DOCSLIB.ORG

Bird & Bird Guide to the General Data Protection Regulation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Guide to the General Data Protection Regulation May 2020 The General Data Protection Regulation (GDPR) is the latest version of Europe’s cornerstone data protection law. It took effect in May 2018, a marathon six and a half years after the European Commission’s original first draft was published following an unprecedented period of debate, negotiation and lobbying. This guide summarises that Regulation - a law which has significantly overhauled Europe’s data protection rules at a time when information systems and digital business underpin human life. As with the legislation which the GDPR replaced, many jurisdictions outside the European Union (EU) have followed concepts which it introduced. So understanding the GDPR and how it is enforced is important for businesses around the world. The changes which were ushered in by the GDPR on European regulators sitting as the EDPB (and it predecessor 25 May 2018 were both substantial and ambitious. The the Article 29 Working Party) as at the date shown on the Regulation is one of the most wide ranging pieces of front of this guide. We recommend that these materials be legislation passed by the EU and concepts such as the ‘right studied for more detail as to how supervisory authorities to be forgotten’, data portability, data breach notification interpret the GDPR. and accountability (to call out only a few) were significant developments. Even its legal medium - a regulation not a European data protection law has always been written using directive - made the GDPR an unusual piece of legislation a certain amount of jargon and bespoke definitions, and the for data protection lawyers to analyse. Since the Regulation GDPR is no different. To help those new to this language we allows EU Member States to introduce their own derogations have also included a glossary of terms which can be found at from those which are set out in the GDPR, for instance in the back of this guide. relation to HR data processing, data protection law remains multi layered in Europe. As further guidance on the GDPR and implementing provisions emerge from law makers, regulators and the This guide seeks to summarise key aspects of the GDPR and courts, we will continue to update this guide. If you would to highlight the most important actions which organisations like to receive updates from us, please let us know. In the should take in seeking to comply with it. meantime, we hope that you will find this guide useful. We have divided our summary into sections which broadly follow those used by the Regulation, but with each sub- divided into themes. Each sub-section starts with a speed read summary, a list of suggested priority action points and our assessment of the degree of change which the analysed section of the GDPR brought as compared to its predecessor legislation in the form of a pressure dial - ranging from green, indicating a small change, to red, indicating a significant change. We have also included a signpost in each sub-section to guide you to where you can find relevant source material within the Regulation. Also included are Ruth Boardman James Mullock Ariane Mole details of some of the key guidance materials published by Partner, UK Partner, UK Partner, FR 4 - © 2020 Bird & Bird All Rights Reserved Table of contents Scope, timetable and new concepts Data transfers » Material and territorial scope » Transfers of personal data » New and significantly changed concepts Regulators Principles » Appointment of supervisory authorities » Data protection principles » Competence, tasks and powers » Lawfulness of processing and further processing » Co-operation and consistency between » Legitimate interests supervisory authorities » » Consent European Data Protection Board » Children » Special categories of data and lawful processing Enforcement » Remedies and liabilities » Administrative fines Individual rights » Information notices » Subject access, rectification and portability Special cases » Rights to object » Derogations and special conditions » Right to erasure and right to restriction of processing » Profiling and automated decision-taking Delegated acts and implementing act » Delegated acts, implementing Accountability, security and breach notification acts and final provisions » Data governance obligations » Personal data breaches and notification Glossary » Codes of conduct and certifications The information given in this document concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter. Bird & Bird assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information. Bird & Bird is, unless otherwise stated, the owner of copyright of this document