Principles and Rules for Processing Personal Data

Similar documents
IAB Europe Guidance THE DEFINITION OF PERSONAL DATA. IAB Europe GDPR Implementation Working Group WHITE PAPER

Interest Balancing Test Assessment on the processing of the copies of data subjects driving licences for the MOL Limo service

EXIN Privacy and Data Protection Foundation. Preparation Guide. Edition

Biometric Data, Deidentification. E. Kindt Cost1206 Training school 2017

CONSENT IN THE TIME OF BIG DATA. Richard Austin February 1, 2017

The EU's new data protection regime Key implications for marketers and adtech service providers Nick Johnson and Stephen Groom 11 February 2016

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy

ICC POSITION ON LEGITIMATE INTERESTS

Violent Intent Modeling System

Robert Bond Partner, Commercial/IP/IT

2

Ocean Energy Europe Privacy Policy

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: T:Drive. Safeguarding Policy Data Protection Policy

Privacy Policy SOP-031

Big Data & AI Governance: The Laws and Ethics

This policy sets out how Legacy Foresight and its Associates will seek to ensure compliance with the legislation.

Photography and Videos at School Policy

2018 / Photography & Video Bell Lane Primary School & Children s Centre

GDPR Awareness. Kevin Styles. Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals

Wireless Sensor Networks and Privacy

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

Details of the Proposal

clarification to bring legal certainty to these issues have been voiced in various position papers and statements.

First Components Ltd, Savigny Oddie Ltd, & Datum Engineering Ltd. is pleased to provide the following

The General Data Protection Regulation and use of health data: challenges for pharmaceutical regulation

EU-GDPR The General Data Protection Regulation

ICO submission to the inquiry of the House of Lords Select Committee on Communications - The Internet : To Regulate or not to Regulate?

GDPR Implications for ediscovery from a legal and technical point of view

Spring Conference of European Data Protection Authorities (Budapest, May 2016)

Big Data and Personal Data Protection Challenges and Opportunities

ARTICLE 29 Data Protection Working Party

European Union General Data Protection Regulation Effects on Research

Views from a patent attorney What to consider and where to protect AI inventions?

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Legal Aspects of the Internet of Things. Richard Kemp June 2017

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework

Ethics Guideline for the Intelligent Information Society

The GDPR and Upcoming mhealth Code of Conduct. Dr Etain Quigley Postdoctoral Research Fellow (ARCH, UCD)

MISSISSAUGA LIBRARY COLLECTION POLICY (Revised June 10, 2015, Approved by the Board June 17, 2015)

TechAmerica Europe comments for DAPIX on Pseudonymous Data and Profiling as per 19/12/2013 paper on Specific Issues of Chapters I-IV

Privacy Impact Assessment on use of CCTV

The Alan Turing Institute, British Library, 96 Euston Rd, London, NW1 2DB, United Kingdom; 3

PRIVACY ANALYTICS WHITE PAPER

Personal Data Protection Competency Framework for School Students. Intended to help Educators

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Artificial intelligence and judicial systems: The so-called predictive justice

THE EUROPEAN DATA PROTECTION SUPERVISOR, Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

BBMRI-ERIC WEBINAR SERIES #2

Societal and Ethical Challenges in the Era of Big Data: Exploring the emerging issues and opportunities of big data management and analytics

Building DIGITAL TRUST People s Plan for Digital: A discussion paper

Personal Research Data. 25 Sept 2018 Solveig Fossum-Raunehaug (Research Support Office)

IET Guidelines for Volunteers: Data Protection

Interaction btw. the GDPR and Clinical Trials Regulation

This Privacy Policy describes the types of personal information SF Express Co., Ltd. and

BARRIE PUBLIC LIBRARY COLLECTION DEVELOPMENT POLICY MOTION #16-34 Revised June 23, 2016

Policies for the Commissioning of Health and Healthcare

Global Standards Symposium. Security, privacy and trust in standardisation. ICDPPC Chair John Edwards. 24 October 2016

End-to-End Privacy Accountability

Fiscal 2007 Environmental Technology Verification Pilot Program Implementation Guidelines

networked Youth Research for Empowerment in the Digital society MANIFESTO

Use of Camera and Mobile Policy. Use of Camera and Mobile Phone Policy

Executive Summary Industry s Responsibility in Promoting Responsible Development and Use:

Artificial Intelligence and the Law The Manipulation of Human Behaviour. Stanley Greenstein

The new GDPR legislative changes & solutions for online marketing

SATELLITE NETWORK NOTIFICATION AND COORDINATION REGULATIONS 2007 BR 94/2007

European Charter for Access to Research Infrastructures - DRAFT

Interactive Workshop on Data Protection Impact Assessment

Why AI Goes Wrong And How To Avoid It Brandon Purcell

Unified Ethical Frame for Big Data Analysis IAF Big Data Ethics Initiative, Part A. Draft March 2015

12 April Fifth World Congress for Freedom of Scientific research. Speech by. Giovanni Buttarelli

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

Artificial Intelligence and Robotics Getting More Human

Surveillance and Privacy in the Information Age. Image courtesy of Josh Bancroft on flickr. License CC-BY-NC.

Ministry of Justice: Call for Evidence on EU Data Protection Proposals

Towards Trusted AI Impact on Language Technologies

Protection of Privacy Policy

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

ARTICLE 29 DATA PROTECTION WORKING PARTY

Employees, contractors and other personnel of KKR should note that a separate privacy notice will be made available to them.

Integrating Fundamental Values into Information Flows in Sustainability Decision-Making

Transparency and Accountability of Algorithmic Systems vs. GDPR?

Development and Integration of Artificial Intelligence Technologies for Innovation Acceleration

HBM4EU project. Information, Invitation and Informed Consent Lisbeth E. Knudsen, Berit A. Faber. Information and recruitment of participants

Computer Ethics. Dr. Aiman El-Maleh. King Fahd University of Petroleum & Minerals Computer Engineering Department COE 390 Seminar Term 062

(Non-legislative acts) DECISIONS

The EFPIA Perspective on the GDPR. Brendan Barnes, EFPIA 2 nd Nordic Real World Data Conference , Helsinki

Castan Centre for Human Rights Law Faculty of Law, Monash University. Submission to Senate Standing Committee on Economics

Japan s FinTech Vision

GDPR IMPLEMENTATION SISCON 2018 CONFERENCE 13/09/2018

ITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA

AI AS A FORCE OF GOOD

The Information Commissioner s role

General Questionnaire

D2. Results of the feasibility analysis

Notes from a seminar on "Tackling Public Sector Fraud" presented jointly by the UK NAO and H M Treasury in London, England in February 1998.

ISO/TR TECHNICAL REPORT. Intelligent transport systems System architecture Privacy aspects in ITS standards and systems

DaPIS: an Ontology-based Data Protection Icon Set

Towards Code of Conduct on Processing of Personal Data for Purposes of Scientific Research in the Area of Health

LAB3-R04 A Hard Privacy Impact Assessment. Post conference summary

The Information Commissioner s response to the Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence

Transcription:

data protection rules LAW AND DIGITAL TECHNOLOGIES INTERNET PRIVACY AND EU DATA PROTECTION Principles and Rules for Processing Personal Data Gerrit-Jan Zwenne Seminar III October 25th, 2017 lawfulness,fairness and transparency purpose specification and limitation data and storage minimisation accuracy effectiveness integrity accountability lawfulness can be derived from consent, vital data subject interests, legi mitate controller interests etc. time-limits on storage credit-worthiness assessments demonstrate compliance Recital 39 Art. 5(a) GDPR lawfulness, fairness and transparency means personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject fair relationship between controller and data subject processing grounds: data subject consent contract legal obligation etc. art. 7 DPD, art 6(1) GDPR collection for specified, explicit and legitimate purposes art. 5(1b) DPD, art. 5(1)(b) GDPR eg. a privacy statement no further processing in a way incompatible with purpose for which data is collected art. 6(1b) DPD, art.5(1) (b) GDPR retention no longer than necessary art. 6(1e) DPD, art. 5(1)(e) GDPR G-J. ZWENNE 2017 1

