UNIVERSITE DE FRIBOURG INFORMATICS COLLOQUIUM 31 January 2017 - PowerPoint PPT Presentation



SLIDE 1

DATA PROTECTION & PRIVACY
The Upcoming Framework Governing the Protection of Personal Data (GDPR)
Challenges and how to strike the right balance

UNIVERSITE DE FRIBOURG INFORMATICS COLLOQUIUM 31 January 2017

SLIDE 2

Overview

  • 1. Introduction
  • 2. GDPR and impact for Tech ventures in CH
  • 3. Specificities for Research Projects
  • 4. Consent & Contract
  • 5. Q&A and Conclusion
SLIDE 3

Introduction

SLIDE 4

“Watching the legal system deal with the internet is like watching somebody trying to drive a car by looking only in the rear-view mirror” The Guardian – Oct. 6, 2013

SLIDE 5

1. Introduction: Context

2018

The year the EU GDPR takes effect: this will be the first significant update of data protection laws in Europe for more than 23 years (i.e. from before the internet, mobile phones, clouds, big data, AI, etc.).
SLIDE 6

1. Introduction: Context

20-year-old data protection regulation in the EU and in Switzerland.
GDPR = EU Regulation 2016/679 (entry into force on May 25, 2018).
P-DPA = Draft Data Protection Act of Sept. 15, 2017.
Driven by the need to adapt to the technological evolution.

TECH EVOLUTION, BUT KEEP IN MIND…

Other regulations in the EU and Switzerland (e.g. Swiss Human Research Act of Sept. 30, 2011).
Many developments in EU Member States/Courts potentially influencing EU and Swiss law (e.g. Germany).
Privacy Shield.
California law (a dozen new laws every year to address various challenges, including the data security breach notification law in 2002, the requirement to publish website privacy policies in 2004 and rules for automated license plate scanning in 2016).

SLIDE 7

1. Introduction: Context

GDPR applies practically worldwide (e.g. to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects)… to every entity processing data (collection, recording, structuring, storage, adaptation, consultation, use, disclosure, making available, etc.), wholly or partly, by automated or non-automated processing, directly or for others.
Almost everything is personal data (names, localization, online ID, cultural profiles, IP address, dynamic IP addresses, etc.).
Empowerment of data protection authorities.

NO WAY TO ESCAPE: BEST PRACTICE WORLDWIDE

GDPR as the regulatory reference. Complying with GDPR as best practice. No excuses for penalties: there was a 2-year advance warning!
SLIDE 8

GDPR and impact for Tech Ventures in Switzerland

SLIDE 9

2. GDPR and impact for Tech Ventures in Switzerland

SLIDE 10

2. GDPR and impact for Tech Ventures in Switzerland

Examples of Rights of Data Subjects

  • Erasure. Request for the deletion of personal data (+ Right to be forgotten).
  • Portability. Request for a copy of the personal data, free of charge, in an electronic format.
  • Right to Access. Request for confirmation as to whether or not personal data concerning him or her is being processed, where and for what purpose.
  • Information. Right to know how your data is used (for what purposes, how long, if shared, if transferred outside the EU, etc.).
  • Right to object. Possibility to object at any time to processing of personal data.
  • Consent. Obligation to get clear consent to process data.

Corresponding Obligations for Controllers

  • Communication and Notification:
    • Notification to the data subject when personal data is obtained indirectly, i.e. other than directly from the data subject.
    • Notification to the data subject of his or her right to object to profiling and to processing for direct marketing purposes or automated decisions.
    • Notification to authorities (and in case of high risk also the data subjects) in case of data breach.
  • Obligation to provide data to a Data Subject, or to a new supplier chosen by the Data Subject, in a commonly used and machine-readable format.
  • Delete information (from all servers, backups, etc.) and provide confirmation of deletion.

SLIDE 11

2. Do I need a DPO?

Decision tree: answer each question in turn. If all answers are NO, no DPO is needed; a YES to any of them means a DPO is needed.

  • 1. I am a Public Authority or Body (Art. 37 (1) (a) GDPR)
  • 2. My core activities consist of processing on a large scale data pursuant to Art. 9 (sensitive data)
  • 3. My core activities consist of processing on a large scale data relating to criminal convictions and offences (Art. 10 GDPR)
  • 4. My core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale

All NO: NO DPO Needed.

SLIDE 12

2. GDPR and impact for Tech Ventures in Switzerland - Examples

Example of Right to Access: You bought a fitness tracker and subscribed to a health app that monitors your activity. You can ask the app operator for all the information processed on you. This includes all subscription data (such as your name and contact details where relevant) and all information collected about you through the tracker (such as heart rate, performance, etc.).
Source: https://www.edoeb.admin.ch/edoeb/fr/home/documentation/bases-legales/Datenschutz%20-%20International/DSGVO.html

Example of compliance for a Data Controller: Thomson Reuters World-Check
https://risk.thomsonreuters.com/en/products/world-check-know-your-customer/am-i-on-world-check.html

SLIDE 13

2. GDPR and impact for Tech Ventures in Switzerland - Examples

SLIDE 14

2. GDPR and impact for Tech Ventures in Switzerland - Examples

SLIDE 15

Specificities for Research Projects

SLIDE 16

3. Data Protection and Research Projects
SLIDE 17

3.1 Right to Collect and Use for Research Purposes

Right based on…

  • Consent
    • Ordinary: GDPR 4(11): statement or clear affirmative action (not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
    • Qualified: GDPR (interpretation): explicit consent for sensitive data.
  • Other lawful bases, including…
    • Public interest: interpretation of GDPR (in particular Recital 157): research purpose as public interest. If carried out by a private organization or for commercial purposes: balancing test?
    • Legitimate interest of controller (except if overridden by the interest of the data subject).