and its contents. No part of this document may be published, distributed, extracted, re-utilised, or reproduced in any material form, except with our express prior written approval. © 2020 Bird & Bird All Rights Reserved - 5 Scope, timetable and new concepts | Material and territorial scope Material and territorial scope At a glance To do list • As compared to Directive 95/46/EC (the “Data Organisations (i) with an EU Protection Directive”) which it replaces, the GDPR establishment or (ii) without an EU seeks to extend the reach of EU data protection law. presence but who target with goods/ services or monitor EU individuals, − An EU based data controller and processor falls should: into its scope where personal data is processed • understand the impact of the GDPR; “in the context of its activities” a broadly and interpreted test. • determine an approach to compliance. − Where no EU presence exists, the GDPR will still apply whenever: (1) an EU resident’s Organisations working in areas personal data is processed in connection where “special”/sectoral rules are with goods/services offered to him/her; or (2) common, should: the behaviour of individuals within the EU is “monitored”. • assess if they require specific Member State laws and advocate these if • Despite being a Regulation, the GDPR allows necessary (where this is still possible); Member States to legislate in many areas. This will and challenge the GDPR’s aim of consistency, in areas • keep a watching brief on such laws such as employee data processing. being promulgated in ways which may be unhelpful for them. • The GDPR does not apply to certain activities – including processing covered by the Law Enforcement Agencies (“LEA”) Directive, for national security purposes and processing carried out by individuals purely for personal/ household activities. • The GDPR came into effect on 25 May 2018. 1 - © 2020 Bird & Bird All Rights Reserved Scope, timetable and new concepts | Material and territorial scope Territorial scope For this update, we have factored in the final EDPB previously found that a website is not an establishment. The guidelines on territorial scope published in November 2019. EDPB provides the example of a hotel chain that targets EU consumers but has no presence in the EU. The correct EU “established” controllers or processors analysis would be under Article 3(2) (the extraterritorial provisions), not Article 3(1). The EDPB Guidelines also Pursuant to Article 3(1), the GDPR will apply to organisations confirm that just because an organization may be considered which have EU “establishments”, where personal data “established” for one activity will not render all its activities are processed “in the context of the activities” of such subject to GDPR. an establishment. If this test is met, the GDPR applies irrespective of whether Non-EU “established” organisations who the actual data processing takes place in the EU or not. target or monitor EU data subjects “Establishment” was considered by the Court of Justice of Pursuant to Article 3(2), non-EU established organisations will the European Union (“CJEU”) in the 2015 case of Weltimmo be subject to the GDPR where they process personal data v NAIH (C-230/14). This confirmed that establishment is about EU data subjects in connection with: a “broad” and “flexible” phrase that should not depend on legal form. An organisation may be “established” where it • the “offering of goods or services” (payment is not required); exercises “any real and effective activity – even a minimal or one” – through “stable arrangements” in the EU. The presence of a single representative may be sufficient. In that • “monitoring” their behaviour within the EU. case, Weltimmo was considered to be established in Hungary notwithstanding that it was incorporated in Slovakia. A/ For offering of goods and services (but not monitoring), mere accessibility of a site from within the EU is not sufficient. The EDPB guidelines align with the above case law, finding that “the threshold for ‘stable arrangement’ can be quite low It must be apparent that the organisation “envisages” that when the centre of activities of a controller concerns the activities will be directed to EU data subjects. In other words, provision of services online”. In some cases, “the presence it should be looked for signs of intent. As listed in the EDPB of a single employee or agent acts with a sufficient degree guidelines, relevant factors include: of stability” will suffice. However the EDPB does clarify that the mere presence of an employee in the EEA may not be • references to the EU or a Member State in promotional sufficient; the processing must also be carried out in the
Recommended publications
  • Identity Theft Literature Review

