The UK Information Commissioner’s Office (ICO) is consulting on draft GDPR guidance on contracts and liabilities between controllers and processors. The guidance seeks to help organisations understand what must be included in contracts under the GDPR, and the new responsibilities and liabilities of processors.
The Data Protection Commissioner (DPC) has called for submissions on issues of Transparency and International Data Transfers under the GDPR. The submissions received by the DPC from its consultation will be shared with the Article 29 Working Party (WP29), at its third Fablab in Brussels on 18 October 2017 to inform the preparation of new guidelines on transparency under the GDPR and the updating of existing guidelines on international data transfers.
The EU Council has proposed amendments to the draft ePrivacy Regulation (the Regulation). The Presidency points out that work on the text will be incremental and this is only its first redraft.
Proposed amendments include:
Scope – The Presidency clarifies the precise material and territorial scope of the Regulation, as including:
- the processing of electronic communications content in transmission, and of electronic communications metadata carried out in connection with the provision of electronic communications services to end-users in the EU;
- information related to, processed by, or stored in the terminal equipment of end users located in the EU;
- the placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the internet;
- the offering of a publicly available directory of end-users of electronic communications services located in the EU; and
- the sending or presenting of direct marketing communications to end users located in the EU.
The U.S. Federal Trade Commission (FTC) announced on 8 September that three U.S. companies have agreed to settle FTC charges that they misled consumers by falsely claiming they were certified to participate in the Privacy Shield. In separate complaints, the FTC alleges that all three companies failed to complete the certification process for the Shield. As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements. The actions against the three companies are the first cases the FTC has brought to enforce the Shield, which was adopted in July 2016.
Employee monitoring versus privacy rights is back in the spotlight due to today’s decision by the Grand Chamber of the European Court of Human Rights (ECHR) in Bărbulescu v. Romania. The Grand Chamber held there had been a violation of Article 8 of the European Convention on Human Rights, where an employer monitored and accessed personal emails sent by an employee during work hours from his Yahoo Messenger account, using a company computer, without notifying the employee in advance of such monitoring.
The General Data Protection Regulation (GDPR) will automatically come into force across the EU on 25 May 2018. As the deadline fast approaches, Member States are busy progressing their draft implementing legislation. Article 23 of the GDPR provides Member States with discretion over how certain provisions will apply. These proposed derogations to the GDPR have been a focus point for many commentators on the draft national legislation.
Under Article 23, Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights, but only where the measure respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. The measure must safeguard one of the following:
- national security;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or breaches of ethics in regulated professions;
- other important public interests, in particular economic or financial interests (e.g. budgetary and taxation matters, public health and security);
- the protection of judicial independence and proceedings;
- monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
- the protection of the individual, or the rights and freedoms of others; or
- the enforcement of civil law matters.
Chapter IX of the GDPR provides Member States with further exemptions, derogations, conditions or rules in relation to specific processing activities.
UK Call for Views on the GDPR
Earlier this year, the UK’s Department for Digital, Culture, Media and Sport (DCMS) opened a public “call for views” as part of its implementation process. All stakeholders with an interest in data protection were encouraged to share views on any and all derogations in the UK Data Protection Bill.
Following the end of the call for views, the DCMS published its Statement of Intent and outlined its approach to the Data Protection Bill. The document (available here) emphasises the UK Government’s desire to continue its “gold standard” of data protection law. It states that the GDPR will be implemented in a way that, as far as possible, preserves the concepts of the UK’s Data Protection Act 1998 and ensures a smooth transition post-Brexit, while complying with the GDPR and other applicable directives.
The DCMS has also provided a detailed summary of the proposed GDPR derogations in the Data Protection Bill (available here). The summary usefully sets out the derogations in the GDPR, the relevant GDPR article, and the reason for the UK deviating from the default position, where applicable.
It is reported that the Bill will be published in early September 2017.
News reports have confirmed that on Wednesday 26 July, after a public consultation period on the issue, the Irish Government have agreed to set the digital age of consent at 13 years of age. Article 8 of the General Data Protection Regulation (GDPR) provides that a child under the age of 16 cannot consent to the processing of their personal data without the express consent of their parents. EU Member States have been granted the discretion to set a lower age under the GDPR provided that it is no lower than 13.
The decision follows consideration of a submission made by Special Rapporteur for Child Protection, Dr Geoffrey Shannon, who had previously called for the lowest age of consent to be adopted in a Joint Oireachtas Committee on Justice, Defence and Equality meeting on 5 July which discussed the General Scheme of the Data Protection Bill 2017. Dr Shannon stressed the importance of protecting a child’s right to participate and have their voice heard when considering the digital age of consent.
A similar decision has been taken in the UK, where the Department for Digital, Culture, Media & Sport has confirmed, in a Statement of Intent released on 7 August discussing the proposed Data Protection Bill 2017, that it intends to set the age of digital consent at the lower threshold of 13 years of age.
