Data Privacy and Legitimate Interest

Anuncio
Legitimate Interests:
A Legal Basis to Process
Maintaining Protection While Facilitating ICT Growth
• The primary mechanism for data protection governance is
purpose specification notices and consent
• This is particularly true in Latin America
• However, data-driven innovation is hard to explain, involves
the creation of new data and challenges the effectiveness of
notice and consent
• Data stewardship models (accountability) may provide an
effective answer
Legitimate Processing Beyond Consent
• The global data protection community increasingly recognizes
that consent does not protect individuals effectively
– Data increasingly leads to the creation of new data
– Compatible purposes are not anticipated by either controllers or
individuals
– Notices do not drive awareness
• EU Directive has always had the concept of legitimate
business interests
– Always required a balancing
• New “draft” guidance gives direction
– Greater recognition by authorities
Legitimate Interest Guidance
• Legitimate interest should be used if appropriate
– Do not use consent where it is not effective
• Must balance the legitimate interests of the controller against
all issues of individuals
• Balancing processes must be describable to enforcement
agencies and interested individuals
This Session
• Will place European law into comparative context
• Provide examples of the balancing process
• Discuss legitimate interests as it relates to marketing analytics
Data Privacy v. Data Protection
•
•
U.S. privacy laws protect ‘reasonable
expectations of privacy’
EU data protection laws prohibit
processing of personal data – unless a
statutorily accepted justification
applies
Big Data Defined
•
•
•
•
Data
Personal data and the myth of anonymity
Big?
New purposes, e.g., statistics, traffic, health, security,
marketing
Data Privacy and Legitimate Interest
•
•
•
What is legitimate?
How balance privacy interests v. data usage interests?
Who decides on legitimacy and balancing?
Data Privacy and Consent
•
•
•
When is consent really informed, voluntary, specific,
express and in writing?
Can it be – with respect to big data?
Should it be?
Overview of MasterCard’s Transaction
Processing Business
MC Data Center
MC Transaction
Routing
MC Transaction
Routing
Acquiring Bank
• Processes payment
transaction with MC
MC authorizes, clears and
settles payment transactions
between merchants,
processors and banks
Issuing Bank
• Has financial
relationship with
Cardholder
• Settles funds with MC on
behalf of their Merchant
Merchant
• Extends credit/issues
MC card
Cardholder
• Contracts with an Acquiring Bank to
process payments and settle funds
• Agrees to payment terms of
the Issuing Bank
• Accepts MC card as a form of
payment
• Transacts with Merchant
who accept MC card
Data Collected
Account
Number
Transaction
Amount
Merchant
Transaction
Date
Reported
Fraud
No Contact Information
Legitimate Interest Analysis
Legitimate Interests
Parties in Interest
Anti-fraud
Issuers
Internet Security
Acquirers
Anti-Money Laundering
Merchants
Misuse
Cardholders (data subjects)
Legal claims (dispute
resolution)
Fraudsters/Criminals
Balancing Test
• Controllers’ Legitimate Interests
• Impact to Data Subjects
–
–
–
–
Assess the impact
Types of data
The way the data is processed
Reasonable expectations of the data
subject
– Safeguards
• De-Identification, aggregation and data
minimization
• Transparency
• Right to Object
Current Framework. Legitimate Interests in Directive 95/46/EC
CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
Article 7
Member States shall provide that personal data may be
processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract
to which the data subject is party or in order to take steps at
the request of the data subject prior to entering into a
contract; or
(c) processing is necessary for compliance with a legal
obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital
interests of the data subject; or
(e) processing is necessary for the performance of a task
carried out in the public interest or in the exercise of official
authority vested in the controller or in a third party to whom
the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate
interests pursued by the controller or by the third party or
parties to whom the data are disclosed, except where such
interests are overridden by the interests (f)or fundamental
rights and freedoms of the data subject which require
protection under Article 1 (1).
