Category: EU

The European Data Protection Board – A new authority under the EU General Data Protection Regulation (GDPR)

27. February 2018

The new General Data Protection Regulation (GDPR) establishes a new EU data protection authority, the so-called European Data Protection Board (the “Board”). The Board replaces the Article 29 Working Party starting May 25th 2018, when the GDPR enters into force. The Board has its own legal personality.

Pursuant to Art. 68 (3) GDPR the Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It works independently and on its own initiative by issuing opinions pursuant to Art. 64 GDPR or adopting binding decisions pursuant to Art. 65 GDPR, especially in the cases set out in Art. 65 (1) GDPR. The Board hence has the authority to adopt one of the most powerful legal acts of the Union listed in Art. 288 of the Treaty on the Functioning of the European Union (TFEU).

While harmonizing data protection in the EU, the Board's main task is to maintain the consistent application of the GDPR by the national supervisory authorities through the consistency mechanism pursuant to Art. 63 GDPR. Within this consistency mechanism, the Board comments on the so-called Binding Corporate Rules (BCR), which are necessarily given by national data protection authorities for international data transfers within a company group.

The Board also has the final say if the national data protection authorities cannot reach an agreement concerning the implementation of the GDPR.

WP29 Guidelines on the notion of consent according to the GDPR – Part 1

26. January 2018

According to the GDPR, consent is one of the six lawful bases mentioned in Art. 6. In order for consent to be valid and compliant with the GDPR, it needs to reflect the data subject's real choice and control.

The Working Party 29 (WP 29) clarifies and specifies the “requirements for obtaining and demonstrating” such a valid consent in its Guidelines released in December 2017.

The guidelines start off with an analysis of Article 4 (11) of the GDPR and then discuss the elements of valid consent. Referring to the Opinion 15/2011 on the definition of consent, “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.”

The WP29 illustrates the elements of valid consent, such as the consent being freely given, specific, informed and unambiguous. For example, consent is not considered freely given if a mobile app for photo editing requires the users to have their GPS location activated simply in order to collect behavioural data aside from the photo editing. The WP29 emphasizes that consent to processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.”

Another important aspect taken into consideration is the imbalance of powers, e.g. in the matter of public authorities or in the context of employment. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.”

Art. 7(4) GDPR emphasizes that the performance of a contract is not supposed to be conditional on consent to the processing of personal data that is not necessary for the performance of the contract. The WP 29 states that “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.” Depending on the scope of the contract or service, the term “necessary for the performance of a contract… …needs to be interpreted strictly”. The WP29 lays down examples of cases where the bundling of situations is acceptable.

If a service involves multiple processing operations or multiple purposes, the data subject should have the freedom to choose which purpose they accept. This concept of granularity requires the purposes to be separated and consent to be obtained for each purpose.

Withdrawal of consent has to be possible without any detriment, e.g. in terms of additional costs or downgrade of services. Any other negative consequence such as deception, intimidation or coercion is also considered to be invalidating. The WP29 therefore suggests that controllers ensure proof that consent has been given accordingly.

(to be continued in Part 2)

WP 29 adopts guidelines on transparency under the GDPR

21. December 2017

The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guidelines are intended to bring clarity to the transparency requirement regarding the processing of personal data and to give practical advice.

Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.

In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains its understanding of these. The following elements are named and described:

– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”

In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.

French Data Protection Commission threatens WhatsApp with sanctions

The French National Data Protection Commission (CNIL) has found violations of the French Data Protection Act in the course of an investigation conducted in order to verify compliance of WhatsApp's data transfer to Facebook with legal requirements.

In 2016, WhatsApp had announced that it would transfer data to Facebook for the purpose of targeted advertising, security and business intelligence (technology-driven process for analyzing data and presenting actionable information to help executives, managers and other corporate end users make informed business decisions).

