Legitimate Interests: A Legal Basis to Process

Maintaining Protection While Facilitating ICT Growth
• The primary mechanism for data protection governance is purpose specification notices and consent
• This is particularly true in Latin America
• However, data-driven innovation is hard to explain, involves the creation of new data and challenges the effectiveness of notice and consent
• Data stewardship models (accountability) may provide an effective answer

Legitimate Processing Beyond Consent
• The global data protection community increasingly recognizes that consent does not protect individuals effectively
  – Data increasingly leads to the creation of new data
  – Compatible purposes are not anticipated by either controllers or individuals
  – Notices do not drive awareness
• EU Directive has always had the concept of legitimate business interests
  – Always required a balancing
• New “draft” guidance gives direction
  – Greater recognition by authorities

Legitimate Interest Guidance
• Legitimate interest should be used if appropriate
  – Do not use consent where it is not effective
• Must balance the legitimate interests of the controller against all issues of individuals
• Balancing processes must be describable to enforcement agencies and interested individuals

This Session
• Will place European law into comparative context
• Provide examples of the balancing process
• Discuss legitimate interests as they relate to marketing analytics

Data Privacy v. Data Protection
• U.S. privacy laws protect ‘reasonable expectations of privacy’
• EU data protection laws prohibit processing of personal data – unless a statutorily accepted justification applies

Big Data Defined
• Data
• Personal data and the myth of anonymity
• Big?
• New purposes, e.g., statistics, traffic, health, security, marketing

Data Privacy and Legitimate Interest
• What is legitimate?
• How to balance privacy interests v. data usage interests?
• Who decides on legitimacy and balancing?

Data Privacy and Consent
• When is consent really informed, voluntary, specific, express and in writing?
• Can it be – with respect to big data?
• Should it be?

Overview of MasterCard’s Transaction Processing Business
[Diagram: MC Data Center; MC Transaction Routing]
MC authorizes, clears and settles payment transactions between merchants, processors and banks

Acquiring Bank
• Processes payment transaction with MC
• Settles funds with MC on behalf of their Merchant

Issuing Bank
• Has financial relationship with Cardholder
• Extends credit/issues MC card

Merchant
• Contracts with an Acquiring Bank to process payments and settle funds
• Accepts MC card as a form of payment

Cardholder
• Agrees to payment terms of the Issuing Bank
• Transacts with Merchant who accept MC card

Data Collected
• Account Number
• Transaction Amount
• Merchant
• Transaction Date
• Reported Fraud
No Contact Information

Legitimate Interest Analysis

Legitimate Interests
• Anti-fraud
• Internet Security
• Anti-Money Laundering
• Misuse
• Legal claims (dispute resolution)

Parties in Interest
• Issuers
• Acquirers
• Merchants
• Cardholders (data subjects)
• Fraudsters/Criminals

Balancing Test
• Controllers’ Legitimate Interests
• Impact to Data Subjects
  – Assess the impact
  – Types of data
  – The way the data is processed
  – Reasonable expectations of the data subject
  – Safeguards
• De-Identification, aggregation and data minimization
• Transparency
• Right to Object

Current Framework.
Legitimate Interests in Directive 95/46/EC

CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
Article 7
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests (f)or fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

PRINCIPLES RELATING TO THE LEGITIMATION OF DATA PROCESSING (Spanish version of the Directive)
Article 7
Member States shall provide that personal data may be processed only if:
(a) the data subject has given his consent unambiguously, or
(b) it is necessary for the performance of a contract to which the data subject is party or for the application of pre-contractual measures taken at the request of the data subject, or
(c) it is necessary for compliance with a legal obligation to which the controller is subject, or
(d) it is necessary to protect the vital interest of the data subject, or
(e) it is necessary for the performance of a task of public interest or inherent in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or
(f) it is necessary for the satisfaction of the legitimate interest pursued by the controller or by the third party or parties to whom the data are disclosed, provided that the interest or the fundamental rights and freedoms of the data subject which require protection under Article 1(1) of this Directive do not prevail.

Future framework. Legitimate Interests in the Proposed GDPR

EUROPEAN COMMISSION’S PROPOSAL
(http://ec.europa.eu/justice/dataprotection/document/review2012/com_2012_11_en.pdf)
Very similar to 95 Directive, except:
- Call out for the protection of minors
- Carve out for processing carried out by authorities in the performance of their task
- Delegated acts

LIBE COMMITTEE’S REPORT
(http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf)
- Last resort (when the other bases do not apply)
- Explicit & separate information to the data subject
- Publishing of the reasons
- Prepopulated list of scenarios

A29 WP Opinion 6/2014.
Past, Present & Future
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
• Historical lack of harmonized interpretation
• As valid as any other ground
  - Not a last resort (when everything else fails)
  - But not the ‘weakest link’ either
• What is considered a legitimate interest?
  - Lawful, clearly stated, real & present
  - From trivial to compelling
  - Necessity test
• What about the data subject interest or fundamental rights?
  - Broad interpretation
  - Legitimacy not required
• The complexity of the balancing test
  - Nature of the interest & nature of the impact
  - Nature of the data & the processing
  - Data subject’s expectations
  - Provisional balance
  - Role of additional safeguards & opt outs
• Recommendations for GDPR
  - Recitals on factors & documentation
  - Substantive provision on explanation by controllers

Legitimate Interests Absent in Latin America

Argentina (Ley 25.326 - 2000)
http://www.jus.gob.ar/media/33481/ley_25326.pdf
- General rule: Free, express and informed consent (“consentimiento libre, expreso e informado”)

Costa Rica (Ley nº 89698 – 2011)
http://www.archivonacional.go.cr/pdf/ley_8968_proteccion_datos_personales.pdf
- References to both express and informed consent

Mexico (LFPDPPP – 2010)
http://inicio.ifai.org.mx/LFPDPPP/LFPDPPP.pdf
- General rule: implicit consent (“consentimiento tácito”)
- Sensitive data: express consent (“consentimiento expreso”)
- Exception for de-identified data (“datos disociados”)

Nicaragua (Ley nº 787 – 2012)
http://legislacion.asamblea.gob.ni/normaweb.nsf/9e314815a08d4a6206257265005d21f9/e5d37e9b4827fc06062579ed0076ce1d
- Consent is the general rule, through written or electronic means
- Exception for de-identified data (“datos disociados”)

Perú (Ley nº 29733 – 2011)
http://www.educacionenred.pe/noticia/?portada=8167
- General rule: prior, informed, express and unambiguous consent (“previo, informado, expreso e inequívoco”)
- Sensitive data: in writing
- Exception for de-identified data (“datos disociados”)

Colombia (Ley 1581 de 2012)
http://www.sic.gov.co/documents/10157/0/Ley_1581_2012.pdf/
- Previous & informed authorization (“autorización previa e informada”)

Brazil (Marco Civil – 2014)
http://www.planalto.gov.br/CCIVIL_03/_Ato2011-2014/2014/Lei/L12965.htm
- Express consent (“consentimento expresso”)
- Data Protection Bill still to be released