Category: European Data Protection
21. December 2017
The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clearance into the transparency requirement regarding the processing of personal data and gives practical advice.
Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.
In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains their understanding of these. The following elements are named and described:
– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”
In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.
The French National Data Protection Commission (CNIL) has found violations of the French Data Protection Act in the course of an investigation conducted in order to verify compliance of WhatsApps data Transfer to Facebook with legal requirements.
In 2016, WhatsApp had announced to transfer data to Facebook for the purpose of targeted advertising, security and business intelligence (technology-driven process for analyzing data and presenting actionable information to help executives, managers and other corporate end users make informed business decisions).
Immediately after the announcement, the Working Party 29 (an independent European advisory body on data protection and privacy, set up under Article 29 of Directive 95/46/EC; hereinafter referred to as „WP29“) asked the company to stop the data transfer for targeted advertising as French law doesn’t provide an adequate legal basis.
„While the security purpose seems to be essential to the efficient functioning of the application, it is not the case for the “business intelligence” purpose which aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior.“
In the wake of the request, WhatsApp had assured the CNIL that it does not process the data of French users for such purposes.
However, the CNIL currently not only came to the result that the users’ consent was not validly collected as it lacked two essential aspects of data protection law: specific function and free choice. But it also denies a legitimate interest when it comes to preserving fundamental rights of users based on the fact that the application cannot be used if the data subjects refuse to allow the processing.
WhatsApp has been asked to provide a sample of the French users’ data transferred to Facebook, but refused to do so because being located in die United States, „it considers that it is only subject to the legislation of this country.“
The inspecting CNIL thus has issued a formal notice to WhatsApp and again requested to comply with the requirements within one month and states:
„Should WhatsApp fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.“
11. December 2017
The Working Party 29 (WP29), an independent European advisory body on data protection and privacy, has evaluated the Privacy Shield agreement (framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, see also our report on One year of Privacy Shield).
In its joint review, the WP29 focusses on the assessment of commercial aspects and governmental access to personal data for national security purposes.
Though acknowledging progress, the WP29 still finds unresolved issues on both sides.
It criticizes the lack of guidance and clear information on the principles of the Privacy Shield, especially with regards to onward transfers, the rights of the data subject and remedies.
The US authorities are further requested to clearly distinguish the status of data processors from that of data controllers.
Another important issue to be tackled is the handling of Human Resource (HR) data and the rules governing automated-decision making and profiling.
Also, the process of self-certification for companies requires improvement.
In terms of access by public authorities, the WP 29 concludes that the US government has made effort to become more transparent.
However, some of the main concerns still are to be resolved by May 25th, 2018.
The WP 29 calls for further evidence or legally binding commitments to confirm non-discrimination and the fact that authorities don’t get access on a generalized basis to data transferred to the USA from the EU.
Aside from these matters, an Ombudsperson still needs to be appointed and her/his exact powers need to be specified. According to the WP 29, the existing powers to remedy non-compliance are not sufficient.
In case no remedy is brought to these concerns in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
19. October 2017
The Article 29 Data Protection Working Party (WP29) adopted a guideline for the automated individual decision-making and profiling which are addressed by the General Data Protection Regulation (GDPR). The GDPR will be applicable from the 25th May 2018. WP29 acknowledges that “profiling and automated decision-making can be useful for individuals and organisations as well as for the economy and society as a whole”. “Increased efficiencies” and “resource savings” are two examples that were named.
However, it was also stated that “profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards”. One risk could be that profiling may “perpetuate existing stereotypes and social segregation”.
The Guideline covers inter alia definitions of profiling and automated decision-making as well as the general approach of the GDPR to these. It is addressed that the GDPR introduces provisions to ensure that the use of profiling and automated decision-making does not have an “unjustified impact on individuals’ rights” and names examples, such as “specific transparency and fairness requirements” and “greater accountability obligations”.
11. July 2017
The Article 29 Working Party (WP) has released their opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previous released documents on the surveillance of electronic communications (WP 55) and processing personal data in employment context (WP 48). This update should face the fast-changing technologies, the new forms of processing and the fading boundaries between home and work. It not only covers the Data Protection Directive but also the new rules in the General Data Protection Regulation that goes into effect on 25th of May 2018.
