Photo of Davinia Brennan

At its plenary meeting this month, the WP29 adopted the final version of its Data Protection Impact Assessment (DPIA) guidelines.

It also adopted draft guidelines on data breach notification and profiling, and administrative fines, which will be open for public consultation for 6 weeks before their final adoption. The guidelines are expected to be published shortly on the European Commission’s WP29 webpage.

Each WP29 subgroup provided a state of play of its work on the WP29’s priorities on the GDPR, including guidelines on consent, transparency, and update of data transfer tools which are to be adopted between November 2017 and February 2018.

On certification, the discussions are continuing and the guidelines should be proposed for adoption at the February 2018 WP29 plenary.

The WP29 also worked on the organization and structure of the EDPB and of the cooperation system to be ready for May 2018.

Photo of Davinia Brennan

The UK Information Commissioner’s Office (ICO) is consulting on draft GDPR guidance on contracts and liabilities between controllers and processors. The guidance seeks to help organisations understand what must be included in contracts under the GDPR, and the new responsibilities and liabilities of processors.

Continue Reading ICO opens consultation on draft guidance on controller/processor contracts and liabilities

Photo of Davinia Brennan

The EU Council has proposed amendments to the draft ePrivacy Regulation (the Regulation). The Presidency points out that work on the text will be incremental and this is only its first redraft.

Proposed amendments include:

Scope – The Presidency clarifies the precise material and territorial scope of the Regulation, as including:

  • the processing of electronic communications content in transmission, and of electronic communications metadata carried out in connection with the provision of electronic communications services to end-users in the EU;
  • information related to, processed by, or stored in the terminal equipment of end users located in the EU;
  • the placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the internet;
  • the offering of a publicly available directory of end-users of electronic communications services located in the EU, and
  • the sending or presenting of direct marketing communications to end users located in the EU.

Continue Reading EU Council proposes revisions to the draft ePrivacy Regulation

Photo of Davinia Brennan

Employee monitoring versus privacy rights is back in the spotlight due to today’s decision by the Grand Chamber of the European Court of Human Rights (ECHR) in Bărbulescu v. Romania.  The Grand Chamber held there had been a violation of Article 8 of the European Convention on Human Rights, where an employer monitored and accessed personal emails sent by an employee during work hours from his Yahoo Messenger account, using a company computer, without notifying the employee in advance of such monitoring.

Continue Reading ECHR rules employees must receive prior notice of email monitoring

Photo of Davinia Brennan

The Data Protection Commissioner (DPC) has initiated a consultation seeking submissions in regard to how some key concepts in the GDPR should be interpreted and applied, including:

  • Consent
  • Profiling
  • Personal data breach notifications
  • Certification

The Article 29 Working Party (WP29) (consisting of representatives of the EU data protection authorities) is currently preparing guidance on these concepts, and EU data protection authorities are undertaking consultation processes with the purpose of ensuring that the views of stakeholders are heard.  The questions asked in the consultation demonstrate the lack of detail in the GDPR in regard to these key concepts.

Continue Reading DPC launches consultation on consent, profiling, data breach notifications and certification under the GDPR

Photo of Davinia Brennan

The CJEU has ruled (Case C-398/15) that there is no general right to be forgotten in respect of personal data in the companies register. However, upon expiry of a sufficiently long period after dissolution of a company, Member States may provide for restricted access to such data by third parties in exceptional cases. The CJEU’s decision is in line with its ruling in Google Spain (Case C-131/12) that the right to be forgotten is not absolute, and will always need to be balanced against other fundamental rights.

Continue Reading No right to be forgotten in respect of personal data in the companies register

Photo of Alison Quinn

The UPC Preparatory Committee has adopted and published the Rules and Procedure of the Unified Patent Court. The 18th draft of the agreed Rules is subject to change only with respect to the court fees that may be applicable.   The 1st draft, published in 2009, was progressed through stages of expert meetings and technical and public consultation and sets out the specific framework and functioning of the Unified Patent Court. Continue Reading UPC publishes agreed Rules of Procedure- 18th Draft