Immediately after the announcement, the Working Party 29 (an independent European advisory body on data protection and privacy, set up under Article 29 of Directive 95/46/EC; hereinafter referred to as „WP29“) asked the company to stop the data transfer for targeted advertising as French law doesn’t provide an adequate legal basis.

„While the security purpose seems to be essential to the efficient functioning of the application, it is not the case for the “business intelligence” purpose which aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior.“

In the wake of the request, WhatsApp had assured the CNIL that it does not process the data of French users for such purposes.

However, the CNIL has now not only concluded that the users’ consent was not validly collected, as it lacked two essential aspects of data protection law: specific function and free choice. It also denies a legitimate interest when it comes to preserving the fundamental rights of users, based on the fact that the application cannot be used if the data subjects refuse to allow the processing.

WhatsApp has been asked to provide a sample of the French users’ data transferred to Facebook, but refused to do so because, being located in the United States, „it considers that it is only subject to the legislation of this country.“

The CNIL has thus issued a formal notice to WhatsApp, again requesting that it comply with the requirements within one month, and states:

„Should WhatsApp fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.“


WP29 releases opinion on joint review of Privacy Shield

11. December 2017

The Working Party 29 (WP29), an independent European advisory body on data protection and privacy, has evaluated the Privacy Shield agreement (framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, see also our report on One year of Privacy Shield).

In its joint review, the WP29 focusses on the assessment of commercial aspects and governmental access to personal data for national security purposes.

Though acknowledging progress, the WP29 still finds unresolved issues on both sides.

It criticizes the lack of guidance and clear information on the principles of the Privacy Shield, especially with regards to onward transfers, the rights of the data subject and remedies.

The US authorities are further requested to clearly distinguish the status of data processors from that of data controllers.

Another important issue to be tackled is the handling of Human Resource (HR) data and the rules governing automated decision-making and profiling.

Also, the process of self-certification for companies requires improvement.

In terms of access by public authorities, the WP 29 concludes that the US government has made an effort to become more transparent.

However, some of the main concerns are still to be resolved by May 25th, 2018.

The WP 29 calls for further evidence or legally binding commitments to confirm non-discrimination and the fact that authorities don’t get access on a generalized basis to data transferred to the USA from the EU.

Aside from these matters, an Ombudsperson still needs to be appointed and her/his exact powers need to be specified. According to the WP 29, the existing powers to remedy non-compliance are not sufficient.

In case no remedy is brought to these concerns in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

Irish High Court refers Facebook case to the CJEU

6. October 2017

On October 3rd 2017, the Irish High Court announced that it will refer the Facebook case to the Court of Justice of the European Union (CJEU). The lawsuit is based on a complaint to the Irish Data Protection Commissioner filed by Max Schrems, an Austrian lawyer and privacy activist. Schrems was also involved in the case against Facebook resulting in the CJEU’s landmark decision declaring the Commission’s US Safe Harbour Decision invalid.

In his new complaint, Schrems is challenging the data transfers of Facebook to the US on the basis of the “Model Contracts for the transfer of personal data to third countries”, also known as standard contractual clauses (SCCs). Schrems himself said, “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that.”

In contrast to Schrems, the Irish Data Protection Commissioner challenged the validity of the SCCs in general and not only in matters of Facebook. Due to the importance of the case, the Irish High Court referred it to the CJEU. The CJEU will now have to decide whether data transfers to the US are valid on the basis of the Commission’s Model Contracts. It remains to be seen what the CJEU will decide and if its decision will have an impact on the Privacy Shield framework.

Measures to strengthen the EU cybersecurity published

27. September 2017

On September 13, 2017 a joint communication to the European Parliament and the Council of the European Union on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” was published. This should strengthen the EU's response to cyber attacks.

The joint communication includes:

  • Greater EU resilience to cyber attacks
  • Better detection of cyber attacks
  • Stronger international cooperation on cybersecurity

and is part of a package of EU documents.

