal data. The GDPRIt mandates a higher privacy setting by ensuring organisations integrate privacy measures into their system. I will address some of the key changes of the GDPR compared to the previous Directive and discuss the impact it will make in Europe to individuals, business and organisations (entities).

1. Increased TTerritorial and Material Scope The GDPR represents a significant increase in territorial reach over its predecessorin scope of application, both materially and geographically, and clarifies its applicability. 3 The GDPR applies to (i) data controllers and processors located in the EU, regardless if processing takes place in the EU;, (ii) data controllers and processors not located in the EU but process personal data of individuals located in the EU for 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR) ) [2016] OJ L 119/1 2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281/31 3 Article 2, Article 3 GDPR

1

those that offer goods and services in the EU, or monitor behaviour of EU citizens; (iii) a Member state national that is applicable to the case.4 Compared to the Directive, GDPR involves more organisations to comply as itIt is now broaden the scope of applicability and is directly applicable to all Member States. Entities carrying out any processing of personal data is subjected to the GDPR. This includes entities targeting the EU internal market irrespective of the location of establishment.This enhances the protection of individuals in the EUurope. This enhances the protection of individuals in the EU. Nevertheless, there are certain activities that fall outside the GDPR , as it acknowledges that data protection rights are not absolute and must be balanced with other rights including . “freedom to conduct a business”. Member States are allowed to legislate on data protection matters in which some provisions may be further specified or restricted by a Member State law. OrganisationEntitiess in certain sectors and Member States can also introduce “special rules” which would individualise or liberalise the GDPR. 5 This could cause a divergent in laws adopted by each Member State which will restrict and cause inconsistencies throughout Europe and hinder the effects that the GDPR seeks to bring. . 2. Personal Data Redefined The GDPR provides clarification of some important privacy terms. 6 The new definitions are broad and fairly all-encompassing. This is important because privacy has different connotations for different people groups and businesses. It also reflects the types of data organisations collect to include online identifiers such as IP addresses. Previously, enforcement was left within the organisations itself, but by defining these terminologies clearly, the GDPR sets a standard for understanding privacy and hold organisations to a higher standard. GDPR also includes a broader definition by introducing “special categories” of personal data, commonly known as sensitive data which now includes genetic and biometric data. Although the definition and recitals are broader than the equivalent definitions in the previous Directive, for the most part they are simply codifying previous guidance and case laws on the meaning of 'personal data'. With the stringent requirements, organisations and businesses are encouraged should to turn to pseudonymisation 7 when collecting and utilizing data. usage of Pseudonymisation is a process that renders data neither anonymous nor directly identifying it with individuals. It separates data so that is not attributed to a specific individual. It allows risks associated with data processing to be significantly reduced while maintaining data utility. is a new definition where processing of data does is not attributed to a specific “data subject”.pseudonymous 8 as it enjoys benefits such as in the event of a data breach, the pseudonymous data will likely cause less harm to individuals and therefore reducing the risks of sanctions and claims for the organisations. This 4 Article 3 GDPR – Territorial Scope Article 3 GDPR 5 Ibid n3 6 Article 4 GDPRibid Article 4 7 ibid Article 4 (5) 8 Articles 4(5),ibid Article 4 (5) 25 GDPR

2

encourages organisations to only use identifiable personal data as a last resort where anonymous or pseudonymous data is not sufficient for the specific purpose. Alternatively, encryption can be used by replacing identifiers with something else. Organisations can utilise both these tools to handle personal data. The change in definition of personal data is important as it reflects the changes in technology and how organisations collect data about individuals. This The change is welcomed for individuals who seek to have greater protection, however, it complicates matters for organisations in terms of marketing and sales. Due to the high sanctions, organisations would seek to minimise exposure by processing data that is necessary and securely erase personal data or render it fully anonymous., reducing the amount of data subject to the requirements of GDPR. 3. Data Controllers And Data Processors Compared to the Directive, the definitions of controller and processor are essentially identical but the main difference is the introduction of direct obligations for data processors. However, only limited provisions apply directly to processors, most of them apply indirectly. Under the GDPR, data processors will be required to contract with data controllers to process personal data and responsibility will be delegated from controllers to processors. Data processors may be jointly and severally liable together with the data controller. 9 Asides, data protection authorities have the power to impose hefty fines on both controllers and processors. Processors have an indirect obligation to ensure that processing is compliant with the GDPR which appears to be a wider obligation than the Directive which focused on guaranteed security processing. Data controllers represents a central figure when it concerns the protection of the rights of data subjects. They control the overall purpose and means of the data used. Data controllers can process the personal data obtained but they can also outsource the data to third parties - data processors. Control is still retained with the data controller, the data processor merely processes the data according to the instructions and purpose given by the data controller. Furthermore, controllers are obligated to engage in those processors that provide sufficient guarantees to implement appropriate measures. Processors have an indirect obligation to ensure that processing is compliant with the GDPR which appears to be a wider obligation than the Directive which focused on guaranteed security processing. Albeit the different obligations, the roles of the data controller and processors complement each other to achieve transparency and accountability by shifting responsibility to those who handle personal data. For example, appointment of data protection officers 10 and the obligation to conduct to impact assessments 11. The GDPR establishes a framework for where there is a divergence in communication between both data controllers and processors to facilitate close coordination between the two to ensure compliance.. It implements the principle of accountability by shifting responsibility to those who handle personal data. For example, 9 Article 26(2) GDPR 10 Section 4 GDPR 11 Article 35 GDPR