    Identity Theft Literature Review

    The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: Document Title: Identity Theft Literature Review Author(s): Graeme R. Newman, Megan M. McNally Document No.: 210459 Date Received: July 2005 Award Number: 2005-TO-008 This report has not been published by the U.S. Department of Justice. To provide better customer service, NCJRS has made this Federally- funded grant final report available electronically in addition to traditional paper copies. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. IDENTITY THEFT LITERATURE REVIEW Prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement January 27-28, 2005 Graeme R. Newman School of Criminal Justice, University at Albany Megan M. McNally School of Criminal Justice, Rutgers University, Newark This project was supported by Contract #2005-TO-008 awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. Points of view in this document are those of the author and do not necessarily represent the official position or policies of the U.S.
  • The Right to Be Forgotten in the Light of the Consent of the Data Subject

    The Right to Be Forgotten in the Light of the Consent of the Data Subject

    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Open Repository and Bibliography - Luxembourg computer law & security review 32 (2016) 218–237 Available online at www.sciencedirect.com ScienceDirect www.compseconline.com/publications/prodclaw.htm The right to be forgotten in the light of the consent of the data subject Cesare Bartolini *, Lawrence Siry * University of Luxembourg, Luxembourg ABSTRACT Keywords: Recently, the Court of Justice of the European Union issued decision C-131/12, which was Data protection considered a major breakthrough in Internet data protection. The general public wel- General data protection reform comed this decision as an actualization of the controversial “right to be forgotten”, which Consent was introduced in the initial draft for a new regulation on data protection and repeatedly amended, due to objections by various Member States and major companies involved in massive processing of personal data. This paper attempts to delve into the content of that decision and examine if it indeed involves the right to be forgotten, if such a right exists at all, and to what extent it can be stated and enforced. © 2016 Cesare Bartoli & Lawrence Siry. Published by Elsevier Ltd. All rights reserved. forgotten is not mentioned in the current DPD provisions, yet 1. Introduction it has been statutorily introduced in the proposed General Data Protection Regulation (GDPR). The GDPR comes from the evo- In May 2014, the Court of Justice of the European Union (CJEU) lution of the DPD interpretation in the light of technological issued a decision1 which has been regarded as the enforce- developments since its adoption in 1995.
  • Data Protection

    Data Protection

    Handbook on the Techniques of Judicial Interactions in the Application of the EU Charter DATA PROTECTION IN THE FRAMEWORK OF THE PROJECT ‘E-LEARNING NATIONAL ACTIVE CHARTER TRAINING (E-NACT)’ FUNDED BY THE EUROPEAN COMMISSION FUNDAMENTAL RIGHTS & CITIZENSHIP PROGRAMME Researcher responsible for the Handbook: Dr Mariavittoria Catanzariti 1 NATIONAL EXPERTS AND COLLABORATORS The e-NACT team would like to thank the following experts and collaborators who contributed to the selection of the national and European case law upon which this Handbook is built. Federica Casarosa Madalina Moraru Karolina Podstawa Joan Soares Mullor Sara Azevedo Afonso Brás Sergiu Popovici Rita de Brito Gião Hanek Diana Lavinia Botău Francesco Perrone Florentino Gregorio Ruiz Yamuza 2 Contents Part I - Data protection and privacy as EU fundamental rights ......................................... 8 Setting the scene ..................................................................................................................... 8 From the Directive 95/46/EC to the GDPR.......................................................................... 11 The European culture of data protection .............................................................................. 12 The Data Protection Reform of 2016: the GDPR and the Law Enforcement Directive ...... 13 Main principles of data processing ....................................................................................... 14 The basics: what’s personal data? ..............................................................................................
  • Data Privacy: De-Identification Techniques

    Data Privacy: De-Identification Techniques

    DEVELOPING AND CONNECTING ISSA CYBERSECURITY LEADERS GLOBALLY Data Privacy: De-Identification Techniques By Ulf Mattsson – ISSA member, New York Chapter This article discusses emerging data privacy techniques, standards, and examples of applications implementing different use cases of de-identification techniques. We will discuss different attack scenarios and practical balances between privacy requirements and operational requirements. Abstract The data privacy landscape is changing. There is a need for privacy models in the current landscape of the increas- ing numbers of privacy regulations and privacy breaches. Privacy methods use models and it is important to have a common language when defining privacy rules. This article will discuss practical recommendations to find the right practical balance between compli- ance, security, privacy, and operational requirements for each type of data and business use case. Figure 1 – Forrester’s global map of privacy rights and regulations [4] ensitive data can be exposed to internal users, partners, California Customer Privacy Act (CCPA) is a wake-up call, and attackers. Different data protection techniques can addressing identification of individuals via data inference provide a balance between protection and transparen- through a broader range of PII attributes. CCPA defines Scy to business processes. The requirements are different for personal information as information that identifies, relates systems that are operational, analytical, or test/development to, describes, is reasonably capable of being associated with, as illustrated by some practical examples in this article. or could reasonably be linked, directly or indirectly, with a We will discuss different aspects of various data privacy tech- particular consumer or household such as a real name, alias, niques, including data truthfulness, applicability to different postal address, and unique personal identifier [1].
  • Identity Theft Harms Millions of Americans Every Year. Breaches of Personally Identifiable Information (PII) Across the Governme