PRINCIPIOS RELATIVOS
TRATAMIENTO DE DATOS
A
LA
LEGITIMACIÓN
DEL
Artículo 7
Los Estados miembros dispondrán que el tratamiento de datos
personales sólo pueda efectuarse si:
a) el interesado ha dado su consentimiento de forma
inequívoca, o
b) es necesario para la ejecución de un contrato en el que el
interesado sea parte o para la aplicación de medidas
precontractuales adoptadas a petición del interesado, o
c) es necesario para el cumplimiento de una obligación jurídica
a la que esté sujeto el responsable del tratamiento, o
d) es necesario para proteger el interés vital del interesado, o
e) es necesario para el cumplimiento de una misión de interés
público o inherente al ejercicio del poder público conferido al
responsable del tratamiento o a un tercero a quien se
comuniquen los datos, o
f) es necesario para la satisfacción del interés legítimo
perseguido por el responsable del tratamiento o por el
tercero o terceros a los que se comuniquen los datos, siempre
que no prevalezca el interés o los derechos y libertades
fundamentales del interesado que requieran protección con
arreglo al apartado 1 del artículo 1 de la presente Directiva.
Future framework. Legitimate Interests in the Proposed GDPR
EUROPEAN COMMISSION’S PROPOSAL
(http://ec.europa.eu/justice/dataprotection/document/review2012/com_2012_11_e
n.pdf)
Very similar to 95 Directive, except:
- Call out for the protection of minors
- Carve out for processing carried by authorities
in the performance of their task
- Delegated acts
LIBE COMMITTEE’S REPORT
(http://www.europarl.europa.eu/meetdocs/2009_20
14/documents/libe/pr/922/922387/922387en.pdf)
- Last resource (when the other basis do not
apply)
- Explicit & separate information to the data
subject
- Publishing of the reasons
- Prepopulated list of scenarios
A29 WP Opinion 6/2014. Past, Present & Future
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
•
•
Historical lack of harmonized interpretation
As valid as any other ground
- Not a last resort (when everything else fails)
- But not the ‘weakest link’ either
•
What is considered a legitimate interest?
- Lawful, clearly stated, real & present
- From trivial to compelling
- Necessity test
•
What about the data subject interest or fundamental rights?
- Broad interpretation
- Legitimacy not required
•
The complexity of the balancing test
- Nature of the interest & nature of the impact
- Nature of the data & the processing
- Data subject’s expectations
- Provisional balance
- Role of additional safeguards & opt outs
•
Recommendations for GDPR
- Recitals on factors & documentation
- Substantive provision on explanation by controllers
Legitimate Interests Absent in Latin America
Argentina (Ley 25.326 - 2000)
Costa Rica (Ley nº 89698 – 2011)
http://www.jus.gob.ar/media/33481/ley_25326.pdf
http://www.archivonacional.go.cr/pdf/ley_8968_proteccion_datos_personales.pdf
- General rule: Free, express and informed consent
(“consentimiento libre, expreso e informado”)
- References to both express and informed consent
Nicaragua (Ley nº 787 – 2012)
Mexico (LFPDPPP – 2010)
http://inicio.ifai.org.mx/LFPDPPP/LFPDPPP.pdf
- General rule: implicit consent (“consentimiento
tácito”)
- Sensitive data: express consent (“consentimiento
expreso”)
- Exception for de-identified data (“datos disociados”)
Perú (Ley nº 29733 – 2011)
http://www.educacionenred.pe/noticia/?portada=8167
http://legislacion.asamblea.gob.ni/normaweb.nsf/9e314815a08d4a620625726500
5d21f9/e5d37e9b4827fc06062579ed0076ce1d
- Consent is the general rule, through written or
electronic means
- Exception for de-identified data (“datos disociados”)
Colombia (Ley 1581 de 2012)
http://www.sic.gov.co/documents/10157/0/Ley_1581_2012.pdf/
- Previous & informed authorization (“autorización
previa e informada”)
- General rule: prior, informed, express and
unambiguous consent (“previo, informado, expreso e Brazil (Marco Civil – 2014)
http://www.planalto.gov.br/CCIVIL_03/_Ato2011-2014/2014/Lei/L12965.htm
inequívoco”)
- Express consent (“consentimento expresso”)
- Sensitive data: in writing
- Data Protection Bill still to be released
- Exception for de-identified data (“datos disociados”)
Descargar