Embed Size (px)
Citation preview
Prep
arin
g fo
r the
EU
Gen
eral
D
ata
Prot
ectio
n R
egul
atio
n
Dav
id B
ende
rG
TC L
aw G
roup
Adj
unct
Pro
fess
orU
nive
rsity
of H
oust
on L
aw C
ente
rFe
llow,
Pon
emon
Inst
itute
GD
PR G
enes
is●
1973
– 1
st se
t of F
air I
nfor
mat
ion
Prac
tices
(“FI
Ps”)
–U
S D
ep’t
of H
EW●
1980
– O
ECD
Gui
delin
es (r
evise
d 20
13),
base
d on
HEW
FIP
s●
1995
– E
U D
ata
Prot
ectio
n D
irect
ive
(sou
rce
ofcu
rrent
EU
DP
law
), ba
sed
on O
ECD
Gui
delin
es.
●M
ay 2
5, 2
018
– En
try in
to fo
rce
of G
ener
al D
ata
Prot
ectio
n Re
gula
tion
(“G
DPR
”), b
ased
on
Dire
ctiv
e.
2
Goa
ls o
f the
Dire
ctiv
e●
Prot
ect f
unda
men
tal d
ata
prot
ectio
n rig
hts
of E
U re
side
nts.
●Fa
cilit
ate
mov
emen
t of p
erso
nal d
ata
with
inEU
.●
Har
mon
ize
data
pro
tect
ion
law
s am
ong
EUM
embe
r Sta
tes.
3
EU’s
Ow
n Sc
orec
ard
onA
chie
ving
Dire
ctiv
e’s G
oals
●Pr
otec
ting
pers
onal
righ
ts -
impe
rfect
ly.
●Fa
cilit
atin
g da
ta m
ovem
ent w
ithin
EU –
OK
.●
Har
mon
ize
law
s – n
ot w
ell.
4
EU P
ropo
sed
Solu
tion
●A
“re
gula
tion”
:●
W
ith a
fram
ewor
k si
mila
r to
that
of t
heD
irect
ive.
●
Tha
t cur
es th
e te
chno
logi
cal o
bsol
esce
nce
of th
e D
irect
ive.
●
And
als
o im
pose
s add
ition
al re
stric
tions
on
the
proc
essi
ng o
f per
sona
l dat
a th
at th
e EU
belie
ves a
re a
ppro
pria
te.
5
So
me
Thin
gs W
on’t
Cha
nge
Muc
h●
We’
ll st
ill h
ave:
●Pr
otec
tion
for a
ll da
ta fr
om w
hich
indi
vidu
als
(“da
ta su
bjec
ts”)
are
iden
tified
or i
dent
ifiab
le;
●A
dis
tinct
ion
betw
een
cont
rolle
rs a
nd p
roce
ssor
s;●
A v
ery
broa
d de
finiti
on o
f “pr
oces
sing
”;●
Nee
d fo
r a “
lega
l bas
is”
whe
neve
r you
pro
cess
pers
onal
dat
a;
6
Not
Muc
h C
hang
e H
ere
●N
eed
for a
dequ
acy
prin
cipl
es w
hene
ver y
oupr
oces
s per
sona
l dat
a;●
Rig
id e
xpor
t (fr
om th
e EU
) res
trict
ions
;●
A re
quire
d in
depe
nden
t gov
ernm
enta
lsu
perv
isor
y au
thor
ity in
eac
h M
embe
r Sta
te;
and
●A
n EU
ent
ity c
ompr
ised
of t
he h
eads
of e
ach
Mem
ber S
tate
supe
rvis
ory
body
.
7
But L
ook
for S
igni
fican
t Cha
nges
Her
e●
Ever
y go
vern
men
tal a
genc
y an
d m
any
busin
esse
s mus
t app
oint
a D
ata
Prot
ectio
nO
ffice
r (“D
PO”)
.●
Requ
irem
ent t
o co
nduc
t “pr
ivac
y im
pact
asse
ssm
ents”
for a
ny ty
pe o
f pro
cess
ing
likel
y to
resu
lt in
“hi
gh ri
sk to
the
right
s and
freed
oms”
of i
ndiv
idua
ls.