    Identity Theft Harms Millions of Americans Every Year. Breaches of Personally Identifiable Information (PII) Across the Governme

    Safeguarding & Handling PI1 Each DOE employee and contractor needs to be aware of their responsibility to- b Encrypt personal information sent via email b protect personal information, b Label Privacy Act protected records "OFFICIAL USE ONLY - PRIVACY ACT b avoid unauthorized disclosures, DATA" b ensure that no records are maintained without Identity theft harms millions of Americans every b Do not collect personal information without proper public notice in the Federal Register, and year. Breaches of personally identifiable information proper authority, and only the minimum (PII) across the government have been well b report immediately, whether confirmed or necessary for carrying out the mission of DOE publicized and costly for individuals and Federal suspected, any breach or misuse of PII. agencies. These breaches have prompted the b Do not place Privacy Act protected data on Administration and Congress to take action to unrestricted shared drives, intranets, or the improve the protection of personal information. Internet For more information on Privacy and protecting PII, refer to DOE Order 206. I, Department of Energy b Report any loss or unauthorized disclosure of As Department of Energy employees and Privacy Program, located on the DOE Directives personal data immediately to your supervisor, contractors, you have a responsibility to protect all website: http://directives.doe.gov/ PII. DOE Order 206. I, Department of Energy Privacy program manager, Information System Security Program, defines PI1 as "any information collected or Manager, or Privacy Act Officer Questions should be referred to your supervisor, your local Privacy Act Officer, or the Privacy Office maintained by the Department about an individual, b Lock your computer whenever you leave your including but not limited to, education, financial at (202) 586-5955.
  • From Security Monitoring to Cyber Risk Monitoring

    From Security Monitoring to Cyber Risk Monitoring

    Issue 19 | 2016 Complimentary article reprint From security monitoring to cyber risk monitoring Enabling business-aligned cybersecurity By Adnan Amjad, Mark Nicholson, Christopher Stevenson, and Andrew Douglas About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 200,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte net- work shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2016. For information, contact Deloitte Touche Tohmatsu Limited. 122 www.deloittereview.com From security monitoring to cyber risk monitoring 123 CYBER RISK MANAGEMENT From security monitoring to cyber risk monitoring Enabling business-aligned cybersecurity By Adnan Amjad, Mark Nicholson, Christopher Stevenson, and Andrew Douglas Illustration by Lucy Rose Why didn’t we detect it? That’s the all-too-common question when a major cyber incident is discovered—or, too often, announced.
  • Security Forum Strategic Panel Phorm Position Paper

    Security Forum Strategic Panel Phorm Position Paper

    Security Forum Strategic Panel Phorm Position Paper PHORM – PRIVACY IMPACT OF NEW INTERNET ADVERTISING MECHANISMS 1. INTRODUCTION 1.1. Online advertising company Phorm has caused a stir in the Internet community because of its profile-driven service. Phorm has trialled this service with BT, and signed further contracts with Virgin Media and TalkTalk. However, critics claim that the service breaches the Regulation of Investigatory Powers Act (2000), and that Phorm’s approach is contrary to users’ privacy wishes. 1.2. The BCS believes that the solution to this debate rests in self-regulation of online advertising: companies must establish and enforce a code of conduct; be completely transparent about their practices; resist sharing data with third parties; and submit to ongoing oversight from an independent third party organisation. 2. THE BATTLE FOR THE INTERNET 2.1. The massive market for online advertising is one that affects every Internet user: many search engines and websites depend upon advertising revenues for funding, and some ISPs use advertising to subsidise subscription costs. In the absence of those funding sources they would either have to pass on additional operating costs to users, or cease trading altogether. 2.2. The battle for control of Internet advertising had, until recently, been confined to a small number of (rapidly consolidating) players including the likes of Microsoft, Google, Yahoo! and DoubleClick. These well-established companies have built their offerings over many years and believed themselves to control the market, with little threat from new companies. 2.3. However, a new breed of online advertising company has recently appeared.
  • Mass Surveillance

