Platform services and data protection 18/11/2015, Osnabrueck Wojciech Wiewiórowski Platform Services in the Digital Single Market
© M. Narojek for GIODO 2011
EDPS The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. A number of specific duties of the EDPS are laid down in Regulation 45/2001. The three main fields of work are • Supervisory tasks • Consultative tasks: to advise EU legislator on proposals for new legislation as well as on implementing measures. Technical advances, notably in the IT sector, with an impact on data protection are monitored. • Cooperative tasks: involving work in close collaboration with national data protection authorities (Article 29 Working Party) 3 3
The role of European Data Protection Supervisor • • 4 The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the processing of personal data by the EU administration; Privacy and data protection are fundamental rights – see Articles 7 and 8 of the Charter of Fundamental Rights; Independent supervision is an integral part of the right to data protection – see Article 16(2) TFEU and 8(3) Charter; What we do: – monitoring and verifying compliance with Regulation (EC) 45/2001, – giving advice to controllers, – advising the co-legislators on new legislation, – cooperating with Member States’ DPAs, – handling complaints, conducting inspections – Monitoring technological developments – Promoting data protection aware design and development
Our objectives I. Data protection goes digital II. Forging global partnerships III. Opening a new chapter for EU data protection 5
Big Data = Big Responsibility 6
Reform of Data Protection Law in the European Union • Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), OJ 1995 L 281 7
Reform of Data Protection Law in the European Union Communication from the Commission to the European Parliament and the Council ”A comprehensive approach on personal data protection in the European Union” 8
Reform of Data Protection Law in the European Union 9
Reform of Data Protection Law in the European Union COM(2012) 11/4 draft Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) 10
Reform of Data Protection Law in the European Union COM(2012) 10 final 2012/0010 (COD) Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data 11
Reform of Data Protection Law in the European Union Council DAPIX Group - Working Party on Information Exchange and Data Protection Member States represented by governments: Minister (usually Justice or Interior, but in PL – Digitisation) Experts: Some governments invite Data Protection Authority Instruction: Council of Ministers • 12
Reform of Data Protection Law in the European Union European Parliament The European Parliament voted the draft in plenary with 621 votes in favour, 10 against and 22 abstentions for the Regulation and 371 votes in favour, 276 against and 30 abstentions for the Directive). "The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible. Europe's directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens, " said Vice-President Viviane Reding, the EU's Justice Commissioner. "Data Protection is made in Europe. Strong data protection rules must be Europe's trade mark. Following the U. S. data spying scandals, data protection is more than ever a competitive advantage. I want to thank Mr Albrecht and Mr Droutsas for their committed and tireless work on the data protection reform. Today's vote is the strongest signal that it is time to deliver this reform for our citizens and our businesses. ” 13
Reform of Data Protection Law in the European Union Trilogue Discussion on final text by Council, Parliament and Commission 14
Reform of Data Protection Law in the European Union Norms derived from European law can be: - directly binding - directly applicable - directly effective vertically and/or horizontally 16
Online platforms as data controllers Online platforms (e. g. search engines, social media, ecommerce platforms, app stores, price comparison websites) are playing an ever more central role in social and economic life: they enable consumers to find online information and businesses to exploit the advantages of ecommerce. Europe has a strong potential in this area but is held back by fragmented markets which make it hard for businesses to scale-up. [A Digital Single Market Strategy for Europe COM(2015) 192 final] 17
Online platforms as data controllers • • 18 DG CONNECT, in its consultation on online platforms, stated that an online platform is "an undertaking operating in two (or multi)-sided markets, which uses the Internet to enable interactions between two or more distinct but interdependent groups of users so as to generate value for at least one of the groups. Certain platforms also qualify as Intermediary service providers. Typical examples include general internet search engines (e. g. Google, Bing), specialised search tools (e. g. Google Shopping, Kelkoo, Twenga, Google Local, Trip. Advisor, Yelp, ), location-based business directories or some maps (e. g. Google or Bing Maps), news aggregators (e. g. Google News), online market places (e. g. Amazon, e. Bay, Allegro, Booking. com), audio-visual and music platforms (e. g. Deezer, Spotify, Netflix, Canal play, Apple TV), video sharing platforms (e. g. You. Tube, Dailymotion), payment systems (e. g. Pay. Pal, Apple Pay), social networks (e. g. Facebook, Linkedin, Twitter, Tuenti), app stores (e. g. Apple App Store, Google Play) or collaborative economy platforms (e. g. Air. Bn. B, Uber, Taskrabbit, Bla-bla car). Internet access providers fall outside the scope of this definition".
