Tag Archives: data portability

CNIL publishes GDPR compliance toolkit

Posted on March 17, 2017 | 1 comment

CNIL published this week a useful guide for all organisations thinking to start getting ready for GDPR compliance, but asking themselves “where to start?”. The French DPA created a dedicated page for the new “toolkit“, while detailing each of the six proposed steps towards compliance by also referring to available templates (such as a template for the Register of processing operations and a template for data breach notifications – both in FR).

According to the French DPA, “the new ‘accountability’ logic under the GDPR must be translated into a change of organisational culture and should put in motion internal and external competences”.

The six steps proposed are:

  1. Appointing a “pilot”/”orchestra conductor” [n. – metaphors used in the toolkit], famously known as “DPO”, even if the controller is not under the obligation to do so. Having a DPO will make things easier.
  2. Mapping all processing activities (the proposed step goes far beyond data mapping, as it refers to processing operations themselves, not only to the data being processed, it also refers to cataloging the purposes of the processing operations and identifying all sub-contractors relevant for the processing operations);
  3. Prioritising the compliance actions to be taken, using as starting point the Register and structuring the actions on the basis of the risks the processing operations pose to the rights and freedoms of individuals whose data are processed. Such actions could be, for instance, making sure that they process only the personal data necessary to achieve the purposes envisaged or revising/updating the Notice given to individuals whose data are processed (Articles 12, 13 and 14 of the Regulation);
  4. Managing the risks, which means conducting DPIAs for all processing operations envisaged that may potentially result in a high risk for the rights of individuals. CNIL mentions that the DPIA should be done before collecting personal data and before putting in place the processing operation and that it should contain a description of the processing operation and its purposes; an assessment of the necessity and the proportionality of the proposed processing operation; an estimation of the risks posed to the rights and freedoms of the data subjects and the measures proposed to address these risks in order to ensure compliance with the GDPR.
  5. Organising internal procedures that ensure continuous data protection compliance, taking into account all possible scenarios that could intervene in the lifecycle of a processing operation. The procedures could refer to handling complaints, ensuring data protection by design, preparing for possible data breaches and creating a training program for employees.
  6. Finally, and quite importantly, Documenting compliance. “The actions taken and documents drafted for each step should be reviewed and updated periodically in order to ensure continuous data protection”, according to the CNIL. The French DPA  provides a list with documents that should be part of the “GDPR compliance file”, such as the Register of processing operations and the contracts with processors.

While this guidance is certainly helpful, it should be taken into account that the only EU-wide official guidance is the one adopted by the Article 29 Working Party. For the moment, the Working Party published three Guidelines for the application of the GDPR – on the role of the DPO, on the right to data portability and on identifying the lead supervisory authority. The Group is expected to adopt during the next plenary guidance for Data Protection Impact Assessments.

If you are interested in other guidance issued by individual DPAs, here are some links:

NOTE: The guidance issued by CNIL was translated and summarised from French – do not use the translation as an official source. 

***

Find what you’re reading useful? Please consider supporting pdpecho.

1 Comment

Posted in Europe, GDPR, News

Tagged , , , , , , , , , , , ,

WP29 published its 2017 priorities for GDPR guidance

Posted on February 9, 2017 | Leave a comment

The Article 29 Working Party published in mid January the new set of priorities for providing GDPR guidance for 2017. This happened after WP29 published in December three sets of much awaited Guidelines on the application of the GDPR: on Data Protection Officers, on the right to data portability and on identifying the lead supervisory authority (pdpEcho intends to provide a closer look to all of them in following weeks). So what are the new priorities?

First of all, WP29 committed to finalise what was started in 2016 and was not adopted/finalised by the end of the year:

  • Guidelines on the certification mechanism;
  • Guidelines on processing likely to result in a high risk and Data Protection Impact Assessments;
  • Guidance on administrative fines;
  • Setting up admin details of the European Data Protection Board (e.g. IT, human resources, service level agreements and budget);
  • Preparing the one-stop-shop and the EDPB consistency mechanism

Secondly, WP29 engaged to start assessments and provide guidance for.