lawfulness of processing data subject consent performance of a contract compliance with a legal obligation vital interest of the data subject public authority legitimate interest of controller or third parties to whom the data are provided Art.6 GDPR conditions for consent burden of proof written declaration which also concerns another matter withdrawal of consent purpose limitation Art. 7 GDPR consent must be presented clearly distinguishable in its appearance from this other matter Art. 8 GDPR children s personal data consent of parent or guardian clear language younger than 13 years but will not affect national contract law appropriate to intended audience controller must take reasonable efforts to verify consent, taking into consideration available technology without causing otherwise unnecessary processing of personal data won t somebody please think of the children!? G-J. ZWENNE 2017 2

vital interests Art. 7(4) GDPR When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Cf. recital 43: Consent is presumed not to be freely given if it does not allow separate consent to be given to different. legitimate interest factors to consider when carrying out the balancing test : nature and source of the legitimate interest and whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest, or benefits from recognition in the community concerned; impact on the data subject and their reasonable expectations about what will happen to their data, as well as the nature of the data and how they are processed; additional safeguards which could limit undue impact on the data subject, such as data minimisation, privacy-enhancing technologies; increased transparency, general and unconditional right to opt-out, and data portability purpose specification and purpose limitation means personal data collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes personal data which airlines gathered about their passengers for flight purposes cannot subsequently be used by immigration services at the destination achmea and albert heijn Recital 39 Art. 5(1)(b) GDPR G-J. ZWENNE 2017 3

purpose limitation A substantive compatibility assessment requires an assessment of all relevant circumstances. In particular, account should be taken of the following key factors: the relationship between the purposes for which the personal data have been collected and the purposes of further processing; the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use; the nature of the personal data and the impact of the further processing on the data subjects; the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects. data minimisation means personal data is adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data Art. 5(1)(c) G DPR storage minimisation means personal data is kept in a form which permits direct or indirect identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed Art. 5(1)(e) GDPR G-J. ZWENNE 2017 4

Art. 5(1)(d) GDPR Art. 5(ea) GDPR accuracy means personal data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay effectiveness means personal data is processed in a way that effectively allows the data subject to exercise his or her rights Art. 9 GDPR Art. 5(1)(f) GDPR special (categories) of data accountability processed under the responsibility and liability of the controller, who shall ensure and be able to demonstrate the compliance with the provisions of this Regulation race or ethnic origin political opinions religion or philosophical beliefd sexual orientation or gender identity trade union membership genetic or biometric or health or sex life administrative sanctions, judgments, criminal or suspected offences, convictions, security measures processing not allowed, unless by certain controllers for their specific purposes specific exemptions such as explicit consent G-J. ZWENNE 2017 5

in cases of first and non-intentional noncompliance: a warning in writing regular periodic data protection audits What about video footage or employees photo's on the companies intranet..? LAW AND DIGITAL TECHNOLOGIES INTERNET PRIVACY AND EU DATA PROTECTION roadmap Data Protection and Datafication, Big Data and Internet-of-Things, Artificial Intelligence, Machine Learning (etc.) Gerrit-Jan Zwenne Seminar IV October 25th, 2017 What is IoT (datafication & big data anyhow? Quick recap of DP-law How IoT & Datafication & Big Data (etc.) challenge DP Law the elephant in the room G-J. ZWENNE 2017 6

IoT A. WHAT IS INTERNET OF THINGS..? WHAT IS DATAFICATION? AND WHAT IS BIG DATA? (ETC..?) big data etc. datafication Internet of Things ( IoT ) [J. Judge & J. Powles 25 May 2015] The internet of things is a vision of ubiquitous connectivity, driven by one basic idea: screens are not the only gateway to the ultimate network of networks. With sensors, code and infrastructure, any object from a car, to a cat, to a barcode - can become networked. But the question we need to ask is: should they be? And, if so, how? G-J. ZWENNE 2017 7

[J. Judge & J. Powles 25 May 2015] It s hard to see what this [ie IoT] would look like, exactly. But imagining it shouldn t just be delegated to tech companies and opportunists riding the hype cycle. Artists, designers, philosophers, lawyers, psychologists and social workers must be just as involved as engineers and internet users in shaping our collective digital future every breath you take every move you make every bond you break every step you take datafication [dey tuh fi key shuh n] a modern technological trend turning many aspects of our life into computerized data and transforming this information into new forms of value [Mayer-Schönberger & Cukier 2013] G-J. ZWENNE 2017 8