3

appointment of data protection officers assessments13.

12

and the obligation to conduct to impact

Organisations will need familiarise themselves with the differing obligations to ensure compliance. Previously, controllers could cover their potential liability by outsourcing certain obligations to processors as the Directive did not deal with the issue. Now, processors are placed on a higher pedestal to ensure that their obligations are specifically defined as theThey should also conduct careful due diligence when outsourcing their data to third-party providers. The imposition of direct obligations on processors are often similar to those controllers. For example, they are subjected to the same data security obligations, and similar documentation requirements, appointment of DPO and are required to cooperate directly with EU data protection regulators. Consequently, it can also be argued that the distinction between processors and controllers under the GDPR, whilst is still important, may be less significant than it was under the Directive. 14 4. Data Security and Data Breach Notification The GDPR has introduced stricter obligations with regards to data security and has offered guidance on the security standards. Previously, EU member states Member States each adopted different data breach notification laws. The GDPR introduces a specific breach notification guideline for both supervisory authorities and the affected data subjects. Breach timeline and Procedures The GDPR adopts a wide view as to what constitutes a data breach which could potentially cover various situations. Controllers have a general reporting duty towards Supervisory Authorities. 15 When aware of a data breach, cControllers have to notify within a 72-hour time frame after being aware of the breach. 16 or without undue delay. 17Included should be the likely consequences of the breach, and what the controller has done to address and mitigate the breach. Asides, communication must also be made to data subjects unless exempted. Data subjects have to be notified of the breach with undue delay if the breach is likely to result in an infringement of rights and freedom of individuals. But is exempted if the data has been securely encrypted and there is no compromise. Alternatively, a public communication would be sufficient if individual notification involved disproportionate effort. 18

12 Section 4 GDPR 13 Article 35 GDPR 14 HintMichael Hintzee M., ‘Data Controllers, Data Processors, and the Growing Use of Connected Products in the Enterprise: Managing Risks, Understanding Benefits, and Complying with the GDPR ’ (2018), Journal of Internet Law (Wolters Kluwer), August 2018 < https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3192721 > accessed 11 April 2019 15 Article 33 GDPR 16 Article 34 GDPR 17 Article 34 GDPR 18 ibid

4

By enforcing this, organisations entities will have to develop a data breach system to enable notification in the event of a breach. The short timeline and information required to be provided will pose a significant challenge for organisations entities to simultaneously address the issues associated with the breach and maintain ongoing operations. Furthermore, identification of data breaches has becoming increasingly challenging. Once discovered, organisations entities could also face issues with assessing the impact and reporting. Organisations will likely want to avoid the negative publicity of these disclosures and the hefty fines for non-compliance. Previously, under the Directive, the penalties were decided by the Member States, however, penalties are now mandatory and uniform throughout Europe. This will prompt organisations entities to increase their risk assessments and their end-to-end security enhancements. .