8
M
ore
Maj
or C
hang
es●
On
requ
est,
com
pani
es m
ust m
ake
indi
vidu
al’s
data
ava
ilabl
e, in
app
ropr
iate
form
at, a
nd tr
ansf
er to
succ
esso
r ven
dor.
●M
ore
requ
ired
notifi
catio
ns to
indi
vidu
als
abou
t the
ir da
ta p
rote
ctio
n rig
hts.
9
Yet M
ore
Cha
nges
●M
ore
prot
ectiv
e tre
atm
ent f
or d
ata
of c
hild
ren.
●M
ore
exte
nsiv
e do
cum
enta
tion
requ
irem
ents
.●
Req
uire
men
t to
impo
se “
priv
acy
by d
esig
n.”
●R
equi
red
notifi
catio
n of
dat
a se
curit
y br
each
es to
gove
rnm
ent a
nd a
ffect
ed in
divi
dual
s.
10
O
ne M
ore
Big
Chan
ge●
Max
imum
pen
altie
s, de
signe
d w
ith G
oogl
e,Fa
cebo
ok, a
nd A
pple
in m
ind,
com
prise
the
grea
ter o
f:●€
20 m
illio
n; o
r●
4% o
f a c
ompa
ny’s
annu
al w
orld
wid
e re
venu
e.●
This
is pe
r vio
latio
n.
11
Ju
risdi
ctio
nal P
rovi
sion
●A
ny e
ntity
– w
heth
er o
r not
it h
as a
pre
senc
e in
the
EU --
whi
ch e
ngag
es in
pro
cess
ing
ofpe
rson
al d
ata
of in
divi
dual
s in
the
EU th
atre
late
s to
the
follo
win
g, is
subj
ect t
o th
eG
DPR
:●
Offe
ring
good
s or s
ervi
ces t
o pe
rson
s in
the
EU; o
r●
Mon
itorin
g th
e be
havi
or o
f per
sons
in th
e EU
.
12
Nee
d to
Prio
ritiz
e –
One
Sug
geste
d Ti
mel
ine
●A
SAP
●3
- 6 m
onth
s●
By M
ay 2
5, 2
018
●O
ngoi
ng
13
A
s Soo
n as
Pos
sible
●D
eter
min
e w
heth
er y
ou a
re re
quire
d to
appo
int a
DPO
.●
If yo
u’re
not
sure
, sho
uld
you
appo
int?
●If
you’
re n
ot re
quire
d, sh
ould
you
app
oint
?●
If yo
u ap
poin
t a D
PO, d
eter
min
e w
here
the
DPO
fits
in y
our o
rgan
izat
ion.
14
A
SAP
-- D
PO●
Shou
ld th
e D
PO b
e:●
In-h
ouse
or v
endo
r?●
Full-
time
or p
art-t
ime
DPO
?●
Excl
usiv
e to
you
r ent
ity, o
r sha
red?
●D
ecid
e ho
w to
supp
ort t
he D
PO –
infra
struc
ture
, sta
ff, b
udge
t
15
ASA
P (c
ontin
ued)
●En
list t
op m
anag
emen
t sup
port
●Is
Boa
rd c
omm
ittee
app
ropr
iate
?●
Con
stru
ct d
ata
flow
map
for a
llpe
rson
al d
ata
of w
hich
you
hav
epo
sses
sion
.●
Iden
tify
the
lega
l bas
is fo
r eac
hpr
oces
sing
act
ivity
.
16
With
in N
ext 3
– 6
Mon
ths
●Pr
iorit
ize
base
d on
you
r dat
a m
ap.
●Id
entif
y th
ose
activ
ities
requ
iring
priv
acy
impa
ct a
sses
smen
ts.