Online platforms as data controllers Platforms generate, accumulate and control an enormous amount of data about their customers and use algorithms to turn this into usable information. The growth of such data is exponential – 90% of all data circulating on the Internet were created less than 2 years ago. Moreover, platforms have proven to be innovators in the digital economy, helping smaller businesses to move online and reach new markets. New platforms in mobility services, tourism, music, audiovisual, education, finance, accommodation and recruitment have rapidly and profoundly challenged traditional business models and have grown exponentially. The rise of the sharing economy also offers opportunities for increased efficiency, growth and jobs, through improved consumer choice, but also potentially raises new regulatory questions. [A Digital Single Market Strategy for Europe COM(2015) 192 final] 19
Online platforms as data controllers “Controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; 20
Online platforms as data controllers Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d). [Google Spain Judgement C‑ 131/12] 21
Online platforms as data brokers • One of the main functions for data brokers is to create customised profiles for marketing purposes and sell them to business willing to target their advertisements. • Platforms may act as data brokers. Facebook surely is: it has introduced a platform named Atlas, which allows marketers to track the effectiveness of their ads around the web, and place ads on non-Facebook websites on the basis of Facebook targeting data. 22
Online platforms as data brokers • • 23 Examples of data brokers include: Corelogic (for financial data), Datalogix (also dealing with automotive industry), towerd@ta (offering a massive intrusion on US email accounts and collection of data from electronic mails), Intelius (providing access to billions of US records, also criminal ones and bankruptcy records, very cheap to get a report on a specific person only by typing his/her name! Disclosure on the relations among people also), Peek you (based on the same logic), ID analytics (for credit and fraud risk solutions, ID network is the technology used, able to reveal anomalous and potentially fraudulent activity, quite predictive in identifying creditworthy consumers and those who are at risk), e. Bureau (where big data and predictive analytics are used to provide both B 2 C and B 2 B solutions in credit, fraud and insurance).
Online platforms as data brokers • • 24 Google and vertical integration. How does it affect the market? Vertical integration (i. e. the presence in various stages of the product chain, such as platform operation, advertisement, product sale, delivery, etc. ) will, in the first place, generate economic efficiencies (e. g. economies of scale) for the vertically integrated business. Such business will then be able to compete more effectively against other businesses (vertically integrated or not). A vertical integrated business, will be able to transfer financial resources or savings from a division to the other of its business operations (crosssubsidization), which normally is not illegal, but a sign of efficiency. In certain cases, when the business has a dominant position and crosssubsidization leads to predatory prices, competition rules may apply and lead to sanctions. In any event, the fact that a business makes savings or enhances its efficiency thanks to vertical integration does NOT guarantee that such efficiencies are passed on to consumers.
