Keynote on data protection and data integrity @ Paperless Lab Academy 2016

1. DATA PROTECTION &
DATA INTEGRITY
20 April 2016, Paperless Lab
Academy
Sofie van der Meulen
www.axonlawyers.com
#PaperlessLabAcademy@sofievdmeulen

2. Overview
• From DPD to GDPR: personal data
• Anonymisation & pseudonomysation
• Consent
• Research data
• Data transfers
• Security
• New rules on data breaches

3. 3

4. Time to say goodbye…
4
to the Data Protection Directive!

5. Well… almost.
• 2012: EC proposed GDPR
• Council position 6 April = latest available text GDPR
http://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=consil:ST_5419_2016_INIT
• Adopted in plenary on 14 April 2016
• Currently: waiting for publication in the Official Journal of the
European Union (OJEU)
• Entry into force: 20 days after the date of publication in the OJEU,
the Regulation
• Apply from: 2 years after the date of its entry into force (2018)
5

6. Personal data?
Personal data under DPD:
any information relating to an identified or identifiable natural
person ('data subject'); whether directly or indirectly identifiable.
“data relates to an individual if it refers to the identity, characteristics
or behaviour of an individual or if such information is used to
determine or influence the way in which that person is treated or
evaluated” (WP136)
Future scope of ‘personal data’ under GDPR?

7. Personal data under GDPR
Definitions for:
• Data concerning health – (sensitive data)
• Genetic data – (sensitive data)
• Biometric data
• Personal data:
7

8. Anonymous information
Recital 26 GDPR:
‘The principles of data protection should not apply to anonymous
information, namely information which does not relate to an
identified or identifiable natural person or to personal data rendered
anonymous in such a manner that the data subject is not or no
longer identifiable.
This Regulation does not therefore concern the processing of such
anonymous information, including for statistical or research
purposes.’
8

9. Anonymous?
9
Zip code, Date of Birth &
Gender are sufficient to
identify a large part of the
population..

10. Anonymisation
Anonymisation criteria WP29 Opinion 05/2014:
• Is it still possible to single out an individual?
• Is it still possible to link records relating to an individual?
• Can information about an individual be inferred?
Outcome after technique is applied: be as permanent as erasure of
the personal data – it should make processing of personal data
impossible. <- Realistic?
Absolute anonymisation is impossible -> focus on mitigating risks of
re-identification.
It’s not a one off exercise!
10

11. Pseudonomysation
GDPR: processing of personal data in such a manner that the
personal data can
• no longer be attributed to a specific data subject
• without the use of additional information,
• provided that such additional information is kept separately and
• is subject to technical and organizational measures to ensure
that the personal data are not attributed to an identified or
identifiable natural person
= security measure to reduce the linkability of a dataset to the
original identity of a data subject
11

12. Consent 
‘GDPR: ‘means any freely given, specific,
informed and unambiguous indication of the
data subject's wishes by which he or she, by a statement or by a
clear affirmative action, signifies agreement to the processing of
personal data relating to him or her’
Recitals 32 and 42 GDPR:
• silence, pre-ticked boxes or inactivity -> do not constitute
consent.
• Processing more purposes? Consent should be given for all of
them!
• Controller should be able to demonstrate consent.
12

13. DPD: health data
Health data is special category of data - processing prohibited
UNLESS
Explicit consent
OR
Medical treatment exemption:
Processing of the data is required for the purposes of preventive
medicine, medical diagnosis, the provision of care or treatment or
the management of health-care services, and those data are
processed by a health professional subject under national law or
rules established by national competent bodies to the obligation of
professional secrecy or by another person also subject to an
equivalent obligation of secrecy.

14. DPD: Scope of ‘health data’?
European Court of Justice in Case C-101/01 (Lindqvist):
‘In the light of the purpose of the directive, the expression “data
concerning health” used in Article 8(1) thereof must be given a wide
interpretation so as to include information concerning all aspects,
both physical and mental, of the health of an individual.’
Letter of WP29 of 5 February 2015 on data collected by mHealth
apps. Health data includes:
• Medical data: ‘data about the physical or mental health status of
a data subject (…) generated in a professional, medical context
• Health related data used in an administrative context
(information to public entities)
• Data about the purchase of medical products and services
provided that the health status can be determined

15. Health data case
study
Performance data becomes health data

16. Future scope of ‘health data’

17. GDPR: Research
Consent & research purposes:
17

18. GDPR: Research
Purpose limitation:
18

19. GDPR: Research
Data minimisation should be ensured
19

20. Research – ‘Right to be forgotten’
Article 17 (1) GDPR: The data subject has the right to obtain the
erasure of personal without undue delay from the controller.
Last year: risk that statistical analyses will be “depowered” as a
result of exercise of right to withdraw consent and erasure of data.
Result, clinical trials and clinical investigations will be
conducted outside Europe to avoid any such risk.
Now: the ‘right to be forgotten’ does not apply if the processing takes
place:
‘for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with
Article 89(1) in so far as the right referred to in paragraph 1 is likely
to render impossible or seriously impair the achievement of the
objectives of that processing.’

21. Data transfer outside EU & security
• Surveillance practices (PRISM)
Safe harbor for transfer to US?
Safe Harbor Certification merely means that the transfer of personal
data to the US is allowed in principle because it demonstrates the
adequacy of the US as jurisdiction
• Facebook case (Schrems, C-362/14) invalidates Safe Harbor
transfer mechanism
Alternatives:
• Data transfer agreement based on European
Commission’s standard contractual clauses
• Binding corporate rules blessed by a DPA
• “Privacy Shield” still not up and running

22. Security
Data controllers and processors should implement appropriate
technical & organizational measures to protect data from loss or
any form of unlawful processing.
Security measures should take into account:
• Nature of the data to be protected
• State of the art
• Aim to prevent unnecessary collection and further processing of
personal data
• Overriding principle: Plan-Do-Check-Act

23. The Guardian 18 February 2016

24. 26 February 2016

25. Data breaches
NL: Legislative proposal adopted amending the Data Protection
Act and Telecommunications Act by incorporating a notification
obligation for data controllers in case of data breaches.
Until now: hundreds of notifications!
The Data Protection Authority can impose administrative fines up to
EUR 820.000 in case of violation of the notification obligation.
Notification obligation applies if:
• Security breach
• Entity in public or private sector (companies, governmental
organizations)
• The infringement leads to a significant risk of adverse impact on
the protection of personal data processed by the organization
(theft, loss or abuse of personal data).

26. GDPR – Data breaches
Recital 85 & 86 GDPR:
• If not addressed a data breach may lead to damage to natural
persons such as loss over control over their personal data,
financial loss, unauthorized reversal of pseudonymisation,
damage to reputation and loss of confidentiality.
• Communicating a data breach to the person concerned in case
of high risk of damage. -> person can take precautions.
• Otherwise: notify supervisory authority.
26

27. Sofie van der Meulen
Axon Advocaten
Piet Heinkade 183
1019 HC Amsterdam
+31 88 650 6500
+31 6 53 44 05 67
sofie.vandermeulen@axonlawyers.com
THANK YOU FOR YOUR ATTENTION!

28. Legal stuff
• The information in this presentation is provided for information
purposes only.
• The information is not exhaustive. While every endeavour is made
to ensure that the information is correct at the time of publication,
the legal position may change as a result of matters including new
legislative developments, new case law, local implementation
variations or other developments.
• The information does not take into account the specifics of any
person's position and may be wholly inappropriate for your
particular circumstances.
• The information is not intended to be legal advice, cannot be
relied on as legal advice and should not be a substitute for legal
advice.