Computer Science and Law Fall/Winter Term 2024-25 PDF
University of Applied Sciences Aargau
2024
Natascha Windholz, Krems
Summary
This document contains the course content for the "Computer Science and Law" course in the Fall/Winter Term of 2024-25 at the University of Applied Sciences. It covers various aspects of law related to computer science, including intellectual property, data protection, and cybersecurity law.
Full Transcript
(1) Computer Science and Law, Fall/Winter Term 2024-25
Natascha Windholz, Krems

Course Content
- 3 October: Introduction to law, contract and liability law
- 10 October: Intellectual property law
- 23 October: Data Protection law
- 5 November: Case study
- 7 November: Cybersecurity law
- 28 November: AI law, Case study
- 5 December: Various IT-related laws (e-Commerce, consumer law, data related acts, platform law), Q&A
- 19 December: Exam

(2) 04 Data Protection

(3) What is "data protection" and why is it necessary?
- Group exercise (4-5 people, 5 min)
- Present your findings (1 min)

(4) What is data protection (law)?
- The term data protection is misleading: the persons "behind" the data are protected, not (only) the data itself
- Privacy: "right to be left alone"
- EU law, in particular: General Data Protection Regulation (GDPR); Directive on privacy and electronic communications (e-Privacy Directive)
- National law, in particular: Austrian Data Protection Act (DSG); Austrian Telecommunication Act (TKG)

(5) GDPR: Overview
- Applicable since 25th May 2018
- Objectives (Art 1 GDPR): protection of natural persons with regard to processing of personal data; rules relating to the free movement of personal data
- Elimination of previous notification and approval requirement: no prior review by the data protection authority (DPA); instead, shift of responsibility to the company with subsequent ex post audit by the competent authority
- Penalty powers of the DPA: high penalties for violations, up to EUR 20 million / 4% of the worldwide annual turnover of the previous fiscal year (higher value applies!)

(6) GDPR: Territorial scope
- processing by establishment within the EU
- processing by establishment outside the EU if: goods/services are offered to data subjects in the EU (including free of charge); behavior of EU data subjects is monitored

(7) GDPR: Territorial scope (Art 3 GDPR)
1. Controller with registered office in EU: GDPR + law of the country of domicile (e.g. Facebook (Ireland), Google (Ireland), Xing (Germany))
2. Controller based in 3rd country (e.g. Twitter/X (USA)): GDPR + possibly several national Data Protection Acts (depends on orientation)
3. Controller based in Austria: GDPR + DSG

(8) GDPR: Material scope (Art 2, Art 4 para 1 and 2 GDPR)
- Processing: any handling of data, e.g. collect, record, organize, arrange, store, adapt, modify, extract, retrieve, use, disclose, disseminate, provide, match, link, restrict, erase or destroy etc
- Personal data: any information relating to an identified or identifiable natural person; broadly interpreted, e.g. also a mere dynamic IP address
- only applicable to personal data of natural persons; legal persons excluded (only "empty" fundamental right)
- protection of business data via Trade Secrets Directive
- regulation of spam and cold calling: e-Privacy Directive; ePrivacy Regulation under negotiation

(9) GDPR: Personal / pseudonymous / anonymous data
- GDPR applies to: personal data, pseudonymous data
- GDPR is not applicable to: anonymous data
- Pseudonymisation (Art 4 para 5 GDPR) = "processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that [it] is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"
  - = personal data (Recital 26): no exemptions or facilitations for pseudonymous data
- Anonymisation (Recital 26) = "information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable"
  - very high standards → difficult to achieve in practice

(10) GDPR: Material scope > "sensitive" data
- Special categories of personal data: data relating to criminal convictions and offences (Art 10 GDPR); sensitive data (Art 9 GDPR)
- Broad definition of sensitive data: personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

(11) GDPR: Fundamental questions
WHO processes WHICH data from WHOM for WHAT purpose(s) and on WHAT legal basis?

(12) GDPR: Key roles and responsibilities
- Data subject: natural person whose personal data are processed; e.g. customers / suppliers and their contact persons, users of websites and social media platforms
- Controller: anyone who decides on the purposes and means of data processing (i.e. the person in whose interest the processing is carried out, the "master of the data"); factual decision-making competence is decisive (Art 4 para 7 GDPR); e.g. contractual partner of its customers / suppliers, operator of a social media platform, operator of a social media site; usually a company / legal person
- Processor: anyone who processes the data on behalf of and on the instructions of the controller (i.e. does not decide himself / herself on the purposes and nature of the processing) (Art 4 para 8 GDPR); e.g. (IT) service provider (e.g. cloud provider), provider of tools and software solutions

(13) You're a trainee in a company and are about to receive your first salary from an external accounting firm. Solve the first 3 fundamental questions!
- Group exercise (4-5 people, 5 min)
- Present your findings (1 min)

(14) GDPR: Key roles and responsibilities – example
- personal data: name, birth date, salary etc
- employees (data subjects)
- employer: decides on the purposes and means (controller)
- external payroll accounting or bookkeeping (processor), acting on the controller's instructions

(15) GDPR: Key roles and responsibilities in social media
- ECJ: operators of Facebook pages are jointly responsible with the social network for data processing!
  - reason: Facebook Insight enables the page owner to obtain statistical evaluations of visitors and thus to tailor his offer and actions to target groups
  - probably also applies to all other social networks
- Significant consequences:
  - agreement on joint responsibility to be concluded (Art 26 GDPR)
  - site owner must include social media in the list of processing activities
  - site owner must fulfill information obligations (e.g. through own "social media privacy policy")
  - safeguard data subject rights (esp. right to information and right to erasure)

(16) GDPR: Lawfulness of data processing – purpose (Art 5 para 1 icw Art 6 GDPR)
- What is to be achieved by the data processing? What is the goal of the data processing? Why is the data used at all?
- Strict purpose limitation principle:
  - EVERY use of data for a specific purpose
  - Data may generally only be processed for specified, unambiguous and legitimate purposes

(17) You're a trainee in a company and are about to receive your first salary from an external accounting firm. They need from you: name, social security number, address, bank account number, religious confession, names and professions of parents. Solve the fourth fundamental question!
- Group exercise (4-5 people, 5 min)
- Present your findings (1 min)

(18) GDPR: Lawfulness of data processing (Art 6 + 9 GDPR)
- Sensitive data (Art 9): only the data mentioned in Art 9 para 1
  1. express consent;
  2. to fulfill obligations in the field of employment and social security and social protection law;
  3. required for the enforcement of legal claims;
- Non-sensitive data (Art 6): e.g. name, address, date of birth, gender, education, salary data, photos, IP address
  1. necessary for the performance of a contract;
  2. legitimate interests of the controller or a third party;
  3. necessary for compliance with legal obligation; or
  4.
consent of the data subject;
  …
  …

(19) GDPR: Lawfulness of data processing (Art 6)
- fulfillment of the contract with the data subject
  - especially relevant in relation to: employees (e.g. data processing icw payroll accounting); customers and suppliers (e.g. ordinary course of business)
  - only absolutely necessary data
- fulfillment of legal obligations
  - in practice especially in the area of: employee data processing (e.g. reporting obligations to tax authority); processing of customer / supplier data (e.g. statutory retention obligations)

(20) GDPR: Lawfulness of data processing (Art 6)
- safeguarding of legitimate interests of the controller
  - in practice subject to interpretation, no concrete parameters; scope for interpretation; often uncertain legal basis
  - clarification: "direct marketing purposes" (Recital 47); BUT: provisions of TKG on spam and cold calling take precedence; CAUTION: right of revocation of the data subject at any time
  - in addition: processing for the prevention of fraud (Recital 47); transfer within the group for internal "administrative purposes" (Recital 48), currently used by Facebook / WhatsApp as a legal basis

(21) GDPR: Legitimate interests (factors to be weighed)
- non-sensitive data vs. special categories of data
- small extent vs. high extent
- low potential risk/s for data subjects vs. high potential risk/s for data subjects
- processing expected by the data subject vs. surprising data processing
- no special need for protection vs. special vulnerability

(22) GDPR: Lawfulness of data processing – legitimate grounds (Art 6 GDPR): consent of the data subject
- HOW? voluntary (fulfillment of contract must not depend on consent, genuine choice necessary, no disadvantages in case of refusal); unambiguous and actively given; for the specific case; in an informed manner
- WHEN? before use of data
- FORM? no formal requirement, BUT: silence and pre-activated checkboxes invalid! consent must be verifiable
- REVOCABLE? at any time, without reason, with effect for the future; must be as simple as the granting itself; no formal requirements

(23) GDPR: Lawfulness of data processing (Art 6)
- consent of the data subject must contain the following information:
  - name / address / contact details of the controller
  - types of data used (detailed / taxative)
  - detailed purpose
  - name / address of any recipients + purpose of transmission
  - reference to revocability at any time
  - essential information + revocation notice highlighted in the text
  >> all information must follow directly from the consent form or from the immediate context
- practical tip: provide an extra checkbox for consent
- consent in General Terms and Conditions or in Data Protection Declaration is not permissible because it is not voluntary
- according to the GDPR, consent is only required from the age of 16; before that, consent from parent or guardian; reasonable assurance must be obtained by the controller; scope for implementation: age lowered to 14 years in Austria

(24) GDPR: No consent in the sense of the GDPR
- mere indication of a contact address (e.g. for purchase, registration etc)
- "social media friendship"
- click on the "Like" or similar buttons
- "Tell-a-Friend" function
>> silence, pre-activated checkboxes or other inactivity invalid
>> probably separate consent required for each purpose (Recital 32 GDPR)
>> consent must be given actively and before receiving the first advertisement

(25) GDPR: Form and presentation of consent
Data protection consent according to Art 6 para 1 lit a GDPR for marketing purposes
I consent to [...] using my personal data (first name, last name, address, [...]) for the purpose of sending/communicating information about new offers, products or services, in particular about [...]
by mail / by mail / by phone
I consent that my personal data are processed by […] and transmitted to [...] as well as the other companies [...] for these purposes.
The use of the data to provide the services of [...] is independent of this consent.
Revocation: I can revoke this consent at any time by mail to [...] or by letter to [...]. The revocation of consent does not affect the lawfulness of the processing that took place until the revocation.
[date and signature]

(26) GDPR: Case law on consent
Decision DSB-D213.658/0002-DSB/2018 of 8 August 2018
- consent of employees to use a GPS system for company-owned vehicles
- purpose: protection / security of company property; facilitation of monthly billing with leasing company; route planning and optimization; insurance bonus
- but: 93 days of storage; according to the DPA, GPS tracking enables performance profiling (how fast / punctual)
- DPA: no clearly identifiable benefit for the employee, therefore no voluntary consent

(27) GDPR: Case law on consent
Decision DSB-D122.931/0003-DSB/2018 of 30 November 2018
- cookies: "pay or OK" consent for technically unnecessary cookies (§ 165 TKG)
- choice when visiting the website for the first time: either consent to data processing via marketing cookies or paid "PURE" subscription
- DPA confirms voluntariness of "pay or ok" consent
- findings: admissibility of cookie consent is based on Art 7 et seqq GDPR; no voluntariness (only) if in case of refusal there are considerable negative consequences or risks of deception, intimidation or coercion

(28) GDPR: Case law on consent
Decision DSB-D122.931/0003-DSB/2018 of 30 November 2018, essential parameters:
- no cookies before the user's decision
- transparent information on data processing (Cookie Policy)
- price for processing without personal data as an alternative must not be "disproportionately expensive" >> EUR 6,- was regarded adequate in the specific case
- scope of access must be the same for both alternatives
- existence of alternative information offers
- implementation of possibility of revocation >> e.g. via browser settings with further variants
- note: confirmation in Recital 20aaaa ePrivacy Regulation Proposal

(29) GDPR: Case law on consent
Decision DSB-D213.642/0002-DSB/2018 of 31 July 2018
- declaration of consent for marketing purposes
- very strict standard for the concrete design / visual implementation
- possibly the impression that only a decision regarding the communication channel (postal, electronic, telephone) is made, thus an inadmissible opt-out (!)
- findings: admissibility of § 107 TKG (now: § 174) consent >> Art 7 et seqq GDPR; even if the content is correct and detailed, attention must be paid to design and presentation

(30) GDPR: Case law on consent
DSB-D213.895 (not published) and DSB-D213.983
- CRM program / bonus club; interaction of several controllers
- focus of the DPA: design of consent; transparency of information and customer expectations
- result: invalid consent because of the overall impression; continuation of the strict line; strict requirements for transparency / scope of data protection notices
- consent placed at the end of the CRM registration form, but: note that (i) consent is required by data protection law and (ii) not required for registration for the customer loyalty program
- DPA assessment: invalid consent; notice not clear enough, but "merely inconspicuous below or above the signature line"
- reason: "average data subject assumes that a signature field at the end of a registration form for the customer loyalty program is a signature to confirm registration for the program (and not, for example, consent to profiling under data protection law)"

(31) GDPR: Case law on consent
- consent via website is also inadmissible: "ostensibly referred to the benefits, but not sufficiently clear that this is consent for profiling purposes (and more)"
- fallback to legitimate interests?
  NO, because "a subsequent change of the legal basis – in particular to legitimate interests – cannot be considered"; fallback would contradict the right to withdraw consent
- only obtaining consent via app was permissible: the screen-by-screen sign-up process ensures that the request for consent is clearly distinguished from the rest of the sign-up process; clear reference to "profiling" and "consent"

(32) GDPR: Direct marketing by snail mail
- use of public land register data for postal contacting
- so far: different results of the DPA: 1-time sending of advertisement permissible; 3 times mailing inadmissible
- reasoning DPA (DSB-D123.972/0005-DSB/2019): interest of the data subject: no repeated contact because of real estate sales; one-time shipment may be permissible, provided that: transparent information; deletion was offered; no sensitive data are processed
- reasoning Federal Administrative Court (W 211 2221963-1/3E): data in the land register are generally available and not worthy of protection when merely reproduced; weighing of interests required: interest of the developer / public to create living space; interest of the data subjects in proportionate processing of land register data

(33) GDPR: Direct marketing by snail mail
- result: Federal Administrative Court comes to a different conclusion when weighing interests; interests of the entrepreneur prevail even if the data subject was contacted 3 times by mail
- justification: data in the land register is generally available; interest "direct marketing" explicitly mentioned in Recital 47 GDPR; low severity of the interference with the data subjects' rights

(34) Excursus: Contacting (potential) customers
- = electronic message, e.g. e-mails, SMS, social media message / posting, via messenger and video tools, without prior consent
- = calls (outbound)
- SPAM (§ 174 TKG): any content that promotes or provides arguments for a specific product or idea or has a reputation-enhancing effect; for direct marketing measures which serve to point out a need and the possibility of its satisfaction; also a mere suggestion for the use of certain services

(35) Spam (§ 174 TKG)
- electronic contact for advertising purposes (esp. newsletter) requires prior consent of the recipient
- relationship to GDPR? grey area: under data protection law, contacting for advertising purposes can be justified by legitimate interests; but: TKG also protects legal persons! unsolicited electronic communication is usually a violation of the TKG, but usually not a clear violation of the GDPR; but: postal advertising does not require consent
- (very) limited soft opt-in possible: instead of active consent, it is possible that customers are only offered an opt-out option if:
  - the contact data was obtained in the course of providing a service or selling a product (existing business relationship)
  - the customer has been given a clear and unambiguous opportunity to refuse direct marketing when his data were collected (opt-out)
  - the customer is able to refuse further direct advertising free of charge and without any problems at the time of each transmission (e.g. unsubscribe from newsletter)
  - the customer has not rejected the sending from the outset, in particular by registering with RTR in the Sec 7 para 2 ECG list

(36) Spam: inadmissible measures and consequences
- inadmissible in any case:
  - the identity of the sender is concealed / obscured
  - advertising is not recognizable as such (Sec 6 ECG)
  - recipient is requested to visit websites that violate Sec 6 ECG (websites that do not provide sufficient information about advertising)
  - no authentic address of the sender to which the recipient can send a request to stop is available (revocation!)
- legal consequences:
  - TKG: sending without consent = administrative offense; fine of up to EUR 50,000
  - violation of UWG (law against unfair competition): head start by breaking the law as defined in § 1 UWG, advantage over competitors who act in a compliant manner; aggressive business practice (no. 26 of the blacklist): persistent and unwanted solicitation by phone, fax, e-mail or other media suitable for distance selling

(37) Spam: inadmissible measures and consequences
- claims: injunctive relief (UWG, general civil law); damages, surrender of profits, publication of judgment; enforceable with preliminary injunction
- practical risks: negative PR, bad reputation; loss of customers as a result of loss of confidence; frequently: market observation by competitors (warning letters); warning letters by specialized lawyers (cost-intensive); action by private individuals (complaints, reports to telecommunications office or DPA)

(38) GDPR/TKG: solutions for the handling of consent in practice
- Consent only as ultima ratio !!! >> no consent if other legal bases apply:
  - legal obligations, e.g. Sec 55a para 3 AMG
  - fulfillment of contract: ongoing business relations (advanced training events)
  - legitimate interests: maintenance of business relationship; purposes of scientific information; (limited) direct marketing purposes and market research (but: Sec 174 TKG)

(39) GDPR: Profiling and Automated Decision Making (ADM)
- highly relevant for data mapping
- Profiling (Art 4 no. 4 GDPR): "any form of automated processing […] to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements"
- ADM (Art 22 GDPR): "a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her"

(40) GDPR: Profiling and Automated Decision Making (ADM)
- Profiling (Art 4 no. 4 GDPR): basically no special provisions
- ADM (Art 22 GDPR): generally inadmissible without the intervention of a human being, i.e. permissible if a human being makes the decision!
  - exception: permissible if the decision is necessary for conclusion / fulfillment of a contract; authorised by (EU / MS) law; or based on the data subject's explicit consent
  - appropriate measures are obligatory: intervention of a human being; position of the data subject; right to challenge the decision

(41) "Cookies": Information and consent requirement (§ 165.3 TKG)
- service providers (website operators) are obliged to inform users (visitors) about the following: which personal data are collected, processed and transmitted; on what legal basis; for which purposes this is done; and for how long the data will be stored
- supplement to the information obligations under data protection law
- Best practice: Cookie Policy in cookie banner
- !!! No restriction to the Cookie-technology !!!
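Slide 9 draws the line between pseudonymous data (still personal data) and anonymous data, and slide 41 notes that the information obligations are not limited to cookie technology. The following Python script is an added example, not part of the lecture material: it takes constructed web-analytics hits carrying a client-ID cookie value, truncates the IP address, replaces the cookie value with an HMAC pseudonym under a separately held key, and shows that the pseudonymised records still single out each visitor and can be attributed back by whoever holds the key, while only aggregate counts (small groups suppressed) cease to relate to an individual. All identifiers, addresses and pages are constructed.

```python
"""Pseudonymous vs. anonymous analytics data (added example; all input constructed)."""
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict

# Constructed sample of web-analytics hits. "cid" stands in for a persistent
# client-ID cookie value; the IP addresses are RFC 5737 documentation ranges.
HITS = [
    {"cid": "visitor-a1b2", "ip": "203.0.113.17", "page": "/pricing"},
    {"cid": "visitor-a1b2", "ip": "203.0.113.17", "page": "/checkout"},
    {"cid": "visitor-a1b2", "ip": "198.51.100.4", "page": "/account"},  # same visitor, new network
    {"cid": "visitor-c9d0", "ip": "203.0.113.42", "page": "/pricing"},  # other visitor, same /24
    {"cid": "visitor-e5f6", "ip": "198.51.100.9", "page": "/blog"},
]

# The "additional information" of Art 4 para 5 GDPR: a secret key that has to be
# stored separately from the pseudonymised records and access-controlled.
PSEUDONYM_KEY = secrets.token_bytes(32)


def truncate_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address (the usual "IP anonymization" setting)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(octets[:3] + ["0"])


def pseudonymise(client_id: str, key: bytes) -> str:
    """Keyed pseudonym: without the key the original ID can neither be recomputed nor guessed."""
    return hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymous_records(hits, key: bytes):
    """Replace the cookie ID by its pseudonym and truncate the IP. Still personal data (Recital 26)."""
    return [
        {"pid": pseudonymise(h["cid"], key), "ip": truncate_ip(h["ip"]), "page": h["page"]}
        for h in hits
    ]


def profiles_by(records, field: str):
    """Group page views by one field; each distinct group is a visitor that can be singled out."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r["page"])
    return dict(groups)


def reidentify(pid: str, candidate_ids, key: bytes):
    """Whoever holds the key (plus a list of known IDs) can attribute a pseudonym back to a visitor."""
    for cid in candidate_ids:
        if hmac.compare_digest(pseudonymise(cid, key), pid):
            return cid
    return None


def anonymous_page_counts(hits, k: int = 2):
    """Aggregate counts with no per-visitor field; counts below k are suppressed so that a
    single visitor cannot be read off a group of one."""
    counts = Counter(h["page"] for h in hits)
    return {page: n for page, n in counts.items() if n >= k}


if __name__ == "__main__":
    recs = pseudonymous_records(HITS, PSEUDONYM_KEY)
    # The cookie pseudonym links all three sessions of visitor-a1b2, including the one
    # from another network; the truncated IP alone merges two different visitors.
    print("visitors singled out via pseudonym:", len(profiles_by(recs, "pid")))
    print("groups distinguishable via truncated IP only:", len(profiles_by(recs, "ip")))
    print("anonymous aggregate:", anonymous_page_counts(HITS))
```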
(42) "Cookies": information and consent requirement (§ 165.3 TKG)
- additional consent requirement: the user must actively agree to cookies before they are set
- in practice: information banner or pop-up on the start page (cookies may only be set after an active click on the button) + in footer or flying button
- consent requirement does not apply if: cookies are necessary for the transmission of a message; or cookies are absolutely necessary so that the provider can provide a service that has been expressly requested
- All marketing, tracking and analysis cookies require consent!

(43) "Cookies": ePrivacy regulation (draft)
- supplement to the GDPR with special provisions for electronic communications (esp. websites and newsletters)
- still in draft stage – Council (February 2022)
- legal entities also protected (as in TKG)
- severe penalties for violations, like GDPR: up to EUR 20 million (or 4%)
- stricter provisions for consent (esp. newsletter): prior consent required for sending advertising; as under the GDPR: voluntary, verifiable, on the basis of comprehensive information and separately for each purpose (prohibition of tying); right to withdraw consent at periodic intervals (no longer than 12 months)
- easier embedding of cookies: user's browser settings sufficient (not always banners); BUT: active selection of settings by the user required

(44) "Cookies": Austrian lead "Google Analytics decisions I+II"
- DPA follows a restrictive approach; supported NOYB's complaint
- implementation and usage of Google Analytics collects and transmits personal data to Google LLC
- neither the applicable SCC nor the agreed supplementary measures provide sufficient guarantees subject to Art 44 GDPR
- Google Analytics uses personal data despite IP anonymization: unambiguous Google IDs generated via cookies are sufficient for identification, as it is possible to distinguish website visitors
- "identifiability" to the effect that it must be possible to associate ID numbers with a specific "face" is not required; reference is made to Recital 26 GDPR ("singling out")
- whether an identification actually takes place or not is irrelevant – the mere (theoretical) possibility is sufficient

(45) "Cookies": Austrian lead "Google Analytics decisions I+II"
- DPA focused on the SCC set-up due to lack of other Art 46 GDPR measures: no adequacy decision for the US (at the time of the relevant data transfers); no consent pursuant to Art 49 para 1 lit a GDPR gathered
- open: may consent enable further use of Google Analytics or other US tools/cookies?
- DPA quotes the Schrems II decision as well as EDPB Guidelines and states that: the "risk-based" approach does not apply; the likelihood that problematic US law will apply is sufficient
- therefore: the (old version of the) SCC are not sufficient per se; contractual measures do not bind the US authorities and therefore cannot be sufficient on their own; organizational measures adhered to by both sender and recipient are required to complement contractual and technical measures; and technical measures need to be effective to prevent foreign authorities from identifying data subjects
- it is not sufficient that the application of such legal protection gaps is sufficiently unlikely or that the risk they pose to data subjects is sufficiently low

(46) "Cookies": Austrian lead "Google Analytics decisions I+II"
- based on this, the DPA denied the effectiveness of the supplementary measures taken by Google:
  - "With respect to the contractual and organizational measures outlined, it is not clear to what extent notifying the data subject of data requests […], publishing a transparency report or a 'policy for handling government requests' are effective in the sense of the above considerations."
  - "As far as the technical measures are concerned, it is equally not discernible […] to what extent the protection of communications between Google services, in transit between data centers, between users and websites or an 'on-site security' actually prevent or limit the access possibilities of US intelligence services on the basis of US law. [...] As long as the second respondent itself has the possibility to access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations."

(47) GDPR: Admissibility of disclosure of data
- disclosure = any disclosure of personal data to an (external) recipient
- recipient = controller: i.e. the recipient uses the data for his own purposes → legitimate ground required
- recipient = processor: i.e. the recipient uses the data only on behalf of the controller → data processing agreement required

(48) GDPR: Privacy by Design (Art 25, 32)
- previous approach of data economy now regulated comprehensively
- appropriate technical and organizational measures to effectively implement data protection principles and security measures, regulation as well as data subject rights
- criteria: state of the art; implementation costs; type, scope, circumstances and purpose of processing; probability of occurrence and severity of risks

(49) GDPR: Privacy by Default (Art 25, 32)
- obligation to ensure that only data required for the purpose are processed by default setting: amount of data collected; extent of processing; storage period; accessibility
- ensure compliance at an early stage, eg during product development and introduction (definition of service!)
- transparent functions enable monitoring by affected parties
- create and improve security functions

(50) GDPR: Records of processing activities
- obligation of almost every controller, minimum content: name / contact details of the controller; purpose of processing; categories of data subjects, data, recipients; description of appropriate safeguards for transfers to 3rd countries; deadlines for deletion of data; description of security measures; (legal basis)
- processors must also create a directory, but with abbreviated content: name and contact details of the processor and all controllers; categories of processing operations per controller; description of appropriate safeguards in case of transfers to 3rd countries; general description of technical and organizational security measures
- in writing / electronically
- to be submitted to the data protection authority upon request for verification and proof of GDPR compliance

(51) GDPR: Records of processing activities

(52) GDPR: Data Protection Impact Assessment (DPIA, Art 35)
- Is the data processing likely to involve a high risk for the data subjects? due to type, scope, circumstances, purpose; especially when new technologies are used
- prior preparation of a DPIA

(53) GDPR: DPIA
- required in any case if: evaluation on the basis of automated decisions (profiling); extensive processing of sensitive/criminal data; systematic monitoring of publicly accessible areas
- delimitation difficult in practice: European Data Protection Board provides interpretative guidance; Black- / Whitelists of the data protection authorities
- ongoing review required
- not to be drawn up by the data protection officer ("seek advice")

(54) GDPR: DPIA White List of Austrian DPA of 25 May 2018
- data processing operations according to the list of exceptions (similar to previous standard applications)
- already registered and pre-monitored data processing operations that have not been substantially changed (e.g. video surveillance)
- regulation does not focus on specific categories of data subjects, data and recipients; instead, pure description of the purpose of the data processing
- the most important exceptions in practice: customer management ("basic" CRM); accounting, logistics, bookkeeping; human resources management; customer care and marketing for own purposes; access management for EDP systems; access control; video surveillance, if esp.: only own premises (public areas maximum 0,5 m), maximum 72 hours storage time, proper identification

(55) GDPR: DPIA Blacklist of Austrian DPA of 9 November 2018
- currently very different blacklists (or drafts) across the EU with a total of more than 260 different processing activities; no full harmonization, no "EU list"
- BUT: EDPB has issued EU-wide uniform criteria to be taken into account by the Member States
- if at least two of the following criteria are met, e.g.: evaluation or grading (including profiling and forecasting) where potentially adverse; observation, surveillance or control of persons concerned (especially in public spaces); merge and/or match records from multiple processing operations (data mapping!); data processing in the highly personal sphere (also with consent)
- if one of the following criteria is met: special categories of personal data; Profiling and ADM; personal data on criminal convictions and offences; collection of location data as defined by the TKG; data on data subjects in need of protection (employees, patients, mentally ill persons)

(56) GDPR: DPIA
- required for any extensive processing of special categories of data (sensitive data)
- minimum content: systematic description of the processing and purposes; assessment of necessity and proportionality; assessment of risks; defensive measures, guarantees, security precautions and procedures
- Standardization options: description of IT landscape (hardware, software, systems etc); IT standards (virus protection, firewall, back up, etc); personnel structure (access rights, control, reporting lines etc); potential risks and their probability of occurrence; listing of consequences and hazard classes; elaboration of risk minimization / countermeasures
- Practical implementation proposals; reference to adapted / updated IT policy
- ! CAUTION ! DPIA to be carried out separately for each data application; check need for adaptation in each individual case; different processing leads de facto to different risks

(57) GDPR: DPIA Result
- basis for decision: implementation of project possible? conversion of individual steps required? sufficient safety measures established?
- Purpose: fulfillment of Art 35 GDPR; most important document for notifications in emergencies; indispensable proof of compliance with due diligence (discharge!)
  - increase transparency within the company
- Updating
  - in case of changes in the process
  - after the occurrence of a previously unforeseen risk
  - in case of changes in international / technical standards

GDPR: Designation of a DPO (Art 37 et seqq GDPR) (slide 59)
- no general obligation
- scope for implementation of the GDPR not used in the DSG
  - no obligation to designate a DPO if certain key figures are reached
  - DPO has to be appointed regardless of company size or number of employees (as opposed to German DSG)
  - vague criteria of the GDPR take effect
- mandatory designation for:
  - authority or public bodies
  - companies with specific core activities: extensive, regular and systematic monitoring; or extensive processing of sensitive or criminally relevant data

Employee data protection (slide 60)
- Employees are not exempt from the right to data protection!
- Works agreements („Betriebsvereinbarung“)
  - Every company of more than 5 employees should have a works council („Betriebsrat“)
  - Works agreements are concluded between the works council (representing the employees) and the management
  - §§ 96 et seqq ArbVG („employee constitutional act“)
- Employee consent
  - § 10 AVRAG („employee contract adaptation law“): special type of „consent“ to conduct the measure (this does not equal a GDPR consent!)
  - Not: Art 7 GDPR consent

GDPR: DPO (slide 61)
- core activities
  - main activity of the company, not a mere secondary activity (Recital 97)
  - Guidelines Art 29 Data Protection Working Party (DPWP): key operations
  - all essential as well as inseparable ("inextricable") activities that serve to achieve the company's objectives
  - no merely subordinate auxiliary activities (e.g.
employee administration)
  - "extensive": large amounts of data, large number of data subjects, potentially high risk (Recital 91)
    - other factors according to Art 29 DPWP: duration and geographic scope of processing
  - "regular and systematic monitoring": interpretation by Art 29 DPWP:
    - "regular": permanent, at certain intervals or at certain times
    - "systematic": organized, methodical, strategic
  - Art 29 DPWP examples: monitoring of data subjects' behavior on the Internet, all forms of tracking and profiling as well as targeted advertising, location tracking – e.g. through mobile apps, customer loyalty programs, video surveillance

GDPR: DPO (slide 62)
- core activities
  - special categories of personal data (Art 9 GDPR)
    - data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs
    - trade union membership
    - genetic and biometric data, health data
    - data relating to sexual life or sexual orientation
  - data relating to criminal convictions and offences (Art 10 GDPR)
    - data relating to criminal convictions and offences or related security measures

GDPR: DPO (slide 63)
- tasks of the DPO:
  1. advising the controller / processor and its employees on data protection issues
  2. monitoring compliance with data protection obligations
  3. advice on DPIA and monitoring of its implementation (not the preparation!)
  4. cooperation with and contact point for the data protection authority

GDPR: DPO (slide 64)
- independent, free from directives (Art 38 para 3 GDPR) in the performance of duties as data protection officer
- may not be dismissed or disadvantaged because of the fulfillment of his tasks
- time limit makes sense
- controller / processor responsible for compliance!
  - involvement in data protection issues at an early stage
  - necessary resources must be made available, including maintenance of expertise (training and education)
  - ensure access to data and processing activities
  - direct reporting line to highest management level
- data subjects can "consult" DPO

GDPR: Selection of a DPO (slide 65)
1.
Professional qualification
2. Expertise in the field of data protection law and practice
3. Ability to perform the tasks according to the GDPR
>> therefore: legal, technical and organizational knowledge required
- internal or external
- avoid conflicts of interest: therefore, not a person with decision-making authority in data protection matters, as the DPO would advise / control himself / herself
- not responsible in the sense of Sec 9 VStG at the same time (due to authority to issue orders)

GDPR: Selection of a DPO – practical tips (slide 66)
- internal DPO: employee of compliance, legal or IT department
  - usually not head of the department
- data protection team possible
  - purely internal: with a "real" DPO at the top who can act independently of the remaining team members
  - mixed: external service provider as DPO with direct internal contact, both acting together
- personal profile and social competence equally important as experience
  - recognized / appreciated within the company
  - solution-oriented and pragmatic

GDPR: Designation of a DPO – assessment and documentation (slide 67)
- in any case, document internally the examination of the duty to appoint!
  - must be presented to the authority upon request
- if not mandatory: voluntary DPO?
  - provisions of the GDPR fully applicable!
- practical tip: appoint "data protection coordinator(s)"
  - is not a DPO in the sense of the GDPR
  - can decide on the matter
  - not bound to GDPR regime
  - contact point in the company for data protection issues
  - contact to the authority if required

Employee data protection (slide 68)
- Types of works agreements
- § 96 ArbVG: replaceable consent
  - Examples: disciplinary regulations, personnel questionnaires, control measures, performance related pay
  - Mutual agreement
  - Cannot be enforced by arbitration board
  - Cannot be replaced by employee consent
- § 96a ArbVG: measures requiring approval
  - Examples: systems for the assessment of employees
  - Mutual agreement
  - Arbitration board can be called upon >> decision replaces works agreement
  - Without agreement, the measure cannot be conducted

GDPR: DPO (slide 69)
- authority or public body
  - no definition in the GDPR or in the DSG
  - Guideline of the Art 29 Data Protection Working Party (DPWP, now EDPB)
    - independent of legal form
    - to be determined according to national law
    - esp. also in the area of water and energy supply, transportation etc.
  - Interpretative Guidelines:
    - Art 2 Directive 2003/98/EC: "state, regional or local authorities" as well as "bodies governed by public law" which perform "tasks in the general interest" and are financed or supervised by public bodies
    - Sec 26 DSG: established in forms of public law or "acting in execution of the law"
  - to be appointed for all data processing activities even if activity only partly official (Art 29 DPWP)

GDPR: Data subject rights (slide 70)
- right of revocation
- right to information
- right to rectification
- right to erasure ("right to be forgotten")
- right to restriction of processing
- right to data portability
- right to object
- copy of ID required as proof of identity only in case of "reasonable doubt about the identity" of the applicant
- fulfillment within 1 month after receipt of request; extension to 2 months possible in individual cases
- fulfillment generally free of charge
- prepare sample responses!
GDPR: Right to information/access (Art 13-15) (slide 71)
- Right to information: abstract information on purpose, legal bases, processed data, etc.
- Right to access: concrete and precise information on what exact data is processed, purposes, etc.
  - content: purposes of processing; categories of processed data (conclusive!); possible recipients or categories of recipients; storage period; data subject rights; "all available" information about the origin of the data
  - written/electronic – depending on the nature of the request
  - data subject also has a right to a "copy of the data"

GDPR: Right to rectification and erasure (Art 16-17) (slide 72)
- rectification of incorrect or completion of incomplete data
- erasure of personal data if there is a reason for deletion
  - principle: data is only stored for as long as it is required for the specific purpose for which it was collected
  - immediate deletion in case of revocation of consent
  - BUT: statutory retention periods apply in many cases!
    - company law requirements: 7 years (BAO; UGB)
    - claims for damages: 3 years general limitation period
    - in special constellations: 30 years

GDPR: Right to „be forgotten“ (Art 17) (slide 73)
- ECJ C-131/12: claim for deletion also directly against search engine Google instead of against the website that was made findable by Google
  - prerequisite: interest in not being found outweighs (i) Google's interest in operating the search engine and (ii) the public's interest in information
  - right to freedom of expression has to be taken into account
- right to deletion can also be enforced against social media platforms
- GDPR: right to “be forgotten” does not outweigh all other rights, statutory obligations to store data still apply!

GDPR: Anonymization vs. erasure (slide 74)
- Decision DSB-D123.270/0009-DSB/2018 of 5 December 2018
  - data subject requests erasure of personal data
  - controller complies by: partial deletion and anonymization of the remaining personal data by changing it to dummy data (“Jane Doe")
- findings: anonymization instead of deletion permissible because processing and use no longer possible (no personal reference)
  - no right of choice of the data subject

GDPR: Right to data portability (Art 20) (slide 75)
- transfer of data provided by the data subject to data subjects or other controllers
  - to 3rd parties only as far as technically feasible
- in a structured, common and machine-readable format
- but only if data processing: on the basis of consent or performance of a contract, and automated processes
- no obligation to adopt or maintain technically compatible data processing systems

GDPR: Right to object (Art 21) (slide 76)
- At any time, if
  - processing is based on Art 6 para 1 lit e or f GDPR and on grounds relating to the particular situation of the data subject
  - the processing serves direct marketing purposes

GDPR: How to deal with inquiries of data subjects? (slide 77)
1. the first steps
  - channeling requests of data subjects
  - create awareness among employees
  - document the receipt of data subject inquiries and their further processing/disposal
2. identification of the applicant
  - independent investigation by the controller (as far as possible)
  - requesting proof of identity only in exceptional cases! in case of "reasonable doubt" about identity
  - request proof without delay
3. identification of the asserted data subject right
  - assessment of whether the conditions for exercising the right are met
  - comparison of the request and the legal obligations

GDPR: How to deal with inquiries of data subjects? (slide 78)
4. the first reaction to the data subject
  - information to the data subject about the receipt of the request
  - information on the cooperation of the data subject that may be required, e.g.
proof of identity in the case of justified doubts or, if necessary, concretization of the request
5. initiation of internal steps
  - allocation of responsibilities
  - fulfillment of the data subject's request
6. deadline monitoring
  - deadline: 1 month upon receipt of the data subject request by the data controller
  - extensions of up to 2 months in justified cases: complex requests; numerous requests

GDPR: How to deal with inquiries of data subjects? (slide 79)
7. information to the data subject about the status of his/her request
  - at the latest after 1 month upon receipt
  - positive information: fulfillment of the data subject's request
  - negative information: reasons for non-compliance
  - observe any mandatory information obligations (e.g. reference to the right to file a complaint)
8. legally sound answers
  - avoid discrepancies in the complaint procedure!
  - be guided by the wording of the GDPR and the DSG: no more and no less!

What is a „data breach“ („Datenleck“, eng. „data leak“)? (slide 80)
- Think of examples and of measures to avoid them!
- Group exercise (4-5 people, 5 min)
- Present your findings (1 min)

GDPR: Data breach (Art 33-34) (slide 81)
- Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data!
- e.g.:
  - theft of mobile devices (laptop, mobile phone)
  - loss of hardcopy records and documents during transport to home office
  - dropped USB stick
  - hacker, ransomware
  - data records "ripped off" by (former) employee
  - e-mail to wrong recipient/s
  - access by household members to documents to be kept secret
- controller or processor!

GDPR: Prevention of data breaches (Art 32) (slide 82)
- technical measures (exemplary!):
  - pseudonymization / encryption
  - confidentiality, integrity, availability, resilience of systems and services
  - availability of data, rapid recovery of access in case of incident
  - procedures for regular review, assessment and evaluation of effectiveness of technical / organizational measures
- best practice as benchmark
  - ISO standards (esp.
ISO / IEC 27000 family)
  - ÖNORMEN
  - Austrian Information Security Handbook
  - German BSI Grundschutz (eng. basic protection)
- general security measures to be taken:
  - personal security (confidentiality and training)
  - access control, authorization system, password security
  - secure physical environment (fire protection, power supply etc)
  - disaster recovery and business continuity (e.g. backups)

GDPR: Prevention of data breaches (Art 32) (slide 83)
- organizational measures
  - personnel security (confidentiality and training)
  - secure physical environment (power supply, etc)
  - create employee awareness
  - adaptation / creation of IT guidelines
    - regulation of which devices may be used (“BYOD”)
    - ensure that data secrecy and company and business secrets are maintained
    - guidelines for TelCos and video conferences in the home office
    - regulations for handling external storage media
  - awareness training

GDPR: Data breach notification (slide 84)
- evaluation of the risk within a maximum of 72 hours from knowledge of the data breach!
- detailed internal documentation of all data breaches!
- no risk for data subjects: internal documentation
- risk for data subjects: + notification to data protection authority
- high risk for data subjects: + notification to data subjects

GDPR: Data breach – To do's (slide 85)
- decisive: risk for data subjects
- criteria for risk assessment (overall consideration!):
  - type of data breach (e.g. unauthorized disclosure, loss, etc.)
  - type, sensitivity and scope of the affected data
  - possibility to identify the data subjects
  - severity and likelihood of impending consequences
  - number of data subjects
  - data subjects requiring special protection
- high risk in any case of imminent harm or if data subjects themselves have to take action

GDPR: Data breach notification (slide 86)
- immediate (if possible: within 72 hours) notification to the data protection authority:
  1. description of the nature of the data breach
  2. indication of categories and number of data subjects and data
  3. name and contact details of the data protection officer
  4. description of the likely consequences
  5. description of the countermeasures taken or proposed
- in the case of high risk: additional, immediate notification to the data subjects
  - in case of disproportionate effort: public announcement
- practical tip: in case of doubt, better notify
  - notification of data subjects can be requested by the DPA

GDPR: Transfer of personal data to third countries (slide 87)
- Third countries: states outside the EU/EEA
- Legal basis for a transfer:
  - adequacy decision
  - standard data protection clauses (templates of the EU Commission)
    - Schrems II: supplementary measures?
  - binding corporate rules
  - derogations for specific situations

GDPR: US data transfers (slide 88)
- History
  - complaint by Max Schrems of 25 June 2013
    - allegation: lack of appropriate safeguards in the data transfer from Facebook Ireland to Facebook Inc in the US
  - ECJ overturns EU-US Safe Harbor on 6 October 2015 in C-362/14
    - no restriction on US government access and surveillance measures
    - no administrative or judicial legal protection against unlawful government surveillance measures
  - Privacy Shield framework replaces Safe Harbor agreement
  - Max Schrems renews his complaint on the same allegation
  - ECJ overturns EU-US Privacy Shield on 16 July 2020 in C-311/18

GDPR: Data transfer to the US (slide 89)
- The "Schrems-Saga": Safe-Harbor/Privacy Shield Agreements
  - Max Schrems is Austrian
  - adequacy decisions invalidated due to US surveillance measures
- EU SCC still applicable as suitable guarantees
  - BUT: additional inspection obligation of the controller
    - What protection do SCCs offer in a specific case?
    - What guarantees does the recipient's country of domicile provide?
    - Are the EU SCC sufficient or are further measures required?
  - verification probably already required, but hardly ever carried out
  - six-step plan of the EDPB and overall risk assessment comparable to "DPIA" for data transfer

GDPR: Consequences of data protection violations (slide 90)
1. data subjects' right of appeal to DPA (in AT: DSB)
2. (official) investigation by DPA
3.
penalties by DPA
4. possibly claims:
  - for damages (to be asserted in court)
  - for injunctive relief (UWG)
5. in extreme cases: punishable by court (imprisonment of up to 1 year)
- practice: complaints and investigation procedures by DPA, media pressure and lawsuits based on UWG

GDPR: Consequences in case of data protection violations – DPA proceedings (slide 91)
- DPA may inspect at any time, not only in case of concrete suspicion
- right to complain to DPA
1. DPA examines complaint
  - request for comments, usually time limit of 2-4 weeks
  - second round possible
  - when necessary (on site) inspection
  - Note: assert and prove the legality of the data processing, the fulfillment of the data subject's request and the correctness of the measures taken
  - evidence: excerpts from the IT systems, screenshots, correspondence with data subject, copies and photos
2. in case of violation
  - request to modify the processing activity, or
  - order to restrict the processing, or
  - prohibition of processing (in whole or in part, for a limited or unlimited period of time)
3. penalties or data processing (esp. in case of "not immediate" implementation of the orders)

GDPR: Preparation for audit by DPA (slide 92)
- preparation in the company absolutely necessary
  - implementation of regulated processes in case DPA contacts controller
  - channeled communication
  - awareness and readiness of human resources
  - completeness of documentation
  - impression of workplaces and IT landscape

GDPR: Penalties (slide 93)
- imposing fines directly on legal entities
  - up to EUR 20 million / 4% of the total worldwide annual turnover of the previous business year (higher value applies!)
  - in the event of a breach of the GDPR or DSG by a person in a management position (alone or as part of an organ of the legal entity): authorized to represent, decision-making authority or control authority
  - even if the breach was made possible by lack of supervision or control enforcement
- additional fine against natural persons (esp.
managing directors, board of directors)
  - only subsidiary and in "special circumstances"
- no fines against authorities and public bodies

Case study: data protection (slide 94)
Sybil Sly, Caroline Careful and Albert Angsty have just founded a start-up. All three of them are managers of the „Super Profiling limited“. They already have several employees, among them 5 programmers, 2 assistants, 3 marketing specialists and a lawyer. Their company specializes in online advertising. Their tool can track click rates of newsletters, surfing behavior, mouse movement, where the website visitors come from and where they go to. The tool does not work based on cookies but on a different, new technology, because when inventing the tool they remembered that cookies mean trouble. It gives the surfers an „online fingerprint“ to identify, recognize and track them. The tool can also show advertisements throughout several websites and on social media. Though the tool is developed by themselves, it is hosted in a US cloud.

Careful receives a request from a customer who has recently implemented their tool. The customer wants to know what they must do to be GDPR-compliant when they use the tool. As the contract with „Super Profiling limited“ also includes consulting, they want her advice. What should she tell them?

Sly has grown very mistrustful of the programmers. They don't work as fast as she wants them to, and she thinks they don't work when they are in home office. She wants to use their tool internally to track the working behavior of the programmers and, if that works, she also wants to sell it for that purpose to other customers. She talks to Angsty about her plan, but he is skeptical whether this is legal. Is he right?

Angsty has just recently returned from a business trip. Back in the office he realizes that he must have lost his tablet. As he very quickly put the tablet into operation before the business trip, no encryption is set up and the PIN is the set-up PIN glued to the back of the tablet.
With the tablet one can access contracts, customer data, employee data, e-mails, etc. What should he do?

Questions? (slide 95)

Repetition questions (slide 96)
Assign the term to the right definition!
1: Data that is not related to an identified or identifiable natural person
2: Data that is related to an identified or identifiable natural person
3: Data that can no longer be attributed to a specific natural person without the use of additional information that is kept separately
A: Personal data
B: Anonymous data
C: Pseudonymous data

Repetition questions (slide 97)
What are the essential elements of consent (Art. 7 GDPR)?
A: unambiguous, given for the specific case in an informed manner before the use of data
B: voluntary, unambiguous, given for the specific case in an informed manner after the use of data
C: voluntary, given for the specific case in an uninformed manner before the use of data
D: voluntary, unambiguous, given for the specific case in an informed manner before the use of data

Repetition questions (slide 98)
What are examples of illegal spam?
A: Advertising that is recognizable as such.
B: The identity of the sender is concealed.
C: E-mail that can only be unsubscribed from by paying a fee.
D: The customer has rejected receiving a newsletter.

Repetition questions (slide 99)
What elements need to be written in a cookie banner?
A: legal basis
B: personal data that is collected, processed and transmitted
C: name of the cookie technology
D: storage duration of the data

Repetition questions (slide 100)
What are assessment criteria regarding technical and organizational measures in Privacy by Design?
A: state of the art measures are the absolute minimum; if higher measures exist, they must be chosen
B: implementation cost cannot be considered
C: type, scope, circumstances and purpose of the processing must be considered
D: probability of occurrence and severity of risks do not need to be considered because the strongest measures possible must be set to protect data

Repetition questions (slide 101)
In which cases do you need a data protection impact assessment?
A: the processing activity is listed on the white list
B: the processing activity uses a small amount of sensitive data
C: the processing activity leads to a systematic monitoring of privately accessible areas
D: the processing activity leads to automated decisions

Repetition questions (slide 102)
What are rights of data subjects according to the GDPR?
A: Right to authenticity
B: Right to erasure
C: Right to object
D: Right to information

Repetition questions (slide 103)
What are examples of data breaches according to Art 33 and Art 34 GDPR?
A: theft of an encrypted mobile phone
B: file with customer contracts that is forgotten in the subway
C: e-mail with names and IBANs of customers that is sent to wrong recipients within the company
D: ransomware attack

Repetition questions (slide 104)
What does the data protection authority need to be informed about in case of a data breach?
A: description of the countermeasures taken or proposed
B: name and contact details of the relevant processors
C: description of the nature of the data breach
D: name and contact details of the data subjects

Repetition questions (slide 105)
What are possible consequences of violations of the right to data protection?
A: life sentence in prison
B: data subjects may appeal to the data protection authority
C: damages claimed by the data protection authority
D: penalties by the Ministry of Digitalization
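The breach notification procedure of the "Data breach notification" and "To do's" slides (revisited by repetition questions 103 and 104), worked through as an added Python example; this is not part of the lecture material. The three risk tiers and the 72-hour deadline come from the slides; treating data that was rendered unintelligible (e.g. encrypted, key not lost) as "no risk", the cut-off of two aggravating factors for "high risk", the 1000-subject threshold and the sample breaches are my own assumptions.

```python
# Added example (not from the lecture): breach triage along Art 33/34 GDPR as on the slides.
# The rules are a simplified reading of the slide criteria; a real case remains an overall judgement.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    NONE = "no risk for data subjects"
    RISK = "risk for data subjects"
    HIGH = "high risk for data subjects"


@dataclass(frozen=True)
class Breach:
    nature: str                  # e.g. "loss", "unauthorized disclosure", "ransomware"
    known_since: datetime        # moment the controller became aware (starts the 72 h clock)
    data_categories: tuple       # kinds of data affected
    subject_count: int           # number of data subjects
    subjects_identifiable: bool  # can the data subjects be identified from the data?
    data_unintelligible: bool    # e.g. strongly encrypted and the key was not lost (Art 32)
    special_categories: bool = False   # Art 9 / Art 10 data
    vulnerable_subjects: bool = False  # employees, patients, ... (special protection)
    severe_consequences: bool = False  # e.g. financial loss or identity theft likely
    imminent_harm: bool = False        # slide: high risk "in any case"
    subjects_must_act: bool = False    # slide: high risk "in any case"


def assess_risk(b: Breach) -> Risk:
    """Map the slide criteria onto the three notification tiers."""
    # Assumption: data that cannot be read, or linked to a person, by whoever holds
    # it is unlikely to result in a risk; the breach is still documented internally.
    if b.data_unintelligible or not b.subjects_identifiable:
        return Risk.NONE
    # Two cases the slides call high risk regardless of anything else.
    if b.imminent_harm or b.subjects_must_act:
        return Risk.HIGH
    # The remaining criteria are weighed together; assumption: two or more
    # aggravating factors push the case into the high-risk tier.
    aggravating = sum([
        b.special_categories,
        b.vulnerable_subjects,
        b.severe_consequences,
        b.subject_count >= 1000,  # assumed cut-off for "large number of data subjects"
    ])
    return Risk.HIGH if aggravating >= 2 else Risk.RISK


def required_actions(risk: Risk) -> list:
    """Cumulative obligations: document, then + DPA, then + data subjects."""
    actions = ["detailed internal documentation"]
    if risk in (Risk.RISK, Risk.HIGH):
        actions.append("notification to the data protection authority")
    if risk is Risk.HIGH:
        actions.append("notification to the data subjects")
    return actions


def dpa_deadline(b: Breach) -> datetime:
    """Art 33: the DPA is notified within 72 hours of becoming aware of the breach."""
    return b.known_since + timedelta(hours=72)


# Constructed sample: an unencrypted USB stick with a customer export is lost.
LOST_USB = Breach(
    nature="loss of an unencrypted USB stick with a customer export",
    known_since=datetime(2024, 11, 4, 9, 30, tzinfo=timezone.utc),
    data_categories=("names", "postal addresses", "IBANs"),
    subject_count=1200, subjects_identifiable=True, data_unintelligible=False,
    severe_consequences=True,  # IBANs invite payment fraud
)
# Constructed counter-case: an encrypted laptop is stolen; key material stays with the owner.
STOLEN_LAPTOP = Breach(
    nature="theft of a full-disk-encrypted laptop",
    known_since=datetime(2024, 11, 5, 18, 0, tzinfo=timezone.utc),
    data_categories=("e-mails", "contracts"),
    subject_count=300, subjects_identifiable=True, data_unintelligible=True,
)

if __name__ == "__main__":
    for case in (LOST_USB, STOLEN_LAPTOP):
        risk = assess_risk(case)
        print(case.nature, "->", risk.value, required_actions(risk),
              "DPA deadline:", dpa_deadline(case).isoformat())
```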