Reading Week 5, GDPR Book (3.3 & 3.7) Flashcards

1
Q

What is privacy by design?

A

The concept of Privacy by Design (Art. 25 Sec. 1 GDPR) is based on the realisation that the conditions for data processing are fundamentally set by the software and hardware used for the task. The accelerating pace of technical progress turns data protection through technology into the regulatory approach of the future. Technological concepts for preventive protection shall serve as the basis for minimally invasive data processing. When creating new technology, developers and producers shall be obliged to keep data minimisation in mind.

Where new products shall be created, the management of the respective entity
should act at an early stage of the project towards making developers and designers
aware of this obligation.

2
Q

What are some examples of privacy by design?

A

Examples include IT systems directed towards data minimisation, as well as comprehensive and timely pseudonymisation of personal data. For example, questionnaires and other data collection forms could be drawn up in a way that limits the scope of collected data to the amount that is absolutely necessary to fulfil the purpose of the data processing.

3
Q

What is privacy by default?

A

The concept of Privacy by Default (Art. 25 Sec. 2 GDPR) shall protect consumers against the widespread trend among companies to obtain as much personal data as possible. By default, only personal data that are necessary for the specific purpose of the data processing shall be obtained. The concept addresses the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. For this purpose, the controller needs to implement appropriate technical and organisational measures. When the controller uses a processor, the latter must give the controller the possibility to achieve Privacy by Default.

The concept of Privacy by Default will, above all, help to protect individuals that do not have the technical knowledge or time to implement privacy-friendly settings themselves.

The main case of application for Privacy by Default should be privacy-friendly technical default settings when obtaining the data subject’s consent for processing.

4
Q

In what way does the extent of the obligation remain unclear?

A

It should be noted that manufacturers of IT solutions and products might be held liable as well, even if they will not be involved in the processing activities carried out through their products. Unfortunately, the article’s wording is very vague and lacks detailed definitions or examples to clarify the extent of the obligation to protect personal data through technology. Therefore, it will be the courts’ duty to specify these obligations in the course of the following years.

5
Q

What may an approved Certification mechanism be used for?

A

An approved Certification mechanism (see Sect. 3.9.3) may be used to specify these requirements and demonstrate compliance with the requirements of data protection through technology to the Supervisory Authorities, Art. 25 Sec. 3 GDPR. For example, technical default settings could be certified for being privacy-friendly and, thus, in compliance with the GDPR.

6
Q

How is Data Protection by Design and by Default (DPbDD) implemented?

A

In order to identify the appropriate scope for implementing technical data protection, entities should get an overview of their flow of personal data and evaluate it for additional data protection potential. Above all, pseudonymisation and anonymisation should be considered for complying with the principles of Art. 25 GDPR.

If applicable, entities should make use of the Data Protection Officer’s expertise (see Sect. 3.6) and consult the DPO as soon as possible, whenever and wherever appropriate, on potential technical data protection measures.

The concept of Privacy by Default can be technically implemented at any given moment throughout processing, which makes it somewhat more practical and might lead to its preferential use in practice, such as by changing previously used technical settings of software, applications, devices or user accounts into privacy-friendly default settings. Nevertheless, also before offering new services or products on the market, the development process should try to include a privacy-friendly design approach.

7
Q

What must the technical and organizational measures (TOM) guarantee?

A

Technical and organisational measures (TOM) shall guarantee the safeguarding of personal data. Article 32 GDPR obliges the controller and processor to undertake such measures. This is one of the most fundamental obligations under the GDPR. Its breach can result in fines of up to EUR 10,000,000.00 or 2% of the total worldwide annual turnover; see Art. 83 Sec. 4 GDPR. Whereas data protection through technology shall enforce data security in advance of the processing, technical and organisational measures must be taken throughout processing. The obligation of controller and processor includes their duty to ensure that any individual acting under their authority shall only process personal data according to the instructions of the controller, Art. 32 Sec. 4 GDPR.

8
Q

What are appropriate measures regarding data protection?

A

Appropriate measures include any action in connection with the collection, processing or use of personal data that provides an adequate level of protection of said data under the GDPR. Article 32 GDPR does not limit the scope of appropriate measures. Based on this open definition, a large variety of measures is available. Examples include the following:

– minimising the processing of personal data;
– pseudonymisation (as soon as possible) (see Sect. 2.1.2.2);
– enabling the data subject to monitor the data processing;
– creating and improving security features;
– the preventive concepts of Privacy by Design and Privacy by Default;
– construction measures to prevent unauthorised physical access to personal data, such as secured rooms, inspection bodies, access via password or employee identification, etc.;
– regular training of employees on data security;
– encoded data transfer;
– regular controls of the data security level, and so forth.

9
Q

What minimum requirements for the level of data security does Article 32 GDPR set out?

A

Article 32 Sec. 1 paraphrase 2 GDPR sets out minimum requirements for the level of data security. Those measures are particularly relevant for the safeguarding of data protection. The statutory enumeration is not exhaustive.

– Article 32 Sec. 1 lit. a GDPR—pseudonymisation and encryption: these measures are deemed especially effective when it comes to data security and are therefore recommended by the legislator. As with pseudonymisation (for details, see Sect. 2.1.2.2), encrypted data can still be attributed to a specific data subject. However, the data is altered by a cryptographic operation and, as a consequence, can no longer—especially when transmitted—be attributed without knowledge of the key for decryption.

– Article 32 Sec. 1 lit. b GDPR—ability to ensure ongoing confidentiality, integrity, availability and resilience of processing: confidentiality, integrity, availability and resilience are the key elements of modern processing services. This security target sets a high bar for IT systems. As those targets shall be ensured ‘ongoing’, they have to be set up carefully and in a durable manner.

– Article 32 Sec. 1 lit. c GDPR—ability to restore availability and access to personal data in a timely manner in case of a physical/technical incident: given that data loss is one of the biggest risks of IT systems, controllers and processors need to prepare for this situation, for example, through the implementation of back-up systems or an emergency power supply. There is no clarification as to what is meant by ‘timely manner’. However, entities should be able to establish immediately whether a data breach occurred, and its communication shall take place promptly. Therefore, the recovery of the data should happen as quickly as possible.

– Article 32 Sec. 1 lit. d GDPR—process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures: the permanent obligation to guarantee data security requires constant upkeep and maintenance of the implemented technical and organisational measures. The DPMS (see Sect. 3.2.1) will serve to fulfil this obligation. The frequency of these assessments depends on the level of risk for data security (see the following sub-heading) and could require adaptations over time.

Adherence to an approved Code of Conduct or Certification mechanism (see Sect. 3.9) can be used to demonstrate compliance with requirements for data security, Art. 32 Sec. 3 GDPR.

10
Q

What does it mean that the GDPR introduces risk-based approach for determining which technical and organizational measures are appropriate in the given situation?

A

The GDPR introduces a risk-based approach for determining which technical and organisational measures are appropriate in the given situation. The required level of data security needs to be identified on a case-by-case basis through an objective risk assessment. The assessment should primarily focus on potential risks for data subjects, but the risks for or imposed by third parties and controllers/processors will have to be taken into account as well.

11
Q

What are the risks?

A
  1. risks for data subjects
  2. risks imposed by third parties
  3. risks for controllers and processors
  4. data security concept
12
Q

What are the risks for data subjects?

A

Since data processing is putting the fundamental rights of data subjects at risk, account needs to be taken of their legitimate interest in data security. In particular, account should be taken of the risks presented from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, Art. 32 Sec. 2 GDPR.
Additionally, a more significant risk can be identified where

– discrimination, identity theft or fraud, financial loss, damage to the reputation or any other significant economic or social disadvantage is likely to arise;

– data subjects might be deprived of their rights or freedoms or prevented from exercising control over their personal data;

– special categories of personal data (see Art. 9 Sec. 1 GDPR) are involved;

– personal aspects, such as preferences of the data subject, are evaluated;

– personal data of children or other vulnerable persons are processed;

– a large amount of data or a large number of persons are affected.

13
Q

What are the risks imposed by third parties?

A

However, not only the interests of data subjects have to be taken into account for the
risk evaluation. Identifiable risks imposed by third parties may be a factor for the
evaluation as well, such as situations where governmental intervention might take
place (e.g., telecommunications data, passenger name records from air traffic).

14
Q

What are the risks for controllers and processors?

A

Furthermore, the impending risks for controllers and processors themselves need to be considered. Factors for developing appropriate measures are the costs of implementation and the nature, scope, context and purposes of the processing, Art. 32 Sec. 1 GDPR. The risks for controllers and processors often correspond with the risks for data subjects, for example:

– legal risks resulting from non-compliance with data protection obligations (e.g., fines, punishments, …);

– financial risks (e.g., claims for damages, costs for the improvement of the DPMS, …);

– business risks (e.g., risks for the business reputation, failure to achieve business goals, overwhelming workload for the management, …).

However, even though the interests of controllers and processors play a role in risk evaluation, they cannot be used to justify an impairment of the data protection level established under the GDPR.

15
Q

What is the data security concept risk?

A

The balancing of interests shall only serve to achieve data security in a proportionate way. It permits a differentiation of obligations to find a reasonable balance between the efforts for and the benefits of data security measures for the Regulation’s addressees.
The results of the risk evaluation shall serve as the basis for developing an appropriate data security concept. For this purpose, it is useful to classify data processing activities according to their risk potential (very high risks/high risks/medium risks/low risks, …) and develop a corresponding security concept for each of these classes. This will play a key role in the DPMS (see Sect. 3.2.1). The efforts for implementing data protection measures shall be limited to what can economically be reasonably expected from the controller/processor.

16
Q

What is the NIS directive?

A

In July 2016, the EU adopted Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) to define common cyber-security standards.
A high level of data security and a high level of IT security are mutually dependent: the most elaborate data protection system cannot protect data subjects if the IT system processing the personal data can be easily hacked. Thus, through the parallel application of the GDPR and the NIS Directive, both acts simultaneously oblige controllers and processors to implement technical and organisational measures.

17
Q

How can the NIS directive be implemented into national law?

A

As briefly mentioned in Sect. 1.1, European directives are not directly applicable
but have to be transposed into national law by the EU Member States. As a
consequence, the implementation of the NIS Directive is necessary and has to be
completed by 9 May 2018. Just as with the Data Protection Directive (see Sect. 1.1),
the implementation into the different national laws entails the risk of inconsistent
levels of protection throughout the EU Member States. National differences might
impair legal certainty and the NIS Directive’s effectiveness. Time will tell whether
the NIS Directive can sufficiently guarantee effective IT security standards
throughout the EU.

18
Q

What is the limited scope of application of the NIS directive?

A

The scope of application of the NIS Directive is limited and only affects certain categories of entities. It obliges ‘operators of essential services’ and digital service providers to implement, based on the available standard of technology, appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems that they use in their operations, Arts. 14 Sec. 1, 16 Sec. 1 NIS Directive. Just like the GDPR, the NIS Directive is using a risk-based approach towards IT security. In greater detail, it is applicable to the following:

  • Network and information systems: those are electronic communication networks (cable, radio, Internet, optical, electromagnetic equipment, etc.) or devices that, pursuant to a program, perform automatic processing of digital data, as well as digital data processed for the purposes of their operation, used by

    – operators of essential services: public or private entities providing IT- or network-system-based services that are essential for the maintenance of critical societal/economic activities and where an incident would have significant disruptive effects on the provision of those services, the latter being located in the sectors of energy (electricity, oil, gas), transport services (air, rail, water and road transport), banking, financial market infrastructures, health, drinking water supply and distribution, as well as digital infrastructure; or

    – digital service providers: the providers of online marketplaces, online search engines and cloud computing services. The NIS Directive also applies to digital service providers established outside the EU that are offering their services within the EU.

19
Q

What are the IT security obligations and sanctions?

A

The NIS Directive shall ensure a high level of network security, as well as a maximum of service availability for the users of digital services and essential services. Thus, the operators of essential services and digital service providers have to implement appropriate risk-based technical and organisational measures that correspond to the available state of the art; see Art. 14 Sec. 1, 16 Sec. 1 NIS Directive.
Moreover, both categories of service providers have to notify incidents with a significant effect on service continuity to the competent (national) authorities, Art. 14 Secs. 2, 3; Art. 16 Secs. 2, 3 NIS Directive. Significance is to be determined, among other factors, based on the number of users affected, the duration of the incident and its geographic spread.
The EU Member States shall implement rules on penalties applicable to infringements of the IT security obligations under the NIS Directive that shall be effective, proportionate and dissuasive, Art. 21 NIS Directive. It remains to be seen how high the penalties in the different EU Member States will be.