    Mass Surveillance

    Thematic factsheet1 Update: July 2018 MASS SURVEILLANCE The highly complex forms of terrorism require States to take effective measures to defend themselves, including mass monitoring of communications. Unlike “targeted” surveillance (covert collection of conversations, telecommunications and metadata by technical means – “bugging”), “strategic” surveillance (or mass surveillance) does not necessarily start with a suspicion against a particular person or persons. It has a proactive element, aimed at identifying a danger rather than investigating a known threat. Herein lay both the value it can have for security operations, and the risks it can pose for individual rights. Nevertheless, Member States do not have unlimited powers in this area. Mass surveillance of citizens is tolerable under the Convention only if it is strictly necessary for safeguarding democratic institutions. Taking into account considerable potential to infringe fundamental rights to privacy and to freedom of expression enshrined by the Convention, Member States must ensure that the development of surveillance methods resulting in mass data collection is accompanied by the simultaneous development of legal safeguards securing respect for citizens’ human rights. According to the case-law of the European Court of Human Rights, it would be counter to governments’ efforts to keep terrorism at bay if the terrorist threat were substituted with a perceived threat of unfettered executive power intruding into citizens’ private lives. It is of the utmost importance that the domestic legislation authorizing far-reaching surveillance techniques and prerogatives provides for adequate and sufficient safeguards in order to minimize the risks for the freedom of expression and the right to privacy which the “indiscriminate capturing of vast amounts of communications” enables.
  • Security and Privacy Issues of Big Data

    Security and Privacy Issues of Big Data

    Security and Privacy Issues of Big Data José Moura1,2, Carlos Serrão1 1 ISCTE-IUL, Instituto Universitário de Lisboa, Portugal 2 IT, Instituto de Telecomunicações, Lisboa, Portugal {jose.moura, carlos.serrao}@iscte.pt ABSTRACT This chapter revises the most important aspects in how computing infrastructures should be configured and intelligently managed to fulfill the most notably security aspects required by Big Data applications. One of them is privacy. It is a pertinent aspect to be addressed because users share more and more personal data and content through their devices and computers to social networks and public clouds. So, a secure framework to social networks is a very hot topic research. This last topic is addressed in one of the two sections of the current chapter with case studies. In addition, the traditional mechanisms to support security such as firewalls and demilitarized zones are not suitable to be applied in computing systems to support Big Data. SDN is an emergent management solution that could become a convenient mechanism to implement security in Big Data systems, as we show through a second case study at the end of the chapter. This also discusses current relevant work and identifies open issues. Keywords: Big Data, Security, Privacy, Data Ownership, Cloud, Social Applications, Intrusion Detection, Intrusion Prevention. INTRODUCTION The Big Data is an emerging area applied to manage datasets whose size is beyond the ability of commonly used software tools to capture, manage, and timely analyze that amount of data. The quantity of data to be analyzed is expected to double every two years (IDC, 2012).
  • Protection of Biometric Information of Children in Schools and Colleges

    Protection of Biometric Information of Children in Schools and Colleges

    Protection of biometric information of children in schools and colleges Advice for proprietors, governing bodies, head teachers, principals and school and college staff March 2018 Contents 1. About this advice 3 Expiry/review date 3 What legislation does this advice relate to? 3 Who is this advice for? 3 2. Key Points 4 What is biometric data? 4 What is an automated biometric recognition system? 5 What does processing data mean? 5 3. The Protection of Freedoms Act 2012 6 Notification and Parental Consent 6 The pupil’s right to refuse 7 Providing alternatives 8 The Data Protection Act 1998 8 Associated Resources 9 4. Template Notification and Consent Form 10 2 1. About this advice This is non-statutory advice from the Department for Education. It explains the legal duties schools and colleges have if they wish to use biometric information about pupils for the purposes of using automated biometric recognition systems. The duties on schools and colleges in the Protection of Freedoms Act 2012 set out in this advice came into effect from 1 September 2013. Schools and colleges using automated biometric recognition systems, or planning to install them, should make arrangements to notify parents and obtain the consent required under the duties set out in the body of this advice. There are no circumstances in which a school or college can lawfully process a pupil’s biometric data without having notified each parent of a child and received the necessary consent. This advice replaces “Protection of biometric information of children in schools”, which was issued in December 2012.
  • The Data Protection Act 1998 and Personal Privacy