  • Consent;
  • Profiling;
  • Transparency.

Lastly, in order to take into account the changes brought by the GDPR, WP29 intends to update the already existing guidance on:

  • International data transfers;
  • Data breach notifications.

If you want to be a part of the process, there are good news. WP29 wants to organise another FabLab on April 5 and 6 on the new priorities for 2017, where “interested stakeholders will be invited to present their views and comments”. For more details, regularly check this link.

It seems we’re going to have a busy year.

 

Leave a comment

Posted in Europe, GDPR, News

Tagged , , , , , , , , ,

EU Commission’s leaked plan for the data economy: new rules for IoT liability and sharing “non-personal data”

Posted on December 15, 2016 | Leave a comment

It seems that it’s the season of EU leaks on internet and digital policy. One day after the draft new e-Privacy regulation was leaked (to Politico), another document appeared online (published by Euractiv) before its adoption and release – a Communication from the European Commission on “Building a European data economy”.

It announces at least two revisions of existing legal acts: the Database Copyright Directive (96/9) and the Product Liability Directive (85/374). New legislative measures may also be needed to achieve the objectives announced in the draft Communication. However, the Commission is not clear about this and leaves a lot of the decision-making for after the results of wide stakeholder and public consultations are processed.

The common thread of most of the policy areas covered by the Communication is “non-personal data”. The Commission starts from the premise that while the GDPR allows for the free movement of personal data within the EU, there are currently no common rules among Member States for sharing, accessing, transferring “non-personal data”. Moreover, the Commission notes that the number of national measures for data localisation is growing.

“The issue of the free movement of data concerns all types of data: enterprises and actors in the data economy deal with a mixture of personal and non-personal data, machine generated or created by individuals, and data flows and data sets regularly combine these different types of data”, according to the draft Communication.

And what is truly challenging is that “enterprises and actors in the data economy will be dealing with a mixture of personal and non-personal data; data flows and datasets will regularly combine both. Any policy measure must take account of this economic reality”.

If you are wondering what is meant by “non-personal data”, the draft Communication provides some guidance to understand what it refers to. For instance, the draft Communication mentions that “personal data can be turned into non-personal data through the process of anonymisation” and that “the bulk of machine-generated data are not personal data”. Therefore, anonymisation and de-identification techniques will gain even more importance.

While the GDPR covers how personal data are used in the EU, the proposals that will be made on the basis of this Communication envisage the use of all the other data.

So what does the Commission propose?

Several objectives are announced, most of them dealing with the free flow of and access to “non-personal data”, while another objective looks at reforming liability rules to accommodate algorithms, Artificial Intelligence and the Internet of Things.

Free flow of and access to non-personal data

  • According to the draft Communication, any Member State action affecting data storage or processing should be guided by a ‘principle of free movement of data within the EU’.
  • Broader use of open, well-documented Application Programming Interfaces (APIs) could be considered, through technical guidance, including identification and spreading of best practice for companies and public sector bodies.
  • The Commission could issue guidance based on the Trade Secrets Directive, copyright legislation and the Database Directive on how data control rights should be addressed in contracts. The Commission intends to launch the review of the Database Directive in 2017.
  • Access for public interest purposes – public authorities could be granted access to data where this would be in the general interest and would considerably improve the functioning of the public sector, for example access for statistical offices to business data or the optimization of traffic management systems on the basis of real-time data from private vehicles.
  • Selling and acquiring databases could be regulated. “Access against remuneration”: a framework based on fair, non-discriminatory terms could be developed for data holders, such as manufacturers, service providers or other parties, to provide access to the data they hold against remuneration. The Communication is not clear whether this proposal could also cover personal data. In any case, on several occasions throughout the draft Communication, it is mentioned or implied that the GDPR takes precedence over any new rules that would impact the protection of personal data.
  • A data producer’s right to use and licence the use of data could be introduced; by “data producer”, COM understands “the owner or long-term user of the device”. This approach would “open the possibility for users to exploit their data and thereby contribute to unlocking machine-generated data”.
  • Developing further rights to data portability (building on the GDPR data portability right and on the proposed rules on contract for the supply of digital content, further rights to portability of non-personal data could be introduced). The initiatives for data portability would be accompanied by sector specific experiments on standards (which would involve a multi-stakeholder collaboration including standard setters, industry, the technical community, and public authorities).