●W
here
app
ropr
iate
, mod
ify y
our s
yste
ms,
and
requ
ire y
our p
roce
ssor
s to
mod
ifyth
eirs
, to
acco
mm
odat
e da
ta p
orta
bilit
yob
ligat
ions
.
17
W/i
Nex
t 3-6
Mos
. (co
ntin
ued)
●If
you
use
fully
aut
omat
ed m
eans
to m
ake
deci
sion
s tha
t sig
nific
antly
affe
ct in
divi
dual
s,co
nsid
er in
trodu
cing
a h
uman
into
the
proc
ess
or, i
f app
ropr
iate
, cha
ngin
g th
e le
gal b
asis
for
proc
essi
ng.
●C
onfir
m e
xist
ence
of a
ppro
pria
te in
sura
nce
cove
rage
, add
ing
or m
odify
ing
polic
ies a
sne
cess
ary.
18
Mor
e 3
– 6
Mon
ths
●Pr
epar
e or
upd
ate
an in
cide
nt re
spon
se p
lan
to h
andl
e da
ta se
curit
y br
each
es, i
nclu
ding
any
notifi
catio
n ob
ligat
ions
.●
Con
side
r whe
ther
to re
nder
dat
a un
inte
lligi
ble
to u
naut
horiz
ed p
erso
ns.
●Ve
rify
that
ade
quat
e se
curit
y ha
s bee
nim
plem
ente
d.
19
Yet M
ore
3-6
Mon
ths
●R
evie
w p
rivac
y po
licie
s to
ensu
re c
ompl
ianc
ew
ith e
xten
sive
GD
PR re
quire
men
ts to
not
ify d
ata
subj
ects
.●
Upd
ate
cons
ent m
echa
nism
s as n
eces
sary
, and
esta
blis
h sy
stem
s to
docu
men
t affi
rmat
ive
cons
ent.
●If
app
licab
le, c
onsi
der m
etho
ds fo
r col
lect
ing
and
docu
men
ting
verifi
able
par
enta
l con
sent
toco
llect
ion
of p
erso
nal d
ata
from
chi
ldre
n.
20
And
Eve
n M
ore
3 –
6 M
onth
s●
Mon
itor l
itiga
tion
and
regu
lato
ryac
tivity
cha
lleng
ing
vario
us c
ross
-bo
rder
tran
sfer
met
hods
, so
as to
be
inpo
sitio
n to
use
arg
uabl
y va
lid m
etho
ds.
●C
onsi
der w
heth
er y
ou w
ould
ben
efit f
rom
Priv
acy
Shie
ld.
21
Last
PPT
on
3 –
6 M
onth
s●
Con
side
r con
duct
ing
appr
opria
te d
ilige
nce
on p
roce
ssor
s and
oth
er v
endo
rs to
ass
ess
prep
ared
ness
for G
DPR
obl
igat
ions
.●
Ensu
re th
at e
xist
ing
and
futu
re p
roce
ssor
agre
emen
ts c
onta
in a
ll pr
ovis
ions
man
date
dby
GD
PR.
22
By
May
25,
201
8●
Cre
ate
train
ing
plan
to e
nsur
e th
at re
leva
ntm
embe
rs o
f you
r org
aniz
atio
n ha
ve b
een
train
ed in
GD
PR c
ompl
ianc
e.●E.g.
, HR
, IT,
Sec
urity
, Com
plia
nce.
●En
sure
that
team
mem
bers
inte
rfac
ing
with
cust
omer
s rec
ogni
ze G
DPR
-em
pow
ered
requ
ests
(e.g
., fo
r acc
ess,
for r
ectifi
catio
n, to
with
draw
con
sent
) and
und
erst
and
how
toha
ndle
them
.
23
By
May
25,
201
8 (c
ontin
ued)
●Pr
epar
e yo
ur sy
stem
s to
impl
emen
t the
se re
ques
ts.
●Pe
rfor
m th
e im
pact
ass
essm
ents
you
iden
tified
as
nece
ssar
y.●
Det
erm
ine
whe
ther
pse
udon
ymiz
atio
n of
fers
adva
ntag
es.
●If
you
hav
e es
tabl
ishm
ents
in m
ore
than
one
Mem
ber
Stat
e, d
eter
min
e w
hich
DPA
will
be
your
lead
DPA
,an
d m
onito
r its
act
ions
, adv
ice,
and
trai
ning
.
24
O
ngoi
ng●
Cond
uct a
nnua
l dat
a pr
otec
tion
audi
ts of
inte
rnal
and
ven
dor p
roce
dure
s to
ensu
reG
DPR
com
plia
nce.
●Im
plem
ent “
priv
acy
by d
esig
n.”
●Co
nsid
er p
artic
ipat
ing
in c
reat
ion
of, a
ndsu
bscr
ibin
g to
, Cod
es o
f Con
duct
and
Certi
ficat
ions
.
25
M
ore
Ong
oing
●Id
entif
y M
embe
r Sta
tes w
here
you
are
subj
ect t
o th
e la
w, a
nd fo
llow
thei
r effo
rts to
dero
gate
or c
usto
miz
e th
eir d
ata
prot
ectio
nla
w u
nder
the
num
erou
s exc
eptio
nspe
rmitt
ed b
y th
e G
DPR
.●
Mon
itor t
he p
ropo
sed
repl
acem
ent o
f the
e-
Priv
acy
Dire
ctiv
e if
rele
vant
to y
our
orga
niza
tion.
26
Ye
t Mor
e O
ngoi
ng●
Doc
umen
t any
reas
ons f
or n
ot fo
llow
ing
your
DPO
’sad
vice
.●
Mai
ntai
n w
ritte
n re
cord
s of a
ll pr
oces
sing
if re
quire
d.●
Upd
ate
your
inci
dent
resp
onse
pla
n an
d co
nduc
tbr
each
sim
ulat
ions
(at l
east
tabl
etop
) to
test
itsef
ficac
y.●
Mon
itor m
odifi
catio
ns to
you
r bus
ines
s pra
ctic
es o
rstr
uctu
re th
at m
ay im
pact
you
r ong
oing
com
plia
nce.
27
A R
elat
ed M
atte
r –
Cro
ss-B
orde
r Per
sona
l Dat
a Tr
ansf
er●
Bot
h th
e D
irect
ive
and
GD
PR h
ave
prov
isio
nsre
stric
ting
cros
s-bo
rder
tran
sfer
(“X
BT”
).●
And
the
two
sets
of r
estri
ctio
ns a
re si
mila
r.●
Why
are
the
XB
T re
stric
tions
so im
porta
nt?
●B
ecau
se if
US
impo
rters
can
’t ge
t the
ir ha
nds o
nth
e pe
rson
al d
ata
of E
U re
side
nts,
for t
heir
purp
oses
it d
oesn
’t m
atte
r wha
t the
GD
PR st
ates
.
28
XB
T
●U
nder
bot
h th
e D
irect
ive
and
GD
PR, f
orla
wfu
l tra
nsfe
r, yo
u ne
ed “
adeq
uacy
”of
tran
sfer
ee la
w, c
onse
nt, o
r one
of
seve
ral “
nece
ssiti
es.”
●Th
e U
S w
as d
eem
ed n
ot to
hav
e“a
dequ
ate”
dat
a pr
otec
tion
law
s.
29
XB
T (c
ont.)
●In
200
0, U
S an
d EU
neg
otia
ted
a “S
afe
Har
bor”
fram
ewor
k:●
Expo
rt w
as p
erm
itted
to U
S co
mpa
nies
agre
eing
to S
afe
Har
bor p
rinci
ples
●Th
e Sa
fe H
arbo
r pro
gram
func
tione
dre
ason
ably
wel
l for
a d
ecad
e an
d a
half.
30
Th
e D
eath
of S
afe
Har
bor
●In
Oct
ober
201
5, th
e EU
’s hi
ghes
t cou
rt(E
urop
ean
Cour
t of J
ustic
e –
“ECJ
”) ru
led
that
the
EU ru
ling
appr
ovin
g Sa
fe H
arbo
r was
inva
lid, t
hus
strik
ing
dow
n th
e pr
ogra
m.