Online platforms as data brokers • What are the effects of algorithms in perpetuating biases (status quo, myopia, cultural biases)? • Algorithms are formulas that summarise economic models. These models are used by technology to "understand" reality and human behaviour. In order to function, algorithms need to be set up with basic assumptions. It is possible that such assumptions are biased (e. g. poor people are bad credit payers). When this happens, the effect of the algorithm is to perpetuate the bias every time it operates (e. g. every time a poor person applies for credit he is denied). This happens because reality is complex and commercial businesses need to simplify the environment they operate in. • Algorithms, of course, have also benefits for end consumers. One is to get more personalized and accurate returns on searches and advertisements (either integrated into third party website or received by e mail). However, there is still little consumer control on what information is manipulated for corporate gains. 25
Reform of Data Protection Law in the European Union 1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorised reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. 26
EDPS on Reform of Data Protection Law in the European Union • • • The reformed framework needs to maintain and, where possible, raise standards for the individual. The data protection reform package was proposed firstly as a vehicle for ‘strengthening online privacy rights’ by ensuring people were ‘better informed about their rights and in more control of their information. ’ Existing principles set down in the Charter, primary law of the EU, should be applied consistently, dynamically and innovatively so that they are effective for the citizen in practice. For the EDPS, the starting point is the dignity of the individual which transcends questions of mere legal compliance. Our recommendations are based on an assessment of each article of the GDPR, individually and cumulatively, according to whether it will strengthen the position of the individual compared to the current framework. The point of reference is the principles at the core of data protection, that is, Article 8 of the Charter of Fundamental Rights. 27
EDPS on Reform of Data Protection Law in the European Union • 1. Definitions: let’s be clear on what personal information is • Individuals should be able to exercise more effectively their rights with regard to any information which is able to identify or single them out, even if the information is considered ‘pseudonymised’. • Article 10. Unless and until there exists a clear and legallybinding definition for ‘pseudonymised data’ as distinct from ‘personal data’, this type of data must remain within the scope of data protection rules. 28
Anonymous data Pseudonymous data Personal data Anonymisation ? ? ? 29
Pseudonymous data 097203316017 71061302790 710613027|9|0 71|06|13|027|9|0 30
Big Data = Big Responsibility 31
![EDPS opinion on Big Data Opinion [6]/2015 Meeting the challenges of big data A](https://present5.com/presentation/3ba8a5f0087a6143b04915560a285094/image-32.jpg "EDPS opinion on Big Data Opinion [6]/2015 Meeting the challenges of big data A")
EDPS opinion on Big Data Opinion [6]/2015 Meeting the challenges of big data A call for transparency, user control, data protection by design and accountability 32
EDPS on Reform of Data Protection Law in the European Union • • • 2. All data processing must be both lawful and justified The requirements for all data processing to be limited to specific purposes and on a legal basis are cumulative, not alternatives. We recommend avoiding any conflation and thereby weakening of these principles. Instead, the EU should preserve, simplify and operationalise the established notion that personal data should only be used in ways compatible with the original purposes for collection. Consent is one possible legal basis for processing, but we need to prevent coercive tick boxes where there is no meaningful choice for the individual and where there is no need for data to be processed at all. We recommend enabling people to give broad or narrow consent, to clinical research for example, which is respected and which can be withdrawn. 33
EDPS on Reform of Data Protection Law in the European Union • • The EDPS supports sound, innovative solutions for international transfers of personal information which facilitate data exchanges and respect data protection and supervision principles. We strongly advise against permitting transfers on the basis of legitimate interests of the controller because of the insufficient protection for individual, nor should the EU open the door for direct access by third country authorities to data located in the EU. Any request for transfer issued by authorities in a third country should only be recognised where it respects the norms established in Mutual Legal Assistance Treaties, international agreements or other legal channels for international cooperation. Articles 6. 2 and 6. 4. Given that there has been some uncertainty as to the meaning of ‘compatibility’ we recommend, following the WP 29 Opinion on Purpose Limitation, general criteria for assessing whether processing is compatible (see Article 5. 2). 34
EDPS on Reform of Data Protection Law in the European Union • Effective functional separation is one means of ensuring lawful processing in the absence of consent, but legitimate interest should be not be interpreted excessively. An unconditional right to opt out may also be an appropriate alternative in some situations. Assessing whether consent is freely given depends in part on (a) whethere is a significant imbalance between the data subject and the controller and (b) in cases of processing under Article 6. 1(b), whether the execution of a contract or the provision of a service is made conditional on the consent to the processing of data that is not necessary for these purposes. • Such rules include adequacy decisions for specified sectors and territories, periodic reviews of adequacy decisions and Binding Corporate Rules. See Articles 40 -45. 35