5. Information governance and security Privacy by Default and Design 6. Privacy: Data Regulation Comparing with the Directive, Pprivacy by default and privacy by design areis now a legal requirementsmandatory. 19 Privacy by default requires data controllers to ensure guarantee that organisations should ensure that personal data are not by default available to an indefinite number of people. This also means that specification of data must be given before processing by informing individuals.This setting will maximise privacy of data subjects without them doing anything and will help protect individuals that lack technical knowledge or time to implement privacy friendly setting personally. 20 Additionally, the complexity of online services and data makes it difficult for assessment of the impact of technical settings on data protection. Privacy by design requires data controllers to implement technical and organisational measures such as pseudonymisation in place – to minimise personal data processing. The GDPR effectively extends responsibility so as to ensure that organisations create systems that ensure data protection. Organisations need to account privacy at the beginning of its new product, processes or services that involve personal data. Pseudonymisation is a new definition where processing of data does is not attributed to a specific “data subject”. Privacy by design is a proactive approach through mitigation of potential risks. This can be achieved by ensuring that privacy and data protection are key considerations in each stage of the project and then throughout the lifecycle of the relevant data process. 21 Organisations have to adopt a more risk-based approach to take into account the nature, purposes, context scope of the processing and the implications. Organisations have to ensure that privacy and data protection are key considerations in each stage of the project and then throughout the lifecycle of the relevant data 19 Article 25 GDPRdata protection by design and default 20 Scholz, in: Simitis, BDSG, § 3a ( 2014), rec. 40. 21 Information Commissioner’s Office, “Data protection by design and default’ (2018) accessed 10 April 2019

5

process. 22 This requires the organisation to adopt a more risk- based approach to take into account the nature, purposes, context scope of the processing and the implications. The GDPR It gives more control to individuals over their personal data but also provides a conformance framework for businesses by defining unified guidelines. It also presses busentitiesinesses, especially those dealing with sensitive personal data, to build their information systems in a privacy - friendly setting. These regulations aim to ensure a more transparent handling and processing of personal data, and create an environment of trust and awareness on both sides, i.e. the data owner as well as the controllers/processors. The GDPR attempts to aid companies entities in their structure and formalise subject areas like risk assessment and decision making to allow companies to work efficiently and achieve compliance with privacy rules. These requires companies to incorporate privacy into the processes of their products and services.

7. New Individual Rights

The GDPR has created new rights for individuals and strengthened as well as extended some of the existing rights of data subjects.

Right of access: Individuals can now request an organisation for the data collected through a Subject Access Request (SAR). 23 Previously, a fee was charged but GDPR makes it free. Organisations are to provide the information requested within a month along with a copy of the personal data, in an electronic format. In comparison with the previous Directive, the GDPR requires more information to be provided 24 which will allow a data subject to make decisions about his rights based on concrete information provided instead of abstract privacy statements. This increases transparency and empowers individuals, however, organisations may have to incur significant costs in retrieving personal data. Right to be Erasure/Right to be forgotten: Individuals are also given powers to erase their data in certain circumstances. where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there's no legitimate interest, and if

22 Information Commissioner’s Office, “Data protection by design and default’ (2018) accessed 10 April 2019 23 Article 15 GDPR 24 ibidArticle 15(1)(h)

6

it was unlawfully processed. 25 This is known as the right to be forgotten. It also goes a step further, where applicable , to halt any third party use of that data. Companies may need to maintain comprehensive data inventories, accelerate data-governance strategies, and potentially re-architect key systems in order to more efficiently process these requests. Right To Data Portability : Individuals can obtain and reuse their personal data provided so that it can be easily transferred to another data controller for a different services. 26Hence, data can be moved, copied or transferred easily from one IT environment to another in a safe and secured way. This does not allow dataData controllers are now unable to retain personal data for longer than necessary . It is however,. However, it is unclear how apparentclear the right to individuals to move their data from one service provider to another will stretch. Enhanced Right to Information and Transparency: The GDPR extends the right of individuals by requiring controllers to inform data subject s about the envisaged retention period, the right to withdraw consent and the right to lodge complaints. Controllers have to provide information in a concise, transparent, intelligible and easily accessible mannere got, using clear and plain language. The GDPR clarifies and further develops the rights of data subjects. HoweveNonethelessr, a data subject may be prevented from exercising his right. For example, data subjects may not benefit from the his rights if there they can’t identify the parties that might process their data or cannot value the provided information. The right to data portability will not improve protection if the competitors of the controller process the data in the same manner. It can be argued that tThe GDPR merely alleviates the disadvantaged data subjects. 27 Personal data will still be processed by controller in other ways. The GDPR does not provide tools towards data subjects to maintain an overview of the operations of controllers. For these reasons, the aim to strengthen control of individuals is limited. The GDPR merely provides a way for individuals to seek redress if there is a clear indication that there is lack of protection of data. This , however, does not develop or allow data subjects to actively or substantially assert control over the processing of personal data. Hence, data subjects still remain in a disadvantaged position. 8. Consent 9.

25 Article 17 GDPR 26 Article 20 GDPR 27 P.T.J. Wolters, ‘The Control by and Rights of the Data Subject Under the GDPR’ Edited By DLA Piper (2018) 22 Journal of Internet Law 1. accessed 10 April 2019

7...