Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten (MHC.ie)

Rewriting the Past

Oisin Tobin

1. Background
2. Findings and impact:
a) Jurisdiction
b) A “data controller”
c) The “right to be forgotten”

1998 → Auction notices published
1998 – 2010 → Content digitized, appeared in Google search
2010 → Complaint filed with the Spanish Data Protection Authority

• The original notice was lawfully published
• However, Google’s linking to that notice violated González’s data protection rights

• Google appealed decision to CJEU
→ Not within jurisdiction
→ Google search is not a “data controller”
• Advocate General
→ Google was “not a data controller”
• CJEU
→ Disagreed
→ Affirmed Spanish DPA
→ No appeal possible

• 2 jurisdictional tests in EU Data Protection Law (Article 4)
→ DC is “established” in member state and processes personal data “in the context of that establishment” (Article 4(1)(a))
→ DC has no EU establishment, but “uses equipment” in Europe (Article 4(1)(c))

• Google search is provided by Google, Inc.
• Google, Inc. has no presence in the EU
• Google Spain promotes the sale of ads (an unrelated activity)
• No evidence of servers located in EU
• Therefore:
→ No relevant establishment in the EU (per Article 4(1)(a))

• An economic link between Google search and the ads sold by Google Spain (one pays for the other)
• The separate legal personality of Google, Inc. and Google Spain can be disregarded
• Google Spain deemed to be an “establishment” of Google Inc. that processes personal data “in the context of the activities of” Google search
• Therefore, jurisdiction (per Article 4(1)(a))

It “cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive’s effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure”

Issue 1: Jurisdiction – Practical Impact

• The establishment, by a non-EU company, of an EU marketing sub may cause EU privacy law to apply to the operations of the non-EU company.
• Even where the EU sub is not factually involved in the processing of personal data
• Risk of overlapping regulators (one per marketing sub)
• Strategic decision:
→ Concede that an EU data protection law is to apply and have a designated “data controller” or subsidiary responsible for DP issues in a member state

• If a multinational company, ask:
• Do we have a clear EU data controller?
• Where do we have marketing subs?
→ Do our parent’s operations comply with applicable local law?
• Where necessary, consider data protection jurisdiction risk when expanding operations

Issue 2: “Data Controller” – Applicable Law

• Data Protection obligations fall on “data controllers”
• An entity that “determines the purposes and means of processing” personal data

• Scan and cache content to provide access
• No real control over that information.
• Advocate General agreed
→ A “proportionate” reading of DP law

Issue 2: “Data Controller” – Court’s finding

• Google programmed the software that scanned, indexed and cached content (including personal data)
• Sufficient to show Google was a data controller

• Search engines are responsible, in data protection law, for the results they return
• Any business could be treated as a data controller in respect of data it collects/obtains in the course of trade
→ Even where the business is not really concerned about the content of that data

Issue 2: “Data Controller” – Questions

• Have we considered all circumstances where we may be acting as a data controller?

• Controllers need to ensure
→ a “pre-condition” to processing has been met, e.g. consent, legitimate interests
→ Compliance with general “data protection principles” (i.e. not excessive, limited retention etc.)

Issue 3: “Right to be Forgotten” – Google

• Principle of Proportionality:
→ Any request for removal of content should be made to the website, not Google (a mere intermediary)

• Google lacks consent
→ Must rely on legitimate interests
→ Balancing test – public interest v privacy rights
• Must also comply with general DP principles (data not excessive, up to date etc.)
• “As a rule” privacy rights take precedence over public’s interest in accessing information
• Where a data subject objects to search results, those should be removed, save in limited circumstances (e.g. public figures)

Issue 3: “Right to be Forgotten” – Impact

• Does not create a general right to demand deletion of data
• Ruling was based on Articles 12 and 14 of the Directive
→ Article 12 – allows deletion where a breach of DP law (akin to Section 6 of Irish DP Act)
→ Article 14 – a right to object where processing based on legitimate interests (akin to Section 6A of Irish DP Act)

• “Right to be forgotten” does not arise where:
→ Data is being lawfully processed; AND
→ There is an alternative basis to justify the processing, including:
    → Consent
    → Necessary to perform a contract with data subject (NB for difficult customers)
    → Necessary to comply with a legal obligation

Issue 3: “Right to be Forgotten” – Questions

• If a “right to be forgotten” request comes in, check:
→ What’s our justification for keeping this data?
→ Are we happy that this data generally complies with data protection law?
• If:
→ Relying on consent, contract or legal obligations as a justification; and
→ Satisfied that data otherwise complies with the DP Acts
• Deletion should not be required
• No proactive screening requirement

• Increased ability of individuals to manage their online reputations
• Broader trends towards “human rights” style data protection decisions:
→ SABAM; Digital Rights Ireland; Schrems
→ Likely to lead to more litigation in this space
• Potential trade implications → TTIP
→ Divergence between US and EU law

Conclusions

• Marketing subs can ground data protection jurisdiction over parent
• An expansive definition of data controller has been adopted
• The “right to be forgotten” only arises in limited circumstances
• Seminal judgment – will shape future policy and case law.

