isaca privacy open forum on drones and safe harbor
TRANSCRIPT
Privacy Open Forum
Tuesday, 20 October 2015
Brussels, 20 October 2015
Agenda
1. 18:30 Introduction
2. 18:45 Drones
3. 19:30 Break
4. 19:50 Safe Harbor invalidated: what now?
5. 20:45 Close
DRONES: RECENT EVOLUTIONS
JOHAN VANDENDRIESSCHE
Drones
• Drones = unmanned aircraft systems
• No distinction in size or purpose for this discussion
• Cost effective tool for surveillance and surveying
• Increased awareness from DPAs and legislator
  • Privacy issues
  • Surveillance issues
  • Aviation law issues
Various uses of drones
• Drones have numerous applications
  • Aerial (commercial) surveillance
  • Commercial film making
  • Journalism
  • Law enforcement (in the broad sense)
  • Scientific research
  • Military purposes
Drones are versatile
• Versatile platform
  • Detection equipment (thermal, infrared, …)
  • Cameras (visual recording)
  • Various sensors to scan for specific traces (biological, chemical, …)
  • Radio-frequency equipment
• Focus: cameras
Drone cameras
• Purposes of cameras are diverse
  • ‘Private’ use
  • Newsgathering
  • Surveillance in various forms
    • Workfloor surveillance
    • Traffic surveillance
    • Crime detection and prevention (?)
• Object of camera footage / photos is diverse
  • Objects vs. persons
High level legal framework
• Act of 8 December 1992
  • Processing of personal data
• Camera Surveillance Act of 21 March 2007
  • Camera surveillance (crime detection and prevention)
  • Camera Surveillance Decree of 10 February 2008 (Notification)
  • Camera Surveillance Decree of 2 July 2008 (Declaration)
High level legal framework
• CBA n° 68 concerning workfloor cameras
  • Workfloor privacy
• Copyright Act of 30 June 1994
  • Reproduction of copyrighted materials
• Personality rights
• Specific legislation
  • Police cameras, football stadium
Defining the applicable law
• Purpose of the camera system
  • Surveillance
    • Crime detection and prevention
    • Nuisance detection and prevention
    • Maintaining public order
    • Workfloor surveillance
  • Other purposes
Defining the applicable law
• Content of camera footage/photos
  • Personal data
  • Content covered by personality rights
  • Copyrighted materials
• Combination of purposes and content may lead to a multiplication of applicable laws
Aviation Law
• Draft royal decree on drones
  • Rules for any type of “drone”
  • Exclusions
    • Model airplanes
    • Drones used inside buildings
    • Specific purposes (law enforcement, …)
  • Autonomous drones (prohibited)
Aviation Law
• Specific rules
  • Drone operations
    • Restricted areas (no fly zones)
    • Priority rules (manned aircraft)
    • Prohibited activities
    • Flight prescriptions
  • Drone operators
    • Conditions, training and certification
  • Drone manufacturers
    • Design, production, maintenance and technical aspects
Surveillance cameras
• Crime detection and crime prevention
• Issues for drone based surveillance systems
  • Prohibition of secret surveillance cameras
  • Limitations to the use of mobile surveillance cameras
    • Law enforcement services in specific circumstances
• Scope of CBA n° 68!
Data Protection Law
• Applicability of data protection law
  • Processing personal data
  • Private purpose (case C-212/13!)
  • Journalism
  • Law enforcement
• Lawfulness
  • Consent
  • Necessity based approach (e.g. contract)
  • Legitimate interest
Data Protection Law
• Purpose restriction
• Proportionality
• Data minimization
• Transparency and information to data subjects
  • Mobile system => multichannel approach
    • Sign at entry
    • Information through various channels
    • Clear visibility of drone operator
Data Protection Law
• Security of the data processing
  • Appropriate level of protection
  • Need to know access
  • Encrypted storage and transmission
  • Logging
• Data Protection by Design
• Drone hacking?
  • DEFCON
  • Precedents with cars
Article 29 WP Recommendations
• Check aviation law (operation of drones)
• Clarify the roles of the parties involved
• Assess data protection impact
• Select proportionate technology
• Select appropriate notice
• Implement appropriate security
• Delete or anonymize unnecessary personal data
SAFE HARBOR INVALIDATED: WHAT NOW?
International data transfers
• EU Data Protection Directive – Internal market principles
  • Internal market of personal data = free circulation of personal data within the EEA
  • Strong level of protection for personal data inside EEA
  • Prohibition to transfer personal data outside EEA, unless adequate protection
International data transfers
• International transfers of personal data
  • Adequate level of protection
    • Whitelist (e.g. Switzerland) & blacklist (empty)
  • Exceptions
    • Consent
    • Specific necessities (e.g. contractual performance)
  • Contractual mechanisms ensuring adequate safeguards
    • BCR-C & BCR-P
    • Model Clauses
Safe Harbor
• Safe Harbor Framework
  • Agreement between US & EU and US-Switzerland
  • EC approved (“adequacy finding”) in 2000
  • Streamlined EU-US data transfers
  • Self-certification scheme
  • FTC enforcement
• Mechanism of choice for many ICT service providers
• Shift to BCR-C and BCR-P in recent years
Safe Harbor
• Safe Harbor has been subject to criticism
  • 2010: German DPAs ask for active checks that US companies comply with Safe Harbor
  • 2013: Viviane Reding: possible loophole for US transfers
  • 2013: German DPAs express concerns on validity
  • 2014: EP Resolution for the immediate suspension
The Schrems case (C-362/14)
• Preliminary ruling
  • Interpretation of certain legal instruments
  • Refusal of Irish DPA to investigate a complaint regarding Facebook
• Invalidation of Safe Harbor Framework (EC decision 2000/520)
  • Clear statement that US law does not provide adequate protection
  • Commission is under an ongoing adequacy review obligation
The Schrems case (C-362/14)
• Reasoning
  • EU Charter serves to interpret EU Directive 95/46/EC
  • Commission adequacy finding cannot prevent the lodging of a complaint with the national DPA (and the subsequent investigation thereof)
  • Issue in Safe Harbor
Consequences
• Safe Harbor is no longer a valid mechanism for data transfers from the EU to the US
• No transitional measures
• Reform of Safe Harbor is ongoing (negotiations)
• Safe Harbor should be suspended
Alternatives to Safe Harbor
• Alternative mechanisms to export personal data to the US
  • Model Clauses
  • BCR-C and BCR-P
  • Consent
• Criticism
  • DPA Schleswig-Holstein
  • Article 29 WP
• Mechanisms remain available pending review
Contact details
Johan Vandendriessche
Partner - crosslaw CVBA
Visiting Professor ICT Law - UGent
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM