The privacy regulation (Regulation (EU) 2016/679) will be soon directly applicable on the entire European territory. Companies, public administrations and private citizens are in the final rush to comply with the dispositions of the new legislation.
In order to make it easier to understand a complex and articulated text such as the GDPR, we propose hereinafter a collection of simple factsheets, structured with a Q&A formula, that starting from known privacy concepts, give a first and brief guidance to the reading of the new legislation.
What does “personal data breach” mean?
The GDPR defines personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There are many types of personal data breaches, which may include theft or accidental erasure of data from a database, as well as malware attacks which block access to IT systems or blackouts which make data temporarily unavailable.
In brief, we can say that a personal data breach is a specific type of security incident in cases when personal data are involved. While all personal data breaches are security incidents, not all security incidents can necessarily be described as data breaches.
What action must the controller take in cases of personal data breach?
Articles 33 and 34 of the GDPR regulate the procedures the controller must activate in cases of personal data breach, which are to notify the supervisory authority of the breach (in Italy the Garante per la protezione dei dati personali) and to communicate the breach to the data subject.
Both procedures aim at informing the authority or the data subject that a breach has occurred in order to allow them to take all necessary protection measures.
What action must the processor take in cases of personal data breach?
Although obligations of notification and communication must be fulfilled by the data controller, art. 33 establishes that, once aware of the breach the data processor must inform the data controller without undue delay.
After a violation has taken place and in order for any intervention to be carried out as effectively and promptly as possible, also when taking into consideration the dimension of the contexts in which the data is being processed and the number of people who may be involved, it would be useful for the data controller to arrange an incident response plan. This plan should set out the different steps and organisational procedures which need to be adopted to deal with possible violations and the structure or response team to whom the event will be referred.
When must notification to the supervisory authority be carried out?
Art. 33 of the GDPR provides that the data controller must notify a personal data breach without undue delay to the supervisory authority and where feasible within 72 hours. When notification is not made within 72 hours it must be accompanied by the reason for the delay.
It is not necessary to send notification when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Therefore, the data controller is responsible for analysing the potential risks caused to data subjects by data breaches and for assessing whether the risks are sufficiently high as to warrant triggering the obligation to notify the supervisory authority. It should be noted that the presence of a “simple” risk is enough to oblige the data controller to notify the authority.
When must communication be given to the data subject?
Art. 34 of the GDPR provides that when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay.
Differently from notification given to the supervisory authority, communication to the data subject must only be given when the breach presents “high risk”. In any case, it is the duty of the data controller to evaluate the level of risk.
The article continues by listing the following circumstances under which, despite the potential high risks, communication to the data subject is not required if: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach (e.g. encryption); (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; (c) it would involve disproportionate effort (in such a case, there shall instead be a public communication or similar measure (whereby the data subjects are informed in an equally effective manner).
In what form should the communication be made?
To comply with the obligation of communication provided for by the GDPR it is not sufficient only to inform the data subject. Essentially, the appropriateness of a communication depends not only on its contents, but also on the manner in which it is formulated. In order to fulfil their informative function, communications must be written in plain and easily understandable language. Direct communications to the data subjects are preferable (e.g. e-mail, SMS or direct messages). The information should be communicated in a clear and transparent manner, thus avoiding conveying the message in excessively general and misleading formats (such as generic updates or newsletters).
How should the assessment of the risk resulting from a data breach be carried out?
The assessment of the risks resulting from a data breach is a fundamental step because it allows the data controller not only to identify adequate measures to contain or eliminate the breach, but also to weigh up the necessity to activate the notification and communication procedures (which are triggered only above certain risk thresholds).
The assessment is similar to that which the data controller needs to carry out in relation to the Data Protection Impact Assessment, but unlike the latter it must be more personalised, with regard to the concrete circumstances of the breach.