Defending your Data

Rob McDonagh

Some Quick Facts

• Average cost is $3.5 million / €145 per record
• Biggest hit from loss of reputation and customers
• Incident response plan shown to reduce cost
= take security breaches seriously

Managing a Security Incident

• You cannot be prepared for a security incident without having prepared for it!

3 Important Points

• Data controller primarily responsible, even if caused by data processor
    • what are you?
• Security breach:
    • not necessarily a breach of DP law
    • could still be a breach of contract
• You need to consider laws of other countries too

Key Management Tools

• Security Breach Policy (and training)
• IT Security Policy
• Acceptable Usage Policy
• Firewalls
• Logs / red flags
• Supplier due diligence
• Contractual measures

Security Breach Policy

• Create a Security Breach Policy
• Reporting lines
• Incident management team (and deputies)
    • compliance/audit/legal/IT/security/PR/business control etc.
    • include senior officer so can make quick decisions
• Third party advisers
• Include contact details
• Identify key action points
• Training for incident management team

Key Action Points – Initial Steps

• Act quickly
• Assemble incident response team
• Internal escalation
• Stop or mitigate breach
• Information lockdown
• Preserve evidence

Key Action Points – Investigation

• Identify data controller
• Determine your status
• Investigate facts
    • data affected
    • individuals affected
    • cause
    • resulting harm / damage
    • use legal counsel – legal privilege?
• Remember things move and change quickly

Key Action Points – Implications

• Consider exposure
    • liability and fines
    • contract termination
    • audit / escalation
• Contractual obligations?
• Consider any wider business critical implications
• Tolling agreement

Key Action Points – Notifications

• Notify insurers if required under policy
• Consider regulatory notifications in Ireland and abroad, e.g. DPC, Gardaí, foreign DPC etc.
• Consider data subject / customer / DC notifications
• Check relevant contracts
    • confidentiality
    • preservation of rights

Key Action Points – Customer Relations

• Create customer relations strategy
• Press release
• Customer relationship management
• Mitigation measures: hotline, online helpdesk, monitoring service, discounts etc.

Key Action Points – Corrective Action

• Audit
• Disaster recovery / business continuity etc.
• Implement corrective / disciplinary action

Should you Notify DPC?

• No express obligation (except ECSPs / ECNPs)
• No fines in Ireland (except ECNPs / ECSPs)
    • different in other countries
• Negative PR resulting from failure to disclose – can incident be contained?
• Have you notified other regulators?

Should you Notify DPC?

• DPC has a statutory obligation of confidentiality
• General practice not to disclose except in response to inquiry by media or concerned person
• However, may issue press release or notify other DPCs if significant incident

Should you Notify DPC?

• Before making disclosure, also consider:
    • is disclosure permitted by contract?
    • must you notify insurers first?
    • implications of DPC finding for third party litigation?
    • other implications?
• Similar issues apply to other notifications, e.g. to individuals
• Notification based on current information

Voluntary Code

• Applies if personal data put at risk
• Also earlier DoF public sector guidance
• Code only applicable if DC or DP subject to DPA
• Code is not legally binding (unless incorporated into contract)
• Not applicable to ECNP / ECSP as separate legislation applies

Voluntary Code – DC and DPC Notifications

• DP must report to DC all incidents of loss of control of data
• DC must report to DPC incidents in which data put at risk within 2 working days unless:
    • individuals already informed;
    • no more than 100 data subjects; and
    • does not include sensitive personal data or financial data
• Keep summary record even if don’t notify DPC
    • brief description

Voluntary Code – Notifying Individuals

• DC must give immediate consideration to informing those affected
• No obligation if no risk to data due to technological measures of high standard
• Risk of over-notification or more harm than good
• Audit trail for reasons not to notify

Steps in a DPC Investigation

1. Initial call / email
2. Written submission
- amount and nature of personal data
- action to secure / recover personal data
- action to inform those affected or reasons for the decision not to do so
- action to limit damage or distress to those affected

Steps in a DPC Investigation

3. Additional Materials
- Contract
- Recruitment process
- Relevant policies
- Training documents
- Log of training for relevant staff
- expressly state it is confidential and commercially sensitive

NB: remember your confidentiality obligations

Steps in a DPC Investigation

4. Site visit
- systems
- procedures
- live demonstrations
- questions
- (enforcement notice?)
5. Draft finding or report / recommendations

Third Party Contracts

• Diligence
• Notification of incident
• Control of incident
• Co-operation / information / preservation obligations
• Right to interrogate devices / data
• Right to interview personnel

Third Party Contracts

• Notification of policies to others
• Restoration of data
• Confidentiality clause
• Indemnity / cap

Covering your bases

Ailbhe Gilvarry

Civil Liability for Breach

Michael Collins v FBD

• DP complaint and investigation
• Circuit Court

Insurance

• Third Party Claims

Third Party Claims

• Disclosure
• Content
• Reputational
• Conduit
• Impaired Access

First Party Claims

• Notification
• Regulator
• Reputation and Response Costs
• Cyber Extortion

References
