Guidance, Opinions
The Article 29 Working Party published new guidance on data processing in a work environment: Opinion 2/2017. The Opinion makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies. Among other observations, the Group underlines that consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence.
The Article 29 Working Party published the first version of the much-awaited Guidelines on Data Protection Impact Assessments under the GDPR (available HERE).
The April Plenary of the Article 29 Working Party adopted an Opinion on the draft ePrivacy Regulation, which was just published on its website. “In general, the Working Party welcomes the proposal for an ePrivacy Regulation. In particular, it appreciates the choice for a regulation as the regulatory instrument, the equalization of Over-The-Top (OTT) providers with telecom operators as regards confidentiality of communications as well as the attempt to modernize the rules applicable for tracking in the online world. However, the DPAs note 4 points of concern related to WiFi tracking, analysis of content and metadata, tracking walls, and privacy by default regarding terminal equipment and software”. We are analysing the opinion in detail, and you’ll hear more about this in the near future.
The WP29 adopted the final versions of three documents first adopted in December 2016, formalizing its guidance on DPOs, data portability and the lead supervisory authority.
The Irish DPC issued a statement on DPOs and the appropriate qualifications an employer should be looking for.
The “Berlin Group” (International Working Group on Data Protection in Telecommunications – a group that gathers technologists working for DPAs) issued a Working Paper on e-Learning Platforms (the link directly downloads a PDF), as a result of their last meeting, which took place in April in Washington DC. The paper outlines the main privacy risks for students associated with e-learning platforms and provides recommendations for educational institutions, e-learning platform providers and data protection authorities.
EU-US Privacy Shield
The Joint Annual Review of the Privacy Shield is being prepared by the Commission and the Article 29 Working Party. The WP29 sent a letter to the Commission providing details about the fact-finding mission to the US in September and its scope, including the fact that it intends to have 8 members of the Working Party in the EU delegation that will participate in meetings in Washington. The press release points out that the WP29 is particularly interested in asking about: the existence of legal guarantees regarding automated decision making, or of any guidance made available by the DOC regarding the application of the Privacy Shield principles to organisations acting as agents/processors; the definition of human resources data; and the latest developments in US law and jurisprudence in the field of privacy.
The Article 29 Working Party published brief guidance and a form for complaints to the Ombudsperson, highlighting that only the requests relating to national security access by US intelligence agencies will be considered by the Ombudsperson. The form is available HERE (link directly downloads .pdf).
The Article 29 Working Party offered a glimpse of their feedback after the visit to Washington DC. The Group’s president, Isabelle Falque Pierrotin, together with Commissioner Vera Jourova, discussed the implementation of the Privacy Shield framework with US officials and civil society groups. In a Press Release, the WP29 mentions that “some of the key functions in the Privacy Shield architecture still need to be definitely appointed following the US election (Ombudsperson, FTC commissioners and PCLOB members). In addition, the organization of the annual review must be discussed in depth and in detail with the US authorities especially regarding access to documents.” The Annual Review of the Privacy Shield framework is due by September.
Other activities
The Article 29 Working Party shared the results of the discussions [link directly downloads .pdf] between European representatives of industry, civil society, academia and relevant associations, which took place at the second Fablab workshop on best practices and guidelines with regard to valid consent, data breach notifications and profiling.
The Article 29 Working Party sent out a letter with their analysis and recommendations on a proposed Code of Conduct for mobile Health applications. Here is a link to the draft Code of Conduct that was submitted to WP29. (This is a good opportunity to remind you of the Best Practices for Consumer Wearables & Wellness Apps & Devices published by the FPF last year).
The ICO started a much welcomed myth-busting campaign regarding the GDPR, acknowledging that there is a lot of misinformation out there about it. The first myth they busted: the biggest threat to organisations from the GDPR is massive fines. Elisabeth Denham, head of the ICO, wrote that “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”. Read all about it here. The second myth they busted: consent is the silver bullet for GDPR compliance. No, it’s not. “The rules around consent only apply if you are relying on consent as your basis to process personal data. (…) There are five other ways of processing data that may be more appropriate than consent”, wrote Denham here.