Rethinking liability rules for the IoT and AI era

Even though Artificial Intelligence is not mentioned as such in the draft Communication, it is clear that the scenario of algorithms making decisions is also envisaged by the announced objective to reform product liability rules, alongside IoT. As the draft Communication recalls, currently, the Products Liability Directive establishes the principle of strict liability, i.e. liability without fault: where a defective product causes damage to a consumer, the manufacturers may be liable even without negligence or fault on their part. The current rules are only addressed to the producer, always require a defect and that the causality between the defect and the damage has to be proven.

The Commission proposed two approaches, which will be subject to consultation:

  • “Risk-generating or risk-management approaches: liability would be assigned to the market players generating a major risk for others and benefitting from the relevant device, product or service or to those which are best placed to minimize or avoid the realization of the risk.”
  • Voluntary or mandatory insurance schemes: they would compensate the parties who suffered the damage; this approach would need to provide legal protection to investments made by business while reassuring victims regarding fair compensation or appropriate insurance in case of damage.”

“Connected and automated driving” – used as test case

The Commission intends to test all the proposed legal solutions, after engaging in wide consultations, in a real life scenario and proposes “connected and automated driving” as the test case.

Finally, read all of these objectives and proposals having in mind that they come from a draft document that was leaked to Euractiv. It is possible that by the time of adoption and publication of this Communication (and there is no indication as to when it will be officially published) its content will be altered.

***

Find what you’re reading useful? Please consider supporting pdpecho.

Leave a comment

Posted in Europe, News

Tagged , , , , , , , , , , , ,

CNIL just published the results of their GDPR public consultation: what’s in store for DPOs and data portability? (Part I)

Posted on November 18, 2016 | 1 comment

Gabriela Zanfir Fortuna

The French Data Protection Authority, CNIL, made public this week the report of the public consultation it held between 16 and 19 July 2016 among professionals about the General Data Protection Regulation (GDPR). The public consultation gathered 540 replies from 225 contributors.

The main issues the CNIL focused on in the consultation were four:

  • the data protection officer;
  • the right to data portability;
  • the data protection impact assessments;
  • the certification mechanism.

These are also the four themes in the action plan of the Article 29 Working Party for 2016.

This post (Part I) will summarise the results and action plan for the first two themes, while the last two will be dealt with in a second post (Part II). [Disclaimer: all quotations are translated from French].

1) On the data protection officer

According to Article 37 GDPR, both the controller and the processor must designate a data protection officer where the processing is carried out by a public authority (1)(a), where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (1)(b) and where their core activities consist of processing sensitive data on a large scale (1)(c).

The report reveals that there are many more questions than answers or opinions about how Article 37 should be applied in practice. In fact, most of the contributions are questions from the contributors (see pages 2 to 4). They raise interesting points, such as:

  • What is considered to be a conflict of interest – who will not be able to be appointed?
  • Should the DPO be appointed before May 2018 (when GDPR becomes applicable)?
  • Will the CNIL validate the mandatory or the optional designation of a DPO?
  • Which will exactly be the role of the DPO in the initiative for and in the drafting of the data protection impact assessments?
  • Which are the internal consequences if the recommendations of the DPO are not respected?
  • Is it possible that the DPO becomes liable under Criminal law for how he/she monitors compliance with the GDPR?
  • Should the DPO be in charge of keeping the register of processing operations and Should the register be communicated to the public?
  • Should only the contact details of the DPO be published, or also his/her identity?
  • Must the obligations in the GDPR be applied also for the appointment of the DPO that is made voluntarily (outside the three scenarios in Article37(1))?
  • Can a DPO be, in fact, a team? Can a DPO be a legal person?
  • Are there any special conditions with regard to the DPO for small and medium enterprises?