On 26 July 2017 the Court of Justice of the European Union (CJEU) delivered its Opinion that the draft Passenger Name Record (PNR) Agreement between the EU and Canada is not compatible with the EU Charter of Fundamental Rights (the Charter) and may not be concluded in its current form. The Opinion follows a referral by the European Parliament to the CJEU and is the first time the Court has been requested to examine the compatibility of an international agreement with the EU Charter.
The Court observed that the Charter rights are not absolute, and that an agreement allowing for the transfer and retention of data to ensure public security would be capable of justifying even serious interference with fundamental rights such as privacy and personal data protection. Any such interference should, however, be (1) proportionate, (2) strictly necessary and (3) guided by clear and precise rules governing its scope and application. The transfer of sensitive data would also require a precise and solid justification in addition to that of public security and the Court concluded that in this instance, there was no such justification.
Retention of Data
The envisaged Agreement provided that PNR data may be retained by Canada for five years after receipt of such data. The Court observed that the retention of data for the duration of a visitor’s stay in Canada did not exceed the limits of what is strictly necessary, but noted that as PNR data would be used as part of the verification process to grant entry into the territory, subsequent use of that data would require fresh justification by way of new circumstances or objective evidence. The Court suggested that, except in cases of valid urgency, any decision by Canadian authorities to use PNR data after entry has been granted should be subject to prior review by a court or independent body. The retention of data after departure from Canada should also be limited to those air passengers for whom there is objective evidence indicating a terrorism or crime risk.
The Court declared that as a number of other provisions were vague and did not adequately address the processing of PNR data in a clear and precise manner, it was not satisfied that the Agreement in its current form was compatible with the Charter.
The European Commission (EC) has opened an online public consultation on the targeted revision of EU consumer law (the Consultation). The Consultation follows the EC’s publication of the results of its Fitness Check on consumer and marketing law and of the evaluation of the Consumer Rights Directive (Directive 2011/83/EU) (the CRD).
Both the Consultation and the Fitness Check form part of the EC’s Regulatory Fitness and Performance (REFIT) programme, which aims to make EU law simpler, less costly and identify any inconsistencies and/or obsolete measures which may have appeared over time.
The Fitness Check carried out a comprehensive evaluation of six directives:
- the Unfair Commercial Practices Directive 2005/29/EC;
- the Unfair Contract Terms Directive 93/13/EEC;
- the Price Indication Directive 98/6/EC;
- the Consumer Sales and Guarantees Directive 1999/44/EC;
- the Injunctions Directive 2009/22/EC; and
- the Misleading and Comparative Advertising Directive 2006/114/EC.
In late May, the EC published its findings of its analysis of these six directives and its separate parallel review of the CRD. In brief, the EC found that “[t]he evaluations confirm that in general consumer law remains fit for purpose.” It did identify, however, the need to improve awareness, enforcement of the rules and redress opportunities to make the best of the existing legislation. It also stated that targeted legislative changes to address certain identified shortcomings of the directives could be beneficial.
Free Online/Digital Services
One of the shortcomings that the EC identified is that the CRD does not currently apply to the provision of ‘free’ online/digital services. ‘Free’ in this context means that the consumer does not pay with money for the service but instead provides data. Examples of this are cloud storage, social media or webmail, where the main contractual obligation of the trader is not to provide digital content but rather a service allowing the creation, processing, storing or sharing of data that is produced by the consumer.
The EC has stated that it will examine extending the scope of the CRD to include such contracts for ‘free’ digital services. This would extend traders’ pre-contractual information requirements and consumers’ 14-day right of withdrawal to any digital services. This singling out of the providers of ‘free’ digital services demonstrates the EC’s continued focus on the digital economy and on protecting consumers’ rights online.
The Consultation offers all citizens and organisations the opportunity to have their say on this matter, along with other consumer law matters such as banning doorstep selling and better individual remedies for consumers harmed by unfair commercial practices, including misleading “green” claims.
The Consultation will run for 14 weeks (June – October 2017). Click here for more details.
Stakeholders have written a joint letter to the Article 29 Working Party (WP29) expressing their concerns about the GDPR consultation process. They believe that the GDPR consultation processes which have taken place so far, with 30-day deadlines to respond, were much too short, and that a reasonable consultation period (for example, 8 weeks) should be set.
An additional concern is that the WP29 guidelines effectively introduce additional rules. The WP29 guidelines are non-binding, but can still be introduced as compulsory requirements at national level. The stakeholders therefore point out that whilst it is important that they provide clarity and help facilitate implementation, they should not undermine the GDPR’s provisions.
To date, the WP29 have issued guidelines on data portability, data protection officers and lead supervisory authorities, as well as draft guidelines on data protection impact assessments. Further guidance is being prepared by the WP29 on:
- Administrative fines
- Notification of personal data breaches
- Tools for international transfers