    The Data Protection Act 1998 and Personal Privacy

    Introduction On 2 February 1998 Lord Williams of Mostyn commenced his second reading speech for the Data Protection Bill: “I recognise that data protection does not sound like a subject to attract obsessive interest; witness the general exodus from your Lordships’ House as I start to Monday, 19 March 2012 introduce this Second Reading. Data protection is redolent in many ways of computers and electronic processing: necessary but essentially technical providers The Data Protection Act 1998 & Personal Privacy of services. In fact it affects our well-being in a much more general way. It shares common ground to that extent with the Human Rights Bill. That Bill will improve Philip Coppel QC the position of citizens of this country by enabling them to rely on the wide range of civil and political rights contained in the European Convention on Human Rights. Those rights include the right to respect for private and family life. The Data Protection Bill also concerns privacy, albeit a specific form of privacy; Synopsis: Described in Campbell v MGN [2003] QB 633 at [72] as “a thicket” personal information privacy. The subject matter of the Bill is, therefore, and as “certainly a cumbersome and inelegant piece of legislation”, inherently important to our general social welfare.”1 the Data Protection Act 1998 is the ugly relation in the law of As I penned this talk, with more than a decade having passed since Lord privacy. As the Human Rights Act 1998 has extruded the law of Williams’s speech echoed in the House, I did wonder whether his words confidentiality to protect personal privacy, the Data Protection Act would similarly resonate tonight.
  • Mass Surveillance

    Mass Surveillance

    Mass Surveillance Mass Surveillance What are the risks for the citizens and the opportunities for the European Information Society? What are the possible mitigation strategies? Part 1 - Risks and opportunities raised by the current generation of network services and applications Study IP/G/STOA/FWC-2013-1/LOT 9/C5/SC1 January 2015 PE 527.409 STOA - Science and Technology Options Assessment The STOA project “Mass Surveillance Part 1 – Risks, Opportunities and Mitigation Strategies” was carried out by TECNALIA Research and Investigation in Spain. AUTHORS Arkaitz Gamino Garcia Concepción Cortes Velasco Eider Iturbe Zamalloa Erkuden Rios Velasco Iñaki Eguía Elejabarrieta Javier Herrera Lotero Jason Mansell (Linguistic Review) José Javier Larrañeta Ibañez Stefan Schuster (Editor) The authors acknowledge and would like to thank the following experts for their contributions to this report: Prof. Nigel Smart, University of Bristol; Matteo E. Bonfanti PhD, Research Fellow in International Law and Security, Scuola Superiore Sant’Anna Pisa; Prof. Fred Piper, University of London; Caspar Bowden, independent privacy researcher; Maria Pilar Torres Bruna, Head of Cybersecurity, Everis Aerospace, Defense and Security; Prof. Kenny Paterson, University of London; Agustín Martin and Luis Hernández Encinas, Tenured Scientists, Department of Information Processing and Cryptography (Cryptology and Information Security Group), CSIC; Alessandro Zanasi, Zanasi & Partners; Fernando Acero, Expert on Open Source Software; Luigi Coppolino,Università degli Studi di Napoli; Marcello Antonucci, EZNESS srl; Rachel Oldroyd, Managing Editor of The Bureau of Investigative Journalism; Peter Kruse, Founder of CSIS Security Group A/S; Ryan Gallagher, investigative Reporter of The Intercept; Capitán Alberto Redondo, Guardia Civil; Prof. Bart Preneel, KU Leuven; Raoul Chiesa, Security Brokers SCpA, CyberDefcon Ltd.; Prof.