The CNIL underlines that for this topic an important contribution was brought by large professional associations during discussions, in addition to the large number of replies received online.

In fact, according to the report, the CNIL acknowledges “the big expectations of professional associations  and federations to receive clarifications with regard to the function of the DPO, as they want to prepare as soon as possible and in a sustainable way for the new obligations” (p. 5).

As for future steps, the CNIL recalls that the Article 29 Working Party will publish Guidelines to help controllers in a practical manner, according to the 2016 action plan. (There’s not much left of 2016, so hopefully we’ll see the Guidelines soon!). The CNIL announces they will also launch some national communication campaigns and they will intensify the training sessions and workshops with the current CILs (Correspondants Informatique et Libertés – a role similar to that of a DPO).

2) On the right to data portability

new-note-2

Article 20 GDPR provides that the data subject has the right to receive a copy of their data in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller only if the processing is based on consent or on a contract.

First, the CNIL notes that there was “a very strong participation of the private sector submitting opinions or queries regarding the right to data portability, being interesting especially about the field of application of the new right, the expenses its application will require and about its consequences on competition” (p. 6).

According to the report, the right to data portability it’s perceived as an instrument that allows regaining the trust of persons about processing of their personal data, bringing more transparency and more control over the processing operation (p. 6).

On another hand, the organisations that replied to the public consultation are concerned about the additional investments they will need to make to implement this right. They are also concerned about (p. 6):

  • “the risk of creating an imbalance in competition between European and American companies, as European companies are directly under the obligation to comply with this right, whereas American companies may try to circumvent the rules”. My comment here would be that they should not be concerned about that, because if they target the same European public to offer services, American companies will also be under a direct obligation to comply with this right.
  • “the immediate cost of implementing this right (for instance, the development of automatic means to extract data from databases), which cannot be charged to the individuals, but which will be a part of the management costs and will increase the costs for the services”.
  • “the level of responsibility if the data are mishandled or if the data handed over to the person are not up to date”.

The respondents to the public consultation seem to be a good resource for technical options to use in terms of the format needed to transfer data. Respondents argued in favor of open source formats, which will make reusing the data easier and which will be cheaper compared to proprietary solutions. Another suggested solution is the development of Application Program Interfaces (APIs) based on open standards, without a specific licence key. This way the persons will be able to use the tools of their choice.

One of the needs that emerged from the consultation was to clarify whether the data that are subject to the right to portability must be raw data, or whether transferring a “summary” of the data would suffice. Another question was whether the data could be asked for by a competing company, with a mandate from the data subject. There were also questions regarding the interplay of the right to data portability and the right of access, or asking how could data security be ensured for the transfer of the “ported” data.

In the concluding part, the CNIL acknowledges that two trends could already be seen within the replies: on the one hand, companies tend to want to limit as much as possible the applicability of the right to data portability, while on the other hand, the representatives of the civil society are looking to encourage persons to take their data in their own hands and to reinvent their use (p. 10).

According to the report, the Technology Subgroup of the Article 29 Working Party is currently drafting guidelines with regard to the right to data portability. “They will clarify the field of application of this right, taking into account all the questions raised by the participants to the consultation, and they will also details ways to reply to portability requests”, according to the report (p. 10).

***

Find what you’re reading useful? Consider supporting pdpecho.

Click HERE for Part II of this post.

1 Comment

Posted in Europe, GDPR, News

Tagged , , , , , , , , , ,

Here’s how Internet’s inventor wants to reinvent it and why this is great news for privacy

Posted on August 23, 2016 | Leave a comment

Last May I had the chance to meet Prof. Tim Berners-Lee and one of the lead researchers in his team at MIT, Andrei Sambra, when I accompanied Giovanni Buttarelli, the European Data Protection Supervisor, in his visit at MIT.

Andrei presented then the SOLID project, and we had the opportunity to discuss about it with Prof. Berners-Lee, who leads the work for SOLID. The project “aims to radically change the way Web applications work today, resulting in true data ownership as well as improved privacy.” In other words, the researchers want to de-centralise the Internet.