Cifas: Identity theft at epidemic level

24. August 2017

According to, the fraud prevention group Cifas warns that cases of identity theft increase year by year in the UK. In the first six months of the year Cifas already recorded 89,000 cases, which is a 5% increase in relation to the same period of the last year and a new record. further reports that Simon Dukes, chief executive of Cifas, said: “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day.” It is further explained that “these frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.”

Fraudsters are targeting data such as the name, address, date of birth or bank account details. They gather these data by hacking computers, stealing mail or buying data through the “dark web”. Also, victims are tricked into giving away their personal data. However, most of the thefts, about 80%, are committed online and mostly without the victims noticing. The crimes often come to light when, for example, the first random bill arrives.

The victims of impersonation were broken down into age categories, showing that people in their 30s and 40s are most likely to be victims of identity theft, since a large amount of information about this group of people has often been gathered online. It is further reported that, according to Cifas, the number of cases fell for the group of over-60s, while the group of 21- to 30-year-olds showed the biggest increase in cases.

Article 29 WP releases opinion on data processing at work

11. July 2017

The Article 29 Working Party (WP) released its opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previously released documents on the surveillance of electronic communications (WP 55) and processing personal data in the employment context (WP 48). This update is meant to address the fast-changing technologies, the new forms of processing and the fading boundaries between home and work. It not only covers the Data Protection Directive but also the new rules in the General Data Protection Regulation that goes into effect on 25th of May 2018.

Therefore, the WP listed nine different scenarios in the employment context where data processing can lead to a lack of data protection. These scenarios are data processing in the recruitment process and in-employment screening (especially by using social media platforms), using monitoring tools for information and communication technologies (ICT), usage at home/remote, using monitoring for time and attendance, use of video monitoring, use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.

The Article 29 WP also pointed out the main risk for the fundamental rights of the employees. New technologies allow the employer to track employees over a long time and nearly everywhere in a less visible way. This can result in chilling effects on the rights of employees because they assume constant supervision.

As a highlight the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:

  • only collect the data legitimate for the purpose and only with processing taking place under appropriate conditions,
  • consent is highly unlikely to be a legal basis for data processing, because of the imbalance in power between the employer and the employee,
  • track the location of employees only where it is strictly necessary,
  • communicate every monitoring to your employees effectively,
  • do a proportionality check prior to the deployment of any monitoring tool,
  • be more concerned with prevention than with detection,
  • keep in mind data minimization; only process the data you really need to,
  • create privacy spaces for users,
  • on cloud uses: Ensure an adequate level of protection on every international transfer of employee data.

Many companies have not started preparing for the GDPR

27. June 2017

The General Data Protection Regulation (GDPR) will be applicable to all EU Member States from May 25th 2018. The GDPR will not just apply to EU companies, but also to non-EU companies that have dealings with data subjects that are located in the EU (see also Art. 3 (2) GDPR).

In particular, companies that fall under the GDPR should be prepared to fulfil the requirements stated by the GDPR, due to the risk of a fine being imposed if they fail to comply with the GDPR. This is particularly relevant since the fines for infringements of the GDPR have increased significantly (see also Art. 83 GDPR).

The implementations that companies have to make to comply with the GDPR involve high expenses and will probably be more time-consuming than expected in most cases, depending on the size and complexity of the company. The time factor especially has to be considered, since less than a year is left until May 2018.

However, according to a report by TrustArc, 61 % of the companies surveyed have not yet started with the implementation of their GDPR compliance programs.

TrustArc interviewed 204 privacy professionals from companies of different industries that will fall under the GDPR. These companies were divided into three categories based on the count of their employees: 500-1000 employees, 1000-5000 employees and more than 5000 employees.

23 % stated that they have started with the necessary implementations, 11 % that the implementations are driven forward and just 4 % stated that they had finished all necessary implementations to reach GDPR compliance.

The report also shows the costs that companies expect to incur to implement what will be necessary to comply with the GDPR. Overall, 83% expect that their expenses will be in the six figures.