EDPS on Reform of Data Protection Law in the European Union More independent, more authoritative supervision • The EU’s data protection authorities should be ready to exercise their roles the moment the GDPR enters into force, with the European Data Protection Board fully operational as soon as the Regulation becomes applicable. • Authorities should be able to hear and to investigated complaints and claims brought by data subjects or bodies, organisations and associations. • Individual rights enforcement requires an effective system of liability and compensation for damage caused by the unlawful data processing. Given the clear obstacles to obtaining redress in practice, individuals should be able to be represented by bodies, organisations and associations in legal proceedings. 36
EDPS on Reform of Data Protection Law in the European Union Effective safeguards, not procedures • Documentation should be a means not an end to compliance; the reform must focus on results. We recommend a scalable approach which reduces documentation obligations on controllers into single policy on how it will comply with the regulation taking into account the risks, with compliance demonstrated transparently, whether for transfers, contracts with processors or breach notifications. • On the basis of explicit risk assessment criteria, and following our experience of supervising the EU institutions, we recommend requiring notification of data breaches to the supervisory authority and data protection impact assessments only where the rights and freedoms of data subjects are at risk. • Industry initiatives, whether through Binding Corporate Rules or privacy seals, should be actively encouraged. 37
EDPS on Reform of Data Protection Law in the European Union A better equilibrium between public interest and personal data protection • Data protection rules should not hamper historical, statistical and scientific research which is genuinely in the public interest. Those responsible must make the necessary arrangements to prevent personal information being used against the interest of the individual, paying particular attention to the rules governing sensitive information concerning health, for example. • Researchers and archivists should be able to store data for as long as needed subject to these safeguards. Article 83. Research and archiving in themselves do not constitute a legal basis for processing, which is why we recommending deleting Article 6. 2. 38
EDPS on Reform of Data Protection Law in the European Union Trusting and empowering supervisory authorities • We recommend allowing supervisory authorities to issue guidance to data controllers and to develop their own internal rules of procedure in the spirit of a simplified, easier application of the GDPR by one single supervisory authority (the ‘One Stop Shop’) close to the citizen ('proximity'). • Authorities should be able to determine effective, proportionate and dissuasive remedial and administrative sanctions on the basis of all relevant circumstances. The WP 29 has outlined a vision for governance, the consistency mechanism and the one-stop-shop based on trust in independent DPAs and formulated in three layers: – the individual DPA which is strong and fully resourced for dealing with cases within their sphere of competence; – effective cooperation between DPA with a clear lead in cross border cases; – the EDPB which must be autonomous, with its own legal personality, provided with sufficient means, consisting of equal DPAs working in a spirit of solidarity, with the power to make binding decisions and supported by a secretariat which serves the board through the chair. 39
EDPS on Reform of Data Protection Law in the European Union Rules which will last a generation • Accountable business practices and innovative engineering • reverse the recent trend towards secret tracking and decision making on the basis of profiles hidden from the individual. • support to the introduction of the principles of data protection by design and by default as a means of kickstarting market-driven solutions in the digital economy. • Empowered individuals • Data portability is the gateway in the digital environment to the user control which individuals are now realising they lack. We recommend allowing a direct transfer of data from one controller to another on the data subject’s request and entitling data subjects to receive a copy of the data which they themselves can transfer to another controller. • Future-proofed rules 40
Reform of Data Protection Law in the European Union 41
Thank you for your attention! www. edps. europa. eu edps@edps. europa. eu @EU_EDPS
International co-operation of data protection authorities (DPAs) The IPEN initiative was founded in 2014. It supports the creation of engineer groups working on (re)-usable building blocks, design patterns and other tools for selected Internet use cases where privacy is at stake. IPEN invites participants from different areas such as data protection authorities, academia, open source and business development, and other individuals who are committed to the finding engineering solutions to privacy challenges. The objective of the work should be to integrate data protection and privacy into all phases of the development process, from the requirements phase to production, as it is most appropriate for the development model and the application environment. It supports networking between engineer groups and existing initiatives for engineering privacy into the Internet. This network facilitates exchange in order to coordinate work and avoid duplication, in addition to discussing which privacy oriented use cases should be addressed with priority. IPEN is building a repository of relevant resources, making its findings and knowledge base accessible to all participants, developers and privacy experts. A core group takes care of collection and distribution of information, liaises with other relevant initiatives, facilitates the dialogue on engineering solutions, and organises online and offline events. 43
Скачать презентацию Platform services and data protection 18 11 2015 Osnabrueck Wojciech
3ba8a5f0087a6143b04915560a285094.ppt