GDPR 89: safeguards to be put in place. GDPR 40: codes of conduct.

Specific assessment in each case.

SLIDE 18

3.2 Right to Reuse for Research Purposes

Right based on…

  • Consent
    • Ordinary: GDPR 4(11): statement or clear affirmative action (not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
    • Qualified: GDPR (interpretation): explicit consent for sensitive data.
  • Other lawful bases, including…
    • Public interest
    • Legitimate interest of controller

  • GDPR 6(4): processing operations for another purpose compatible with the initial purpose (compatibility test).
  • GDPR 5(1)(b): further processing for research purposes shall not be considered to be incompatible with the initial purposes (purpose limitation).
  • GDPR 89: safeguards to be put in place.

Specific assessment in each case.

SLIDE 19

3.3 Processing for Research Purposes: Safeguards

Safeguards

Principles, incl.:
  • Data integrity and confidentiality
  • Accountability (records of processing)
  • Protection by design (anonymisation, pseudonymisation, minimisation)
  • Protection by default (initial set-up)
  • Obligation to inform data subjects / Transparency
    • Privacy policy
    • Exemption in case of disproportionate efforts relating to a research project

Processes, incl.:
  • DPO
  • Data Protection Impact Assessment
  • Notification in case of breach

Specific assessment in each case.

SLIDE 20

3.3 Processing for Research Purposes: Safeguards

Principles, incl.:
  • Data integrity and confidentiality
  • Accountability (records of processing)
  • Protection by design (anonymisation, pseudonymisation, minimisation)
  • Protection by default (initial set-up)

Specific assessment in each case.

SLIDE 21

3.3 Processing for Research Purposes: Safeguards

Obligation to inform data subjects / Transparency
  • Privacy policy
  • Exemption in case of disproportionate efforts relating to a research project

Specific assessment in each case.

SLIDE 22

3. Specificities for Research Projects

Right to Collect and Use

SLIDE 23

Contracts and Policies

SLIDE 24

4. Consent & Contracts

Possible contractual relationships to consider

Tech venture, in relation with:
  • Customers
  • Employees
  • Board members
  • Public Institutions
  • Other Providers (Lawyers, accountants, consultants)
  • Partners
  • Joint Ventures
  • Investors
  • Sister, mother and daughter entities (branches, subsidiaries)
  • Tech Service Provider (Swisscom, Cloud Service, XaaS)

SLIDE 25

4. Consent & Contracts

Right based on…

  • Consent
    • Ordinary: GDPR 4(11): statement or clear affirmative action (not enough: silence, pre-ticked boxes, inactivity, failure to opt out).
    • Qualified: GDPR (interpretation): explicit consent for sensitive data.
  • Other lawful bases, including…
    • Public interest: interpretation of GDPR (in particular Recital 157): research purpose as public interest. If carried out by a private organization or for commercial purposes: balancing test?
    • Legitimate interest of controller (except if overridden by the interest of the data subject).

GDPR 89: safeguards to be put in place. GDPR 40: codes of conduct.

Specific assessment in each case.
SLIDE 26

Consent forms: example

(Diagram: Users and Advertisers)

SLIDE 27

http://www.dw.com/en/facebook-faces-german-cartel-office-probe-on-exploiting-user-data/a-42001928

SLIDE 28

SLIDE 29

5. Conclusion: Right Balance and Guidance?

GDPR
SPECIFICITIES FOR RESEARCH
CONSENT & CONTRACT

SLIDE 30

SLIDE 31

Adrien Alberini
Partner ⋮ Attorney at law (Geneva Bar) ⋮ Ph.D. ⋮ LL.M. (Stanford)
adrien.alberini@sigmalegal.ch

Vincent Pfammatter
Partner ⋮ Attorney at law (Geneva Bar) ⋮ LL.M. (Berkeley)
vincent.pfammatter@sigmalegal.ch

Joëlle Becker
Partner ⋮ Attorney at law (Geneva Bar) ⋮ Ph.D.
joelle.becker@sigmalegal.ch

sigma legal ⋮ Rue de Berne 10 ⋮ 1201 Geneva
T + 41 22 715 00 55 ⋮ F + 41 22 715 00 50 ⋮ www.sigmalegal.ch

sigma legal is an innovative law firm, assisting companies at every step of their life. The partners of sigma legal have in common significant expertise in commercial, contractual and corporate law, as well as academic and professional experience abroad (Berkeley, Stanford, Harvard). They specialize in innovation law, from technology to arts, covering fields such as Technologies & Brands, Data Protection & Privacy, Art, Media & Entertainment, Philanthropy, Non-Profit & Organizations and Competition. sigma legal addresses your legal challenges, at all stages, by providing legal advice, assisting you in the context of negotiations, drafting your legal documents, interacting with authorities on your behalf and carrying out due diligences in its fields of expertise. sigma legal further provides dispute resolution services, in the context of domestic and international litigation and arbitration.