“Solid (derived from “social linked data”) is a proposed set of conventions and tools for building decentralized social applications based on Linked Data principles. Solid is modular and extensible and it relies as much as possible on existing W3C standards and protocols”, as explained on the project’s website.

Andrei explains in a blog post that, in a first step, the project finds solutions “to decouple the applications from the data they produce, and then to decouple the data from the actual storage server.”

“This means that applications and servers are interchangeable, and they can be swapped without impacting the most important part – your data. It’s all about freedom of choice.” (Read the entire explanation in this blog post)

I was so excited to find out about the efforts conducted by Prof. Berners-Lee and his team. At the end of the presentation and the discussion, I asked, just to make sure I understood it correctly: “Are you trying to reinvent the Internet?”. And Prof. Berners-Lee replied, simply: “Yes”. A couple of weeks later I saw this article in the New York Times: “The Web’s creator looks to reinvent it” So I did understand correctly 🙂

But why was I so excited? Because I saw first hand that some of the greatest minds in the world are working to bring back control to the individual on the Internet. Some of the greatest minds in the world are not giving up on privacy, irrespective of how many “Privacy is dead” books and articles are published, irrespective of how public and private policymakers, lobbyists and Courts understand at this moment in history the value of privacy and of what Andrei called “freedom of choice” in the digital world.

I was excited because I found out about a common goal us, the legal privacy bookworms/occasional policymakers, and the IT masterminds have: empower the ‘data subject’, the ‘user’, well, the human being, in the new Digital Age, put them back in control and curtail unnecessary invasions of privacy for all kind of purposes (profit making to security).

In fact, my entire PhD thesis was built on the assumption that the rights of the data subject, as they are provided in EU law (rights to access, to erase, to object, to be informed, to oppose automated decision making) are all prerogatives of the individual that aim to give control to the individual over his or her data. So if technical solutions are developed for this kind of control to be practical and effective, I am indeed excited about it!

I also realised that some of the provisions that survived incredible, multifaceted opposition to make it to the new General Data Protection Regulation are in fact tenable, like the right to data portability (check out Article 20 of the GDPR, here).

This is why, when I saw that today the world celebrates 25 years since the Internet went public, I remembered this moment in May and I wanted to share it with you. Here’s to a decentralised Internet!

Later Edit: The man itself says August 23 is not exactly accurate. Nor 25 years! In any case, it was still a good day for me to think about all of the above and share it with you 🙂

IMG_7391

Leave a comment

Posted in Comments, DP Fundamentals

Tagged , , , , , , , , , , , ,

GigaOm: Fear of lock-in dampens cloud adoption

Posted on February 26, 2013 | Leave a comment

Data portability — the ability to move your information between clouds (or in and out of clouds) with relative ease — is a key concern of companies considering a cloud move.

It’s become a truism to say that data is the new gold –but that doesn’t mean there are easy answers about where to store this gold. For now, many corporate customers will hold back on full cloud computing adoption until they’re convinced that they can move their data off a given cloud as easily as they put it there in the first place. Face it: fear of vendor lock-in is not limited to the on-premises IT world and it’s time enlightened vendors get this problem in hand.

The advent of cloud computing should make it easy to mix and match services from multiple vendors within a cloud and to let data flow in and out of parts of the clouds as needed. But that’s not necessarily the reality now.

“When you move to cloud, you should be increasing your choices, not decreasing them. You don’t buy three on-premises apps but you can use three services from three vendors in the cloud,” said Robert Jenkins, co-founder and CTO of Cloud Sigma, the Zurich-based cloud provider.

Bill Gerhardt, director of Cisco Systems’ internet solutions group’s service provider practice, agreed. “We need to sort out data portability. Customers ask: ‘If I give you all this data, how do I retrieve that data if I want to go somewhere else? Many cloud companies don’t have a clear exit route.”

Read the whole story HERE.

For the opinion that the right to data portability, in reality, hampers competition, see Peter P. Swire and Yanni Lagos, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, available HERE.