Big Data Big BS? Big Bucks! Big Data Big Brother? Big Business! Big Data is a generalized, imprecise term that refers to the use of large data sets in datascience and predictive analytics [Mayer- Schönberger & Cukier 2013] Big data can be used to identify more general trends and correlations but it can also be processed in order to directly affect individuals [WP29 2013] high-volume, high-velocity and high-variety information assets that demand costeffective, innovative forms of information processing for enhanced insight and decision making [www.gartner.com/it-glossary/big-data] a massive phenomenon that has rapidly become an obsession with entrepreneurs, scientists, governments and the media [Financial Times_2014] unprecedented computational power and sophistication make possible unexpected discoveries, innovations, and advancements in our quality of life [Whitehouse 2014] G-J. ZWENNE 2017 9

distinctive aspects of big data analytics use of algorithms opacity of the processing tendency to collect all the data repurposing of data, and use of new types of data artificial intelligence or AI the analysis of data to model some aspect of the world. Inferences from these models are then used to predict and anticipate possible future events [UK Government Office for Science 9 November 2016] giving computers behaviours which would be thought intelligent in human beings [www.aisb.org.uk/public-engagement/what-is-ai] machine learing the set of techniques and tools that allow computers to think by creating mathematical algorithms based on accumulated data [https://iq.intel.com/artificial-intelligence-and-machine-learning/] G-J. ZWENNE 2017 10

The main advantage of Big Data is that it can reveal patterns between different sources and data sets, enabling useful insights The use of Big Data by the top 100 EU manufacturers could lead to savings worth 425 billion, and by 2020, Big Data analytics could boost EU economic growth by an additional 1.9%, which means a GDP increase of 206 billion [EC The EU Data Protection Reform and Big Data Factsheet April 2015] B. QUICK RECAP OF DP LAW personal data transparancy consent or other processing ground dataminimalization purpose specification and limitation profiling etc. G-J. ZWENNE 2017 11

profiling rules for profiling automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person in particular to analyse or predict aspects concerning that natural person s performance at work economic situation health personal preferences interests reliability behaviour location or movements a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her exceptions (a) necessary for entering into, or performance of, a contract between the data subject and a data controller (b) authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests (c) based on the data subject's explicit consent. Rasterfahndung credit score Typically RAF-terrorists use cash and pay their electricity bill in person at the utility (to keep their apartments associated with a false name) a numerical expression based on a level analysis of a person's credit files, to represent the creditworthiness of the person. primarily based on a credit report information typically sourced from credit bureaus. to evaluate the potential risk posed by lending money to consumers and to mitigate losses due to bad debt G-J. ZWENNE 2017 12

online profiling or behavorial advertizing ethnic profiling advertising based on observation of behavior of individuals over time seeks to study characteristics of this behaviour through actions to develop a specific profile and provide these individuals with advertisements tailored to their interests stopping or detaining the driver of a vehicle based on the determination that a person of that race, ethnicity, or national origin is unlikely to own or possess that specific make or model of vehicle stopping or detaining an individual based on the determination that a person of that race, ethnicity, or national origin does not belong in a specific part of town or a specific place Obama search results those interactions produced data that streamed back into Obama s servers to refine the models pointing volunteers toward the next door worth a knock. The efficiency and scale of that process put the Democrats well ahead when it came to profiling voters 37. Also, the organisation and aggregation of information published on the internet that are effected by search engines with the aim of facilitating their users access to that information may, when users carry out their search on the basis of an individual s name, result in them obtaining through the list of results a structured overview of the information relating to that individual that can be found on the internet enabling them to establish a more or less detailed profile of the data subject G-J. ZWENNE 2017 13

correlation causation C. HOW IOT & DATAFICATION & BIG DATA (ETC.) CHALLENGE DP LAW in a big-data age most innovative secondary uses [of data] haven't been imagined when the data is first collected. How can companies provide notice for a purpose that has yet to exist? How can individuals give informed consent to an unknown? [Mayer-Schönberger & Cukier 2013] free, specific, informed and unambiguous 'optin' consent would almost always be required, otherwise further use cannot be considered compatible [WP29 2013] personalization stigmatization discrimination dehumanization presumtion of innocence etc. G-J. ZWENNE 2017 14

questions? g.j.zwenne@law.leidenuniv.nl G-J. ZWENNE 2017 15

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback