Data Protection by Design and by Default. à la European General Data Protection Regulation

Transcription

1 Data Protection by Design and by Default à la European General Data Protection Regulation Marit Hansen Data Protection Commissioner Schleswig-Holstein, Germany IFIP Summer School 2016 Karlstad, 26 August 2016 Setting of ULD Data Protection Authority (DPA) for both the public and private sector Also responsible for freedom of information Source: en.wikipedia.org/ wiki/schleswig-holstein Source: 2

2 Overview (1) General Data Protection Regulation (2) Related work Privacy-Enhancing Technologies Privacy by Design Standard Data Protection Model (3) Data Protection by Design by Default What? Really new? Will it work? Remarks (4) Conclusion 3 (1) General Data Protection Regulation Idea: One for All and All for One Objective: real harmonisation But: 70 opening clauses ( variables for Member States) 8/85/Unus_pro_omnibus%2C_omnes_pro_uno.jpg 4

3 (1) GDPR: Objectives fulfilled? Harmonisation of law Abstraction of rules Opening clauses Harmonisation of competition Market location principle See above Modernisation Compared with 1995 Compared with DE-2001 Future-proof New starting point? 5 (1) GDPR: Back to the last base Photo: Bjoern von Thuelen 6

4 (1) GDPR: Tools & methods to be employed Opening clauses Data protection by design Data protection by default Data protection impact assessment Certification Sanctions Courts Photo: Johan Aulin 7 (1) GDPR: Importance of design Recital 4 The processing of personal data should be designed to serve mankind. [ ] 8

5 (1) GDPR: Importance of design Recital 4 The processing of personal data should be designed to serve mankind. [ ] 9 Overview (1) General Data Protection Regulation (2) Related work Privacy-Enhancing Technologies Privacy by Design Standard Data Protection Model (3) Data Protection by Design by Default What? Really new? Will it work? Remarks (4) Conclusion 10

6 (2) Related work Privacy-Enhancing Technologies (see e.g. PET Symposium) Privacy by Design with many flavours, e.g. privacy engineering, privacy patterns, Standard Data Protection Model [ ] 11 (2a) Use of Privacy-Enhancing Technologies (PETs) for data protection The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules. The use of PETs should result in making breaches of certain data protection rules more difficult and/or helping to detect them. European Commission, MEMO/07/159 12

7 (2a) Maturity of PETs: state of the art? PETs = important building blocks (2014) (2015) 13 (2b) Privacy by Design (PbD) as proposed by Cavoukian 14

8 Imbalance in power data protection necessary Important: Perspective of the individual Photo: Hernán Piñera 15 (2c) Protection goals: more than IT security Confidentiality Unlinkability classical IT security protection goals*) Integrity Intervenability *) From the data subject s perspective Transparency Availability 16

9 (2c) Standard Data Protection Model Determination of the necessary level of protection ( normal, high, very high ) Identification of risks and proper safeguards Protection goals as structure + for same understanding All German DPAs recommend this model; suitable for Supervision Audits Data Protection Impact Assessment Work for : catalogues of reference protection measures Envisioned: repositories with info on maturity, conditions etc. 17 (2c) Standard Data Protection Model To be integrated in the Data Protection Management System of the controller 18

10 Overview (1) General Data Protection Regulation (2) Related work Privacy-Enhancing Technologies Privacy by Design Standard Data Protection Model (3) Data Protection by Design by Default What? Really new? Will it work? Remarks (4) Conclusion 19 (3) Data protection by design & by default 20

11 (3a) Data protection by design Article 25 Data protection by design and by default (1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 21 (3a) Data protection by design Article 25 Data protection by design and by default Many limiting conditions suitable as shabby excuses? (1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 22

12 Limiting conditions state of the art and the cost of implementation? Identical wording in Art. 32 Security of processing 23 Limiting conditions state of the art and the cost of implementation? On EU level nothing new, see Data Protection Directive 95/46/EC 24

13 Limiting conditions state of the art and the cost of implementation? _Not_ contained in Art. 24 GDPR: responsibility 25 (3b) Data protection by default Article 25 Data protection by design and by default Unclear: same as purpose limitation (Art. 5)? (2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. Social network clause 26

