Guidance (see also the Article 29 Working Party/EDPB page)
ICO seeks comments from stakeholders following the publication of draft guidance on children and GDPR.
The FPF published a Chart of Potential Harms from Automated Decision-Making, a very useful tool for identifying the potential risks of processing personal data, aimed at those conducting Data Protection Impact Assessments as part of their GDPR compliance programs.
Here is a very useful (and quite colorful) guidance on how to choose a DPO, by Tim Turner. Tim has been around in the profession for more than 10 years, having worked for a while also for the ICO.
The Article 29 Working Party adopted last week the updated BCR referential, both for controllers and processors, to align it to the requirements of the GDPR. The Working Party also adopted Guidelines for consent and transparency, according to the press release following the meeting, but we are still waiting to see them published on the website.
Datatilsynet, the Norwegian DPA, published a guide in English on implementing Data Protection by Design and by Default.
IAB Europe presented this week in London an “industry consent mechanism for meeting challenges under the GDPR” and called for “broad industry engagement on further development and roll-out”.
The CNIL launched an interactive application to conduct Data Protection Impact Assessments, available HERE. After you install and open it, you will see that there is an option to have the content in English. I played a bit with it and it seems useful, at least for providing a sizeable list of possible mitigation measures.
The CNIL also published the version in English of the GDPR Guide for processors.
The Bavarian DPA followed up their GDPR readiness questionnaire with an interactive tool comprising 28 questions, also available in English. Try it HERE. Good luck!
The ICO updated and republished their Guide to the GDPR.
ENISA (EU Agency for Network and Information Security) published a Report to explain certification and what it means for the data protection legal regime under the GDPR – “Concepts and recommendations on European Data Protection Certification mechanisms”.
The Spanish DPA issued a comprehensive Guide for Spanish schools on GDPR compliance.
The Article 29 Working Party published “guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679” (the GDPR). Before going into details, it’s interesting to note the Working Party already refers to itself as being the European Data Protection Board (“the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach”). The guidelines are addressed to supervisory authorities, acknowledging that “the fining powers represent for some national supervisory authorities a novelty in the field of data protection, raising numerous issues in terms of resources, organization and procedure”.
The Article 29 Working Party adopted the final version of the Data Protection Impact Assessment Guidelines, after incorporating the feedback received during the public consultation. If you’ve been waiting for black and white criteria to decide what processing operation is large-scale and likely to result in a risk, you will be disappointed. Such is the nature of data protection law – everything is more or less up to debate.
Guidelines on data breach notifications and profiling have also been adopted by the WP29 and will be open to a public consultation for 6 weeks. Additionally, the WP29 announced the adoption of guidelines on the application and setting of administrative fines, but they will not be subject to a public consultation. The last document is not yet available on the WP29 website.
CNIL published a GDPR “compliance pack” for connected cars (FR).
CPO magazine published an overview of the areas where national laws are allowed to derogate from the GDPR.
Alston and Bird published part 3 of their 5 articles series on the German GDPR implementation, which focuses on Data Protection Officers and Employee personal data.
CNIL adopted Guidance for processors and their new obligations under the GDPR (available only in FR).
The Bavarian Data Protection Authority published a questionnaire in English “for GDPR implementation on 25 May 2018”. The questionnaire was shared with companies in Bavaria as an example of what they should expect to be asked about by the DPA in order to assess whether they are GDPR compliant come May 2018. It’s a great resource for those of you working for your GDPR compliance program.
The Spanish DPA is the first supervisory authority in Europe to publish a certification scheme for Data Protection Officers (only in ES). They partnered with the Spanish National Accreditation institution (ENAC) for this initiative. DPO certifications will be granted by entities accredited first by ENAC, following certification criteria developed by the Spanish DPA. However, the DPA clarified that it will not be an obligation for a professional to hold this certification in order to be appointed as DPO.
The Data Protection Network published Guidance on Legitimate Interests under the GDPR, meant to be a practical tool to help commercial and not-for-profit organisations assess whether or not they can rely on Legitimate Interests as a lawful basis for processing personal data under the GDPR. See the pdf attached to this email.
The Irish DPC issued a statement on DPOs and the appropriate qualifications an employer should be looking for.
German DPAs published three short guidance papers on the application of the GDPR, touching on subjects which have not yet been on the WP29’s table: the record of processing activities, the DPA’s power to supervise/sanction and processing of personal data for advertising purposes. They are only available in German, but here you have a summary in English.
The Irish Data Protection Commissioner published guidance on conducting Data Protection Impact Assessments, including recommendations for the right time to interact with the DPC in the process: “If, during the DPIA process, the Data Controller has identified and taken measures to mitigate any risks to personal data, it is not necessary to consult with the DPC before proceeding with the project.”