●O
ne m
ain
thru
st of
the
Safe
Har
bor d
ecisi
on w
asth
at U
S na
tiona
l sec
urity
surv
eilla
nce
viol
ated
the
fund
amen
tal r
ight
s of E
U re
siden
ts.
31
ECJ S
afe
Har
bor D
ecisi
on -
IMH
O●
In it
s dec
ision
, the
ECJ
:●
Wen
t on
a fro
lic a
nd d
etou
r to
reac
h an
issu
ew
ell b
eyon
d th
e na
rrow
poi
nt o
f law
that
was
pre
sent
ed to
it;
●Re
lied
on a
flaw
ed a
nd in
corre
ct lo
wer
cou
rtfin
ding
abo
ut U
S na
tiona
l sec
urity
surv
eilla
nce;
32
Safe
Har
bor D
ecis
ion
(con
t.)●
Faile
d to
reco
gniz
e m
ajor
cha
nges
mad
e, a
fter
that
low
er c
ourt
opin
ion,
as t
o pr
ivac
ypr
otec
tions
atte
ndan
t to
US
natio
nal s
ecur
itysu
rvei
llanc
e;●
Faile
d ev
en to
men
tion
any
bala
ncin
g of
priv
acy
inte
rest
s aga
inst
secu
rity
inte
rest
s, ev
enth
ough
EU
law
cal
ls fo
r suc
h a
bala
ncin
g; a
nd
33
Safe
Har
bor D
ecis
ion
(con
t.)●
Blit
hely
and
hyp
ocrit
ical
ly ig
nore
d th
ees
tabl
ishe
d fa
ct th
at th
e pr
ivac
ypr
otec
tions
em
bodi
ed in
US
natio
nal
secu
rity
law
in g
ener
al e
xcee
d th
ose
ofm
ost o
ther
cou
ntrie
s, in
clud
ing
mos
t EU
Mem
ber S
tate
s.
34
The
Afte
rmat
h●
Sinc
e Sa
fe H
arbo
r was
inva
lidat
ed, c
ompa
nies
have
bee
n sc
urry
ing
arou
nd lo
okin
g fo
r som
e“s
afe”
mea
ns o
f exp
ort.
●B
ut th
ere
is a
n in
here
nt p
robl
em:
●th
e EC
J did
not
just
find
a fl
aw in
the
Safe
Har
bor m
echa
nism
for e
xpor
ting
the
data
;●
rath
er, i
t als
o fo
und
faul
t with
the
way
that
dat
aw
as tr
eate
d af
ter i
t rea
ched
the
US.
35
Afte
rmat
h (c
ontin
ued)
●Th
at la
tter p
erce
ived
defi
cien
cy w
ill se
emin
gly
exis
t no
mat
ter w
hat m
eans
are
use
d to
exp
ort
the
data
.●
“Priv
acy
Shie
ld,”
a su
cces
sor t
o Sa
fe H
arbo
r,de
bute
d on
Aug
ust 1
, 201
6.●
Priv
acy
Shie
ld is
alre
ady
the
subj
ect o
flit
igat
ion
seek
ing
to in
valid
ate
it, a
s are
“sta
ndar
d co
ntra
ctua
l cla
uses
,” a
noth
er p
opul
arex
port
vehi
cle.
36
How
Can
the
EU G
et O
utof
this
Conu
ndru
m?
●Th
e EC
J’s S
afe
Har
bor d
ecisi
on is
from
the
EU’s
high
est c
ourt,
and
is b
ased
on
the
EUCh
arte
r, an
instr
umen
t with
con
stitu
tion-
like
statu
re.
●Th
e de
cisio
n ca
nnot
be
reve
rsed
with
legi
slatio
n or
by
anot
her c
ourt.
●O
nly
the
ECJ c
an c
hang
e it.