14 Compare with: Privacy by Default à la Cavoukian Privacy as the default setting: If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy it is built into the system, by default. Photo: anncavoukian.com 27 Compare with: EDPS comment from 2012 The principle of data protection by default aims at protecting the data subject in situations in which there might be a lack of understanding or control on the processing of their data, especially in a technological context. The idea behind the principle is that privacy intrusive features of a certain product or service are initially limited to what is necessary for the simple use of it. The data subject should in principle be left the choice to allow use of his or her personal data in a broader way. Opinions/2012/ _EDPS_Reform_package_EN.pdf 28

15 (3b) Data protection by default cases Article 25 Data protection by design and by default (2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. Let s discuss a few cases: - Social networks - Tracking on the Internet - Conference participation - Choice of payment model - Storage location 29 Some hints in Recital 78 (I) (78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. [ ] Required to demonstrate compliance 30

16 Some hints in Recital 78 (I) (78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. [ ] Required to demonstrate compliance Data minimisation Early pseudonymisation Transparency Monitoring of data processing by the data subject Expandable security 31 Some hints in Recital 78 (II) [ ] When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders. How to encourage producers or products? Ah, public tenders may help. 32

17 Does the GDPR oblige controllers to employ the following data protection measures? ABCs? Anonymisers for the Internet? Transparency tools? 33 Data protection by design controller s perspective in 2016 Photo: Martin Cox Minimum: For optimum on top: Photo: Paul B Low-key interpretation of the legal rules Documentation of internal policies and measures Awaiting requirements of supervisory bodies Awareness of responsibility (CEO; at best supported by Data Protection Officer) Acting proactively Knowing and extending solution space Striving for certification Implementing a data protection management system for entire lifecycle Interacting with other actors and disciplines for improving technologies and workflows 34

18 Possible fines according to Art. 83 Article 83 General conditions for imposing administrative fines (1) Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. [ ] (4) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; 35 BTW: All translations are equivalent, aren t they? [FR] Article 25: Protection des données dès la conception et protection des données par défaut [ES] Artículo 25: Protección de datos desde el diseño y por defecto [DE] Artikel 25: Datenschutz durch Technikgestaltung und durch datenschutzfreundliche Voreinstellungen [SV] Artikel 25: Inbyggt dataskydd och dataskydd som standard [NL] Artikel 25: Gegevensbescherming door ontwerp en door standaardinstellingen 36

19 (3) Summary: Data Protection by Data Protection What? Really new? Will it work? Remarks by Design Implement t+o measures & integrate safeguards to meet reqs from GDPR: at best built-in data protection No, but hardly ever enforced before + powerful mechanism requires much knowledge at controller & DPA fig leaf approach possible: do a tiny bit and show documentation Producers are not directly addressed. Who takes care of infrastructures? by Default 37 (3) Summary: Data Protection by Data Protection What? Really new? Will it work? Remarks by Design Implement t+o measures & integrate safeguards to meet reqs from GDPR: at best built-in data protection No, but hardly ever enforced before + powerful mechanism requires much knowledge at controller & DPA fig leaf approach possible: do a tiny bit and show documentation Producers are not directly addressed. Who takes care of infrastructures? by Default Basically implemented purpose limitation No, but hardly enforced before + powerful mechanism likely to be circumvented (e.g. by combination with nice features) Very narrow definition in the GDPR; wide interpretation possible? 38

20 Data protection by design and by default Demanded by the General Data Protection Regulation With focus on the perspective of the individuals Conclusion Important: reducing limiting factors and giving incentives R & D for data protection solutions Knowledge about possible solutions Outcome dependent on commitment and initiative of stakeholders Controllers / processors Producers Data Protection Authorities Research community Photo: Johan Aulin 39 Thank you for your future commitment! Marit Hansen ULD, Holstenstr. 98, Kiel, Germany marit.hansen@datenschutzzentrum.de

21 References (2014) (2015) Handbuch.pdf (2015)[English translation in progress] Hansen/Jensen/Rost: Protection Goals for Privacy Engineering, Proc. 1st International Workshop on Privacy Engineering, IEEE, Funding Notice Privacy & Us partly funded by MSCA-ITN-2015-ETN Marie Skłodowska-Curie Innovative Training Networks Project Number: Forum Privatheit und selbstbestimmtes Leben in der Digitalen Welt (Privacy-Forum) partly funded by the German Federal Ministry of Education and Research