The Belgian DPA published recommendations on the GDPR record keeping obligation (available only in French and Dutch), answering questions such as ‘Who is obliged to keep the Records?’; ‘Why do companies have to keep the Records?’; ‘What kind of information do the Records have to contain?’ and ‘How should the Records be drawn up?’. Here you have a summary in English.
ICO published an updated Guide for “Preparing for the General Data Protection Regulation (12 steps to take now)”, one year before the GDPR becomes applicable.
The Italian DPA issued its first set of Guidelines on the application of the GDPR. You have an English summary here.
The German Data Protection Authorities published the English version of a guidance document (‘the Standard Data Protection Model’) that they discussed last November at the Conference of Independent Data Protection Authorities of Germany (federal and state DPAs). The document refers to the implementation of technical and organisational data protection measures. The guidance is particularly relevant for the interpretation and application of Articles 5, 12, 25 and 32 GDPR, which “provide essential requirements on the security of the processing of personal data”. This version of the document is a literal translation of the German text.
The ICO published its draft guidance for “profiling” rules under the GDPR and opened a public consultation on the draft. According to the ICO, the discussion paper “highlights the key areas of profiling we feel need further consideration. This includes subjects like marketing, the right to object, and data minimization.” The ICO asked for comments on the draft to be sent before April 28.
CNIL published a GDPR compliance toolkit. The French DPA created a dedicated page for the new “toolkit” (FR), detailing each of the six proposed steps towards compliance and referring to the available templates (such as a template for the Register of processing operations and a template for data breach notifications – both in FR). More info (EN).
Analysis
Julia Powles and Andrew Selbst write about the right to explanation in the GDPR, “Meaningful information and the right to explanation”, arguing that indeed there is a right to explanation provided for by the GDPR, even though it does not have this exact name. The article is offered in open access by the International Data Privacy Law journal.
The fifth and last part of Alston and Bird’s series on the German implementation of the GDPR was published and is available HERE, together with links to the first four parts. It explores DPA oversight, sanctions and fines, how to challenge DPA actions/decisions, DPA challenges to international transfers, and lawsuits/litigation (thanks to FPF Senior Fellow Peter Swire for forwarding this).
Bird & Bird published a useful summary of the Article 29 Working Party Guidelines on profiling, while Hogan Lovells questioned one of the key findings of the Article 29 Working Party in the draft guidance – the fact that the DPAs interpret the right not to be subject to a decision based solely on automated processing and resulting in legal effects or significantly affecting the person as a general prohibition on such processing rather than a right that should be pro-actively exercised by the data subject. The nature of this right (which is currently enshrined in Article 15 of Directive 95/46) has been on the mind of data protection experts for a long time, long before the GDPR was on the table. Professor Bygrave analyzed this question in 2000, highlighting how this wording allowed Member States to transpose it into a general prohibition (e.g. France, Belgium), while other Member States created an actionable right.
The ICO continues their GDPR myth-busting series with a note on why “GDPR is an evolution in data protection, not a burdensome revolution”, highlighting how the GDPR is building on foundations already in place for the last 20 years and how it scales the task of compliance to the risk posed to the rights of individuals.
Quite similar ideas emerge from a piece published this week in the CPO magazine – “No, the GDPR is Not Going to Slow Down the Digital Economy” which reports from a recent GDPR Innovation Briefing in Brussels, and from an analysis shared two weeks ago on Medium – “Europe’s smart take on the fourth industrial revolution: the GDPR”.
DLA Piper published a template with GDPR ready terms for controller-processor contracts that you may find useful.
The ICO started a much welcomed myth-busting campaign regarding the GDPR, acknowledging that there is a lot of misinformation out there about it. The first myth they busted: the biggest threat to organisations from the GDPR is massive fines. Elizabeth Denham, head of the ICO, wrote that “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”. Read all about it here. The second myth they busted: consent is the silver bullet for GDPR compliance. No, it’s not. “The rules around consent only apply if you are relying on consent as your basis to process personal data. (…) There are five other ways of processing data that may be more appropriate than consent”, wrote Denham here.
If you’re looking for some extra GDPR reading, Phil Lee published two very informative pieces: ‘The great unsolved data protection challenges of our time’ and ‘Let’s sort out this profiling and consent debate once and for all’ (where he debunks the myth that profiling must always be based on consent as legal basis).
The Financial Times published last week a piece on “Businesses failing to prepare for EU rules on data protection”, highlighting that “companies operating in Europe are dramatically underestimating the impact of the new data protection regulation that comes into force next May and failing to prepare adequately for it”.
The d.pia.lab of Vrije Universiteit Brussels published its first Policy Brief: “Data protection impact assessment in the European Union: complementing the new legal framework towards a more robust protection of individuals”. The brief explores “a few weak points” in the GDPR requirement to conduct DPIAs and provides recommendations primarily for policymakers.