37
Som
e Po
ssib
ilitie
s●
The
ECJ h
as p
aint
ed it
self
into
a c
orne
r.●
It co
uld,
if it
wis
hed,
neu
traliz
e its
Saf
e H
arbo
rde
cisi
on b
y:●
deno
min
atin
g m
ost o
f it a
s dictum
, bec
ause
infa
ct it
wen
t wel
l bey
ond
the
issu
e pr
esen
ted
toit;
●di
scus
sing
a b
alan
cing
of n
atio
nal s
ecur
ityag
ains
t priv
acy
and
on th
at b
asis
, ove
rrul
ing
the
deci
sion
; and
/or
38
Mor
e Po
ssib
ilitie
s●
on a
n ap
prop
riate
low
er c
ourt
reco
rd:
●re
vers
ing
the
initi
al lo
wer
cou
rt fin
ding
on
US
surv
eilla
nce;
●re
cogn
izin
g su
bseq
uent
cha
nges
in U
S la
w; a
nd/o
r●
findi
ng th
at U
S na
tiona
l sec
urity
surv
eilla
nce
law
ism
ore
priv
acy-
prot
ectiv
e th
an is
the
law
in m
ost
Mem
ber S
tate
s.●
But
few
are
pre
dict
ing
the
ECJ w
ill d
o th
at.
39
Som
e U
nfor
tuna
te E
xam
ples
in th
eA
pplic
atio
n of
EU
Dat
a Pr
otec
tion
Law
●B
elgi
an d
ata
rete
ntio
n re
stric
tions
may
caus
e de
letio
n of
Par
is a
ttack
s pho
ne d
ata.
●G
erm
an u
se o
f red
acte
d ph
oto
inpu
blic
izin
g su
spec
t in
Paris
atta
cks.
●A
ndre
as L
ubitz
inci
dent
.
40
Th
e Fu
ture
●Th
e G
DPR
com
prise
s an
atte
mpt
at a
gra
ndsc
hem
e fo
r ach
ievi
ng im
prov
ed d
ata
prot
ectio
n.●
One
thin
g th
at se
ems q
uite
like
ly: i
n th
ene
ar te
rm, t
he D
PAs w
ill b
e in
unda
ted
with
wor
k an
d ab
le to
enf
orce
the
law
aga
inst
only
a sm
all p
erce
ntag
e of
vio
lato
rs.
41
Mor
e Fu
ture
●W
ill th
e G
DPR
wor
k to
enh
ance
sign
ifica
ntly
the
priv
acy
and
secu
rity
ofEU
per
sona
l dat
a?●
The
first
inkl
ing
of w
heth
er it
wor
ks m
ayoc
cur i
n th
e da
ta se
curit
y ar
ea, a
nd m
aybe
com
e m
anife
st in
201
9.
42
Th
e Fu
ture
●By
that
tim
e, w
e w
ill e
ither
see
EUne
wsp
aper
s run
ning
innu
mer
able
dat
ase
curit
y br
each
arti
cles
…●
Or w
e w
on’t.
●It
will
be
inte
resti
ng to
see
whi
ch tu
rns
out t
o be
the
case
.
43
W
hat S
houl
d Y
OU
Do?
●K
eep
your
hea
d do
wn.
●D
PAs w
ill b
e ov
erw
helm
ed w
ith w
ork
and
targ
ets.
●D
on’t
unne
cess
arily
attr
act t
heir
atte
ntio
n.●
Rem
embe
r the
stor
y ab
out t
he tw
oca
mpe
rs a
nd th
e be
ar.
44
Wha
t to
Do
(con
tinue
d)●
Follo
w p
ertin
ent D
PA in
terp
reta
tions
of
appl
icab
le la
w.●
Mak
e an
hon
est e
ffort
to c
ompl
y w
ith w
hat
you
unde
rsta
nd to
be
the
perti
nent
law.
●D
ocum
ent y
our e
fforts
.●
And
if y
ou a
re a
bel
ieve
r, pr
ay.
45
