ISACA Privacy Open Forum on Drones and Safe Harbor

Privacy Open Forum Tuesday, 20th of October 2015

Upload: johan-vandendriessche

Post on 29-Jan-2018



Brussels, 20 October 2015

Agenda

1. 18:30 Introduction
2. 18:45 Drones
3. 19:30 Break
4. 19:50 Safe Harbor invalidated: what now?
5. 20:45 Close


DRONES: RECENT EVOLUTIONS

JOHAN VANDENDRIESSCHE

Drones

• Drones = unmanned aircraft systems
• No distinction in size or purpose for this discussion
• Cost effective tool for surveillance and surveying
• Increased awareness from DPAs and legislator
• Privacy issues
• Surveillance issues
• Aviation law issues

Various uses of drones

• Drones have numerous applications
• Aerial (commercial) surveillance
• Commercial film making
• Journalism
• Law enforcement (in the broad sense)
• Scientific research
• Military purposes

Drones are versatile

• Versatile platform
• Detection equipment (thermal, infrared, …)
• Cameras (visual recording)
• Various sensors to scan for specific traces (biological, chemical, …)
• Radio-frequency equipment
• Focus: cameras

Drone cameras

• Purposes of cameras are diverse
• ‘Private’ use
• Newsgathering
• Surveillance in various forms
• Workfloor surveillance
• Traffic surveillance
• Crime detection and prevention (?)
• Object of camera footage / photos is diverse
• Objects vs. persons

High level legal framework

• Act of 8 December 1992
• Processing of personal data
• Camera Surveillance Act 21 March 2007
• Camera surveillance (crime detection and prevention)
• Camera Surveillance Decree 10 February 2008 (Notification)
• Camera Surveillance Decree 2 July 2008 (Declaration)

High level legal framework

• CBA n° 68 concerning workfloor cameras
• Workfloor privacy
• Copyright Act of 30 June 1994
• Reproduction of copyrighted materials
• Personality rights
• Specific legislation
• Police cameras, football stadium

Defining the applicable law

• Purpose of the camera system
• Surveillance
• Crime detection and prevention
• Nuisance detection and prevention
• Maintaining public order
• Workfloor surveillance
• Other purposes

Defining the applicable law

• Content of camera footage/photos
• Personal data
• Content covered by personality rights
• Copyrighted materials
• Combination of purposes and content may lead to a multiplication of applicable laws

Aviation Law

• Draft royal decree on drones
• Rules for any type of “drone”
• Exclusions
• Model airplanes
• Drones used inside buildings
• Specific purposes (law enforcement, …)
• Autonomous drones (prohibited)

Aviation Law

• Specific rules
• Drone operations
• Restricted areas (no fly zones)
• Priority rules (manned aircraft)
• Prohibited activities
• Flight prescriptions
• Drone operators
• Conditions, training and certification
• Drone manufacturers
• Design, production, maintenance and technical aspects

Surveillance cameras

• Crime detection and crime prevention
• Issues for drone based surveillance systems
• Prohibition of secret surveillance cameras
• Limitations to the use of mobile surveillance cameras
• Law enforcement services in specific circumstances
• Scope of CBA n°68!

Data Protection Law

• Applicability of data protection law
• Processing personal data
• Private purpose (case C-212/13!)
• Journalism
• Law enforcement
• Lawfulness
• Consent
• Necessity based approach (e.g. contract)
• Legitimate interest

Data Protection Law

• Purpose restriction
• Proportionality
• Data minimization
• Transparency and information to data subjects
• Mobile system => multichannel approach
• Sign at entry
• Information through various channels
• Clear visibility of drone operator

Data Protection Law

• Security of the data processing
• Appropriate level of protection
• Need to know access
• Encrypted storage and transmission
• Logging
• Data Protection by Design
• Drone hacking?
• DEFCON
• Precedents with cars

Article 29 WP Recommendations

• Check aviation law (operation of drones)
• Clarify the roles of the parties involved
• Assess data protection impact
• Select proportionate technology
• Select appropriate notice
• Implement appropriate security
• Delete or anonymize unnecessary personal data

SAFE HARBOR INVALIDATED: WHAT NOW?

International data transfers

• EU Data Protection Directive – Internal market principles
• Internal market of personal data = free circulation of personal data within the EEA
• Strong level of protection for personal data inside EEA
• Prohibition to transfer personal data outside EEA, unless adequate protection

International data transfers

• International transfers of personal data
• Adequate level of protection
• Whitelist (e.g. Switzerland) & blacklist (empty)
• Exceptions
• Consent
• Specific necessities (e.g. contractual performance)
• Contractual mechanisms ensuring adequate safeguards
• BCR-C & BCR-P
• Model Clauses

Safe Harbor

• Safe Harbor Framework
• Agreement between US & EU and US-Switzerland
• EC approved (“adequacy finding”) in 2000
• Streamlined EU-US data transfers
• Self-certification scheme
• FTC enforcement
• Mechanism of choice for many ICT service providers
• Shift to BCR-C and BCR-P in recent years

Safe Harbor

• Safe Harbor has been subject to criticism
• 2010: German DPAs ask for an active check that US companies comply with Safe Harbor
• 2013: Viviane Reding: possible loophole for US transfers
• 2013: German DPAs express concerns on validity
• 2014: EP Resolution for the immediate suspension

The Schrems case (C-362/14)

• Preliminary ruling
• Interpretation of certain legal instruments
• Refusal of Irish DPA to investigate a complaint regarding Facebook
• Invalidation of Safe Harbor Framework (EC decision 2000/520)
• Clear statement that US law does not provide adequate protection
• Commission is under an ongoing adequacy review obligation

The Schrems case (C-362/14)

• Reasoning
• EU Charter serves to interpret EU Directive 95/46/EC
• Commission Adequacy finding cannot prevent the lodging of a complaint with the national DPA (and the subsequent investigation thereof)
• Issue in Safe Harbor

Consequences

• Safe Harbor is no longer a valid mechanism for data transfers from the EU to the US
• No transitional measures
• Reform of Safe Harbor is ongoing (negotiations)
• Safe Harbor should be suspended

Alternatives to Safe Harbor

• Alternative mechanisms to export personal data to the US
• Model Clauses
• BCR-C and BCR-P
• Consent
• Criticism
• DPA Schleswig-Holstein
• Article 29 WP
• Mechanisms remain available pending review


Contact details

Johan Vandendriessche

Partner - crosslaw CVBA

Visiting Professor ICT Law - UGent

Mobile Phone +32 486 36 62 34

E-mail [email protected]

Website www.crosslaw.be


ISACA BELGIUM