Among the factors the data controller needs to take into consideration in his/her assessment, can be mentioned: the type of breach (confidentiality, accessibility or integrity breach?) the nature of the data involved (e.g. health data, ID documents or credit card numbers); how easy it would be to identify the data subjects (this varies according to the type of data, identification or non-identification data, and the methods used for their storage, e.g. pseudonymisation techniques or cryptography); the seriousness of the consequences on individuals (this differs depending on whether the data were mistakenly sent to a trusted party or were stolen by an unknown third party); any particular characteristics and the number of individuals involved (e.g. whether vulnerable data subjects such as children or elderly people, for example, are involved; whether it was a collective or individual breach) and the particular characteristics of the data controller (e.g. based on the activity processing environment).
The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.
Who is the Data Protection Officer?
The Data Protection Officer, more commonly known as the DPO, is appointed by the controller or processor and mainly plays a dual role: firstly, he/she is entrusted with the duty of monitoring and overseeing compliance with the GDPR within the organisation of the person who has appointed him/her; secondly, he/she acts as a point of contact between the organisation and GDPR authorities and interfaces with data subjects.
When should a DPO be appointed?
The appointment of the DPO is mandatory (Art. 37) when: a) the processing is carried out by a public authority or body (except judicial authorities); b) the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or c) the core activities of the controller or processor consist of processing on a large scale of sensitive data (e.g. data relating to health, genetic data, biometric data, data relating to criminal offences or data relating to minors). However, Union or Member state law can provide for further cases of mandatory appointment.
Apart from these cases, the appointment of a DPO is discretionary but still strongly recommended, given the importance of the role in assisting and supporting compliance with the GDPR.
What skills are required to be appointed as DPO?
The DPO must have significant specialist knowledge commensurate with the sensitivity, complexity and amount of data processed by an organisation. In particular, he/she must have full command of national and European data protection laws and practices and be thoroughly knowledgeable of the GDPR as well as of the business sector and the controller’s organisation.
Lastly, he/she must have a significant degree of familiarity with the processing operations carried out, as well as the IT systems and data security and data protection needs of the controller.
What tasks does the DPO have?
Beside the roles of internal coordination and external contact point, the DPO will take charge of the ongoing (awareness-raising and) training of the controller’s or processor’s staff in the field of data protection, monitor compliance with the GDPR and play an advisory role, giving advice upon request on data protection impact assessments (DPIAs) and monitor their performance. This task list is by no means complete and the controller or processor may decide to assign further tasks to the DPO, such as for example the task of maintaining the record of processing activities.
Can the role of DPO be allocated to an employee of the controller/processor?
The controller or processor can either decide to appoint an internal member of staff of their own organisation as DPO (a new or existing staff member) or to contract the role externally (by means of outsourcing or a service contract). In both cases, the controller or processor must ensure that the DPO is in the position to be able to perform his/her duties and tasks in an independent manner and that any such tasks and duties do not give rise to a conflict of interest. For this reason, the controller and processor must ensure that the DPO does not receive any instructions and that he/she will not be dismissed or penalised for performing his/her tasks.
Can the DPO have his/her own team?
The controller or processor must provide all resources necessary for the DPO to be able to carry out his/her tasks, such as sufficient time, adequate financial resources, infrastructure (premises, facilities, equipment) and staff. The DPO can also have his/her own team to help him/her in performing his/her tasks. In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly drawn up and there should be a designated lead contact.
Who is responsible for non-compliance with the GDPR ?
The DPO is not personally responsible for non-compliance with the GDPR during processing. Only the controller and the processor are responsible for any non-compliance with the Regulation when performing processing.
Is the controller/processor required to publish and communicate the DPO’s appointment?
The appointment of the DPO must be published and communicated both inside and outside the organisation of the controller or the processor. In particular, contact details of the DPO, such as for example a postal address, a dedicated telephone number, and/or a dedicated e-mail address (and possibly a dedicated contact form) should be published on the controller’s or processor’s website. The same contact details will be communicated to the relevant supervisory authority and to data subjects with the privacy notice (see, the first FAQ on privacy policies “link”).