For the opinion that the right to data portability adds value both to privacy and competition, see G. Zanfir, The right to data portability in the context of the EU data protection reform, abstract available HERE, full text upon access, HERE.

Leave a comment

Posted in News

Tagged , , , , , , ,

Experts say the right to data portability is more competition-concerned than privacy-concerned. I disagree

Posted on March 12, 2012 | Leave a comment

Hogan Lovells recently submitted comments on the proposed EU Data protection regulation to the UK Ministry of Justice.

Among their conclusions there are some regarding the right to be forgotten and the right to data portability:

The right to data portability seems to be focused on a competition law objective, reducing switching costs between service providers, rather than a data protection objective.  It therefore exceeds the scope of Article 16 TFEU on which the proposed Regulation is based.

The Commission’s proposal no doubt has social media in mind.  But data portability would apply to all sectors of industry: banking, insurance, healthcare, telecommunications, etc.  The Community legislature has in the past introduced number portability for telecommunications operators, and some Member States have enacted specific provisions imposing portability in other industries (eg. the UK for the banking industry).

The Commission proposes an across-the-board portability obligation, but has not analysed the impact of that proposal, nor whether there are specific market failures warranting such an intrusive economic regulation.  If the Commission had done a market analysis, it would have found that even in the field of social networking, the market is evolving quickly and that regulation is no doubt premature.  Google + makes data portability a commercial argument to attract customers away from Facebook.  In other industries (eg. banking in certain Member States), data portability may be a good idea to increase competition, but a privacy regulation is the wrong vehicle to use to address this issue.

The creation of a right to data portability also raises the complex issue of whether a data subject has a property interest in his or her personal data.  Economists are divided on this controversial issue, and the Commission’s proposal goes too far down the road of recognizing a property right in personal data, where none has heretofore been recognized.

As one can easily see, all the conclusions are based on an economic or business analysis, even though the right to data portability is introduced in data protection legislation, which envisages basically “the person”. Only the natural person, to be more specific, and it does so taking into account two fundamental rights in the EU – the right to privacy and the right to data protection.

I would say that before excluding the possibility of such a right to be a part of the actual privacy and data protection sphere, one should analyze profoundly which are the implications of providing a person the right to move his or her collection of data from a service provider to another.

I am definitely not the first one to ever talk in history about a digital persona of the human being. Often, the data collected by some service providers become an expression of ones personality – like the reputation a seller or a buyer has on ebay. Why not enjoy the same reputation while using another similar service provider? Why not protect that personal data?

Or maybe data portability is the right which will make once and for all crystal clear the difference between privacy and data protection. After all, they are two separate rights. Which means they are not interchangeable. And instruments such data portability are more justified by the data protection philosophy than by the privacy one.

Leave a comment

Posted in Comments

Tagged , , , ,

Personal data, the new online currency?

Posted on February 17, 2012 | Leave a comment

The New York Times writes today about how could personal data become the new online currency.

The main idea is that personal data have become so valuable for marketing companies – to say the least, that its potential value is already exploited by a few start-ups. “A number of start-ups allow people to take control — and perhaps profit from — the digital trails that they leave on the Internet”, writes NYT.

I think that handled carefully, with prudence, this idea could be the new big thing in online marketing.

Also have in mind that such innovations would impact cloud computing and data portability. The EU data protection reform presupposes the existence of a right to data portability in favor of the data subject (See Article 18 of the proposed Regulation).

First of all, this would mean that a right to data portability will propagate soon in other jurisdictions. Second of all, it means that the data subject gains more control on the set of data directly connected to he or she, being able to keep all of it in one place, as long as he or she knows he or she will be able to move the set of data whenever he or she finds a better service provider, or a better suited one for his or her needs. All of these indicates that value could be added to the set of one’s available personal data. So this is a trend to be observed in the future.

Note: Photo source – http://www.moneymakingsuccesssite.com

 

 

 

Leave a comment

Posted in Comments, News

Tagged , , , , , , , , , , , ,