Tag Archives: the right to privacy

Financial Supervisory Authority issues circular for Hungarian financial institutions on the use of cloud computing technologies

Márton Domokos writes for “The Privacy Advisor” that on 18 July, the Hungarian Financial Supervisory Authority-PSZÁF (HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time in Hungary that a regulatory authority issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.

Regulatory considerations

The HFSA expressly reminds the management, IT internal audit, compliance and legal departments of financial institutions that if the company is willing to use cloud computing services, they shall pay particular attention to the following.

  • Obtaining cloud services is considered as “outsourcing” under the Hungarian sector-specific regulations which results in the application of certain additional rules; e.g., notification to the HFSA, specific data processing obligations.
  • It is important to continuously monitor the changes in the regulations of the EU affecting cloud computing services, practices and best practice recommendations.
  • It is also essential to keep an eye on the Hungarian and EU data privacy provisions and practices—in particular to practices and resolutions concerning cross-border data transfers or data transfers to third countries.
  • The relationship between the master services agreement to be concluded and the related SLAs shall be harmonised.

Data classification

According to the HFSA, it is important to classify the data processed by the financial institution before determining which data can be transferred to the cloud at all. The circular states that it is not recommended to process bank secrets, personal data or other sensitive data in the public cloud and reminds that the physical storage or place of processing of data in the public cloud in particular, e.g., outside of the European Economic Area or the Safe Harbor, substantially influences the possibility of compliance with the EU data protection regulations.

The EU right to be forgotten, already criticized by US academics. Does it really threaten freedom of speech?

Professor Jeffrey Rosen published in the Stanford Law Review some very serious criticism of the right to be forgotten, soon to be enforced in the EU, stating mainly that it is a threat to freedom of speech. You can find the article HERE.

I don’t really see how obliging a person to erase an embarrassing photo of yourself infringes that person’s right to free speech. At least, one should balance the right to dignity against freedom of speech in a particular situation and afterwards make a decision in this respect.

Then again, the European system for the protection of human rights is very elaborate and exhaustive, a particular system, with concrete mechanisms of protection and precise principles to be effectively applied (such as the balance I was talking about).

Where is the freedom of speech breached here? “Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.” This is recital 53 of the Preamble of the proposed regulation for data protection, which means Art. 17 of the regulation should be interpreted according to the principles stated in this recital.

I think the provision is very clear and when reading it I feel my privacy protected and not my freedom of speech threatened.

Goals of the EU data protection reform: stronger, more effective and more consistent protection

2012 is an important year for data protection, as the EU, the global leader in data protection policies, is going to reform the system centered around Directive 95/46. The measures are expected to be launched for debate early this year, so they could enter into force in 2014.

In a recent article published on http://www.neurope.eu, Peter Hustinx, the European Data Protection Supervisor, provides some insights about the shape of the data protection reform, such as:

  • It should be clear that this is not the time to reinvent data protection. It has been invented and is now recognised as a fundamental right in the Lisbon Treaty. Instead, much attention should be given to making data protection more effective in practice.
  • Another point in this context is the need for greater harmonisation of rules across the EU. The present diversity of national rules is not helpful for effective data protection, and even counterproductive.
  • More effective data protection also requires that data subjects should be enabled to exercise their present rights more easily and should be given a few additional rights to protect their interests where needed. An interesting example is the right to require that personal data are deleted or transferred to another provider – the “right to be forgotten” or the “right to data portability” – which might be particularly useful in the context of social networks or other online services.
  • Strengthening the rights of data subjects would also require a clarification of the situations where consent is required and the conditions that have to be met for valid consent. A lack of clarity about this often leads to a weaker position of data subjects, particularly in the online environment.
  • Data controllers are now responsible for compliance with data protection rules, but in practice this often only leads to formal arrangements and responsibility “at the end” if something goes wrong. Instead, they should be mandated to be more active and to take all those measures which are necessary to ensure that data protection rules are complied with.
  • At this stage, it is also important to clearly define the external scope of EU data protection law. The concept that EU law should not only apply when the responsible data controller is established in Europe, but also when EU consumers are “targeted” – regardless from where over the Internet – seems to attract more and more support.