"1. Everyone has the right to the protection of personal data concerning him or her."
Charter of Fundamental Rights of the European Union, Article 8(1), Title II[1]
[1] Charter of Fundamental Rights of the European Union. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT
[2] P. Galdies. A Summary of the EU General Data Protection Regulation. https://www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
GDPR, Article 1(3):
"3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data."[3]
[3] General Data Protection Regulation. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG&toc=OJ%3AL%3A2016%3A119%3ATOC
[4] What is GDPR (General Data Protection Regulation)? Understanding and Complying with GDPR Data Protection Requirements. https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
[5] GDPR FAQs. https://www.eugdpr.org/gdpr-faqs.html
[6] What is GDPR (General Data Protection Regulation)? Understanding and Complying with GDPR Data Protection Requirements. Supra note 2 at 1.
REQUIREMENTS OF THE GENERAL DATA PROTECTION REGULATION
The GDPR itself contains 11 chapters and 99 articles. The following are some of the chapters and articles with the greatest potential impact on security operations:
[7] GDPR FAQs. Supra note 4, at 2.
Article 37 – Article 37 requires certain organisations to appoint a data protection officer. Specifically, any public authority, and any controller or processor whose core activities consist of large-scale processing of special categories of data (genetic data, health data, data revealing racial or ethnic origin, religious beliefs, etc.) or of data relating to criminal convictions, or of regular and systematic monitoring of data subjects on a large scale, must designate a data protection officer. These officers advise the organisation on compliance with the regulation and act as its point of contact for the supervisory authorities (SAs). Some companies may be brought within this aspect of the GDPR through the personal information they collect about their employees as part of human resources processes, depending on the scale of that processing and on the national law that applies to them.
PENALTIES
[8] P. Galdies. A Summary of the EU General Data Protection Regulation. https://www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
[9] N. Lord. What is GDPR (General Data Protection Regulation)? Understanding and Complying with GDPR Data Protection Requirements. https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
for not having their records of processing in order (Article 30), not notifying the supervisory authority and the data subject about a breach (Articles 33 and 34), or not conducting a data protection impact assessment (Article 35). It is important to note that these rules apply to both controllers and processors, meaning cloud providers acting as processors will not be exempt from GDPR enforcement.[10]
CONSUMER PROTECTION
[10] GDPR FAQs. Supra note 4 at 2.
[11] GDPR FAQs. Supra note 4 at 2.
[12] Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12012E%2FTXT
IV. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 (the E-Commerce Directive)
KEY POINTS
Online contracts
These contracts must also spell out the following, in clear and understandable terms:
3. how consumers can identify and correct typing errors before placing their order;
4. the languages in which the contract can be signed.
Consumers must be able to save and print out contracts and general conditions.[14]
[13] http://www.europarl.europa.eu/atyourservice/en/displayFtu.html?ftuId=FTU_2.2.2.html
[14] http://eur-lex.europa.eu/legal-content/en/TXT/?uri=LEGISSUM%3Al24204
[15] http://www.europarl.europa.eu/atyourservice/en/displayFtu.html?ftuId=FTU_2.2.2.html
KEY POINTS
Certain consumers enjoy a higher level of protection because of their particular vulnerability to the practice or the product, their age (children or the elderly), their naivety, or their mental or physical infirmity.
1. Misleading actions
2. Misleading omissions
What are the penalties for failure to comply, and what is the enforcement picture?
Failing to comply with the Regulations could result in a fine for culpable traders and/or their "consenting, conniving" or negligent directors and senior managers of up to £5,000 on summary conviction or, on indictment, a fine and/or up to two years' imprisonment.
Enforcement is by publicly funded consumer protection authorities such as the "Trading Standards" departments of local government authorities and the "Office of Fair Trading" (whose consumer enforcement functions passed to the Competition and Markets Authority in 2014), the closest thing the UK has to the Federal Trade Commission.
KEY POINTS
Electronic identification
eID issued in one EU country must be recognized in all the others. This applies only if the eID meets the regulation's requirements and has been notified to the Commission and published in a list. Mutual recognition of eIDs will be mandatory from 28 September 2018 and will facilitate secure electronic transactions across the EU.
Notification
When notifying the Commission of eID schemes, EU countries must provide information on aspects such as:
the level of assurance and the issuer of the eID under that scheme;
the applicable supervisory and liability systems;
the body managing the registration of unique personal ID data.[18]
[18] Micheal McKee. New EU regulation for electronic signatures. https://www.dlapiper.com/en/us/insights/publications/2015/08/new-eu-regulation-for-electronic-signatures/
In the event of a security breach of the eID scheme or authentication,
the notifying EU country must:
quickly suspend/revoke the EU-wide authentication or the
compromised parts of the scheme; and
inform other EU countries and the Commission.
Liability
In any transaction between EU countries where there is a failure to comply
with the regulation’s obligations, the following parties can be held liable
for any damage caused intentionally or negligently to any person or body:
a notifying EU country;
the party issuing the eID;
the party managing the authentication procedure.
Trust services
The regulation defines trust services as paid-for services that include:
the creation, verification and validation of electronic signatures,
electronic seals or electronic time stamps, electronic registered delivery
services and certificates related to those services; or
the creation, verification and validation of certificates for website
authentication; or
the preservation of electronic signatures, seals or certificates related to
those services.
A new, voluntary EU trust mark will identify the qualified trust services
provided by the relevant providers.
KEY TERM
Electronic identification (eID): tangible or intangible forms of identification containing personal ID data, used for authentication for an online service.
VII. Directive 2002/58/EC of the European Parliament and of the
Council of 12 July 2002 (Directive on privacy and electronic
communications) or “E-PRIVACY DIRECTIVE”
Traffic and location data: this data must be erased or made anonymous
when no longer required for communication or billing purposes, except if the
subscriber has given consent for another use.
[19] https://epic.org/international/eu_privacy_and_electronic_comm.html
[20] https://ec.europa.eu/digital-single-market/news/eprivacy-directive
AMENDMENTS (Article 5(3), as amended by Directive 2009/136/EC):
‘3. Member States shall ensure that the storing of information, or the
gaining of access to information already stored, in the terminal equipment of
a subscriber or user is only allowed on condition that the subscriber or user
concerned has given his or her consent, having been provided with clear and
comprehensive information, in accordance with Directive 95/46/EC, inter
alia, about the purposes of the processing. This shall not prevent any
technical storage or access for the sole purpose of carrying out the
transmission of a communication over an electronic communications
network, or as strictly necessary in order for the provider of an information
society service explicitly requested by the subscriber or user to provide the
service.’[21]
The intent behind the law is to give consumers more options to protect their data privacy. Cookies enable websites to gather data about visitors and users. Much of this data is gathered without any user awareness, and more and more companies are learning to exploit the value of that data.
The law aims to let consumers strike a new bargain with these businesses: it requires businesses to tell consumers what is being gathered, and enables consumers to choose whether or not to participate.[22]
[21] http://eur-lex.europa.eu/legal-content/EN/TXT/ELI/?eliuri=eli:dir:2009:136:oj
[22] https://www.cookielaw.org/faq/
What is a cookie?
The laws apply across the EU, although they are implemented differently in each country. All businesses in the EU therefore need to comply with the regulations, and are bound by those of their own country. So all UK businesses have to ensure they at least meet the requirements of the UK legislation. However, in theory at least, any business anywhere that has a website serving customers within any EU country is required to comply with the legislation with respect to those EU visitors and that country. So a US website with UK visitors ought to be asking for consent from those UK visitors according to the UK legislation.
The EU cookie legislation requires four actions from website owners who use cookies:
1. When someone visits your website, you need to let them know that your site uses cookies.
2. You need to provide detailed information about how that cookie data will be used.
3. You need to provide visitors with some means of accepting or refusing the use of cookies on your site.
4. If they refuse, you need to ensure that cookies will not be placed on their machine.
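The four actions above map onto a small piece of client logic: a declared catalogue of cookies, a notice generated from it, a recorded choice, and one choke point that refuses to write anything non-essential without consent. The following is an added example written for this page, not code from the cited guides or from any of the consent plugins mentioned later. The cookie names, categories and purposes in its catalogue are illustrative assumptions, and the storage "jar" is injected so the same gate can wrap document.cookie in a browser or, as here, an in-memory map for offline testing.

```javascript
'use strict';
// Consent gate for the four obligations listed above. Added example written
// for this page; not code from the cited guides or from any cookie plugin.
// Cookie names, categories and purposes in COOKIE_CATALOG are illustrative
// assumptions. The storage "jar" is injected so the same gate can wrap
// document.cookie in a browser or, as here, an in-memory map for testing.

// Every cookie the site sets must be declared here with its purpose.
// 'necessary' is the Article 5(3) exemption: strictly required to deliver a
// service the user explicitly asked for. Everything else waits for consent.
const COOKIE_CATALOG = {
  session_id:     { category: 'necessary',   purpose: 'keeps you signed in' },
  cookie_consent: { category: 'necessary',   purpose: 'remembers your cookie choice' },
  _ga:            { category: 'analytics',   purpose: 'anonymous usage statistics' },
  ad_id:          { category: 'advertising', purpose: 'interest-based advertising' },
};

// Minimal jar with the surface a document.cookie wrapper would expose.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

class ConsentGate {
  constructor(jar, catalog = COOKIE_CATALOG) {
    this.jar = jar;
    this.catalog = catalog;
    this.consent = null; // null: the visitor has not made a choice yet
  }

  // Obligations 1 and 2: the notice text is generated from the catalog, so
  // what the banner says cannot drift from what the site actually sets.
  noticeText() {
    const byCategory = {};
    for (const [name, meta] of Object.entries(this.catalog)) {
      (byCategory[meta.category] = byCategory[meta.category] || [])
        .push(`${name} (${meta.purpose})`);
    }
    return Object.entries(byCategory)
      .map(([category, list]) => `${category}: ${list.join(', ')}`)
      .join('\n');
  }

  // Obligation 3: record the visitor's choice. The record is itself a
  // necessary cookie, so it is written whatever the choice was. Narrowing
  // or withdrawing consent also purges cookies that were already set.
  recordChoice(allowedCategories) {
    this.consent = new Set(allowedCategories);
    this.jar.set('cookie_consent', JSON.stringify([...this.consent]));
    for (const name of this.jar.names()) {
      const meta = this.catalog[name];
      if (meta && meta.category !== 'necessary' && !this.consent.has(meta.category)) {
        this.jar.remove(name);
      }
    }
  }

  // Obligation 4: the single choke point through which the site sets cookies.
  // Returns true if the cookie was written, false if consent is missing.
  setCookie(name, value) {
    const meta = this.catalog[name];
    if (!meta) {
      // Undeclared cookies are how sites drift out of compliance: fail closed.
      throw new Error(`undeclared cookie "${name}": add it to COOKIE_CATALOG`);
    }
    const allowed = meta.category === 'necessary' ||
      (this.consent !== null && this.consent.has(meta.category));
    if (!allowed) return false;
    this.jar.set(name, value);
    return true;
  }
}

// Walk-through against an in-memory jar (constructed sample, not real traffic).
function demo() {
  const jar = memoryJar();
  const gate = new ConsentGate(jar);
  const beforeConsent = [gate.setCookie('session_id', 'abc'), gate.setCookie('_ga', 'GA1.2')];
  gate.recordChoice(['analytics']);   // visitor allows analytics only
  const afterConsent = [gate.setCookie('_ga', 'GA1.2'), gate.setCookie('ad_id', '42')];
  gate.recordChoice([]);              // visitor later withdraws consent
  return { beforeConsent, afterConsent, cookiesLeft: jar.names().sort() };
}
```

The property that matters is that setCookie is the only path by which the site writes cookies and that it fails closed: an undeclared cookie throws instead of silently bypassing the notice, a refusal really does keep the cookie off the machine (action 4), and withdrawing consent deletes what was already set rather than merely hiding the banner.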
Put simply, it's the law. Any website not compliant is open to enforcement action from the regulators. In the UK, for example, the Information Commissioner's Office (ICO) has powers to force websites to change, or it can impose a fine of up to £500,000 in the most serious cases. However, there is no indication that this is going to happen any time soon.[23]
Compliance is also increasingly a matter of meeting visitor expectations for respect for privacy preferences. In fact it is likely that this will quickly become a key business driver for site owners, as they will otherwise risk losing visitors.[24]
[23] Ultimate Guide to EU Cookie Laws. https://privacypolicies.com/blog/eu-cookie-law/
This seems pretty obvious, but it may not be as easy as you think. If you just have a simple, static website, getting rid of your cookies should be easy. Use the Google Chrome method above to find out where cookies exist, and remove that code. It may be as simple as removing a comments field or a rarely used "like" button.
However, if your website has anything more complicated than static HTML, getting rid of your cookies will be a lot harder, and you have to consider what you will be sacrificing in the process. If you post a daily blog to your site, cookies are essential for comments. Do you want to lose comments just to avoid telling your visitors about cookies? Probably not.
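One way to do the "find out where cookies exist" step without clicking through a browser is to read the Set-Cookie headers the site's responses actually send and turn them into the inventory the notice has to describe: which cookies are set, by whom, for how long, and whether they carry the security attributes a reviewer would expect. This is an added example written for this page, not code from the cited guide; the host name and header values below are constructed samples, and the field names follow RFC 6265 attribute names.

```javascript
'use strict';
// Cookie inventory from Set-Cookie headers. Added example for this page, not
// code from the cited guide. The site host and headers are constructed
// samples standing in for what a crawl of the site's responses would collect.

const SAMPLE_SITE_HOST = 'www.example.com';
const SAMPLE_SET_COOKIE_HEADERS = [
  'session_id=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax',
  '_ga=GA1.2.12345.67890; Domain=.example.com; Path=/; Max-Age=63072000',
  'ad_id=xyz; Domain=.ads.example-net.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; SameSite=None; Secure',
  'theme=dark; Path=/',
];

// Parse one Set-Cookie value into its name, value and normalised attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: (eq >= 0 ? pair.slice(0, eq) : pair).trim(),
    value: eq >= 0 ? pair.slice(eq + 1).trim() : '',
    domain: null, path: '/', secure: false, httpOnly: false, sameSite: null,
    maxAge: null, expires: null,
  };
  for (const part of attrParts) {
    const [rawKey, ...rest] = part.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    switch (key) {
      case 'domain':   cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'path':     cookie.path = val || '/'; break;
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val.toLowerCase(); break;
      case 'max-age':  cookie.maxAge = Number.parseInt(val, 10); break;
      case 'expires':  cookie.expires = new Date(val); break;
    }
  }
  return cookie;
}

// A cookie is first-party when it is host-only or its Domain attribute
// covers the site host; anything else is set on behalf of a third party.
function isThirdParty(cookie, siteHost) {
  if (!cookie.domain) return false;
  return !(siteHost === cookie.domain || siteHost.endsWith('.' + cookie.domain));
}

// Session cookies vanish when the browser closes; persistent ones need a
// declared retention period in the cookie notice.
function lifetime(cookie) {
  if (cookie.maxAge !== null) return `${cookie.maxAge}s`;
  if (cookie.expires && !Number.isNaN(cookie.expires.getTime())) {
    return 'until ' + cookie.expires.toISOString();
  }
  return 'session';
}

// Build the inventory: one row per cookie, with the facts the notice must
// state (party, lifetime) and the attribute findings a security review adds.
// The purpose column is deliberately left for the site owner to fill in:
// headers cannot tell you why a cookie exists, only that it does.
function inventory(headers, siteHost) {
  return headers.map(parseSetCookie).map((c) => {
    const findings = [];
    if (!c.secure) findings.push('missing Secure');
    if (!c.httpOnly) findings.push('readable by script (no HttpOnly)');
    if (!c.sameSite) findings.push('no SameSite attribute');
    if (c.sameSite === 'none' && !c.secure) findings.push('SameSite=None requires Secure');
    return {
      name: c.name,
      party: isThirdParty(c, siteHost) ? 'third-party' : 'first-party',
      lifetime: lifetime(c),
      purpose: null,
      findings,
    };
  });
}
```

Run inventory over the headers captured from every page of the site and you have the starting point for actions 2 and 3: the rows with purpose still empty are the cookies nobody can yet explain to a visitor, and the third-party rows are the ones most likely to need consent.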
First, you need to let users know that cookies are being used. This can be done through a pop-up, header bar, or similar technology. The wording does not need to be complex or even detailed at this point; details can be provided elsewhere. The important thing is that the notice exists and that it includes the option to opt out of cookies.
If you're not sure what that would look like, there's a good example from the ICO, the UK regulator responsible for enforcing the cookie legislation. When you first access its website, the following pop-up appears:
[24] Supra note 22, at 15. https://www.cookielaw.org/faq/
Option 3 – Get Implied Consent
Depending on your country’s interpretation of the law, you may only need to
get a user’s “implied consent.” Rather than forcing every user to click
“accept” before they can access your site, you can instead display a short
message informing them that cookies are being used, typically through a
header bar or some other non-obstructive method. After a predefined period
of time, which may be as short as a few seconds, the announcement can
disappear. If the user remains on your site, consent is implied.
This is the method the UK government uses; however, before you decide to
take this route, you should check with your local regulator to ensure it meets
your country’s requirements.
Including a pop-up may not provide the best user experience, so some companies have opted to include the cookie disclosure within their terms and conditions. This can be an effective and non-intrusive method, but there are a couple of caveats.
First, users have to agree to the use of cookies, so if you include the
information in your T&Cs, you need a way for users to approve your T&Cs.
This is usually done as part of a sign-up or registration process. If your
website does not require users to sign up, this option probably won’t work
for you.
Second, you cannot simply add the cookie language to your existing terms
and conditions, because you need to gain consent specifically for the use of
cookies. This means, if you already have users who have agreed to your T&Cs,
after adding the cookie language you will need to prompt them to review and
agree to the new T&Cs.
There are plenty of applications and plugins available that can help you comply with cookie laws. Depending on the program, they may be able to assist you with tasks such as identifying cookies on your website, creating a detailed list of how your cookies are used, informing users about cookie use, and obtaining their consent. Some programs will even adjust settings and information as cookies change.
Programs like Cookie Consent and Cookie Control can help you automate the consent process. If you're running WordPress, there are a number of plugins available, such as Cookie Law Info. Many of these programs are available for free or at low cost, and can make the entire process much simpler.[25]
[25] Supra note 23, at 16. https://privacypolicies.com/blog/eu-cookie-law/