Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten (MHC.ie)

Upload: elaine-okeeffe

Post on 31-Mar-2016


Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten

MHC.ie

Rewriting the Past

Oisin Tobin

[email protected]

Agenda

1. Background
2. Findings and impact:
   a) Jurisdiction
   b) A “data controller”
   c) The “right to be forgotten”

Background – The Timeline

1998 → Auction notices published
1998 – 2010 → Content digitized, appeared in Google search
2010 → Complaint filed with the Spanish Data Protection Authority

Background – Spanish DPA Decision

• The original notice was lawfully published
• However, Google’s linking to that notice violated González’s data protection rights

Background – CJEU appeal

• Google appealed the decision to the CJEU
  → Not within jurisdiction
  → Google search is not a “data controller”
• Advocate General
  → Google was “not a data controller”
• CJEU
  → Disagreed
  → Affirmed the Spanish DPA
  → No appeal possible
  → “deleting the index cards”

Issue 1: Jurisdiction – Applicable law

Two jurisdictional tests in EU Data Protection Law (Article 4):
→ DC is “established” in a member state and processes personal data “in the context of that establishment” (Article 4(1)(a))
→ DC has no EU establishment, but “uses equipment” in Europe (Article 4(1)(c))

Issue 1: Jurisdiction – Google’s case

• Google search is provided by Google, Inc.
• Google, Inc. has no presence in the EU
• Google Spain promotes the sale of ads (an unrelated activity)
• No evidence of servers located in the EU

Therefore:
→ No relevant establishment in the EU (per Article 4(1)(a))
→ No equipment (per Article 4(1)(c))
→ No jurisdiction

Issue 1: Jurisdiction – Court’s Response

• An economic link between Google search and the ads sold by Google Spain (one pays for the other)
• The separate legal personality of Google, Inc. and Google Spain can be disregarded
• Google Spain deemed to be an “establishment” of Google Inc. that processes personal data “in the context of the activities of” Google search
• Therefore, jurisdiction (per Article 4(1)(a))

Issue 1: Jurisdiction – Court’s Response

It “cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive’s effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure”

Issue 1: Jurisdiction – Practical Impact

• The establishment, by a non-EU company, of an EU marketing sub may cause EU privacy law to apply to the operations of the non-EU company
• Even where the EU sub is not factually involved in the processing of personal data
• Risk of overlapping regulators (one per marketing sub)
• Strategic decision:
  → Concede that an EU data protection law is to apply and have a designated “data controller” or subsidiary responsible for DP issues in a member state

Issue 1: Jurisdiction – Questions

If a multinational company, ask:
• Do we have a clear EU data controller?
• Where do we have marketing subs?
  → Do our parent’s operations comply with applicable local law?
• Where necessary, consider data protection jurisdiction risk when expanding operations

Issue 2: “Data Controller” – Applicable Law

• Data Protection obligations fall on “data controllers”
• An entity that “determines the purposes and means of processing” personal data

Issue 2: “Data Controller” – Google’s case

• Scan and cache content to provide access
• No real control over that information
• Advocate General agreed
  → A “proportionate” reading of DP law

Issue 2: “Data Controller” – Court’s finding

• Google programmed the software that scanned, indexed and cached content (including personal data)
• Sufficient to show Google was a data controller

Issue 2: “Data Controller” – Impact

• Search engines are responsible in data protection law for the results they return
• Any business could be treated as a data controller in respect of data it collects/obtains in the course of trade
  → Even where the business is not really concerned about the content of that data

Issue 2: “Data Controller” – Questions

• Have we considered all circumstances where we may be acting as a data controller?

Issue 3: “Right to be Forgotten” – Law

Controllers need to ensure:
→ a “pre-condition” to processing has been met, e.g. consent, legitimate interests
→ compliance with general “data protection principles” (i.e. not excessive, limited retention, etc.)

Issue 3: “Right to be Forgotten” – Google

Principle of Proportionality:
→ Any request for removal of content should be made to the website, not Google (a mere intermediary)

Issue 3: “Right to be Forgotten” – Court

• Google lacks consent
  → Must rely on legitimate interests
  → Balancing test – public interest v privacy rights
• Must also comply with general DP principles (data not excessive, up to date, etc.)
• “As a rule” privacy rights take precedence over the public’s interest in accessing information
• Where a data subject objects to search results, those should be removed, save in limited circumstances (e.g. public figures)

Issue 3: “Right to be Forgotten” – Impact

• Does not create a general right to demand deletion of data
• Ruling was based on Articles 12 and 14 of the Directive
  → Article 12 – allows deletion where there is a breach of DP law (akin to Section 6 of the Irish DP Act)
  → Article 14 – a right to object where processing is based on legitimate interests (akin to Section 6A of the Irish DP Act)

Issue 3: “Right to be Forgotten” – Impact

“Right to be forgotten” does not arise where:
→ Data is being lawfully processed; AND
→ There is an alternative basis to justify the processing, including:
  → Consent
  → Necessary to perform a contract with the data subject (NB for difficult customers)
  → Necessary to comply with a legal obligation

Issue 3: “Right to be Forgotten” – Questions

If a “right to be forgotten” request comes in, check:
→ What’s our justification for keeping this data?
→ Are we happy that this data generally complies with data protection law?

If:
→ relying on consent, contract or legal obligations as a justification; and
→ satisfied that the data otherwise complies with the DP Acts

then deletion should not be required.

No proactive screening requirement

Issue 3: “Right to be Forgotten” – Policy

• Increased ability of individuals to manage their online reputations
• Broader trends towards “human rights” style data protection decisions:
  → SABAM; Digital Rights Ireland; Schrems
  → Likely to lead to more litigation in this space
• Potential trade implications
  → TTIP
  → Divergence between US and EU law

Conclusions

• Marketing subs can ground data protection jurisdiction over the parent
• An expansive definition of data controller has been adopted
• The “right to be forgotten” only arises in limited circumstances
• Seminal judgment – will shape future policy and case law

Defending your Data

Rob McDonagh

[email protected]

Some Quick Facts

• Average cost is $3.5 million / €145 per record
• Biggest hit from loss of reputation and customers
• Incident response plan shown to reduce cost
= take security breaches seriously

Managing a Security Incident

• You cannot be prepared for a security incident without having prepared for it!

3 Important Points

• Data controller primarily responsible, even if caused by data processor
  • what are you?
• Security breach:
  • not necessarily a breach of DP law
  • could still be a breach of contract
• You need to consider laws of other countries too

Key Management Tools

• Security Breach Policy (and training)
• IT Security Policy
• Acceptable Usage Policy
• Firewalls
• Logs / red flags
• Supplier due diligence
• Contractual measures
• Insurance

Security Breach Policy

• Create a Security Breach Policy
• Reporting lines
• Incident management team (and deputies)
  • compliance / audit / legal / IT / security / PR / business control etc.
  • include a senior officer so the team can make quick decisions
• Third party advisers
• Include contact details
• Identify key action points
• Training for incident management team

Key Action Points – Initial Steps

• Act quickly
• Assemble incident response team
• Internal escalation
• Stop or mitigate breach
• Information lockdown
• Preserve evidence
NB: remember litigation is possible

Key Action Points – Investigation

• Identify data controller
• Determine your status
• Investigate facts
  • data affected
  • individuals affected
  • cause
  • resulting harm / damage
  • use legal counsel – legal privilege?
• Remember things move and change quickly

Key Action Points – Implications

• Consider exposure
  • liability and fines
  • contract termination
  • audit / escalation
• Contractual obligations?
• Consider any wider business critical implications
• Tolling agreement

Key Action Points – Notifications

• Notify insurers if required under policy
• Consider regulatory notifications in Ireland and abroad, e.g. DPC, Gardaí, foreign DPCs etc.
• Consider data subject / customer / DC notifications
• Check relevant contracts
  • confidentiality
  • preservation of rights

Key Action Points – Customer Relations

• Create customer relations strategy
• Press release
• Customer relationship management
• Mitigation measures: hotline, online helpdesk, monitoring service, discounts etc.

Key Action Points – Corrective Action

• Audit
• Disaster recovery / business continuity etc.
• Implement corrective / disciplinary action

Should you Notify DPC?

• No express obligation (except ECSPs / ECNPs)
• No fines in Ireland (except ECNPs / ECSPs)
  • different in other countries
• Negative PR resulting from failure to disclose – can the incident be contained?
• Have you notified other regulators?
• Draft EU Regulation

Should you Notify DPC?

• DPC has a statutory obligation of confidentiality
• General practice not to disclose except in response to inquiry by media or concerned person
• However, may issue press release or notify other DPCs if significant incident

Should you Notify DPC?

• Before making disclosure, also consider:
  • is disclosure permitted by contract?
  • must you notify insurers first?
  • implications of DPC finding for third party litigation?
  • other implications?
  • similar issues apply to other notifications, e.g. to individuals
• Notification based on current information
• Remember DPC has statutory enforcement powers

Voluntary Code

• Applies if personal data put at risk
• Also earlier DoF public sector guidance
• Code only applicable if DC or DP subject to DPA
• Code is not legally binding (unless incorporated into contract)
• Not applicable to ECNP / ECSP as separate legislation applies

Voluntary Code – DC and DPC Notifications

• DP must report to DC all incidents of loss of control of data
• DC must report to DPC incidents in which data put at risk within 2 working days unless:
  • individuals already informed;
  • no more than 100 data subjects; and
  • does not include sensitive personal data or financial data
• Keep summary record even if don’t notify DPC
  • brief description
  • why chose not to notify

Voluntary Code – Notifying Individuals

• DC must give immediate consideration to informing those affected
• No obligation if no risk to data due to technological measures of a high standard
• Risk of over-notification or more harm than good
• Audit trail for reasons not to notify

Steps in a DPC Investigation

1. Initial call / email
2. Written submission
   - amount and nature of personal data
   - action to secure / recover personal data
   - action to inform those affected or reasons for the decision not to do so
   - action to limit damage or distress to those affected
   - chronology of events leading up to incident
   - measures to prevent repetition

Steps in a DPC Investigation

3. Additional Materials
   - Contract
   - Recruitment process
   - Relevant policies
   - Training documents
   - Log of training for relevant staff
   - expressly state it is confidential and commercially sensitive
NB: remember your confidentiality obligations

Steps in a DPC Investigation

4. Site visit
   - systems
   - procedures
   - live demonstrations
   - questions
   - (enforcement notice?)
5. Draft finding or report / recommendations
6. Right of reply
7. Final finding or report

Third Party Contracts

• Diligence
• Notification of incident
• Control of incident
• Co-operation / information / preservation obligations
• Right to interrogate devices / data
• Right to interview personnel

Third Party Contracts

• Notification of policies to others
• Restoration of data
• Confidentiality clause
• Indemnity / cap
• “subject to law” qualifications

Covering your bases

Ailbhe Gilvarry

[email protected]

Civil Liability for Breach

Michael Collins v FBD
• DP complaint and investigation
• Circuit Court
• High Court

Insurance

• Third Party Claims
• First Party Expenses

Third Party Claims
• Disclosure
• Content
• Reputational
• Conduit
• Impaired Access

First Party Claims
• Notification
• Regulator
• Reputation and Response Costs
• Cyber Extortion
• Network Interruption

Q&A