The Article 29 Working Party (WP29) (consisting of data protection regulators from the 28 Member States) has adopted Opinion 01/2017 on the proposed e-Privacy Regulation, which will repeal and replace the e-Privacy Directive. Whilst the WP29 welcomes the proposal, it identifies several points of concern, and sets out how the proposal can be improved.
The Article 29 Working Party (WP29) has proposed guidelines to help organisations identify when it is necessary to carry out a Data Protection Impact Assessment (DPIA) and how to do so. The guidelines are open to public comment until 23 May 2017. DPIAs involve evaluating the potential impact that a new project will have on the privacy of individuals, and identifying ways to mitigate or avoid any adverse effects in advance of processing. The GDPR requires DPIAs to be carried out when processing is likely to result in a “high risk” to the rights and freedoms of natural persons.
The Data Protection Commissioner (DPC) has published her Annual Report for 2016. It highlights key developments and activities of her Office last year, as well as priorities for 2017, which will be “all about GDPR readiness”. 2016 was a busy year for the DPC’s Office. It dealt with an increased number of queries, complaints and data breach notifications. The DPC continued her engaged approach to regulation, engaging extensively with multinational companies, such as Facebook, LinkedIn, Apple and WhatsApp on proposed new policies, products and services, conducting over 100 face-to-face meetings. The DPC also engaged with a number of entities in the public, health and private/financial sectors.
The Article 29 Working Party (WP29) has issued its final guidance on Data Protection Officers (DPOs), Data Portability and Lead Supervisory Authority, in response to stakeholders’ comments. Some of the new points raised in the revised guidance are set out below.
The CJEU has ruled (Case C-398/15) that there is no general right to be forgotten in respect of personal data in the companies register. However, upon expiry of a sufficiently long period after dissolution of a company, Member States may provide for restricted access to such data by third parties in exceptional cases. The CJEU’s decision is in line with its ruling in Google Spain (Case C-131/12) that the right to be forgotten is not absolute, and will always need to be balanced against other fundamental rights.
The Information Commissioner (IC) has made a formal binding decision that records of lobbying communications with the Data Protection Commissioner (ODPC) are not accessible under the Freedom of Information (FOI) Act 2014. In Right to Know CLG v ODPC (Case No. 160447), the IC concluded that the ODPC was justified in refusing the applicant’s request on the ground that the records sought fell outside the scope of the FOI Act, as they did not concern the general administration of the ODPC’s office.
The UK Court of Appeal has clarified the scope of the disproportionate effort exemption, and the relevance of motive, when responding to Data Subject Access Requests (DSARs). The decisions are interesting as the scope of the disproportionate effort exemption has caused considerable confusion in both the UK and Ireland. Neither the English nor Irish Data Protection Acts (DPAs) define what constitutes “disproportionate effort” and there is a paucity of Irish case-law on the issue. Nor has the Irish Data Protection Commissioner (DPC) provided any comprehensive guidance on the exemption.
At a plenary meeting on 7 February 2017, the Article 29 Working Party (WP29) discussed the progress of its guidelines on the GDPR. The WP29 is continuing its work on Data Protection Impact Assessments (DPIAs), Certification and other topics. The DPIA guidelines are expected in April 2017, and the Certification guidelines in June 2017.
In regard to the Privacy Shield, the WP29 has decided that the EU centralised body, in charge of channelling complaints to the Ombudsperson, will be composed of 5 national Data Protection Authorities (DPAs). The WP29 has adopted two sets of template documents serving as complaint forms for submitting commercial-related complaints or requests under the Ombudsperson mechanism, and has adopted its rules of procedure.
The WP29 intend to send a letter to the US authorities:
(i) To raise concerns and seek clarification on the impact of Trump’s recent Executive Order on the Shield;
(ii) To request assurances on the way personal data will be dealt with by US authorities regarding complaints under the Shield, and
(iii) To provide answers to questions from the US authorities on the functioning of the centralised body.
The WP29 also intend to issue, in April 2017, an Opinion on the draft e-Privacy Regulation published by the Commission earlier this year.
Press Release: Article 29 Working Party – February 2017 Plenary Meeting
The European Commission has published its draft e-Privacy Regulation which, if adopted, will replace the existing e-Privacy Directive. The Regulation broadens the scope of the Directive, enhances the confidentiality of communications, and simplifies the rules on cookies and unsolicited electronic marketing.
The Regulation expands the scope of the e-Privacy Directive, which only applies to traditional telecoms providers. It is proposed that the Regulation will apply to any business that provides any form of online communication service, so all internet-based voice and messaging services will be subject to the new rules. The Regulation calls these providers “over-the-top communications service providers”. So Skype, WhatsApp, Facebook Messenger, Gmail, Viber and so forth will all come within the Regulation’s remit. This will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.
January 28th was European Data Protection Day and we marked the event by attending the 9th Annual Data Protection Conference which was held in the Aviva Conference Centre.
The two-day conference featured interactive workshops on the first day on ‘Privacy by Design’ and ‘Conducting a Data Protection Audit’. The second day included a line-up of notable speakers who spoke on topics related to the theme of the conference: “GDPR – It’s here, what’s next”. Dara Murphy, Minister of State for European Affairs, EU Digital Single Market and Data Protection, spoke about his department’s work in preparing for GDPR and the importance of having a strong, well-resourced Office of the Data Protection Commissioner (ODPC). The Minister also announced plans for a data summit in June this year.
A&L Goodbody’s Claire Morrissey presented on “Legal Aspects of the GDPR” and took part in a lively Q&A session. Claire highlighted some of the key changes that the GDPR will bring including the need to demonstrate compliance, the new right of data portability, the new security reporting obligations and the ability for individuals to recover financial and non-financial loss (such as damages for distress or embarrassment in the event of inadvertent disclosure of personal data). She also offered some practical tips for ways in which businesses can prepare for the GDPR (some of which are available here).