Therefore they listed nine different scenarios in the employment context where data processing can lead to a lack in data protection. These scenarios are data processing in the recruitment process and in-employment screening (especially by using social media platforms), using monitoring tools for information and communication technologies (ICT), usage at home/remote, using monitoring for time and attendance, use of video monitoring, use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.
The Article 29 WP also pointed out the main risk for the fundamental rights of the employees. New technologies allow the employer tracking over a long time and nearly everywhere in a less visible way. This can result into chilling effects on the rights of employees because they think of a constant supervision.
As a highlight the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:
- only collect the data legitimate for the purpose and only with processing taking place under appropriate conditions,
- consent is highly unlike to be a legal base for data processing, because of the imbalance in power between the employer and the employee,
- track the location of employees only where it is strictly necessary,
- communicate every monitoring to your employees effectively,
- do a proportionality check prior the deployment of any monitoring tool,
- be more concerned with prevention than with detection,
- keep in mind data minimization; only process the data you really need to,
- create privacy spaces for users,
- on cloud uses: Ensure an adequate level of protection on every international transfer of employee data.
27. June 2017
The General Data Protection Regulation (GDPR) will be applicable to all EU Member States from May 25th 2018. The GDPR will not just apply to EU companies, but also to non-EU companies that have dealings with data subjects that are located in the EU (see also Art. 3 (2) GDPR).
Companies, in specific, that fall under the regulations of the GDPR should be prepared to fulfil the requirements that are stated by the GDPR, due to the risk of an imposition of a fine if they fail to comply with the GDPR. This is in particular relevant since the fines for infringements of the GDPR have increased significantly (see also Art. 83 GDPR).
The implementations that companies have to make to comply with the GDPR involve high expenses and probably will be more time consuming than expected in most cases, depending on the size and complexity of the company. Especially the time factor has to be considered since it is less than a year left until May 2018.
However, according to a report of TrustArc, 61 % of the asked companies have not yet started with the implementation of their GDPR compliance programs.
TrustArc interviewed 204 privacy professionals from companies of different industries that will fall under the GDPR. These companies were divided into three categories based on the count of their employees: 500-1000 employees, 1000-5000 employees and more than 5000 employees.
23 % stated that they have started with the necessary implementations, 11 % that the implementations are driven forward and just 4 % stated that they had finished all necessary implementations to reach GDPR compliance.
The Report also shows the cost that companies expect to be need to implement what will be necessary to comply with the GDPR. Overall, 83% expect that their expenses will be in the six figures.
16. March 2017
Ultimately, the Italian police department (in cooperation with Garante – Italian data protection authority) has carried out an investigation, which has revealed a violation of a data protection legislation and specific actions aimed at introducing the legal circulation of money onto the Chinese market.
Four agent companies and one multinational have turned out to split money transfers for remaining sub-threshold under this perspective. Under these circumstances an unlawful massive personal data processing of unaware individuals (payments and senders) has been performed. What is more, some of the records were up to be filed by not existing individuals or even deceased. Other records however, were left blank.
Taking into account all of the gathered facts, which actually indicated that personal data were used in order to unlawfully avoid the money laundering provisions, a wide-ranging Italian data protection authority sanctioning initiative has been launched. As a result, Garante has issued the highest fines ever in Europe.
Given the number of violations of data protection provisions, the Garante has set the whole amount of sanctions up to a total sum of almost 11,000,000 euros (850,000; 1,260,000; 1,590,000 1,430,000 euros for the agent companies and 5,880,000 euros for the multinational company).
It is believed that such a strict data protection authorities sanction will encourage individual data controllers and companies to accelerate their compliance with the upcoming GDPR (May 2018).
10. February 2017
On January 10, the European Commission published a proposal for an ePrivacy Regulation. After the adoption of the General Data Protection Regulation (‘GDPR’), a new ePrivacy Regulation would be the next step in pursuing the European Commission’s Digital Single Market Strategy (‘DSM’).
If adopted, the ePrivacy Regulation will replace both the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In contrast to a Directive that has to be implemented into national law by each EU Member State, a Regulation is directly applicable in all Member States. Thus a Regulation would support the harmonisation of the data protection framework.
What’s new?
