(from 2016) – Lessons from living with high privacy fines (Spain)

The GDPR introduces some very high fines for violations, and for many countries in Europe this will be a major change. – In this context, it’s interesting to have a look at Spain, where the Data Protection Authority has already been able to enforce fines of up to 600,000 EUR for several years.

Ricard Martinez of the Spanish Data Protection Association APEP wrote a very interesting article on the challenges that come with high privacy fines.

My key take-aways from his post are:

  • The total annual amount of fines in Spain has been between 15 and 20 million EUR over the last decade.
  • The majority of the sanctioned companies are in the telecommunications, video surveillance, and financial industries. Their relative share stays about the same year after year. – So the high fines do not appear to be a crucial deterrent.
  • The legislator had to modulate the sanctions to balance the impact on small and medium enterprises. – It’s important that the DPAs harmonize around this before the GDPR becomes effective, as the overall effect might otherwise be unfair.
  • The volume of complaints is steadily increasing from year to year. This has an impact on the ability of the DPA to take action: the number of actual infringement statements is staying constant. – Any news on DPA actions seems to increase the volume of complaints further.

There’s much more information in Ricard Martinez’ post, and I encourage you to read more at http://www.phaedra-project.eu/the-challenge-of-the-enforcement-in-the-proposal-for-a-general-data-protection-regulation-2/

(from 2016) UK court decision on whether clinical trial data can be adequately anonymised

The below is from 2016.

A very interesting article from Freshfields that shows the UK Information Commissioner (supported by the First Tier Tribunal) taking a practical approach to the anonymisation of personal data. Also, a reminder that clinical trial data might be subject to freedom-of-information requests in the UK under some conditions.

http://knowledge.freshfields.com/en/Global/r/1640/can_clinical_trial_data_be_adequately_anonymised__

Key points of interest include:

“There was no evidence that a third party, alone, could identify participants. The evidence showed that identification would be possible by combining the patient data with NHS data, but this would have involved an NHS employee breaching professional, legal and ethical obligations, and having the skill and motivation to do so. This level of conjecture was considered remote. It is not ‘any conceivable means of identification’ that must be considered, but only ‘those reasonably likely to be used’. We ‘must consider whether any individual is reasonably likely to have the means and the skill to identify any participant and also whether they are reasonably likely to use those skills for that purpose’.”

High-level summary

“The Information Commissioner had ordered Queen Mary University London to disclose patient data from a trial on chronic fatigue syndrome under the Freedom of Information Act. The Tribunal reviewed this decision.

QMUL ran several arguments but the one the Tribunal most struggled with was whether the data had been anonymised enough that it should no longer be considered personal data. If so, it would likely be disclosable under FOIA. If the data was not sufficiently anonymised, it would still be ‘personal data’ and would therefore have to be withheld from disclosure.

Although the Tribunal was split in its decision, the majority was in favour of upholding the Information Commissioner’s decision that the data had been adequately anonymised. QMUL was therefore ordered to disclose it.”

Privacy as a Service in Digital Health

.. paper by Xiang Su, Jarkko Hyysalo, Mika Rautiainen, Jukka Riekki, Jaakko Sauvola, Altti Ilari Maarala, and Harri Honko

at https://arxiv.org/ftp/arxiv/papers/1605/1605.00833.pdf

I still need to let it truly sink in before I’m ready to comment on it – but I am glad that this kind of privacy design thinking is now happening. GDPR offers some challenges and many opportunities. Having a technical layer to complement the privacy processes we’ll all have to put in place can be very helpful. Let’s hope for some reasonable open data scheme to make the legal aspects more digestible to tools and algorithms.

Let’s just hope it won’t go the way of the P3P protocol.

A GDPR presentation worth sharing..

.. and it’s not one of mine.

Like probably most of you, I had to prepare quite a few slide decks on the EU General Data Protection Regulation in 2016. These have been very specific to my employer, and unfortunately I can’t share them.

But I was also fortunate to watch and listen to many of you giving your presentations, for example at the IAPP KnowledgeNet in Switzerland, and at workshops hosted by IPPC and (ISC)2. Each of them was an opportunity for me to learn.

Looking back, for me the most inspiring presentation was the slide deck “EU General Data Protection Regulation – A workshop for companies in Switzerland” by David Rosenthal, published on the Homburger website. – Elegant structure, to the point, with a very natural flow. It’s available under the CC-BY-NC-ND license, along with some other material, at http://www.homburger.ch/en/current/publications/dataprotection/

Highly recommended reading.

GDPR – a headache for Data Protection Authorities

With the General Data Protection Regulation only a few days away, it’s not just companies upgrading their privacy management systems – the Data Protection Authorities are also preparing to meet their increased obligations under the new law.

More than a year ago, Prof. Dr. Alexander Roßnagel prepared an expert opinion on the additional workload caused by the GDPR for the German state DPAs (in German): http://suche.transparenz.hamburg.de/dataset/gutachten-zum-zusaetzlichen-arbeitsaufwand-fuer-die-aufsichtsbehoerden-der-laender-durch-d-2017

He estimated that each DPA would need, in addition to its current staff, 12-19 lawyers, 4-5 IT experts, 2 educational and 6 administrative roles. – At the beginning of 2017, the planned staff increase fell far short of this (49 new positions were planned for the federal DPA for 2017, and 8 or fewer for each of the states). It’s also interesting that he didn’t list separate categories for “privacy managers” or “auditors”. http://www.heise.de/newsticker/meldung/Datenschutzgrundverordnung-bringt-Datenschutzaufsicht-an-Belastungsgrenze-3633498.html

The mechanisms for mutual cooperation between the European DPAs are new and quite complex (Art. 60 – 62), especially as communications might take place in a variety of languages. The consistency mechanism (Art. 63 – 66) might also turn out to be quite demanding. – In situations in which the One-Stop-Shop (OSS) approach cannot be applied, the DPAs will first have to jointly determine their respective responsibilities. It will be very interesting to see how these mechanisms work out.