Focus: the “large scale” concept
The GDPR does not define what large scale processing is. Working Party Art. 29, offers some criteria in order to clarify the concept in its Guidelines on DPOs of 5th April 2017 . When determining whether the processing is carried out on a large scale, the following factors can be considered:
• The number of data subjects concerned-either as a specific number or as a proportion of the relevant population;
• The volume of data and/or the range of different data items being processed;
• The duration, or permanence, of the data processing activity;
• The geographical extent of the processing activity.
Examples of large-scale processing include:
• processing of patient data in the regular course of business by a hospital;
• processing of travel data of individuals using a city’s public transport system (e.g. tracking via
travel cards);
• processing of customer data in the regular course of business by an insurance company or a bank.
The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which starting from already well-known privacy concepts, give a brief first guide to the new regulation.
What is a privacy notice?
A factsheet known as a privacy notice refers to that set of information which must be provided to data subjects (namely natural persons whose data are processed) to allow them to understand who is collecting their personal data, what will be done with them, how, by whom and who they will be shared with.
Who is responsible for providing the privacy notice?
The privacy notice must be provided by the data controller or the data processor, when specifically instructed to do so by the data controller.
What are the contents of a privacy notice?
The GDPR provides a thorough description of the contents of the privacy notice in art. 13, par. 1 and art. 14, par. 1.
Some of these contents were already provided for in the Italian Privacy Code, among which are for example the indication of: a) contact data of the data controller and of any data processor when used; b) the purposes of processing (e.g. entering into contracts, marketing, profiling, etc.); c) whether the provision of personal data is mandatory or not and the consequences (should such mandatory data not be provided); d) the rights of data subjects.
Besides this information, the GDPR provides further relevant information in the privacy notice which the controller is required to provide to data subjects in order to proceed with processing their data, such as: a) contact data for the Data Protection Officer when appointed; b) the legal basis for the processing (e.g. consent, public interest, performance of contracts and so on) and in cases where this constitutes legitimate interest for the controller, specify its contents; c) whether the data will be transferred to countries outside the EU and which instrument the transfer will be carried out with (e.g. adequacy decision; BCR, standard contractual clauses); d) the period of time for which the data will be stored or the criteria used to determine it; e) the existence of automated decision-making (including profiling) and the logic it is based on.
When must the privacy notice be given?
The privacy notice must be provided to data subjects at the moment in which their data are collected, therefore before the start of any kind of processing. The GDPR only exempts data controllers from the obligation of providing privacy notices in cases in which data subjects already have all the information at their disposal (art. 13, par. 4).
Conversely, however, in cases where the data have not been obtained from the data subject, data controllers must provide data subjects with the above listed information (in addition specifying the source of the data) within a month of collecting them or at any rate from the moment of their communication (to a third party or to the data subjects themselves).The GDPR also provides for certain circumstances for exemption in this situation (art. 14, par. 5) which refer to those cases in which: a) data subjects are already in possession of all relevant information; b) the provision of such information would prove impossible or would involve excessive effort; c) the collection or disclosure is laid down by law; d) the data must remain confidential subject to an obligation of professional secrecy. It is the duty and therefore, the responsibility of the data controller to assess whether there is one of the above-listed circumstances.
In addition data subjects must be provided with a new privacy notice should the data controller decide to process the collected data for different purposes from those originally communicated.
How must the privacy notice be provided?
In this case too the GDPR gives a clearer definition of the procedure for formulating and providing the privacy notice.
The privacy notice is generally provided in writing or by other means, which can also be electronic (where appropriate). Only in cases when the data subject requires it, may the privacy notice be provided orally.
With regard to its formulation, the GDPR specifies that the privacy notice must be: concise, transparent, intelligible and easily accessible. Essentially, it must be formulated in clear and plain language, in particular when the information is specifically addressed to a child (art. 12, par. 1).
In addition, with the precise aim of guaranteeing the highest level of transparency and to make it easily legible, the GDPR clearly explains that the information may be provided in combination with standardised icons to give an intuitive and easily understandable overview of the processing procedure.
In view of the imminent deadline for the application of the European legislation on the protection of personal data, the Ministry of Justice has appointed a team of experts whose immediate task will be to assure that the current Italian Privacy Code complies with the new rules.