Since 2009, when the ePrivacy Directive was revised last, important technological and economic developments took place. In order to adapt the legal framework to the reality of electronic communication, the scope of the proposed Regulation is widened to apply to the so called ‘over-the-top’ (‘OTT’) service providers. These OTT providers, such as WhatsApp, Skype or Facebook, run their services over the internet.
By ensuring the privacy of machine-to-machine communication, the Regulation also deals with the Internet of Things and thus seems not only to consider the current situation of electronic communication, but also to prepare for upcoming developments within the information technology sector.
Electronical communications data (metadata as well as content data) cannot be processed without complying with the requirements of the Regulation. Metadata can be processed, if necessary for mandatory quality of service requirements or for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communication services.
Content data can be used for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content or if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.
Regarding the use of cookies, the end-users’ consent is still the basic requirement, except for first party non-privacy intrusive cookies. These cookies can now be used without the consent of the end-user. The proposed Regulation furthermore allows to use browser settings as consent.
In contrast to the draft of the Regulation leaked in December 2016, the official proposal does not contain the commitment to ‘Privacy by default’, which means that software has to be configured so that third parties cannot store information on or use information about a user’s device.
The Commission’s proposal of the Regulation just demands that software must offer the option to prevent third parties from storing information on or using information about a user’s device.
ePrivacy Regulation and GDPR
Both the ePrivacy Regulation and the GDPR are part of the above mentioned ‘DSM’. Several commonalities prove this fact. For instance, the fines in both Regulations will be the same. Furthermore, the EU Data Protection Authorities responsible for the enforcement of the GDPR will also be responsible for the ePrivacy Regulation. This will contribute to the harmonisation of the data protection framework and increase trust in and the security of digital services.
What’s next?
After being considered and agreed by the European Parliament and the Council, the Regulation could be adopted by May 25th, 2018, when the GDPR will come into force. It is to see whether this schedule is practicable, considering how long the debate about the GDPR took.
13. January 2017
On January 10th 2017 the European Commission released a Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications.
The presented proposal pursues the implementation of the EU’s Digital Single Market strategy. The Digital Single Market strategy aims to increase trust in and the security of digital services. With the upcoming General Data Protection Regulation further legislative measures have to be implemented in order to build a coherent regulatory framework.
The proposed Regulation will repeal the Directive 2002/58/EC Regulation on Privacy and Electronic Communications, also known as the “E-Privacy Directive”, which insufficiently regards current technological developments. Especially so-called Over the Top communication services, such as the messenger services WhatsApp, Skype or Facebook Messenger, are not regulated by the E-Privacy Directive and lack sufficient privacy for its users. According to the proposed Regulation, the content of messages as well as metadata will have to remain confidential and / or anonymized unless the user consented otherwise.
In addition, the new rules set out a strategic approach relating to international data transfer. By engaging in so-called “adequacy decisions” the transfer of personal data will be simplified while a high level of privacy remains.
The proposed Regulation further contains rules to ensure that personal data, which is processed by EU institutions and bodies, is handled according to the measures of the General Data Protection Regulation.
Finally, since the nature of the Proposal is a regulation instead of a directive, it should have a stronger impact for both consumers and businesses.
Ideally the legislative process will be finalized by May 25th 2018, when the General Data Protection Regulation will enter into force.
19. December 2016
The European Article 29 Working Party just published Guidelines after their December plenary meeting.
These Guidelines include explanations in terms of the role of the Data Protection Officer, the mechanisms for data portability and how a lead authority will be established with regard to the one-stop shop. Furthermore, some guidance on the EU-U.S. Privacy Shield was also included.
When do you have to appoint a DPO?
Article 37 (1) of the GDPR states that a DPO has to be appointed
a) where the processing is carried out by a public authority or body
b) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
or c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
How does the Article 29 Working Party define these requirements?
“Core activities” are defined as the “key operations necessary to achieve the controller’s or processor’s goals.” The Article 29 Working Party gives the following example: a hospital needs to process health data as core to its ultimate activity of providing health care services.
Therefore, companies have to ask themselves whether the processing of personal data is a inextricably part for archiving their goals.
“Large scale” refers to the number of data subjects and not the company’s size.
The Working Party 29 defines the following identification aspects for a “large scale”:
- The number of data subjects affected.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
However, the Working Party 29 welcomes feedback on the Guidelines from stakeholders through January 2017. Comments can be sent to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr.
