
Data Protection Compliance

Data Protection Compliance. Professor Ian Walden Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University of London. Introductory Remarks. Personal data ‘processing’: collecting, using, disclosing & transferring personal data Compliance


Presentation Transcript


  1. Data Protection Compliance Professor Ian Walden Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University of London

  2. Introductory Remarks • Personal data • ‘processing’: collecting, using, disclosing & transferring personal data • Compliance • data controller • ‘determines purpose and means’ • e.g. SWIFT case • data processor • e.g. Web host • “shall be in writing or in another equivalent form” (art. 17(4))

  3. Transparency • Obligation • fair processing (art. 6(1)) • when using networks to store information or gain access to information stored on user's terminal equipment (02/58/EC, art. 5(3)) • e.g. ‘cookies’ • ‘provided with clear and comprehensive information’ • Timing • when collected from data subject (art. 10) • when not obtained from data subject (art. 11) • unless already has it

  4. Transparency • Content of notification • identity, purposes, recipients, consequences, right of access • Right of access (art. 12) • personal data • meta-data • purposes, disclosures, source • right of rectification, erasure, blocking • notification of third parties • Notification to national authority (art. 18)

  5. Transparency • Related legislation • Distance-selling Directive 97/7/EC: art. 4 (prior information), art. 5 (written confirmation) • Distance-selling of financial services Directive 02/65/EC: art. 3 (prior information), art. 4 (additional requirements), art. 5 (communication of terms & information) • eCommerce Directive 00/31/EC: art. 5 (general), art. 6 (commercial communications), art. 10 (contract process) • Form • ‘durable medium’ • “which enables the consumer to store information addressed personally to him in a way accessible for future reference” (02/65/EC, at art. 2(f)) • ‘easily, directly and permanently accessible to the recipients of the service’

  6. Processing Personal Data • Consent • “freely given, specific and informed” • Ex ante • as one ground for legitimising processing • as sole ground for legitimising processing • use of traffic data for ‘marketing’ or ‘provision of value added services’ (02/58/EC, art. 6(3)) • Ex post • right to object to processing for the purposes of ‘direct marketing’ (art. 14(b))

  7. Processing Personal Data • nature • implied (opt-out) & explicit (opt-in) • ‘unambiguously’ • ‘special categories of data’ (art. 8) • Directive 99/93/EC, art. 8(2) re: certification service providers • timing • prior • Directive 02/58/EC, art. 13(1): unsolicited communications • Alternative grounds • performance of a contract (transactional) • compliance with a legal obligation (regulatory)

  8. Problem of Children • From marketing to social networking sites, e.g. Bebo, Facebook • When is a child independent? • OIC: 12 yrs; FEDMA: 14 yrs • Children’s Online Privacy Protection Act of 1998 • directed at children under 13, or knowingly collects • otherwise, not under a duty to investigate age of visitors • ‘verifiable parental consent’ • e.g. email with digital signature • enforcement • UMG Recordings $400,000 and Bonzi Software $75,000

  9. Transferring Data • Question of applicable law (art. 4) • “..for purposes of processing personal data makes use of equipment..” • transit exception • web-based forms • Lindqvist (2003) • uploading to web does not mean ‘transfer’ (para. 68) • ‘Adequate level of protection’ (art. 25) • ‘in the light of all the circumstances’ • Community findings (art. 25(6)) of adequacy • Switzerland, Hungary, Canada, Argentina, US ‘Safe Harbor’

  10. Transferring Data • Derogations (art. 26) • consent • specified need, e.g. “on important public interest grounds, or for the establishment, exercise or defence of legal claims;” • But SWIFT case: “only important public interests identified as such by the national legislation applicable to data controllers established in the EU are valid in this connection.” (WP 128) • authorised by national authority • e.g. contractual provisions, binding corporate rules