There are two European regulations which will need to be implemented in the Italian framework in May 2018. Regulation 2016/679 of the European Parliament and Council on privacy (GDPR), which repeals the previous 1995 Directive, will come into effect from May 25th 2018, while the deadline of May 6th has been set for publishing and implementing the legislative, regulatory and administrative dispositions of Directive EU 2016/680, which concerns the protection of personal data processed by the competent authorities for the purpose of the prevention, investigation, or prosecution of criminal offences.
In order that the Italian Code on personal data protection will comply with the new rules as quickly as possible, the Government has taken the decision to also utilise a team of qualified experts from outside the Administration and from different professional fields. On December 14th 2017, Professor Giusella Finocchiaro was appointed by the Ministry of Justice to lead the Working Group in charge of drawing up the Legislative Decrees to guarantee the prompt implementation and compliance of the internal framework with the European data protection requirements.
The Swedish streaming music giant must contend with a lawsuit from the American company Wixen Music Publishing which is suing it for copyright infringement, specifically alleging Spotify is using thousands of its songs without a proper licence and compensation to the music publisher.
Spotify, the company which offers unlimited music streaming on subscription, is accused of failing to pay fair royalties to the right-holders of Wixen Music Publishing which manages the rights of 10,784 songs of artists such as Tom Petty, the Doors, Carlos Santana and Neil Young.
The music publishing company is seeking a damages award from Spotify for lump-sum compensation worth $ 150,000 per song, for a total of more than $ 1,6 billion.
Spotify is not new to this kind of legal action as in May 2017, after a drawn-out lawsuit, the Stockholm based company had already reached an agreement to settle a class action lawsuit led by the singer-songwriters David Lowery and Melissa Ferrick, to pay the authors $ 43 million in rights in view of the listing of their shares on the New York Stock Exchange (NYSE) expected for this year. In July 2016, songwriter Bob Gaudio and music publisher Bluewater Music Services in Nashville, took legal action filing lawsuits for the same reasons.
Meanwhile Spotify has filed documentation for DPO (direct public offering), namely direct listing of its shares on the New York Stock Exchange, to the Securities and Exchange Commission (SEC) which should take place by the first trimester of the year. Spotify, the clear worldwide-leader in music streaming, recently revealed that it had over 70 million paying subscribers. Its value was estimated at $8,5 billion last year, but it seems that the company’s value has risen to $20 billion after a recent equity shares swap with the Chinese social media giant Tencent Music Entertainment.
More than a half century ago, Bob Dylan’s “A hard rain’s a-gonna fall” reflected a dark and turbulent world facing a potential nuclear attack, the rising threat of environmental pollution, a rapid shifting of the international order, a growing divisiveness within society and the dawning of new socio-political paradigms and power centers. Does this sound like today? Or is the falling rain the source of new opportunities?
Nomisma asked prominent experts from around the world to share their views on major trends which will affect the global agenda in the next year. Giusella Finocchiaro is the author of the chapter regarding Internet Law in 2018. All contributions are collected in a book edited by Andrea Goldstein and Julia K. Culver.
The book can be freely downloaded by clicking HERE.
The presentation of the book will take place in Milan, on the 12th of January 2018. For more information, please visit NOMISMA website.
The following is an analysis of a proposal for a regulation “for a framework on the free flow of non-personal data in the European Union”.
The objective of the regulation is the liberalisation of data flows. It is worth noting that this liberalisation suffers from two intrinsic limitations in the proposal: on the one hand it only refers to non-personal data, which, for clear reasons of consistency, are defined as “data other than those defined in art. 4, Regulation EU 2016/679”; and on the other hand it solely pertains to the movement of data within the European Union borders, whereas it in no way affects the exchange of data outside the Union.
The Commission identifies two main obstacles to businesses and public administrations having full freedom to choose the location where they store and manage their data.
The first obstacle is represented by the unjustified restrictions on data localisation imposed by public authorities in Member States. Over the years, the reasons which have moved Member States to impose the mandatory local storage of their data on national businesses and public administrations, include maintaining higher levels of security and facilitating easier monitoring by national authorities. For example, this includes the storage measures for financial statements and accounting data provided for in Germany, Denmark, Belgium and other northern European countries, which require that data be filed within national borders. In the same way, in countries such as Bulgaria, Poland and Romania data localisation requirements are imposed on winnings and user transactions. In Bulgaria for example, an applicant for a gaming license must assure that all data related to operations in Bulgaria is retained on a server located within the country. In addition, even when no specific territorial restriction is in place, business practice and common sense have in any case led in the direction of favouring localised data storage, turning down the chance of alternative cross- border offers.
The second obstacle to data liberalisation derives from private market limitations, which prevent data portability across IT systems by means of so-called vendor lock-in (aka proprietary lock-in or customer lock-in) practices. This widespread business phenomenon (e.g. Microsoft, Apple, Google, Nvidia, even hotels!) has its origin in providers wanting to create a condition of artificial dependence, which makes customers virtually totally dependent on them for the goods or services they provide. Customers are put in such a position that they cannot purchase goods or services from a competitor without incurring both the substantial costs and cumbersome and inconvenient organisational difficulties involved in switching to a new provider. Providers implement this sort of “forced loyalty” both by means of adopting technologies or standards differ from those used by competitors and the inclusion of contractual conditions which are particularly penalising in case of a switch.
Thus, in order to curb the spread of such practices and arrangements, with this proposal the Commission wants to tackle the problems through four lines of action.
Firstly, the proposal introduces a general principle of free circulation of data among Member States which allows businesses free choice of where to process or store their data. Legally provided restrictions will have to be be carefully scrutinised and will only be legitimate in cases when public and/or national security are at stake.
Secondly, with the intention of reassuring national legislators, the proposal guarantees that the competent authorities (of each Member State) will have access to data stored or processed in another Member State on the same conditions of access guaranteed nationally.
Thirdly, the proposal encourages the elaboration of self-regulatory codes of conduct which would smooth portability conditions and therefore, for example, switches of cloud service providers. The aim is that of also building a sort of “right to data portability” for non-personal data, in the same way as that provided for by the privacy Regulation for personal data. The need is to make sure that that customers’ freedom of choice is in place not only at the start of a contractual relationship, but that it is maintained and made technically possible for the entire duration of the relationship.
Lastly, the proposal establishes a central point of contact for each Member State, in order to guarantee the successful application of the new rules on the free flow of non-personal data.
In conclusion, there is no doubt that the regulation proposal is aimed first and foremost at businesses and public administrations, with significantly lower impact on individual citizens. However, if it is seen in the light of and in coordination with the European data framework, the proposal takes on much more general relevance. In fact, thanks to this new formulation, a number of the principles contained in the privacy Regulation, such as those regarding free data circulation and data portability, would be strengthened as a result of an extension of their scope of application.
More than 20 speakers will discuss cybersecurity at the 2017 China-EU School of Law Conference “Personal Data Protection in Times of Big Data” which will be held in Beijing on the 3rd of November 2017. Gao Hongbing, Vice President of Chinese internet giant Alibaba, is one of them.
At the 2017 China-EU School of Law Academic Conference, legal scholars and entrepreneurs from China and Europe will examine the legal challenges massive data collection poses to the protection of personal data. In speeches and panels, they will ask questions such as: Who owns collected data? How safe are databases? How can personal data be protected? What data can be analysed? Which legal framework can regulate this? China’s 2017 Cybersecurity Law and the EU’s 2018 General Data Protection Regulation play a key role in this debate.
Zhang Fusen, Former Minister of Justice of the People’s Republic of China, Hinrich Julius, Professor of Law and Project Coordinator of the China-EU School of Law Consortium Office are slated to open the conference. Giusella Finocchiaro is one of the panel speakers.
The conferece will start at 9 a.m., it will end at 5 p.m.. Conference venue is the Jingyi Hotel, No. 9 Dazhongsi East Road, Hai Dian District, in Beijing.