The right to data portability was thoroughly covered in EUObserver, featuring input from industry and a summary of discussions in a RightsCon panel on the subject: “New EU Right to Data Portability to cause Headaches”.
The Commission’s top scientific advisers published an opinion on Cybersecurity in the Digital Single Market. The High Level Group of the Commission’s Scientific Advice Mechanism (SAM) has published a new independent scientific opinion on cybersecurity in the Digital Single Market. At the request of Commission Vice-President Andrus Ansip, the scientific advisers make a number of recommendations to make it easier and safer for people and businesses to operate online in the EU. More info here. Read the Report (104 pages).
Citi Group published a comprehensive Report on “ePrivacy and Data Protection. Who watches the watchers? How regulation could alter the path to innovation”. Read the Report here (145 pages).
“Co-regulation in EU personal data protection: the case of technical standards and the privacy by design standardisation mandate”, by Irene Kamara. Read this report from the latest issue of the European Journal of Law and Technology here.
BCRs and the GDPR: Practical considerations. Further DPA guidance is expected later this year. In the meantime, Wanne Pemmelaar, Anna van der Leeuw and Charlotte Mullarkey explain what companies should do now in a Report for “Privacy laws and business”.
Advocate General Kokott (CJEU) referred to Article 79 of the GDPR (effective judicial remedies) in her Opinion in Puškár. The case concerns the lawfulness of blacklisting by tax authorities and tackles questions of lawful grounds for processing other than consent and what constitutes an effective legal remedy. A summary of the Opinion is available HERE (the Court is expected to give its judgment by the end of the year).
Policy
The trend of increasing cooperation among DPAs was reflected by the creation of a permanent “Fining taskforce”, which will focus on the harmonization of calculating the GDPR fines, and through the creation of a joint investigatory team regarding Uber’s data breach.
Max Schrems launched a pan-European NGO, noyb (None of Your Business), with the declared purpose of launching class actions under the GDPR.
If you want to take a step back and look at the future of data protection beyond the GDPR, you can find on FPF’s blog the summary of my conversation with Giovanni Buttarelli, the European Data Protection Supervisor, that took place at the IAPP Data Protection Congress in Brussels earlier this month.
EUCO’s Vice-president Andrus Ansip and Commissioner Vera Jourova issued a statement one year ahead of the entry into application of the GDPR. They talked about working with all Member States and engaging with companies “to make this happen”. They also announced an EU-wide campaign to raise awareness so that Europeans are conscious of their rights.
Amendment of national data protection laws continues in the EU, in order to align them with the GDPR. Ireland recently published its draft GDPR bill, as did Sweden (available only in Swedish – NB: it’s 504 pages long!). According to reports, Sweden proposes to lower the age at which children need the consent of their parents to have their data processed from 16 (as recommended by the GDPR) to 13.
Commissioner Vera Jourova announced a ‘massive information campaign on data protection’ in the year ahead of the entry into force of the GDPR.
National implementation
The ICO published a Factsheet on the Data Protection Bill that will implement the GDPR in the UK, explaining the differences between the Bill and the GDPR.
The IAPP published an analysis by David Meyer on the UK’s upcoming privacy law, concluding that it will not be a “GDPR cut-and-paste”.
We have a link to the official English translation of the German GDPR implementation law, which you can access here.
The German Parliament will vote on the new draft for a Federal Data Protection Act on April 27. The preliminary draft of the Polish national data protection law was published. Here is a very useful summary in English for those of you who would like an idea of how the small degree of flexibility allowed by the GDPR is implemented in national laws. And here is an explanation of how Regulations operate in the EU legal order, including details on how most of the provisions of the GDPR will not necessarily need national implementation in order to be effective, with a special focus on provisions regarding fines: A million dollar question, literally: Can DPAs fine a controller directly on the basis of the GDPR, or do they need to wait for national laws?
The debate over the national implementation of the GDPR is ongoing in the Member States. The latest news comes from Ireland, where a special rapporteur for child protection advised the legislature that the digital age of consent should be 13, referring to the need not to excessively limit minors’ freedom to access information.
Germany passed the Amendment Act to the Federal General Data Protection Law, bringing it into accordance with the GDPR. You can find here and here detailed accounts in English of the main differences between the German law and the GDPR. Perhaps the most remarkable difference is the addition to the sanctions regime of a criminal penalty of up to three years’ imprisonment or criminal fines for certain intentional unlawful data processing. The act also provides for additional legitimate grounds for processing for scoring and credit reporting.
The UK Government issued a “Call for views on the General Data Protection Regulation derogations”, expecting replies by May 10. This consultation will inform the British legislative process for the national measures implementing the GDPR.